fix bug #151: corretly parse username inside ticket

2025-07-27 04:44:57 +00:00 · 2012-04-11 10:21:15 +02:00 · 2012-04-11 10:21:15 +02:00 · 533219a122
commit 533219a122
parent 1cf154b72f
2 changed files with 7 additions and 4 deletions
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@ -156,14 +156,15 @@ sub verify_ticket {

 	my $rsa_pub = get_pubkey();
 	if ($rsa_pub->verify($plain, decode_base64($sig))) {
-	    if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):([A-Z0-9]{8})$/) {
+	    if ($plain =~ m/^PVE:(\S+):([A-Z0-9]{8})$/) {
 		my $username = $1;
-		my $timestamp = $5;
+		my $timestamp = $2;
 		my $ttime = hex($timestamp);

 		my $age = time() - $ttime;

-		if (($age > -300) && ($age < $ticket_lifetime)) {
+		if (verify_username($username, 1) &&
+		    ($age > -300) && ($age < $ticket_lifetime)) {
 		    return wantarray ? ($username, $age) : $username;
 		}
 	    }
--- a/changelog.Debian
+++ b/changelog.Debian
@ -1,6 +1,8 @@
 libpve-access-control (1.0-18) unstable; urgency=low

-  * allow user to change his own password
+  * fix bug #151: corretly parse username inside ticket
+  
+  * fix bug #152: allow user to change his own password

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2012 09:40:15 +0200