improve CSRF compat with older PVE

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2025-06-14 05:56:27 +00:00 · 2019-06-26 19:34:13 +02:00 · 2019-06-26 19:34:13 +02:00 · e149b1c6c9
commit e149b1c6c9
parent a237dc2e76
1 changed files with 12 additions and 1 deletions
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@ -212,10 +212,12 @@ sub rotate_authkey {
 }

 my $csrf_prevention_secret;
+my $csrf_prevention_secret_legacy;
 my $get_csrfr_secret = sub {
    if (!$csrf_prevention_secret) {
 	my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
 	$csrf_prevention_secret = Digest::SHA::hmac_sha256_base64($input);
+	$csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);
    }
    return $csrf_prevention_secret;
 };
@ -231,7 +233,16 @@ sub assemble_csrf_prevention_token {
 sub verify_csrf_prevention_token {
    my ($username, $token, $noerr) = @_;

-    my $secret =  &$get_csrfr_secret();
+    my $secret = $get_csrfr_secret->();
+
+    # FIXME: remove with PVE 7 and/or refactor all into PVE::Ticket ?
+    if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+	my $sig = $2;
+	if (length($sig) == 27) {
+	    # the legacy secret got populated by above get_csrfr_secret call
+	    $secret = $csrf_prevention_secret_legacy;
+	}
+    }

    return PVE::Ticket::verify_csrf_prevention_token(
 	$secret, $username, $token, -300, $ticket_lifetime, $noerr);