From 55ab21ecfcd090ef7d364be39bdbb740391138a4 Mon Sep 17 00:00:00 2001
From: Mira Limbeck <m.limbeck@proxmox.com>
Date: Tue, 8 Apr 2025 13:33:49 +0200
Subject: [PATCH] openid: fix groups-claim regex

The previous regex matched exactly that combination of characters,
rather than any combination of the specified ones.

Fixes: e80f840 ("openid: make groups-claim RE more restrictive")
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Link: https://lore.proxmox.com/20250408113349.165831-1-m.limbeck@proxmox.com
---
 src/PVE/Auth/OpenId.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 4e496f0..92d75b7 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -10,7 +10,7 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file
 use base qw(PVE::Auth::Plugin);
 
 # FIXME: restrict username-claim as well?
-my $openid_claim_regex = qr/A-Za-z0-9\.\-_/;
+my $openid_claim_regex = qr/[A-Za-z0-9\.\-_]+/;
 
 sub type {
     return 'openid';