[pve-devel] [PATCH manager] http-server: fix for api token csrf token check
Lorenz Stechauner
l.stechauner at proxmox.com
Thu Apr 22 10:46:34 CEST 2021
Do not check any csrf tokens for auth with api tokens.
Signed-off-by: Lorenz Stechauner <l.stechauner at proxmox.com>
---
PVE/HTTPServer.pm | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index bfb753eb..7a3bf72b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,11 +104,13 @@ sub auth_handler {
$isUpload = 1;
}
- # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
- # with native html forms, and it should not be necessary at all.
- my $euid = $>;
- PVE::AccessControl::verify_csrf_prevention_token($username, $token)
- if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ if (!$api_token) {
+ # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
+ # with native html forms, and it should not be necessary at all.
+ my $euid = $>;
+ PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+ if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ }
}
return {
--
2.20.1
More information about the pve-devel
mailing list