do not allow user names including slash

2025-08-05 20:44:43 +00:00 · 2012-04-24 10:10:35 +02:00 · 2012-04-24 10:10:35 +02:00 · 3030a17643
commit 3030a17643
parent 3036e8b1be
3 changed files with 19 additions and 4 deletions
--- a/2
+++ b/2
@ -2,7 +2,7 @@ RELEASE=2.0

 VERSION=1.0
 PACKAGE=libpve-access-control
-PKGREL=19
+PKGREL=21

 DESTDIR=
 PREFIX=/usr
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@ -732,9 +732,12 @@ sub verify_username {
 	return undef;
    }

-    # we only allow a limited set of characters (colon is not allowed,
-    # because we store usernames in colon separated lists)!
-    if ($username =~ m/^([^\s:]+)\@(${realm_regex})$/) {
+    # we only allow a limited set of characters
+    # colon is not allowed, because we store usernames in 
+    # colon separated lists)!
+    # slash is not allowed because it is used as pve API delimiter
+    # also see "man useradd" 
+    if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
 	return wantarray ? ($username, $1, $2) : $username;
    }

--- a/changelog.Debian
+++ b/changelog.Debian
@ -1,3 +1,15 @@
+libpve-access-control (1.0-21) unstable; urgency=low
+
+  * do not allow user names including slash
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Apr 2012 10:07:47 +0200
+
+libpve-access-control (1.0-20) unstable; urgency=low
+
+  * add ability to fork cli workers in background
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 18 Apr 2012 08:28:20 +0200
+
 libpve-access-control (1.0-19) unstable; urgency=low

  * return set of privileges on login - can be used to adopt GUI