[pve-devel] r5742 - in pve-manager/trunk: . debian lib/PVE www/root www/root/server www/root/vmlist
svn-commits at proxmox.com
svn-commits at proxmox.com
Wed Mar 23 07:52:28 CET 2011
Author: dietmar
Date: 2011-03-23 07:52:28 +0100 (Wed, 23 Mar 2011)
New Revision: 5742
Modified:
pve-manager/trunk/ChangeLog
pve-manager/trunk/configure.in
pve-manager/trunk/debian/changelog.Debian
pve-manager/trunk/lib/PVE/HTMLDropDown.pm
pve-manager/trunk/lib/PVE/HTMLForm.pm
pve-manager/trunk/lib/PVE/HTMLUtils.pm
pve-manager/trunk/lib/PVE/Utils.pm
pve-manager/trunk/www/root/base.epl
pve-manager/trunk/www/root/server/reboot.htm
pve-manager/trunk/www/root/vmlist/index.htm
Log:
add anti CSRF tokens
Modified: pve-manager/trunk/ChangeLog
===================================================================
--- pve-manager/trunk/ChangeLog 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/ChangeLog 2011-03-23 06:52:28 UTC (rev 5742)
@@ -1,3 +1,19 @@
+2011-03-23 Proxmox Support Team <support at proxmox.com>
+
+ * lib/PVE/HTMLForm.pm (create_footer): add anti CSRF token
+
+ * lib/PVE/HTMLDropDown.pm (add_item): add anti CSRF token
+
+ * www/root/vmlist/index.htm: add anti CSRF token
+
+ * lib/PVE/HTMLUtils.pm: add anti CSRF token
+
+ * www/root/server/reboot.htm: add anti CSRF token
+
+ * lib/PVE/Utils.pm (sign_soap_ticket): moved to PVE::Utils
+ (get_page_token): used to prevent CSRF
+ (verify_page_token): used to prevent CSRF
+
2011-03-15 Proxmox Support Team <support at proxmox.com>
* bin/cron/daily/pve: use http_proxy if configured.
Modified: pve-manager/trunk/configure.in
===================================================================
--- pve-manager/trunk/configure.in 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/configure.in 2011-03-23 06:52:28 UTC (rev 5742)
@@ -4,7 +4,7 @@
prefix=/usr
-PACKAGERELEASE=13
+PACKAGERELEASE=14
AC_SUBST(PACKAGERELEASE)
REPOID=`svnversion .`
Modified: pve-manager/trunk/debian/changelog.Debian
===================================================================
--- pve-manager/trunk/debian/changelog.Debian 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/debian/changelog.Debian 2011-03-23 06:52:28 UTC (rev 5742)
@@ -1,3 +1,9 @@
+pve-manager (1.8-14) unstable; urgency=low
+
+ * protect against Cross Site Request Forgery (added anti-CSRF tokens)
+
+ -- Proxmox Support Team <support at proxmox.com> Wed, 23 Mar 2011 07:49:34 +0100
+
pve-manager (1.8-13) unstable; urgency=low
* use http_proxy in cron APL download if configured.
Modified: pve-manager/trunk/lib/PVE/HTMLDropDown.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLDropDown.pm 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/HTMLDropDown.pm 2011-03-23 06:52:28 UTC (rev 5742)
@@ -2,6 +2,7 @@
use strict;
use vars qw(@ISA);
+use PVE::Utils;
my $umenuid = 0;
@@ -19,6 +20,12 @@
sub add_item {
my ($self,$name,$link,$text,$img) = @_;
if (!(defined($self->{$name}->{count}))) { $self->{$name}->{count}=0; }
+
+ if ($link =~ m/(\?|\&|\&\;)action=/) {
+ my $ptoken = PVE::Utils::get_page_token();
+ $link .= "&ptoken=$ptoken";
+ }
+
$self->{$name}->{$self->{$name}->{count}}->{link} = $link;
$self->{$name}->{$self->{$name}->{count}}->{text} = $text;
$self->{$name}->{$self->{$name}->{count}}->{image} = $img;
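Review bot: The third alternative in `if ($link =~ m/(\?|\&|\&\;)action=/)` matches the literal two characters `&;`, which looks like an attempt at the entity `&amp;`; a link whose query separators are already entity-encoded (`&amp;action=`) matches none of the three alternatives, receives no token, and is then rejected by the new check in base.epl. If such links can reach add_item, `m/(?:\?|&|&amp;)action=/` covers them, and the appended `&ptoken=` should use the same separator style as the rest of the link. Here, as in action_button and the download link in HTMLUtils.pm, reboot.htm and vmlist/index.htm, the token travels in a GET URL and therefore ends up in browser history, Referer headers and access logs; with the five-hour acceptance window in verify_page_token that exposure is worth a comment at the token's definition, or a shorter window. add_item continues past the end of the hunk.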
Modified: pve-manager/trunk/lib/PVE/HTMLForm.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLForm.pm 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/HTMLForm.pm 2011-03-23 06:52:28 UTC (rev 5742)
@@ -383,7 +383,10 @@
sub create_footer {
my $self = shift;
- my $out = $self->create_element("form_$self->{name}_submit", 'hidden', 'post');
+ my $ptoken = PVE::Utils::get_page_token();
+ my $out = $self->create_element("ptoken", 'hidden', $ptoken);
+
+ $out .= $self->create_element("form_$self->{name}_submit", 'hidden', 'post');
$out .= "</form>";
return $out;
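Review bot: create_footer now calls `PVE::Utils::get_page_token()` but, unlike HTMLDropDown.pm, reboot.htm and vmlist/index.htm in this commit, no `use PVE::Utils;` is added to HTMLForm.pm (the same holds for the two HTMLUtils.pm hunks); unless the module is already loaded earlier in this file, the fully-qualified call only works because some other module happens to load PVE::Utils first. Adding `use PVE::Utils;` to the file's preamble makes the dependency explicit. The hidden field is emitted in front of `form_..._submit`, so it is posted with every form; a one-line comment such as `# anti-CSRF token, checked in base.epl for every non-GET request` would tell the next reader why the footer carries it. create_footer's closing brace is outside the hunk.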
Modified: pve-manager/trunk/lib/PVE/HTMLUtils.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLUtils.pm 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/HTMLUtils.pm 2011-03-23 06:52:28 UTC (rev 5742)
@@ -559,8 +559,9 @@
sub action_button {
my ($text, $action, $disabled) = @_;
+ my $ptoken = PVE::Utils::get_page_token();
my $dtext = $disabled ? 'disabled' : '';
- my $loc = "?action=$action";
+ my $loc = "?action=$action&ptoken=$ptoken";
return "<button $dtext type=button onclick='location=\"$loc\"'>$text</button>";
}
@@ -880,7 +881,8 @@
$html .= "<tr><td colspan=2><tr><td colspan=2>";
if ($download) {
- $html .= "<tr><td><td><a class=cmd href='?action=download&aa=$d->{template}'>start download</a>";
+ my $ptoken = PVE::Utils::get_page_token();
+ $html .= "<tr><td><td><a class=cmd href='?action=download&ptoken=$ptoken&aa=$d->{template}'>start download</a>";
}
$html .= "</table>";
Modified: pve-manager/trunk/lib/PVE/Utils.pm
===================================================================
--- pve-manager/trunk/lib/PVE/Utils.pm 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/Utils.pm 2011-03-23 06:52:28 UTC (rev 5742)
@@ -54,6 +54,40 @@
# authentication tickets
+my $page_token_cache;
+my $page_token_cache_time = 0;
+
+sub get_page_token {
+
+ my $ctime = time();
+
+ if (!$page_token_cache || (($ctime - $page_token_cache_time) > (60*30))) {
+ my $data = sprintf("%08x", $ctime);
+ my $digest = substr(Digest::SHA1::sha1_hex($data, $soap_secret), 0, 12);
+ $page_token_cache = "$data$digest";
+ $page_token_cache_time = $ctime;
+ }
+
+ return $page_token_cache;
+}
+
+sub verify_page_token {
+ my ($token) = @_;
+
+ return 0 if length($token) != 20;
+
+ my $ctime = time();
+ my $data = substr($token, 0, 8);
+ my $ttime = hex($data);
+
+ return 0 if ($ctime - $ttime) > (60*60*5); # 5 hours
+
+ my $tdigest = substr($token, 8);
+ my $digest = substr(Digest::SHA1::sha1_hex($data, $soap_secret), 0, 12);
+
+ return $tdigest eq $digest;
+}
+
sub sign_soap_ticket {
my ($ticket) = @_;
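Review bot: The token produced by get_page_token is derived only from the timestamp and `$soap_secret` (`sha1_hex($data, $soap_secret)`), so it carries no information about the user it was issued to: every user of this server receives the same token for a 30-minute period, and verify_page_token accepts any such token for five hours regardless of who presents it. A CSRF token protects only as far as it is bound to the victim's session, so the digest input should include the authenticated user's identity, e.g. `my $digest = substr(Digest::SHA1::sha1_hex($data, $username, $soap_secret), 0, 12);`, with the cache keyed by that identity and verify_page_token recomputing with the identity of the current session. A keyed construction such as Digest::HMAC_SHA1 would be the conventional choice over concatenating the secret, though with a fixed-length input and a suffixed secret the practical difference is small here. The new subs also sit under the pre-existing `# authentication tickets` comment; a short header such as `# page (anti-CSRF) token: 8 hex chars of issue time + 12 hex chars of keyed digest, rotated every 30 min, accepted for 5 h` would document the format both routines assume. `$soap_secret` is presumably a module-level secret defined outside the hunk.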
Modified: pve-manager/trunk/www/root/base.epl
===================================================================
--- pve-manager/trunk/www/root/base.epl 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/www/root/base.epl 2011-03-23 06:52:28 UTC (rev 5742)
@@ -72,6 +72,10 @@
admin => __("Administration"),
};
+ if ($fdat{action} || ($req_rec->method ne 'GET')) {
+ die "permission denied" if !$fdat{ptoken} || !PVE::Utils::verify_page_token($fdat{ptoken});
+ }
+
if ($fdat{action}) {
$args{action} = undef;
$args{aa} = undef;
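Review bot: `$req_rec->method ne 'GET'` treats HEAD (and OPTIONS) requests as state-changing, so a HEAD request without a token now dies with "permission denied" although it cannot change anything; `if ($fdat{action} || $req_rec->method !~ m/\A(?:GET|HEAD)\z/)` keeps the protection for POST while letting the safe methods through. The other trigger is the presence of `$fdat{action}`, so a GET handler that changes state under a different parameter name would not be covered; I cannot tell from this hunk whether such handlers exist, but the assumption deserves a comment, e.g. `# every state change must arrive as a POST or as ?action=..., both of which require a valid ptoken`. The enclosing block starts before the hunk.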
Modified: pve-manager/trunk/www/root/server/reboot.htm
===================================================================
--- pve-manager/trunk/www/root/server/reboot.htm 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/www/root/server/reboot.htm 2011-03-23 06:52:28 UTC (rev 5742)
@@ -2,6 +2,7 @@
use strict;
use PVE::I18N;
use PVE::ConfigServer;
+ use PVE::Utils;
use PVE::HTMLUtils;
!]
@@ -29,7 +30,8 @@
}
if ($fdat{state} eq 'confirm') {
- my $ref = "reboot.htm?m3=0&action=reboot";
+ my $ptoken = PVE::Utils::get_page_token();
+ my $ref = "reboot.htm?m3=0&action=reboot&ptoken=$ptoken";
if ($fdat{poweroff}) {
$ref .= "&poweroff=1";
my $msg = __("Do you really want to shutdown the Server?");
Modified: pve-manager/trunk/www/root/vmlist/index.htm
===================================================================
--- pve-manager/trunk/www/root/vmlist/index.htm 2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/www/root/vmlist/index.htm 2011-03-23 06:52:28 UTC (rev 5742)
@@ -2,6 +2,7 @@
use strict;
use PVE::pvecfg;
use PVE::I18N;
+ use PVE::Utils;
use PVE::ConfigServer;
use PVE::HTMLTable;
use PVE::Config;
@@ -49,7 +50,8 @@
my $msg = PVE::HTMLUtils::msg ('confirm_remove');
$msg = sprintf ($msg, $fdat{veid});
- my $href = "?action=destroy&cid=$fdat{cid}&veid=$fdat{veid}&type=$fdat{type}";
+ my $ptoken = PVE::Utils::get_page_token();
+ my $href = "?action=destroy&ptoken=$ptoken&cid=$fdat{cid}&veid=$fdat{veid}&type=$fdat{type}";
print OUT PVE::HTMLUtils::create_confirmframe ($msg, __("Remove"), $href, $fdat{__uri});