From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH backup 1/2] fix #7054: client: remove trailing newlines from credentials
Date: Fri, 20 Feb 2026 12:17:10 +0100 [thread overview]
Message-ID: <20260220111951.280082-2-m.sandoval@proxmox.com> (raw)
In-Reply-To: <20260220111951.280082-1-m.sandoval@proxmox.com>
For repositories and fingerprints we simply strip trailing whitespaces.
For passwords, we refer to the password regex at proxmox-schema:
`^[[:^cntrl:]]*$`, we can only strip trailing control characters without
potentially breaking existing passwords.
The encryption password is just a blob of bytes handled locally by the
client, we cannot remove trailing whitespace here without potential
breakage. Creation of such passwords (via
proxmox_sys::tty::read_and_verify_password) only verifies valid utf-8
and len >= 5.
In order to prevent an allocation for credentials that do not need to be
stripped we perform a preemptive check with str::ends_with before
allocating.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
pbs-client/src/tools/mod.rs | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/pbs-client/src/tools/mod.rs b/pbs-client/src/tools/mod.rs
index 7a496d14c..8dc7c2cd5 100644
--- a/pbs-client/src/tools/mod.rs
+++ b/pbs-client/src/tools/mod.rs
@@ -169,6 +169,17 @@ fn get_secret_impl(env_variable: &str, credential_name: &str) -> Result<Option<S
Ok(Some(password))
} else if let Some(password) = get_credential(credential_name)? {
String::from_utf8(password)
+ .map(|s| {
+ if matches!(credential_name, CRED_PBS_REPOSITORY | CRED_PBS_FINGERPRINT)
+ && s.ends_with(char::is_whitespace)
+ {
+ s.trim_end().to_string()
+ } else if credential_name == CRED_PBS_PASSWORD && s.ends_with(char::is_control) {
+ s.trim_end_matches(char::is_control).to_string()
+ } else {
+ s
+ }
+ })
.map(Option::Some)
.map_err(|_err| format_err!("credential {credential_name} is not utf8 encoded"))
} else {
--
2.47.3
next prev parent reply other threads:[~2026-02-20 11:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 11:17 [PATCH backup 0/2] " Maximiliano Sandoval
2026-02-20 11:17 ` Maximiliano Sandoval [this message]
2026-02-20 12:05 ` [PATCH backup 1/2] " Christian Ebner
2026-02-20 12:21 ` Maximiliano Sandoval
2026-02-20 12:23 ` Fabian Grünbichler
2026-02-20 11:17 ` [PATCH backup 2/2] docs: client: document further password constrains Maximiliano Sandoval
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260220111951.280082-2-m.sandoval@proxmox.com \
--to=m.sandoval@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox