From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lstechauner@dana.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 8671D752F8
 for <pve-devel@lists.proxmox.com>; Wed, 21 Apr 2021 13:59:51 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 752D9E995
 for <pve-devel@lists.proxmox.com>; Wed, 21 Apr 2021 13:59:51 +0200 (CEST)
Received: from dana.proxmox.com (unknown [94.136.29.99])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 5254EE98D
 for <pve-devel@lists.proxmox.com>; Wed, 21 Apr 2021 13:59:47 +0200 (CEST)
Received: by dana.proxmox.com (Postfix, from userid 10037)
 id 395771C4D5A; Wed, 21 Apr 2021 13:59:47 +0200 (CEST)
From: Lorenz Stechauner <l.stechauner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Wed, 21 Apr 2021 13:59:43 +0200
Message-Id: <20210421115943.100078-1-l.stechauner@proxmox.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  2
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery
 methods
 NO_DNS_FOR_FROM         0.379 Envelope sender has no MX or A DNS records
 RDNS_NONE 1.274 Delivered to internal network by a host with no rDNS
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_NONE                0.001 SPF: sender does not publish an SPF Record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [httpserver.pm]
Subject: [pve-devel] [PATCH manager] fix #3389: Skip CSRF token check also
 for API tokens on file upload
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 11:59:51 -0000

On file upload, the check for CSRF tokens was already skipped
when performing user authentication.This now happens for API
tokens also.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 PVE/HTTPServer.pm | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 64976c7c..63b8583e 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -79,8 +79,8 @@ sub auth_handler {
 
     if ($require_auth) {
 	if ($api_token) {
+	    # returns tokenid actually
 	    $username = PVE::AccessControl::verify_token($api_token);
-	    $rpcenv->set_user($username); #actually tokenid in this case
 	} else {
 	    die "No ticket\n" if !$ticket;
 
@@ -94,25 +94,25 @@ sub auth_handler {
 		die "No ticket\n"
 		    if ($rel_uri ne '/access/tfa' || $method ne 'POST');
 	    }
+	}
 
-	    $rpcenv->set_user($username);
-
-	    if ($method eq 'POST' && $rel_uri =~ m|^/nodes/([^/]+)/storage/([^/]+)/upload$|) {
-		my ($node, $storeid) = ($1, $2);
-		# we disable CSRF checks if $isUpload is set,
-		# to improve security we check user upload permission here
-		my $perm = { check => ['perm', "/storage/$storeid", ['Datastore.AllocateTemplate']] };
-		$rpcenv->check_api2_permissions($perm, $username, {});
-		$isUpload = 1;
-	    }
+	$rpcenv->set_user($username);
 
-	    # we skip CSRF check for file upload, because it is
-	    # difficult to pass CSRF HTTP headers with native html forms,
-	    # and it should not be necessary at all.
-	    my $euid = $>;
-	    PVE::AccessControl::verify_csrf_prevention_token($username, $token)
-		if !$isUpload && ($euid != 0) && ($method ne 'GET');
+	if ($method eq 'POST' && $rel_uri =~ m|^/nodes/([^/]+)/storage/([^/]+)/upload$|) {
+	    my ($node, $storeid) = ($1, $2);
+	    # we disable CSRF checks if $isUpload is set,
+	    # to improve security we check user upload permission here
+	    my $perm = { check => ['perm', "/storage/$storeid", ['Datastore.AllocateTemplate']] };
+	    $rpcenv->check_api2_permissions($perm, $username, {});
+	    $isUpload = 1;
 	}
+
+	# we skip CSRF check for file upload, because it is
+	# difficult to pass CSRF HTTP headers with native html forms,
+	# and it should not be necessary at all.
+	my $euid = $>;
+	PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+	    if !$isUpload && ($euid != 0) && ($method ne 'GET');
     }
 
     return {
-- 
2.20.1