From e80f840ccc3c469b05cd34d9a9987de293862c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Fri, 4 Apr 2025 15:11:07 +0200
Subject: [PATCH] openid: make groups-claim RE more restrictive
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
always possible to lift, but hard to lock down after the fact..
Signed-off-by: Fabian Grünbichler
---
 src/PVE/Auth/OpenId.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 4c52adc..7becd91 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -9,8 +9,8 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file
 use base qw(PVE::Auth::Plugin);
-# include all printable ascii characters
-my $openid_claim_regex = qr/[ -~]+/;
+# FIXME: restrict username-claim as well?
+my $openid_claim_regex = qr/A-Za-z0-9\.\-_/;
 sub type {
 return 'openid';
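Review bot: The added `my $openid_claim_regex` line has lost the character-class brackets and the quantifier, so `qr/A-Za-z0-9\.\-_/` matches only the literal text `A-Za-z0-9.-_` instead of a run of those characters; it should presumably read `my $openid_claim_regex = qr/[A-Za-z0-9\.\-_]+/;`. The places that consume this variable are outside the hunk, but as written the pattern most likely rejects every realistic claim name. Once the brackets are restored, the narrower class only restricts anything if those use sites match the whole value (anchored with `\A` and `\z`), since an unanchored match would accept any string containing a single allowed character. The removed comment documented the allowed set and the new one does not; a line such as `# claim names: ASCII letters, digits, '.', '-' and '_' only` above the FIXME would keep that recorded.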