public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH manager] http-server: fix for api token csrf token check
@ 2021-04-22  8:46 Lorenz Stechauner
  2021-04-22  9:29 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Lorenz Stechauner @ 2021-04-22  8:46 UTC (permalink / raw)
  To: pve-devel

Do not check any csrf tokens for auth with api tokens.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 PVE/HTTPServer.pm | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index bfb753eb..7a3bf72b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,11 +104,13 @@ sub auth_handler {
 	    $isUpload = 1;
 	}
 
-	# we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
-	# with native html forms, and it should not be necessary at all.
-	my $euid = $>;
-	PVE::AccessControl::verify_csrf_prevention_token($username, $token)
-	    if !$isUpload && ($euid != 0) && ($method ne 'GET');
+	if (!$api_token) {
+	    # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
+	    # with native html forms, and it should not be necessary at all.
+	    my $euid = $>;
+	    PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+		if !$isUpload && ($euid != 0) && ($method ne 'GET');
+	}
     }
 
     return {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 2+ messages in thread
* [pve-devel] applied: [PATCH manager] http-server: fix for api token csrf token check
  2021-04-22  8:46 [pve-devel] [PATCH manager] http-server: fix for api token csrf token check Lorenz Stechauner
@ 2021-04-22  9:29 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-04-22  9:29 UTC (permalink / raw)
  To: Proxmox VE development discussion, Lorenz Stechauner

On 22.04.21 10:46, Lorenz Stechauner wrote:
> Do not check any csrf tokens for auth with api tokens.
> 
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
>  PVE/HTTPServer.pm | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
>

applied, thanks! Added an actual comment explaining this and the why
in a followup commit...




^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-22  9:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-22  8:46 [pve-devel] [PATCH manager] http-server: fix for api token csrf token check Lorenz Stechauner
2021-04-22  9:29 ` [pve-devel] applied: " Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal