http-server: fix for api token csrf token check

Do not check any csrf tokens for auth with api tokens.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Lorenz Stechauner 2021-04-22 10:46:34 +02:00 committed by Thomas Lamprecht
parent e45f98ef8b
commit 7d11059e2d


@ -104,11 +104,13 @@ sub auth_handler {
$isUpload = 1;
}
# we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
# with native html forms, and it should not be necessary at all.
my $euid = $>;
PVE::AccessControl::verify_csrf_prevention_token($username, $token)
if !$isUpload && ($euid != 0) && ($method ne 'GET');
if (!$api_token) {
# we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
# with native html forms, and it should not be necessary at all.
my $euid = $>;
PVE::AccessControl::verify_csrf_prevention_token($username, $token)
if !$isUpload && ($euid != 0) && ($method ne 'GET');
}
}
return {
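Review bot: The new `if (!$api_token)` guard skips `verify_csrf_prevention_token` with no comment saying why that is safe; the only comment inside it still talks about file uploads. I would add a line above the guard such as `# API token auth is not an ambient browser credential, so no CSRF token is required`, assuming the token only ever arrives in an explicit request header, which this hunk does not show. The skip is sound only if `$api_token` is set solely when the request was actually authenticated with that token and never alongside a cookie ticket; that assignment is outside the hunk, so it is worth confirming before relying on it. auth_handler begins before and continues after the lines shown here.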