Re: [pmg-devel] [PATCH pmg-api 3/4] utils: user schema: explicitly forbid @ in user-names

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

Am 26.02.25 um 20:17 schrieb Stoiko Ivanov:
> PMGs terms are:
> * 'userid' consists of 'username'@'realm'
> 
> without this patch it was possible to create a user through the api,
> with @ in the username ('foo@bar@pmg'), and it got written to the
> user-conf.
> Reading that entry was not possible, as the verification on read was
> stricter.
> 
> This patch forbids '@' in usernames, and additionally drops the
> maxLength of 64, as 60 are already enforced by the regex pattern match
> (leaving 4 as minimal length for '@pmg'/'@pam').
> 
> Potential for regression should be minimal (the users could not be
> read-back from the config).
> 
> Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  src/PMG/Utils.pm | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
> index 9a50de2..7e4b70b 100644
> --- a/src/PMG/Utils.pm
> +++ b/src/PMG/Utils.pm
> @@ -50,7 +50,7 @@ postgres_admin_cmd
>  try_decode_utf8
>  );
>  
> -my $user_regex = qr![^\s:/]+!;
> +my $user_regex = qr![^\s:@/]+!;
>  
>  sub valid_pmg_realm_regex {
>      my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());

context is now outdated so this needs rebasing

> @@ -110,7 +110,6 @@ PVE::JSONSchema::register_standard_option('username', {
>      description => "Username (without realm)",
>      type => 'string',
>      pattern => '[^\s:\/\@]{1,60}',
> -    maxLength => 64,
>  });
>  
>  PVE::JSONSchema::register_standard_option('pmg-email-address', {



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel