From 5bb966fe5d6f3f6a30e86724c024f80ebebacfba Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 19 Jun 2019 11:46:17 +0200 Subject: [PATCH] ticket: properly verify exactly 5min old tickets MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit to fix an issue where valid tickets could be rejected 5 minutes after a key rotation, where the minimum age is exactly 0 seconds. thanks Dominik for triaging! Signed-off-by: Fabian Grünbichler --- PVE/AccessControl.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 5de060d..fff2df2 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -283,7 +283,7 @@ sub verify_ticket { return undef if !$rsa_pub; my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old); - return undef if !$min; + return undef if !defined($min); return PVE::Ticket::verify_rsa_ticket( $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1); -- 2.39.2