add new hook function to generate CSRF token

This avoids the reference to PVE::AccessControl.
Dietmar Maurer 2017-01-14 13:16:59 +01:00
parent 8001eb275f
commit a3bb607024
4 changed files with 23 additions and 18 deletions


@ -738,7 +738,8 @@ sub handle_api2_request {
$delay = 0 if $delay < 0; $delay = 0 if $delay < 0;
} }
my ($raw, $ct, $nocomp) = &$formatter($res, $res->{data}, $params, $path, $auth); my $csrfgen_func = $self->can('generate_csrf_prevention_token');
my ($raw, $ct, $nocomp) = &$formatter($res, $res->{data}, $params, $path, $auth, $csrfgen_func);
my $resp; my $resp;
if (ref($raw) && (ref($raw) eq 'HTTP::Response')) { if (ref($raw) && (ref($raw) eq 'HTTP::Response')) {
@ -1658,6 +1659,13 @@ sub verify_spice_connect_url {
#return ($vmid, $node, $port); #return ($vmid, $node, $port);
} }
# formatters can call this when the generate a new page
sub generate_csrf_prevention_token {
my ($username) = @_;
return undef; # do nothing by default
}
sub auth_handler { sub auth_handler {
my ($self, $method, $rel_uri, $ticket, $token) = @_; my ($self, $method, $rel_uri, $ticket, $token) = @_;
@ -1673,7 +1681,6 @@ sub auth_handler {
#}; #};
} }
sub rest_handler { sub rest_handler {
my ($self, $clientip, $method, $rel_uri, $auth, $params) = @_; my ($self, $clientip, $method, $rel_uri, $auth, $params) = @_;
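Review bot: The default `generate_csrf_prevention_token` added in the second hunk returns undef silently, so a server that never overrides it still serves its HTML pages, just without a CSRF token, and nothing in the log says so; at minimum a `warn` in the default would make a missing override visible. Because `handle_api2_request` resolves the hook with `$self->can(...)` but the formatter invokes it as a plain function with only `$username`, an override written with a method signature would receive the username in `$self`, so the header comment should spell the contract out, e.g. `# Hook: looked up via $self->can() but called as a plain function with ($username) only; override with that signature, not ($self, $username).` The bare `return undef;` is better written as `return;` so a list-context caller does not receive a one-element list. `auth_handler` and `rest_handler` continue outside the hunks.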


@ -6,8 +6,6 @@ use URI::Escape;
use HTML::Entities; use HTML::Entities;
use JSON; use JSON;
use PVE::AccessControl; # to generate CSRF token
# Helpers to generate simple html pages using Bootstrap markup. # Helpers to generate simple html pages using Bootstrap markup.
my $jssrc = <<_EOJS; my $jssrc = <<_EOJS;
@ -64,15 +62,15 @@ PVE = {
_EOJS _EOJS
sub new { sub new {
my ($class, $res, $url, $auth) = @_; my ($class, $res, $url, $auth, $csrfgen_func) = @_;
my $self = bless { my $self = bless {
url => $url, url => $url,
js => '', js => '',
}; };
if (my $username = $res->{auth}->{userid}) { if (my $username = $auth->{userid}) {
$self->{csrftoken} = PVE::AccessControl::assemble_csrf_prevention_token($username); $self->{csrftoken} = &$csrfgen_func($username);
} }
return $self; return $self;
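Review bot: `&$csrfgen_func($username)` in the `new` hunk dereferences the new sixth argument unconditionally, so a caller still using the previous four-argument form of `Bootstrap->new`, or one passing undef, dies at runtime as soon as a userid is present. Since a missing generator means a page rendered without CSRF protection, fail explicitly instead of guessing: `die "no CSRF token generator supplied\n" unless ref($csrfgen_func) eq 'CODE';` before the `if`, and invoke it as `$self->{csrftoken} = $csrfgen_func->($username);`. The switch from `$res->{auth}->{userid}` to `$auth->{userid}` presumably names the same user; if the two can ever differ, a one-line comment saying which is authoritative would help. The closing of `new` lies outside the hunk.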


@ -167,14 +167,14 @@ PVE::APIServer::Formatter::register_login_formatter($portal_format, sub {
}); });
PVE::APIServer::Formatter::register_formatter($portal_format, sub { PVE::APIServer::Formatter::register_formatter($portal_format, sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
# fixme: clumsy! # fixme: clumsy!
PVE::APIServer::Formatter::Standard::prepare_response_data($portal_format, $res); PVE::APIServer::Formatter::Standard::prepare_response_data($portal_format, $res);
$data = $res->{data}; $data = $res->{data};
my $html = ''; my $html = '';
my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth); my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth, $csrfgen_func);
if (!HTTP::Status::is_success($res->{status})) { if (!HTTP::Status::is_success($res->{status})) {
$html .= $doc->alert(text => "Error $res->{status}: $res->{message}"); $html .= $doc->alert(text => "Error $res->{status}: $res->{message}");
@ -248,9 +248,9 @@ PVE::APIServer::Formatter::register_page_formatter(
method => 'GET', method => 'GET',
path => "/access/ticket", path => "/access/ticket",
code => sub { code => sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth); my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth, $csrfgen_func);
my $html = &$login_form($doc); my $html = &$login_form($doc);
@ -263,7 +263,7 @@ PVE::APIServer::Formatter::register_page_formatter(
method => 'POST', method => 'POST',
path => "/access/ticket", path => "/access/ticket",
code => sub { code => sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
if (HTTP::Status::is_success($res->{status})) { if (HTTP::Status::is_success($res->{status})) {
my $cookie = PVE::APIServer::Formatter::create_auth_cookie( my $cookie = PVE::APIServer::Formatter::create_auth_cookie(
@ -277,7 +277,7 @@ PVE::APIServer::Formatter::register_page_formatter(
# Note: HTTP server redirects to 'GET /access/ticket', so below # Note: HTTP server redirects to 'GET /access/ticket', so below
# output is not really visible. # output is not really visible.
my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth); my $doc = PVE::APIServer::Formatter::Bootstrap->new($res, $path, $auth, $csrfgen_func);
my $html = &$login_form($doc); my $html = &$login_form($doc);


@ -47,7 +47,7 @@ sub prepare_response_data {
} }
PVE::APIServer::Formatter::register_formatter('json', sub { PVE::APIServer::Formatter::register_formatter('json', sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0; my $nocomp = 0;
@ -62,7 +62,7 @@ PVE::APIServer::Formatter::register_formatter('json', sub {
PVE::APIServer::Formatter::register_formatter('extjs', sub { PVE::APIServer::Formatter::register_formatter('extjs', sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0; my $nocomp = 0;
@ -76,7 +76,7 @@ PVE::APIServer::Formatter::register_formatter('extjs', sub {
}); });
PVE::APIServer::Formatter::register_formatter('htmljs', sub { PVE::APIServer::Formatter::register_formatter('htmljs', sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0; my $nocomp = 0;
@ -93,7 +93,7 @@ PVE::APIServer::Formatter::register_formatter('htmljs', sub {
PVE::APIServer::Formatter::register_formatter('spiceconfig', sub { PVE::APIServer::Formatter::register_formatter('spiceconfig', sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 0; my $nocomp = 0;
@ -116,7 +116,7 @@ PVE::APIServer::Formatter::register_formatter('spiceconfig', sub {
}); });
PVE::APIServer::Formatter::register_formatter('png', sub { PVE::APIServer::Formatter::register_formatter('png', sub {
my ($res, $data, $param, $path, $auth) = @_; my ($res, $data, $param, $path, $auth, $csrfgen_func) = @_;
my $nocomp = 1; my $nocomp = 1;