Do not check any csrf tokens for auth with api tokens.
Signed-off-by: Lorenz Stechauner <l.stechau...@proxmox.com>
---
 PVE/HTTPServer.pm | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index bfb753eb..7a3bf72b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,11 +104,13 @@ sub auth_handler {
 $isUpload = 1;
 }
- # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
- # with native html forms, and it should not be necessary at all.
- my $euid = $>;
- PVE::AccessControl::verify_csrf_prevention_token($username, $token)
- if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ if (!$api_token) {
+ # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
+ # with native html forms, and it should not be necessary at all.
+ my $euid = $>;
+ PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+ if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ }
 }
 return {
-- 
2.20.1
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
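Review bot: The new `if (!$api_token)` guard switches CSRF verification off on the truthiness of `$api_token` alone, and nothing in the hunk records why that is safe. Skipping the check is sound only if `$api_token` is populated solely from a credential the client has to attach explicitly (a request header) and never from a cookie or any other value a browser sends on its own; its assignment lies outside the hunk, since `auth_handler` starts and ends beyond it, so that should be confirmed there. I would state the invariant directly above the guard, for example `# API tokens are sent explicitly with each request, never attached automatically by a browser, so no CSRF token is required`. The existing upload comment now sits inside the block and explains only the `!$isUpload` condition, not the token exemption.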