* [pve-devel] [PATCH manager] http-server: fix for api token csrf token check
@ 2021-04-22 8:46 Lorenz Stechauner
2021-04-22 9:29 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Lorenz Stechauner @ 2021-04-22 8:46 UTC (permalink / raw)
To: pve-devel
Do not check any csrf tokens for auth with api tokens.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
PVE/HTTPServer.pm | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index bfb753eb..7a3bf72b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,11 +104,13 @@ sub auth_handler {
$isUpload = 1;
}
- # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
- # with native html forms, and it should not be necessary at all.
- my $euid = $>;
- PVE::AccessControl::verify_csrf_prevention_token($username, $token)
- if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ if (!$api_token) {
+ # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
+ # with native html forms, and it should not be necessary at all.
+ my $euid = $>;
+ PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+ if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ }
}
return {
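Review bot: the new `if (!$api_token)` guard has no comment explaining why requests authenticated with an API token are exempt from the CSRF check, while the upload exemption directly beneath it keeps its explanatory comment; add a line before the guard such as `# API tokens are not tied to a browser session, so CSRF prevention does not apply`, since the `verify_csrf_prevention_token($username, $token)` call with its trailing `if !$isUpload && ($euid != 0) && ($method ne 'GET');` modifier is easy to misread once nested one level deeper. It is also worth confirming that `$api_token` is only set after the token has actually been validated for this request (its assignment is outside this hunk), so that a request merely carrying a token header cannot skip the check.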
--
2.20.1
* [pve-devel] applied: [PATCH manager] http-server: fix for api token csrf token check
2021-04-22 8:46 [pve-devel] [PATCH manager] http-server: fix for api token csrf token check Lorenz Stechauner
@ 2021-04-22 9:29 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-04-22 9:29 UTC (permalink / raw)
To: Proxmox VE development discussion, Lorenz Stechauner
On 22.04.21 10:46, Lorenz Stechauner wrote:
> Do not check any csrf tokens for auth with api tokens.
>
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
> PVE/HTTPServer.pm | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
>
applied, thanks! Added an actual comment explaining this and the why
in a followup commit...