From: Stefan Sterz <s.sterz@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Markus Frank <m.frank@proxmox.com>
Subject: Re: [pve-devel] [PATCH common] fix #5034 ldap attribute regex
Date: Wed, 15 Nov 2023 14:28:01 +0100
Message-ID: <2a01ac45-0918-4973-b20d-8f21cf1dd99c@proxmox.com>
In-Reply-To: <20231115122334.157407-1-m.frank@proxmox.com>
On 15.11.23 13:23, Markus Frank wrote:
> Change regex from "m/^[a-zA-Z0-9]+$/" to "m/^[a-zA-Z0-9\-]+$/"
> to allow hyphen in ldap attribute names for pve & pmg.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> There does not seem to be a regex for LDAP attributes in pbs.
> Should a regex be added for this?
>
we recently moved away from using regex for validating an LDAP
configuration, for two reasons:
1. turns out finding a regex that validates all possible valid LDAP DNs
is pretty hard and fixing this often comes along with breaking older
setups
2. even a valid *looking* DN may not actually work against a real LDAP
server.
so instead we now actually try to query an LDAP server with the provided
config and see if that returns anything. thus, users are more likely to
get what they want, and we don't have to validate for every possible case.
i guess there could be an argument why a regex here makes sense.
however, i'd imagine it's a little odd for users that we are stricter
here than we are with DNs.
> src/PVE/JSONSchema.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
> index 49e0d7a..ef58b62 100644
> --- a/src/PVE/JSONSchema.pm
> +++ b/src/PVE/JSONSchema.pm
> @@ -408,7 +408,7 @@ PVE::JSONSchema::register_format('ldap-simple-attr', \&verify_ldap_simple_attr);
> sub verify_ldap_simple_attr {
> my ($attr, $noerr) = @_;
>
> - if ($attr =~ m/^[a-zA-Z0-9]+$/) {
> + if ($attr =~ m/^[a-zA-Z0-9\-]+$/) {
if i'm not mistaken, this regex should try to filter an `AttributeValue`
[1]. in case we do stick with this regex approach here, you may want to
relax this even further, as per the standard:
> If that UTF-8-encoded Unicode string does not have any of the
> following characters that need escaping, then that string can be used
> as the string representation
> of the value.
>
> - a space (' ' U+0020) or number sign ('#' U+0023) occurring at
> the beginning of the string;
>
> - a space (' ' U+0020) character occurring at the end of the
> string;
>
> - one of the characters '"', '+', ',', ';', '<', '>', or '\'
> (U+0022, U+002B, U+002C, U+003B, U+003C, U+003E, or U+005C,
> respectively);
>
> - the null (U+0000) character.
>
> Other characters may be escaped.
> return $attr;
> }
>
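Review bot: the relaxed character class on the `+` line of this hunk accepts a hyphen in any position, so a leading hyphen or a string made only of digits and hyphens (`-uid`, `---`) now passes, although an LDAP attribute descriptor has to start with a letter (RFC 4512 keystring: leading ALPHA, then letters, digits or hyphens). If the regex stays, anchor the first character on a letter, e.g. `if ($attr =~ m/^[a-zA-Z][a-zA-Z0-9\-]*$/) {`, and add a one-line comment above the `if` naming the format this check is meant to accept, so the next relaxation has a reference point.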
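As an added example (not code from this patch or from the Proxmox projects), the patched regex check beside a checker and escaper for the RFC 4514 AttributeValue rules quoted above, written in Python rather than the Perl of JSONSchema.pm; it goes one step beyond the quote by also producing the escaped form, and the function names and sample values are my own.

```python
import re

# Regex from the patch, with hyphen now allowed (the '-' is placed last so
# the character class reads unambiguously in Python's re syntax).
SIMPLE_ATTR_RE = re.compile(r'^[a-zA-Z0-9-]+$')

# Characters that RFC 4514 says must be escaped anywhere in a value.
_SPECIAL = set('"+,;<>\\')


def verify_ldap_simple_attr(attr: str) -> bool:
    """Mirror of the patched Perl check: letters, digits and hyphens only."""
    return bool(SIMPLE_ATTR_RE.match(attr))


def needs_escaping(value: str) -> bool:
    """True if the string cannot be used verbatim as an RFC 4514 value."""
    if not value:
        return False
    if value[0] in ' #':          # leading space or number sign
        return True
    if value[-1] == ' ':          # trailing space
        return True
    if '\x00' in value:           # null must always be escaped
        return True
    return any(c in _SPECIAL for c in value)


def escape_dn_value(value: str) -> str:
    """Return the RFC 4514 string representation, escaping as required."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in _SPECIAL:
            out.append('\\' + c)
        elif c == '\x00':
            out.append('\\00')               # hex-pair escape for null
        elif c == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif c == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(c)
    return ''.join(out)


if __name__ == '__main__':
    # Constructed sample: passes the patched regex, fails the old one.
    print(verify_ldap_simple_attr('x-custom-attr'))
    # Constructed sample: a value the regex would reject but RFC 4514 allows.
    print(needs_escaping('Sales, EMEA'), escape_dn_value('Sales, EMEA'))
```

A value such as `Sales, EMEA` is rejected by the regex but is perfectly representable once escaped, which is the gap the reply above points at.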