From cb53bd68615f8119c8915608455df63951abc26f Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Fri, 14 Apr 2023 16:09:07 +0200
Subject: [PATCH] explicitly disallow tmpfilename parameter in query URL

This is an internal parameter and we pass the actual internal one
around via the $reqstate variable, so avoid confusion and return a
clear error if a POST request sets this query parameter.

Reported-by: Friedrich Weber <f.weber@proxmox.com>
Suggested-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/PVE/APIServer/AnyEvent.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 2fa74d2..5cd8afb 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -1571,6 +1571,10 @@ sub authenticate_and_handle_request {
 		starttime => [gettimeofday],
 		outfh => $outfh,
 	    };
+
+	    die "'tmpfilename' query parameter is not allowed for file uploads\n"
+		if exists $state->{params}->{tmpfilename};
+
 	    $reqstate->{tmpfilename} = $tmpfilename;
 	    $reqstate->{hdl}->on_read(sub {
 		$self->file_upload_multipart($reqstate, $auth, $method, $path, $state);