From 6b833faf931262fc7cd71c2048c6cc0e28811648 Mon Sep 17 00:00:00 2001
From: Dominik Csapak
Date: Thu, 23 Mar 2023 14:14:29 +0100
Subject: [PATCH] fix #4609: allow valid DN in ldap/ad realm config

We previously added support for ',' in the DNS attribute through allowing a quoted format, but the regex used was made too restrictive. In the new quoted attribute we'd only allow \w (alphanumeric and _) and the restricted characters. This patch now changes that to allow everything except the quotation mark " itself, which is again closer to the original regex which did not care for quotation and allowed everything aside from ','. The unquoted attributes did not allow spaces anymore, but the RFC [0] actually makes it clear that spaces are only forbidden at the beginning and the end (same for #). So, fix the regex to accommodate for that and allow space and # characters again if not at the end or beginning.

0: https://www.ietf.org/rfc/rfc2253.txt

Fixes: 1aa2355 ("ldap: Allow quoted values for DN attribute values")
Signed-off-by: Dominik Csapak
Tested-by: Friedrich Weber
[ T: make fixes a trailer and rework commit message ]
Signed-off-by: Thomas Lamprecht
---
 src/PVE/Auth/LDAP.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 4d771e7..fc82a17 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -10,7 +10,8 @@ use PVE::Tools;
 use base qw(PVE::Auth::Plugin);
-our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!;
+my $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])!;
+our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;
 sub type {
     return 'ldap';
-- 
2.39.5
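Review bot: The new `$dn_part_regex` encodes the RFC 2253 leading-space/`#` and trailing-space rules in three opaque alternatives with no comment, and neither it nor `$dn_regex` is anchored, so the "not at the end" restriction is only enforced where a caller matches the value with `\A...\z` (or `^...$`); otherwise the regex simply backtracks to a shorter match. A one-line comment above the `my`, e.g. `# RFC 2253 attribute value: a quoted string, or an unquoted string that does not start with space or '#' and does not end with space; callers must anchor`, would make both the intent and the anchoring requirement explicit. Note that the regex excludes `#` only at the first position, which matches the RFC (a trailing `#` is legal) even though the commit message says "same for #" for both ends. The unchanged `\w+=` attribute-type part still rejects hyphenated types and dotted OIDs that the RFC allows, but that predates this commit; `sub type` at the end of the hunk continues outside it.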