proxy request: assert that API url starts with a slash

We implicitly assume that to be the case when assembling the target
URL, so assert it explicitly as it's user controlled input.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht 2022-07-02 07:56:12 +02:00
parent f325788131
commit 42bb4f3725

@ -691,6 +691,14 @@ sub proxy_request {
eval { eval {
my $target; my $target;
my $keep_alive = 1; my $keep_alive = 1;
# stringify URI object and verify it starts with a slash
$uri = "$uri";
if ($uri !~ m@^/@) {
$self->error($reqstate, 400, "invalid proxy uri");
return;
}
if ($host eq 'localhost') { if ($host eq 'localhost') {
$target = "http://$host:85$uri"; $target = "http://$host:85$uri";
# keep alive for localhost is not worth (connection setup is about 0.2ms) # keep alive for localhost is not worth (connection setup is about 0.2ms)
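
Review bot: The `return;` that follows `$self->error($reqstate, 400, "invalid proxy uri");` sits inside the `eval {` block opened at the top of this hunk, and in Perl a `return` there leaves only the eval, not `proxy_request`. Execution then continues with whatever follows the eval with `$@` empty, so please confirm that the code after the block does not act on the request a second time once the 400 has been sent; if it can, move the check above the `eval {` so that the `return` leaves the sub. A smaller point on the same lines: `m@^/@` checks only the first character, so a short comment saying what the assertion guarantees for `"http://$host:85$uri"` would help the next reader judge whether it is sufficient.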