explicitly disallow tmpfilename parameter in query URL

This is an internal parameter and we pass the actual internal one
around via the $reqstate variable, so avoid confusion and return a
clear error if a POST request sets this query parameter.

Reported-by: Friedrich Weber <f.weber@proxmox.com>
Suggested-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2023-04-14 16:09:07 +02:00
parent a2a3d17be8
commit cb53bd6861

@ -1571,6 +1571,10 @@ sub authenticate_and_handle_request {
starttime => [gettimeofday], starttime => [gettimeofday],
outfh => $outfh, outfh => $outfh,
}; };
die "'tmpfilename' query parameter is not allowed for file uploads\n"
if exists $state->{params}->{tmpfilename};
$reqstate->{tmpfilename} = $tmpfilename; $reqstate->{tmpfilename} = $tmpfilename;
$reqstate->{hdl}->on_read(sub { $reqstate->{hdl}->on_read(sub {
$self->file_upload_multipart($reqstate, $auth, $method, $path, $state); $self->file_upload_multipart($reqstate, $auth, $method, $path, $state);
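Review bot: The added `die` fires only after the `$reqstate` hash has been built, and it raises a bare string with no status code, so from these lines alone it is not clear that the client receives the "clear error" the commit message promises rather than a generic failure. Consider moving the check above the `$reqstate` construction so nothing is set up for a request that will be rejected, and raising it as an explicit client-side parameter error (a 400-class response). A one-line comment above the check saying that `tmpfilename` is internal and is carried only in `$reqstate->{tmpfilename}` would keep a later reader from removing the guard as redundant. Minor: `exists $state->{params}->{tmpfilename}` autovivifies `$state->{params}` when it is undefined; harmless here if params are always populated at this point, but worth confirming.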