proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-05-01 06:09:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

handler: only allow downloads for annotated endpoints

Browse Source 
only a few API endpoints should allow downloads, mark them explicitly and
forbid downloading for the rest.

Fixes: 6d832db ("allow 'download' to be passed from API handler")

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit bbe9b072516730890531a94c3b65024198df0188)
This commit is contained in:
Fabian Grünbichler 2024-09-20 13:42:30 +02:00 committed by Thomas Lamprecht
parent 459297a597
commit 67b08d684c
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/PVE/APIServer/AnyEvent.pm
View File

@ -963,8 +963,12 @@ sub handle_api2_request {
$download //= $res->{data}->{download}
if defined($res->{data}) && ref($res->{data}) eq 'HASH';
if (defined($download)) {
send_file_start($self, $reqstate, $download);
return;
if ($res->{info}->{download}) {
send_file_start($self, $reqstate, $download);
return;
} else {
warn "Download attempted for non-marked API endpoint '$path'\n";
}
}
my ($raw, $ct, $nocomp) = $formatter->($res, $res->{data}, $params, $path,