[pve-devel] [PATCH access-control] openid: fix groups-claim regex

Mira Limbeck Thu, 10 Apr 2025 14:43:43 -0700

The previous regex matched exactly that combination of characters,
rather than any combination of the specified ones.


Fixes: e80f840 ("openid: make groups-claim RE more restrictive")
Signed-off-by: Mira Limbeck <m.limb...@proxmox.com>
---
 src/PVE/Auth/OpenId.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 4e496f0..92d75b7 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -10,7 +10,7 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file 
cfs_write_file cfs_lock_file
 use base qw(PVE::Auth::Plugin);
 
 # FIXME: restrict username-claim as well?
-my $openid_claim_regex = qr/A-Za-z0-9\.\-_/;
+my $openid_claim_regex = qr/[A-Za-z0-9\.\-_]+/;
 
 sub type {
     return 'openid';
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH access-control] openid: fix groups-claim regex

Reply via email to