* [pve-devel] [PATCH pve-access-control] fix #5190: access-control: openid acr format regex
@ 2024-02-06 10:11 Gabriel Goller
2024-02-08 17:27 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Gabriel Goller @ 2024-02-06 10:11 UTC (permalink / raw)
To: pve-devel
Restrict the acr-value regex a little bit so as to align the behavior
with PBS. The openid documentation says that the acr-value *should* be
an URI [0]. Added a regex that loosely disallows some of the reserved URI
characters specified in the RFC [1].
Values like:
* "urn:mace:incommon:iap:silver"
* "urn:comsolve.nl:idp:contract:rba:location"
SHOULD work, but values like:
* "urn:#ace:incommon:iap:silver"
* "urn:"omsolve.nl:idp:contract:rba:location"
should NOT work.
[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
src/PVE/Auth/OpenId.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 56904e6..c8e4db9 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -59,7 +59,8 @@ sub properties {
'acr-values' => {
description => "Specifies the Authentication Context Class Reference values that the"
."Authorization Server is being requested to use for the Auth Request.",
- type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+ type => 'string',
+ pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
optional => 1,
},
};
--
2.43.0
^ permalink raw reply [flat|nested] 2+ messages in thread* [pve-devel] applied: [PATCH pve-access-control] fix #5190: access-control: openid acr format regex
2024-02-06 10:11 [pve-devel] [PATCH pve-access-control] fix #5190: access-control: openid acr format regex Gabriel Goller
@ 2024-02-08 17:27 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2024-02-08 17:27 UTC (permalink / raw)
To: Proxmox VE development discussion, Gabriel Goller
Am 06/02/2024 um 11:11 schrieb Gabriel Goller:
> Restrict the acr-value regex a little bit so as to align the behavior
> with PBS. The openid documentation says that the acr-value *should* be
> an URI [0]. Added a regex that loosely disallows some of the reserved URI
> characters specified in the RFC [1].
>
> Values like:
> * "urn:mace:incommon:iap:silver"
> * "urn:comsolve.nl:idp:contract:rba:location"
> SHOULD work, but values like:
> * "urn:#ace:incommon:iap:silver"
> * "urn:"omsolve.nl:idp:contract:rba:location"
> should NOT work.
>
> [0]: https://openid.net/specs/openid-connect-core-1_0.html
> [1]: https://www.rfc-editor.org/rfc/rfc2396.txt
>
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
> src/PVE/Auth/OpenId.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>
applied, thanks!
But I had to reword the commit message to actually mention the PBS fix,
I also moved the reference to the bug #5190 down in the commit message
body, as we do not fix that bug here so it doesn't make sense to state
so in the subject.
I also dropped the "access-control" tag from the commit subject, we're
already in the pve-**access-control** repo, so that's a given, see:
> Don't add tags for things that are already clear from context, for
> example, adding a qemu tag for a patch in the qemu-server repository
> has no use.
-- https://pve.proxmox.com/wiki/Developer_Documentation#Commits_and_Commit_Messages
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-02-08 17:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06 10:11 [pve-devel] [PATCH pve-access-control] fix #5190: access-control: openid acr format regex Gabriel Goller
2024-02-08 17:27 ` [pve-devel] applied: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox