From 508e11f1845d235cf9ad83ea8b60d52f62e47856 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Thu, 3 Oct 2019 10:33:28 +0200
Subject: [PATCH] parse_user_cfg: correctly parse group names in ACLs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

usernames are allowed to start with '@', so adding a user '@test@pve' and adding it to an ACL should work, instead of ignoring that part of the ACL entry. So use verify_groupname to additionally enforce that the group name we extracted does not include an additional @, as then it cannot be a group. note: there is no potential for user and group to be confused, since a username must end with '@REALM', and a group reference in an ACL can only contain one '@' (as first character).

Signed-off-by: Fabian Grünbichler
---
 PVE/AccessControl.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 44f4a01..6ea0b85 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -974,8 +974,9 @@ sub parse_user_config {
 	    }
 
 	    foreach my $ug (split_list($uglist)) {
-		if ($ug =~ m/^@(\S+)$/) {
-		    my $group = $1;
+		my ($group) = $ug =~ m/^@(\S+)$/;
+
+		if ($group && verify_groupname($group, 1)) {
 		    if ($cfg->{groups}->{$group}) { # group exists
 			$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
 		    } else {
-- 
2.39.2
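Review bot: The new guard `if ($group && verify_groupname($group, 1))` tests the captured name for truthiness rather than definedness, so an ACL entry `@0` (or any group whose name Perl treats as false) is skipped and falls through to the user branch even if verify_groupname would accept a purely numeric name; `if (defined($group) && verify_groupname($group, 1))` expresses the intent exactly and costs nothing. Whether "0" is a legal group name depends on the pattern inside verify_groupname, which is not in this hunk, so confirm before deciding. The capture regex also keeps the `$` anchor, which admits one trailing newline; `\z` would be the stricter choice if split_list does not already trim its items. The enclosing parse_user_config loop starts and ends outside the hunk, including the user-handling branch that silently receives rejected entries.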