X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=3e52c5f5389ae6b5c7d3216a3f014535b37119b8;hp=013226819579cb79be45d8749f478a5d88bc21e3;hb=93c7e9c3d0e016eed2e5d11912d347cd6357503a;hpb=e770e6672fdb54c30a787d71043a84b010a8e67f

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 0132268..3e52c5f 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -171,6 +171,7 @@ sub rotate_authkey {
 	if ($old) {
 	    eval {
 		my $pem = $old->get_public_key_x509_string();
+		# mtime is used for caching and ticket age range calculation
 		PVE::Tools::file_set_contents($pve_auth_key_files->{pubold}, $pem);
 	    };
 	    die "Failed to store old auth key: $@\n" if $@;
@@ -178,6 +179,8 @@ sub rotate_authkey {
 
 	eval {
 	    my $pem = $new->get_public_key_x509_string();
+	    # mtime is used for caching and ticket age range calculation,
+	    # should be close to that of pubold above
 	    PVE::Tools::file_set_contents($pve_auth_key_files->{pub}, $pem);
 	};
 	if ($@) {
@@ -209,10 +212,12 @@ sub rotate_authkey {
 }
 
 my $csrf_prevention_secret;
+my $csrf_prevention_secret_legacy;
 my $get_csrfr_secret = sub {
     if (!$csrf_prevention_secret) {
 	my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
-	$csrf_prevention_secret = Digest::SHA::sha1_base64($input);
+	$csrf_prevention_secret = Digest::SHA::hmac_sha256_base64($input);
+	$csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);
     }
     return $csrf_prevention_secret;
 };
@@ -228,7 +233,16 @@ sub assemble_csrf_prevention_token {
 sub verify_csrf_prevention_token {
     my ($username, $token, $noerr) = @_;
 
-    my $secret =  &$get_csrfr_secret();
+    my $secret = $get_csrfr_secret->();
+
+    # FIXME: remove with PVE 7 and/or refactor all into PVE::Ticket ?
+    if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+	my $sig = $2;
+	if (length($sig) == 27) {
+	    # the legacy secret got populated by above get_csrfr_secret call
+	    $secret = $csrf_prevention_secret_legacy;
+	}
+    }
 
     return PVE::Ticket::verify_csrf_prevention_token(
 	$secret, $username, $token, -300, $ticket_lifetime, $noerr);
@@ -960,8 +974,9 @@ sub parse_user_config {
 		    }
 
 		    foreach my $ug (split_list($uglist)) {
-			if ($ug =~ m/^@(\S+)$/) {
-			    my $group = $1;
+			my ($group) = $ug =~ m/^@(\S+)$/;
+
+			if ($group && verify_groupname($group, 1)) {
 			    if ($cfg->{groups}->{$group}) { # group exists
 				$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
 			    } else {
@@ -1034,7 +1049,7 @@ sub write_user_config {
 
     my $data = '';
 
-    foreach my $user (keys %{$cfg->{users}}) {
+    foreach my $user (sort keys %{$cfg->{users}}) {
 	my $d = $cfg->{users}->{$user};
 	my $firstname = $d->{firstname} ? PVE::Tools::encode_text($d->{firstname}) : '';
 	my $lastname = $d->{lastname} ? PVE::Tools::encode_text($d->{lastname}) : '';
@@ -1048,7 +1063,7 @@ sub write_user_config {
 
     $data .= "\n";
 
-    foreach my $group (keys %{$cfg->{groups}}) {
+    foreach my $group (sort keys %{$cfg->{groups}}) {
 	my $d = $cfg->{groups}->{$group};
 	my $list = join (',', keys %{$d->{users}});
 	my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
@@ -1057,7 +1072,7 @@ sub write_user_config {
 
     $data .= "\n";
 
-    foreach my $pool (keys %{$cfg->{pools}}) {
+    foreach my $pool (sort keys %{$cfg->{pools}}) {
 	my $d = $cfg->{pools}->{$pool};
 	my $vmlist = join (',', keys %{$d->{vms}});
 	my $storelist = join (',', keys %{$d->{storage}});
@@ -1067,7 +1082,7 @@ sub write_user_config {
 
     $data .= "\n";
 
-    foreach my $role (keys %{$cfg->{roles}}) {
+    foreach my $role (sort keys %{$cfg->{roles}}) {
 	next if $special_roles->{$role};
 
 	my $d = $cfg->{roles}->{$role};