From: Christoph Heiss <c.heiss@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Markus Frank <m.frank@proxmox.com>
Subject: Re: [pve-devel] [PATCH common] fix #5034 ldap attribute regex
Date: Tue, 21 Nov 2023 13:55:31 +0100 [thread overview]
Message-ID: <b7ls244pewer7icd6uajes44uxfburotbwjg4xwew6b6vdhrz5@gag5c4nir4bx> (raw)
In-Reply-To: <d9236181-d6a7-451d-bb76-3b5eebf906e5@proxmox.com>
On Wed, Nov 15, 2023 at 02:30:06PM +0100, Thomas Lamprecht wrote:
>
> Am 15/11/2023 um 13:23 schrieb Markus Frank:
> > Change regex from "m/^[a-zA-Z0-9]+$/" to "m/^[a-zA-Z0-9\-]+$/"
> > to allow hyphen in ldap attribute names for pve & pmg.
> > [..]
> > --- a/src/PVE/JSONSchema.pm
> > +++ b/src/PVE/JSONSchema.pm
> > @@ -408,7 +408,7 @@ PVE::JSONSchema::register_format('ldap-simple-attr', \&verify_ldap_simple_attr);
> > sub verify_ldap_simple_attr {
> > my ($attr, $noerr) = @_;
> >
> > - if ($attr =~ m/^[a-zA-Z0-9]+$/) {
> > + if ($attr =~ m/^[a-zA-Z0-9\-]+$/) {
>
> Pre-existing, but shouldn't the regex actually be?
>
> $attr =~ m/^[a-zA-Z][a-zA-Z0-9\-]*$/
>
> I.e., start with a letter and then be any of letter, digit or hyphen (minus).
>
> CCing Christoph, you did a bit more LDAP stuff recently - opinions?
Sorry for the late reply, just saw this now.
I'd definitely agree with Stefan here, that moving away from regex's for
validating LDAP DNs/attributes/etc is the right way, instead of
continuously having to fix them up.
Even if we try to follow the RFCs as closely as possible, that does
unfortunaly still not really guarantee that it is indeed valid and will
be _accepted by the server_.
Just doing a basic sanity check (e.g. not empty, no spaces) and then
querying the actual LDAP server whether that accepts it or not would be
IMHO preferable. Plus, it's less work on our side in the long run.
PBS does it no differently too, so I'd go the same way here too. Being
overly strict does not help anyone, especially with LDAP, which does a
lot of weird things.
prev parent reply other threads:[~2023-11-21 12:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-15 12:23 Markus Frank
2023-11-15 13:28 ` Stefan Sterz
2023-11-15 14:49 ` Thomas Lamprecht
2023-11-15 15:12 ` Stefan Sterz
2023-11-15 15:48 ` Thomas Lamprecht
2023-11-15 15:02 ` Stefan Sterz
2023-11-15 13:30 ` Thomas Lamprecht
2023-11-21 12:55 ` Christoph Heiss [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b7ls244pewer7icd6uajes44uxfburotbwjg4xwew6b6vdhrz5@gag5c4nir4bx \
--to=c.heiss@proxmox.com \
--cc=m.frank@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox