openid: make groups-claim RE more restrictive

always possible to lift, but hard to lock down after the fact.. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-08-11 01:20:16 +00:00 · 2025-04-04 15:11:07 +02:00 · 2025-04-04 15:11:07 +02:00 · e80f840ccc
commit e80f840ccc
parent d9582bb9b8
1 changed files with 2 additions and 2 deletions
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@ -9,8 +9,8 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file

 use base qw(PVE::Auth::Plugin);

-# include all printable ascii characters
-my $openid_claim_regex = qr/[ -~]+/;
+# FIXME: restrict username-claim as well?
+my $openid_claim_regex = qr/A-Za-z0-9\.\-_/;

 sub type {
    return 'openid';