[pve-devel] r5751 - in pve-access-control/trunk: . PVE PVE/API2
svn-commits at proxmox.com
svn-commits at proxmox.com
Thu Mar 24 10:03:09 CET 2011
Author: dietmar
Date: 2011-03-24 10:03:09 +0100 (Thu, 24 Mar 2011)
New Revision: 5751
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/API2/AccessControl.pm
pve-access-control/trunk/PVE/AccessControl.pm
Log:
add CSRF code
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-03-24 08:51:03 UTC (rev 5750)
+++ pve-access-control/trunk/ChangeLog 2011-03-24 09:03:09 UTC (rev 5751)
@@ -1,3 +1,8 @@
+2011-03-24 Proxmox Support Team <support at proxmox.com>
+
+ * PVE/AccessControl.pm (verify_csrf_prevention_token): add CSRF
+ prevention code
+
2011-03-23 Proxmox Support Team <support at proxmox.com>
* PVE/RPCEnvironment.pm (active_workers): simple log rotation when
Modified: pve-access-control/trunk/PVE/API2/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/AccessControl.pm 2011-03-24 08:51:03 UTC (rev 5750)
+++ pve-access-control/trunk/PVE/API2/AccessControl.pm 2011-03-24 09:03:09 UTC (rev 5751)
@@ -123,6 +123,7 @@
type => "object",
properties => {
ticket => { type => 'string' },
+ CSRFPreventionToken => { type => 'string' },
}
},
code => sub {
@@ -135,6 +136,7 @@
my $clientip = $rpcenv->get_client_ip() || '';
my $ticket;
+ my $token;
eval {
if ($param->{path} && $param->{privs}) {
@@ -153,6 +155,7 @@
$username = PVE::AccessControl::authenticate_user($username, $param->{password});
}
$ticket = PVE::AccessControl::assemble_ticket($username);
+ $token = PVE::AccessControl::assemble_csrf_prevention_token($ticket);
};
if (my $err = $@) {
syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
@@ -163,6 +166,7 @@
return {
ticket => $ticket,
+ CSRFPreventionToken => $token,
};
}});
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-03-24 08:51:03 UTC (rev 5750)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-03-24 09:03:09 UTC (rev 5751)
@@ -23,6 +23,7 @@
my $authpubkeyfn = "$confdir/authkey.pub";
my $shadowconfigfile = "priv/shadow.cfg";
my $domainconfigfile = "domains.cfg";
+my $pve_www_key_fn = "$confdir/pve-www.key";
my $ticket_lifetime = 3600*2; # 2 hours
@@ -89,6 +90,31 @@
return $pve_auth_pub_key;
}
+my $csrf_prevention_secret;
+my $get_csrfr_secret = sub {
+ if (!$csrf_prevention_secret) {
+ my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
+ $csrf_prevention_secret = Digest::SHA::sha1_base64($input);
+ }
+ return $csrf_prevention_secret;
+};
+
+sub assemble_csrf_prevention_token {
+ my ($ticket) = @_;
+ return Digest::SHA::sha1_base64($ticket, &$get_csrfr_secret());
+}
+
+sub verify_csrf_prevention_token {
+ my ($ticket, $token, $noerr) = @_;
+
+ my $digest = Digest::SHA::sha1_base64($ticket, &$get_csrfr_secret());
+ return if $digest eq $token;
+
+ die "Permission denied - invalid csrf token\n" if !$noerr;
+
+ return undef;
+}
+
my $pve_auth_priv_key;
sub get_privkey {
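Review bot: `verify_csrf_prevention_token` gives a caller that passes `$noerr` no way to tell a valid token from an invalid one, because `return if $digest eq $token;` yields undef in scalar context and so does the `return undef;` reached on a mismatch. Returning a true value on a match, `return 1 if $digest eq $token;`, makes the result usable as a boolean. Separately, both `assemble_csrf_prevention_token` and the verifier build the token as `sha1_base64($ticket, secret)`, a plain hash over the concatenated inputs; a keyed MAC such as `Digest::SHA::hmac_sha256_base64($ticket, &$get_csrfr_secret())`, applied in both functions, is the usual construction for a value that must not be forgeable without the secret. `get_privkey`, which starts on the last line, continues outside the hunk.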