fix #1500: permission path syntax check for access control

Syntax for permission paths is now checked on API calls for
creation or update on permissions.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>

diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index c3402673a8fba6bdf93350c8fa37012a44515294..857c6727d225285b06fd8d97fe4a1d1df413b2e8 100644 (file)
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -141,6 +141,10 @@ __PACKAGE__->register_method ({
        my $path = PVE::AccessControl::normalize_path($param->{path});
        raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
 
+       if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
+           raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
+       }
+
        PVE::AccessControl::lock_user_config(
            sub {
 

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 8b5be1e03c570eab4c381c75ccac3111ba19ffdd..4ef1080d10b5965faf68587c34086c0afd070ed1 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -929,6 +929,24 @@ sub normalize_path {
     return $path;
 }
 
+sub check_path {
+    return shift =~ m!^(
+       /
+       |/access
+       |/access/groups
+       |/access/realm
+       |/nodes
+       |/nodes/[[:alnum:]\.\-\_]+
+       |/pool
+       |/pool/[[:alnum:]\.\-\_]+
+       |/sdn
+       |/storage
+       |/storage/[[:alnum:]\.\-\_]+
+       |/vms
+       |/vms/\d{3,}
+    )$!xs;
+}
+
 PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
 sub verify_groupname {
     my ($groupname, $noerr) = @_;