From: Dominik Csapak
Date: Thu, 23 Mar 2023 13:14:29 +0000 (+0100)
Subject: fix #4609: allow valid DN in ldap/ad realm config
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=6b833faf931262fc7cd71c2048c6cc0e28811648;hp=a23eaa1a12c7170ef36f8508abbf23bcacfc0e7a;p=pve-access-control.git

fix #4609: allow valid DN in ldap/ad realm config

We previously added support for ',' in the DN attribute through allowing a quoted format, but the regex used was made too restrictive. In the new quoted attribute we'd only allow \w (alphanumeric and _) and the restricted characters.

This patch now changes that to allow everything except the quotation mark " itself, which is again closer to the original regex which did not care for quotation and allowed everything aside from ','.

The unquoted attributes did not allow spaces anymore, but the RFC [0] actually makes it clear that spaces are only forbidden at the beginning and the end (same for #). So, fix the regex to accommodate that and allow space and # characters again if not at the end or beginning.

0: https://www.ietf.org/rfc/rfc2253.txt

Fixes: 1aa2355 ("ldap: Allow quoted values for DN attribute values")
Signed-off-by: Dominik Csapak
Tested-by: Friedrich Weber
 [ T: make fixes a trailer and rework commit message ]
Signed-off-by: Thomas Lamprecht
---
diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 4d771e7..fc82a17 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -10,7 +10,8 @@ use PVE::Tools; use base qw(PVE::Auth::Plugin); -our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!; +my $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])!; +our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!; sub type { return 'ldap';
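Review bot: the new `$dn_part_regex` still rejects the backslash-escaped form that RFC 2253 section 2.4 itself prescribes for special characters, so a DN written as `OU=Foo\, Bar` (comma escaped with `\` rather than the value being double-quoted) fails the unquoted branch because `,` is excluded from `[^,+"/<>;=]*`, and a quoted value containing an escaped quote `\"` fails the quoted branch `"[^"]+"`. If the intent is to accept any valid DN, consider allowing a `\\.` escape sequence in both branches. The diff also touches only `src/PVE/Auth/LDAP.pm` with no regression test, so it would help to add cases for the inputs this change newly accepts (an internal space in an unquoted value, a non-leading `#`, a quoted value containing `,`) and for those that must stay rejected (leading or trailing space, leading `#`), since `Tested-by:` alone will not catch a later regression of this regex.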