From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6904293946 for ; Tue, 6 Feb 2024 11:11:19 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 49EE631C0D for ; Tue, 6 Feb 2024 11:11:19 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 6 Feb 2024 11:11:18 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 6F4F0448DD for ; Tue, 6 Feb 2024 11:11:18 +0100 (CET) From: Gabriel Goller To: pve-devel@lists.proxmox.com Date: Tue, 6 Feb 2024 11:11:01 +0100 Message-ID: <20240206101115.36437-1-g.goller@proxmox.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.108 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH pve-access-control] fix #5190: access-control: openid acr format regex X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Feb 2024 10:11:19 -0000 Restrict the acr-value regex a little bit so as to align the behavior with PBS. The openid documentation says that the acr-value *should* be an URI [0]. Added a regex that loosely disallows some of the reserved URI characters specified in the RFC [1]. Values like: * "urn:mace:incommon:iap:silver" * "urn:comsolve.nl:idp:contract:rba:location" SHOULD work, but values like: * "urn:#ace:incommon:iap:silver" * "urn:"omsolve.nl:idp:contract:rba:location" should NOT work. [0]: https://openid.net/specs/openid-connect-core-1_0.html [1]: https://www.rfc-editor.org/rfc/rfc2396.txt Signed-off-by: Gabriel Goller --- src/PVE/Auth/OpenId.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm index 56904e6..c8e4db9 100755 --- a/src/PVE/Auth/OpenId.pm +++ b/src/PVE/Auth/OpenId.pm @@ -59,7 +59,8 @@ sub properties { 'acr-values' => { description => "Specifies the Authentication Context Class Reference values that the" ."Authorization Server is being requested to use for the Auth Request.", - type => 'string', # format => 'some-safe-id-list', # FIXME: TODO + type => 'string', + pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396. optional => 1, }, }; -- 2.43.0