Proxmox/pve-manager
5
0
Fork 0
Code Pull Requests Releases Activity

http server: comment and refactor CSRF skip-check logic

Browse Source 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2021-04-22 11:10:48 +02:00
parent 7d11059e2d
commit 736b919d04
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
PVE/HTTPServer.pm
View File

@ -104,12 +104,13 @@ sub auth_handler {
$isUpload = 1; $isUpload = 1;
} }
if (!$api_token) { # Skip CSRF check for file upload (difficult to pass CSRF header with native html forms).
# we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers # Also skip the check with API tokens, as one of the design goals of API tokens was to
# with native html forms, and it should not be necessary at all. # provide stateless API access without requiring round-trips to get such CSRF tokens.
# CSRF-prevention also does not make much sense outside of the browser context.
if ($method ne 'GET' && !($api_token || $isUpload)) {
my $euid = $>; my $euid = $>;
PVE::AccessControl::verify_csrf_prevention_token($username, $token) PVE::AccessControl::verify_csrf_prevention_token($username, $token) if $euid != 0;
if !$isUpload && ($euid != 0) && ($method ne 'GET');
} }
} }