From e934e958adfa97a13f4e841e6239b32577fa3c14 Mon Sep 17 00:00:00 2001 From: Gabriel Goller Date: Tue, 6 Feb 2024 11:11:01 +0100 Subject: [PATCH] oidc: enforce generic URI regex for the ACR value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the acr-value regex a little bit so as to align the behavior with PBS. The openid documentation says that the acr-value *should* be an URI [0]. Added a regex that loosely disallows some of the reserved URI characters specified in the RFC [1]. Values like: * "urn:mace:incommon:iap:silver" * "urn:comsolve.nl:idp:contract:rba:location" SHOULD work, but values like: * "urn:#ace:incommon:iap:silver" * "urn:"omsolve.nl:idp:contract:rba:location" should NOT work. This is related to the fix [2] for bug #5190 in PBS, but different as there we had to make the verifier more flexible, whereas here we make it stricter – mostly to have both projects aligned to avoid confusion. [0]: https://openid.net/specs/openid-connect-core-1_0.html [1]: https://www.rfc-editor.org/rfc/rfc2396.txt [2]: https://git.proxmox.com/?p=proxmox-backup.git;a=commit;h=e0222ce83c28397d493c70825e873943c1223c67 Signed-off-by: Gabriel Goller (cherry picked from commit b543394c937049265bac20c2ddb1fde0662f6a73) Signed-off-by: Thomas Lamprecht --- src/PVE/Auth/OpenId.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm index 56904e6..c8e4db9 100755 --- a/src/PVE/Auth/OpenId.pm +++ b/src/PVE/Auth/OpenId.pm @@ -59,7 +59,8 @@ sub properties { 'acr-values' => { description => "Specifies the Authentication Context Class Reference values that the" ."Authorization Server is being requested to use for the Auth Request.", - type => 'string', # format => 'some-safe-id-list', # FIXME: TODO + type => 'string', + pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396. optional => 1, }, };