From e1f830d1e3666cd38fa90a3ca2fb2b66f7187bad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Thu, 19 Sep 2024 15:19:44 +0200 Subject: [PATCH] handler: only allow downloads for annotated endpoints MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit only a few API endpoints should allow downloads, mark them explicitly and forbid downloading for the rest. Fixes: 6d832db ("allow 'download' to be passed from API handler") Signed-off-by: Fabian Grünbichler --- src/PVE/APIServer/AnyEvent.pm | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm index a8d60c1..943d6cc 100644 --- a/src/PVE/APIServer/AnyEvent.pm +++ b/src/PVE/APIServer/AnyEvent.pm @@ -989,8 +989,12 @@ sub handle_api2_request { $download //= $res->{data}->{download} if defined($res->{data}) && ref($res->{data}) eq 'HASH'; if (defined($download)) { - send_file_start($self, $reqstate, $download); - return; + if ($res->{info}->{download}) { + send_file_start($self, $reqstate, $download); + return; + } else { + warn "Download attempted for non-marked API endpoint '$path'\n"; + } } my ($raw, $ct, $nocomp) = $formatter->($res, $res->{data}, $params, $path,
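Review bot: The new gate `if ($res->{info}->{download})` is now the only thing deciding whether handler-returned data is served as a file, yet nothing at the check records where that flag comes from or that it must come from the endpoint's registered method info and never from request or response data. A comment above it would pin the contract, e.g. `# only endpoints whose method info sets 'download' may reach send_file_start; a 'download' key in $res->{data} alone is never sufficient`. In the else branch the `warn` interpolates `$path` as-is; whether `$path` is already free of control characters is not visible here, so confirm that, or log a sanitized copy, to keep the line usable for detection. Because an ordinary result hash may simply contain a key named `download`, this warning can presumably fire on every such request, so consider limiting how often it is emitted. The body of handle_api2_request starts and ends outside the hunk.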