From mboxrd@z Thu Jan  1 00:00:00 1970
From: Fiona Ebner <f.ebner@proxmox.com>
To: pmg-devel@lists.proxmox.com
Date: Thu, 24 Apr 2025 13:34:51 +0200
Message-Id: <20250424113451.38672-1-f.ebner@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
Subject: [pmg-devel] [PATCH pmg-api] schema: fix verification for
 transport-domain-or-nexthop type

Since pmg_verify_transport_address() is called with $noerr set, it
will not die on failure. Make sure that the verification method does
not quietly accept an invalid value in this case by making sure the
code for failure is also executed in this scenario, i.e. moving it
out of the 'else' branch.

As reported in the community forum [0], this could cause issues when a
CIDR is specified instead of an IP or domain name for TLS destination
policy, which is not intended.

[0]: https://forum.proxmox.com/threads/165167/

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PMG/Config.pm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 82bd42e..0a5dff0 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -1141,10 +1141,11 @@ sub pmg_verify_transport_domain_or_nexthop {
 	    $nexthop = $1;
 	}
 	return $name if pmg_verify_transport_address($nexthop, 1);
-    } else {
-	   return undef if $noerr;
-	   die "value does not look like a valid domain or next-hop\n";
+	# else fall through, because it is a failure
     }
+
+    return undef if $noerr;
+    die "value does not look like a valid domain or next-hop\n";
 }
 
 sub read_tls_policy {
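
Review bot: The failure path that now sits after the closing brace (`return undef if $noerr;` followed by the `die`) has no regression test, and the diffstat shows only src/PMG/Config.pm being touched. Because the defect was a silent accept rather than a crash, it is easy to reintroduce; a test that feeds a CIDR as the next-hop and checks that the function returns undef with $noerr set, and dies with "value does not look like a valid domain or next-hop" without it, would pin the behaviour down. A smaller point on the added comment `# else fall through, because it is a failure`: it only applies when pmg_verify_transport_address($nexthop, 1) returned false, so wording it along the lines of "address did not verify, fall through to the failure path below" would say that directly.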
-- 
2.39.5


