From: Fabian Grünbichler
Date: Thu, 3 Oct 2019 08:33:28 +0000 (+0200)
Subject: parse_user_cfg: correctly parse group names in ACLs
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=508e11f1845d235cf9ad83ea8b60d52f62e47856

parse_user_cfg: correctly parse group names in ACLs

usernames are allowed to start with '@', so adding a user '@test@pve' and adding it to an ACL should work, instead of ignoring that part of the ACL entry.

So use verify_groupname to additionally enforce that the group name we extracted does not include an additional @, as then it cannot be a group.

note: there is no potential for user and group to be confused, since a username must end with '@REALM', and a group reference in an ACL can only contain one '@' (as first character).

Signed-off-by: Fabian Grünbichler
---
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 44f4a01..6ea0b85 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -974,8 +974,9 @@ sub parse_user_config { } foreach my $ug (split_list($uglist)) { - if ($ug =~ m/^@(\S+)$/) { - my $group = $1; + my ($group) = $ug =~ m/^@(\S+)$/; + + if ($group && verify_groupname($group, 1)) { if ($cfg->{groups}->{$group}) { # group exists $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate; } else {
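Review bot: the new condition `if ($group && verify_groupname($group, 1))` tests `$group` for truth rather than definedness, so a captured name of `0` would be treated as no match and skip the group branch; `defined($group) && verify_groupname($group, 1)` states the intent exactly. The bare `1` passed to `verify_groupname` would also benefit from a short comment or a named variable, since its meaning is not evident from the call site. The visible diff changes only PVE/AccessControl.pm, so a regression test that parses an ACL entry for the user `@test@pve` alongside an ordinary `@group` entry would pin down the behaviour the commit message describes.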