Proxmox/pve-access-control
5
0
Fork 0
mirror of git://git.proxmox.com/git/pve-access-control.git synced 2025-01-07 17:17:56 +03:00
Code Releases Activity

perm check: forbid undefined/empty ACL path

Browse Source 
to detect similar issues to that fixed in the previous commit early on
and without the potential for dangerous side-effects.

root@pam is intentionally still allowed before the check in case such
situations can be triggered by misconfiguration - root@pam can then
still clean up the affected configs via the GUI/API, and not just via
manual editing.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2022-06-20 13:05:12 +02:00 committed by Thomas Lamprecht
parent 59164ff16b
commit 37d3c16b25
3 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/PVE/API2/AccessControl.pm
View File

@ -115,6 +115,7 @@ my sub verify_auth : prototype($$$$$$$) {
my ($rpcenv, $username, $pw_or_ticket, $otp, $path, $privs, $new_format) = @_;
my $normpath = PVE::AccessControl::normalize_path($path);
die "invalid path - $path\n" if defined($path) && !defined($normpath);
my $ticketuser;
if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&

12
src/PVE/AccessControl.pm
View File

@ -498,6 +498,8 @@ my $assemble_short_lived_ticket = sub {
$path = normalize_path($path);
die "invalid ticket path\n" if !defined($path);
my $secret_data = "$username:$path";
return PVE::Ticket::assemble_rsa_ticket(
@ -509,6 +511,8 @@ my $verify_short_lived_ticket = sub {
$path = normalize_path($path);
die "invalid ticket path\n" if !defined($path);
my $secret_data = "$username:$path";
my ($rsa_pub, $rsa_mtime) = get_pubkey();
@ -1166,6 +1170,8 @@ sub lookup_username {
sub normalize_path {
my $path = shift;
return undef if !$path;
$path =~ s|/+|/|g;
$path =~ s|/$||;
@ -1641,6 +1647,12 @@ sub roles {
return 'Administrator' if $user eq 'root@pam'; # root can do anything
if (!defined($path)) {
# this shouldn't happen!
warn "internal error: ACL check called for undefined ACL path!\n";
return {};
}
if (pve_verify_tokenid($user, 1)) {
my $tokenid = $user;
my ($username, $token) = split_tokenid($tokenid);

13
src/PVE/RPCEnvironment.pm
View File

@ -140,6 +140,12 @@ sub permissions {
return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
}
if (!defined($path)) {
# this shouldn't happen!
warn "internal error: ACL check called for undefined ACL path!\n";
return {};
}
if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
my ($username, $token) = PVE::AccessControl::split_tokenid($user);
my $cfg = $self->{user_cfg};
@ -439,8 +445,10 @@ sub exec_api2_perm_check {
raise_perm_exc();
}
my $path = PVE::Tools::template_replace($tmplpath, $param);
$path = PVE::AccessControl::normalize_path($path);
return $self->check_full($username, $path, $privs, $any, $noerr);
my $normpath = PVE::AccessControl::normalize_path($path);
warn "Failed to normalize '$path'\n" if !defined($normpath) && defined($path);
return $self->check_full($username, $normpath, $privs, $any, $noerr);
} elsif ($test eq 'userid-group') {
my $userid = $param->{userid};
my ($t, $privs, %options) = @$check;
@ -490,6 +498,7 @@ sub exec_api2_perm_check {
my ($t, $tmplpath) = @$check;
my $path = PVE::Tools::template_replace($tmplpath, $param);
$path = PVE::AccessControl::normalize_path($path);
return 0 if !defined($path); # should already die in API2::ACL
return $self->check_perm_modify($username, $path, $noerr);
} else {
die "unknown permission test";