]> git.proxmox.com Git - pve-access-control.git/blobdiff - PVE/API2/ACL.pm
projects / pve-access-control.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix #1500: permission path syntax check for access control
[pve-access-control.git] / PVE / API2 / ACL.pm
diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index c3402673a8fba6bdf93350c8fa37012a44515294..857c6727d225285b06fd8d97fe4a1d1df413b2e8 100644 (file)
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -141,6 +141,10 @@ __PACKAGE__->register_method ({
        my $path = PVE::AccessControl::normalize_path($param->{path});
        raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
 
+       if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
+           raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
+       }
+
        PVE::AccessControl::lock_user_config(
            sub {
 
Access control framework