From 3967071623e54c622fb4e22d094936ded10c263f Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Sat, 2 Jul 2022 07:59:50 +0200
Subject: [PATCH] pass through streaming: only allow from privileged local
 pvedaemon

Ensures that no external request can control streaming on proxying
requests as safety net for when we'd have another issue in the
request handling part.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/APIServer/AnyEvent.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 618f236..8afe142 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -699,10 +699,12 @@ sub proxy_request {
 	    return;
 	}
 
+	my $may_stream_file;
 	if ($host eq 'localhost') {
 	    $target = "http://$host:85$uri";
 	    # keep alive for localhost is not worth (connection setup is about 0.2ms)
 	    $keep_alive = 0;
+	    $may_stream_file = 1;
 	} elsif (Net::IP::ip_is_ipv6($host)) {
 	    $target = "https://[$host]:8006$uri";
 	} else {
@@ -788,6 +790,10 @@ sub proxy_request {
 			$header->header(Location => $location);
 		    }
 		    if ($stream) {
+			if (!$may_stream_file) {
+			    $self->error($reqstate, 403, 'streaming denied');
+			    return;
+			}
 			sysopen(my $fh, "$stream", O_NONBLOCK | O_RDONLY)
 			    or die "open stream path '$stream' for forwarding failed: $!\n";
 			my $resp = HTTP::Response->new($code, $msg, $header, undef);