From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 28 Apr 2025 14:23:48 +0200
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Fiona Ebner <f.ebner@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] applied: [PATCH pmg-api] schema: fix verification for transport-domain-or-nexthop type
Message-ID: <20250428142348.375c5a01@rosa.proxmox.com>
In-Reply-To: <20250424113451.38672-1-f.ebner@proxmox.com>
References: <20250424113451.38672-1-f.ebner@proxmox.com>

Hi,

Thanks for tackling this and identifying the issue!
gave it a quick spin on my test-setup and applied the patch!

On Thu, 24 Apr 2025 13:34:51 +0200
Fiona Ebner <f.ebner@proxmox.com> wrote:

> Since pmg_verify_transport_address() is called with $noerr set, it
> will not die on failure. Make sure that the verification method does
> not quietly accept an invalid value in this case by making sure the
> code for failure is also executed in this scenario, i.e. moving it
> out of the 'else' branch.
>
> As reported in the community forum [0], this could cause issues when a
> CIDR is specified instead of an IP or domain name for TLS destination
> policy, which is not intended.
>
> [0]: https://forum.proxmox.com/threads/165167/
> > Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> > --- > src/PMG/Config.pm | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm > index 82bd42e..0a5dff0 100644 > --- a/src/PMG/Config.pm > +++ b/src/PMG/Config.pm > @@ -1141,10 +1141,11 @@ sub pmg_verify_transport_domain_or_nexthop { > $nexthop = $1; > } > return $name if pmg_verify_transport_address($nexthop, 1); > - } else { > - return undef if $noerr; > - die "value does not look like a valid domain or next-hop\n"; > + # else fall through, because it is a failure > } > + > + return undef if $noerr; > + die "value does not look like a valid domain or next-hop\n"; > } > > sub read_tls_policy { _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
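Review bot: the failure path moved below the closing brace (`return undef if $noerr;` followed by the `die`) is now the only thing that rejects a next-hop refused by `pmg_verify_transport_address($nexthop, 1)`, yet the diffstat shows only src/PMG/Config.pm changing, so nothing guards against this regressing. Please add a test that passes a CIDR as the next-hop with $noerr set and expects undef, plus one without $noerr that expects the die. It would also help to state in the commit message what happens to configurations that already contain such a value, since they were quietly accepted before this change.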