[pmg-devel] [PATCH pmg-api 2/2] improve csrf backward compatibility

Stoiko Ivanov s.ivanov at proxmox.com
Fri Aug 16 16:02:23 CEST 2019


this patch follows the code in pve-access-control
e149b1c6c9954c07672d63f23f696d5b1e6c11d4)

and should enable us to update pve-common in PMG 5.x along with PVE again.

Tested by:
* logging into PMG (get csrf token)
a) installing only the previous patch:
   * POSTing (with the previously obtained token) -> 401
b) installing previous and this patch
   * POSTing (with the previously obtained token) -> 200

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 src/PMG/Ticket.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/PMG/Ticket.pm b/src/PMG/Ticket.pm
index b1408da..1cef4a9 100644
--- a/src/PMG/Ticket.pm
+++ b/src/PMG/Ticket.pm
@@ -132,6 +132,8 @@ PVE::INotify::register_file('auth_pub_key', $authpubkeyfn,
 			    $read_rsa_pub_key, undef, undef,
 			    noclone => 1);
 
+my $csrf_prevention_secret_legacy;
+
 my $read_csrf_secret = sub {
    my ($filename, $fh) = @_;
 
@@ -139,6 +141,8 @@ my $read_csrf_secret = sub {
 
    my $input = <$fh>;
 
+   $csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);
+
    return Digest::SHA::hmac_sha256_base64($input);
 };
 
@@ -151,6 +155,15 @@ sub verify_csrf_prevention_token {
 
     my $secret = PVE::INotify::read_file('csrf_secret');
 
+    # FIXME: remove with PMG 7
+    if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+        my $sig = $2;
+        if (length($sig) == 27) {
+            # the legacy secret got populated by read_file above
+            $secret = $csrf_prevention_secret_legacy;
+        }
+    }
+
     return PVE::Ticket::verify_csrf_prevention_token(
 	$secret, $username, $token, $min_ticket_lifetime,
 	$max_ticket_lifetime, $noerr);
-- 
2.20.1




More information about the pmg-devel mailing list