On 4/29/21 15:22, Thomas Lamprecht wrote:
On 29.04.21 13:54, Dominik Csapak wrote:
On 4/28/21 16:13, Lorenz Stechauner wrote:
   +__PACKAGE__->register_method({
+    name => 'retrieve',
+    path => '{storage}/retrieve',
+    method => 'POST',
+    description => "Download templates and ISO images by using an URL.",
+    permissions => {
+    check => ['perm', '/storage/{storage}', ['Datastore.AllocateTemplate']],
+    },
+    protected => 1,
+    parameters => {
+    additionalProperties => 0,
+    properties => {
+        node => get_standard_option('pve-node'),
+        storage => get_standard_option('pve-storage-id'),
+        url => {
+        description => "The URL to retrieve the file from.",
+        type => 'string',
+        },
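Review bot: the url property at the end of this hunk is a bare type => 'string' with no pattern, format or maxLength, while the only gate on the method is Datastore.AllocateTemplate on the storage and the method is marked protected => 1. I would at least restrict the schema to http and https URLs (for example a pattern anchored on ^https?://), bound the length, and say in the description which schemes are accepted, so that the restriction is enforced by the API schema before the handler runs.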

i am not quite sure if it is a good idea to have this feature
unrestricted for everybody who can download a template

it possibly gives access to an internal network to which
the user does not have access otherwise...

maybe we want to give the admin control over allow- and/or blocklists ?

I do not want such lists, PITA to manage for everybody.

understandable, was just the first thing that came to my mind


Maybe we can just allow it only for users with Sys.Modify + Sys.Audit on / ?

We could also enforce that it needs to be a hostname (no IP) and/or resolve
to something out of the priv. network ranges, at least if the aforementioned
privs are not set.

yes, sounds good, but then we have to disallow redirects


Another idea would be enforcing the URL to match something like /\.(iso|img)$/
and not being too informative on errors to avoid allowing to see which hosts are
on/offline in a network. With that one could make this pretty safe I think.

mhmm.. could work, but then we'd have to use a fixed timeout
(like on authentication) to avoid timing based probes




+        insecure => {
+        description => "Allow TLS certificates to be invalid.",
+        type => 'boolean',
+        optional => 1,
+        } > +    },
+    },
+    returns => {
+    type => "object",
+    properties => {
+        filename => { type => 'string' },
+        upid => { type => 'string' },
+        size => {
+        type => 'integer',
+        renderer => 'bytes',
+        },
+    },
+    },
+    code => sub {
+    my ($param) = @_;
+
+    my @hash_algs = ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'];
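Review bot: on the last line of this hunk, my @hash_algs = ['md5', ...] assigns an array reference to an array, so @hash_algs holds one element (the reference) and any later loop or membership test over it will not see the six algorithm names. Use parentheses, my @hash_algs = ('md5', ...), or keep a scalar reference, my $hash_algs = [...]. Separately, the description of insecure could state that the server is then not authenticated by TLS, since the flag is available under the same permission check as a normal download.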

as written above, can be handled by api

and could be actually auto-detected too, at least optionally? All those are
pretty much unique already in length, IIRC.




_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
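
The restrictions floated in this thread (host name only, resolution outside private ranges, the /\.(iso|img)$/ pattern, one uninformative error), sketched as an added Python example; it is not code from the patch or from Proxmox. The names url_allowed, check_url, sample_resolver and the SAMPLE_DNS table are hypothetical, and it is an assumption that callers with Sys.Modify + Sys.Audit on / skip only the network checks.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_EXT = re.compile(r"\.(iso|img)$")  # pattern suggested in the thread
# Constructed name-to-address table so the example runs offline.
SAMPLE_DNS = {"mirror.example": {"93.184.216.34"},
              "intranet.example": {"10.0.0.5"},
              "mixed.example": {"93.184.216.34", "192.168.1.10"}}

class Rejected(Exception):
    """Raised with one generic message for every refusal."""

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("constructed: unknown host")
    return SAMPLE_DNS[host]

def system_resolver(host):
    # All addresses the name maps to; IPv6 scope ids are stripped.
    return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)}

def url_allowed(url, privileged=False, resolver=system_resolver):
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if (parts.scheme not in ("http", "https") or not host
            or not ALLOWED_EXT.search(parts.path)):
        return False
    if privileged:  # assumption: caller holds Sys.Modify + Sys.Audit on /
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literal instead of a host name
    except ValueError:
        pass
    try:
        addrs = resolver(host)
    except OSError:
        return False
    # Every address must be publicly routable, or the name is refused.
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def check_url(url, **kw):
    if not url_allowed(url, **kw):
        raise Rejected("download not permitted")
```

The download itself has to connect to the addresses checked here and refuse redirects, as noted in the thread, otherwise the check is bypassed.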
