proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-07-03 21:18:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pass through streaming: only allow from privileged local pvedaemon

Browse Source 
Ensures that no external request can control streaming on proxying
requests as safety net for when we'd have another issue in the
request handling part.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2022-07-02 07:59:50 +02:00
parent 42bb4f3725
commit 3967071623
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/PVE/APIServer/AnyEvent.pm
View File

@ -699,10 +699,12 @@ sub proxy_request {
return; return;
} }
my $may_stream_file;
if ($host eq 'localhost') { if ($host eq 'localhost') {
$target = "http://$host:85$uri"; $target = "http://$host:85$uri";
# keep alive for localhost is not worth (connection setup is about 0.2ms) # keep alive for localhost is not worth (connection setup is about 0.2ms)
$keep_alive = 0; $keep_alive = 0;
$may_stream_file = 1;
} elsif (Net::IP::ip_is_ipv6($host)) { } elsif (Net::IP::ip_is_ipv6($host)) {
$target = "https://[$host]:8006$uri"; $target = "https://[$host]:8006$uri";
} else { } else {
@ -788,6 +790,10 @@ sub proxy_request {
$header->header(Location => $location); $header->header(Location => $location);
} }
if ($stream) { if ($stream) {
if (!$may_stream_file) {
$self->error($reqstate, 403, 'streaming denied');
return;
}
sysopen(my $fh, "$stream", O_NONBLOCK | O_RDONLY) sysopen(my $fh, "$stream", O_NONBLOCK | O_RDONLY)
or die "open stream path '$stream' for forwarding failed: $!\n"; or die "open stream path '$stream' for forwarding failed: $!\n";
my $resp = HTTP::Response->new($code, $msg, $header, undef); my $resp = HTTP::Response->new($code, $msg, $header, undef);