proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-07-27 08:54:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

return correct 401 status code for unauthorized calls

Browse Source 
New HTTP::Server will delay the call by 3 seconds.
This commit is contained in:
Dietmar Maurer 2013-11-18 11:23:50 +01:00
parent 0baedcf727
commit fe2defd9d5
1 changed files with 1 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
PVE/API2/AccessControl.pm
View File

@ -2,7 +2,6 @@ package PVE::API2::AccessControl;
use strict;
use warnings;
use Time::HiRes qw(usleep gettimeofday tv_interval);
use PVE::Exception qw(raise raise_perm_exc);
use PVE::SafeSyslog;
@ -265,9 +264,6 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $res;
my $starttime = [gettimeofday];
eval {
# test if user exists and is enabled
$rpcenv->check_user_enabled($username);
@ -283,12 +279,7 @@ __PACKAGE__->register_method ({
my $clientip = $rpcenv->get_client_ip() || '';
syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
# do not return any info to prevent user enumeration attacks
# always try to delay exactly 3 seconds to prevent timing attacks
my $elapsed;
while (($elapsed = tv_interval($starttime)) < 3) {
usleep(int((3 - $elapsed)*1000000));
}
die "authentication failure\n";
die PVE::Exception->new("authentication failure\n", code => 401);
}
$res->{cap} = &$compute_api_permission($rpcenv, $username);