[pve-devel] [PATCH manager] http-server: fix for api token csrf token check

Lorenz Stechauner l.stechauner at proxmox.com
Thu Apr 22 10:46:34 CEST 2021


Do not check any csrf tokens for auth with api tokens.

Signed-off-by: Lorenz Stechauner <l.stechauner at proxmox.com>
---
 PVE/HTTPServer.pm | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index bfb753eb..7a3bf72b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,11 +104,13 @@ sub auth_handler {
 	    $isUpload = 1;
 	}
 
-	# we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
-	# with native html forms, and it should not be necessary at all.
-	my $euid = $>;
-	PVE::AccessControl::verify_csrf_prevention_token($username, $token)
-	    if !$isUpload && ($euid != 0) && ($method ne 'GET');
+	if (!$api_token) {
+	    # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
+	    # with native html forms, and it should not be necessary at all.
+	    my $euid = $>;
+	    PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+		if !$isUpload && ($euid != 0) && ($method ne 'GET');
+	}
     }
 
     return {
-- 
2.20.1




More information about the pve-devel mailing list