perm check: forbid undefined/empty ACL path

[pve-access-control.git] / src / PVE / API2 / AccessControl.pm

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 5d78c6fa0aac92b70c044cfd82b8b3346022da29..104e7e3036c7b0889c7038ba3101dc7c27614307 100644 (file)
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -115,6 +115,7 @@ my sub verify_auth : prototype($$$$$$$) {
     my ($rpcenv, $username, $pw_or_ticket, $otp, $path, $privs, $new_format) = @_;
 
     my $normpath = PVE::AccessControl::normalize_path($path);
+    die "invalid path - $path\n" if defined($path) && !defined($normpath);
 
     my $ticketuser;
     if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&