From: Stefan Sterz
To: Proxmox VE development discussion, Markus Frank
Date: Wed, 15 Nov 2023 14:28:01 +0100
Subject: Re: [pve-devel] [PATCH common] fix #5034 ldap attribute regex
Message-ID: <2a01ac45-0918-4973-b20d-8f21cf1dd99c@proxmox.com>
In-Reply-To: <20231115122334.157407-1-m.frank@proxmox.com>

On 15.11.23 13:23, Markus Frank wrote:
> Change regex from "m/^[a-zA-Z0-9]+$/" to "m/^[a-zA-Z0-9\-]+$/"
> to allow hyphen in ldap attribute names for pve & pmg.
>
> Signed-off-by: Markus Frank
> ---
> There does not seem to be a regex for LDAP attributes in pbs.
> Should a regex be added for this?
>

We recently moved away from using regex for validating an LDAP configuration, for two reasons:

1. turns out finding a regex that validates all possible valid LDAP DNs is pretty hard, and fixing this often comes along with breaking older setups
2. even a valid *looking* DN may not actually work against a real LDAP server.

So instead we now actually try to query an LDAP server with the provided config and see if that returns anything. Thus, users are more likely to get what they want, and we don't have to validate for every possible case.

I guess there could be an argument why a regex here makes sense. However, I'd imagine it's a little odd for users that we are stricter here than we are with DNs.

>  src/PVE/JSONSchema.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
> index 49e0d7a..ef58b62 100644
> --- a/src/PVE/JSONSchema.pm
> +++ b/src/PVE/JSONSchema.pm
> @@ -408,7 +408,7 @@ PVE::JSONSchema::register_format('ldap-simple-attr', \&verify_ldap_simple_attr);
>  sub verify_ldap_simple_attr {
>      my ($attr, $noerr) = @_;
>
> -    if ($attr =~ m/^[a-zA-Z0-9]+$/) {
> +    if ($attr =~ m/^[a-zA-Z0-9\-]+$/) {

If I'm not mistaken, this regex should try to filter an `AttributeValue` [1]. In case we do stick with this regex approach here, you may want to relax this even further, as per the standard:

> If that UTF-8-encoded Unicode string does not have any of the
> following characters that need escaping, then that string can be used
> as the string representation of the value.
>
> - a space (' ' U+0020) or number sign ('#' U+0023) occurring at
>   the beginning of the string;
>
> - a space (' ' U+0020) character occurring at the end of the
>   string;
>
> - one of the characters '"', '+', ',', ';', '<', '>', or '\'
>   (U+0022, U+002B, U+002C, U+003B, U+003C, U+003E, or U+005C,
>   respectively);
>
> - the null (U+0000) character.
>
> Other characters may be escaped.

>         return $attr;
>     }
>
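Review bot: the widened pattern on the `+` line, `m/^[a-zA-Z0-9\-]+$/`, now accepts a leading hyphen (`-uid`) and an all-digit name, neither of which the commit message ("allow hyphen in ldap attribute names") asks for, and since Perl's `$` also matches before a trailing newline it accepts `"uid\n"` as it did before. If the regex approach is kept, `m/^[a-zA-Z][a-zA-Z0-9\-]*\z/` follows the intent more closely: an attribute type's keystring (RFC 4512) starts with a letter and is followed by letters, digits or hyphens, and `\z` closes the trailing-newline gap. Numeric OIDs with dots were never accepted by the old pattern either, so that is a separate question.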
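As an added example, not code from this thread or from the pve-common project, the following Python puts the two patterns from the patch next to a stricter attribute-name shape and implements the RFC 4514 value-escaping rules Stefan quotes. Python is used instead of Perl only because the regex semantics that matter here (character classes, and `$` matching before a trailing newline) are the same in both; `STRICT_ATTR_RE`, `classify_attr`, `escape_dn_value` and `build_rdn` are names and an approach assumed for illustration, and the sample inputs are constructed.

```python
import re

# The two patterns from the patch, written exactly as in the Perl hunk.
# Python's re and Perl agree on what matters here, including that `$`
# also matches just before a newline at the end of the string.
OLD_ATTR_RE = re.compile(r'^[a-zA-Z0-9]+$')
NEW_ATTR_RE = re.compile(r'^[a-zA-Z0-9\-]+$')

# Assumption (not part of the patch): an attribute *name* shaped after the
# keystring grammar in RFC 4512 (a letter, then letters, digits or hyphens).
# Numeric OIDs such as "2.5.4.3" and options such as ";binary" are out of scope.
STRICT_ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*')


def classify_attr(attr: str) -> dict:
    """Report which pattern accepts `attr`.

    The old/new patterns use re.match to mirror Perl's m/^...$/; the strict
    one uses re.fullmatch, so a trailing newline is rejected there.
    """
    return {
        "old": OLD_ATTR_RE.match(attr) is not None,
        "new": NEW_ATTR_RE.match(attr) is not None,
        "strict": STRICT_ATTR_RE.fullmatch(attr) is not None,
    }


# Characters that, per the RFC 4514 text quoted in the reply, must be
# escaped wherever they occur in an attribute value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for the string form of an LDAP DN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')            # NUL is written as a hex pair
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')             # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')             # number sign at the start
        else:
            out.append(ch)
    return ''.join(out)


def build_rdn(attr: str, value: str) -> str:
    """Assemble `attr=value` for a DN.

    The attribute name is checked against the strict pattern so that a
    crafted name cannot smuggle ',' or '=' into the DN; the value side is
    covered by escape_dn_value.
    """
    if not classify_attr(attr)["strict"]:
        raise ValueError(f"invalid LDAP attribute name: {attr!r}")
    return f"{attr}={escape_dn_value(value)}"


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("sAMAccountName", "user-id", "-uid", "123", "uid\n"):
        print(repr(name), classify_attr(name))
    print(build_rdn("cn", " Doe, John#"))
```

Running it shows the point of the hunk (`user-id` fails the old pattern and passes the new one) alongside what the new pattern still lets through (`-uid`, `123`, and `"uid\n"` because of `$`); the Perl equivalent of `fullmatch` for the last case is ending the pattern with `\z` instead of `$`.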