proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-04-30 21:00:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

handler: only allow downloads for annotated endpoints

Browse Source 
only a few API endpoints should allow downloads, mark them explicitly and
forbid downloading for the rest.

Fixes: 6d832db ("allow 'download' to be passed from API handler")

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2024-09-19 15:19:44 +02:00 committed by Thomas Lamprecht
parent 9ecc949c68
commit e1f830d1e3
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/PVE/APIServer/AnyEvent.pm
View File

@ -989,8 +989,12 @@ sub handle_api2_request {
$download //= $res->{data}->{download}
if defined($res->{data}) && ref($res->{data}) eq 'HASH';
if (defined($download)) {
send_file_start($self, $reqstate, $download);
return;
if ($res->{info}->{download}) {
send_file_start($self, $reqstate, $download);
return;
} else {
warn "Download attempted for non-marked API endpoint '$path'\n";
}
}
my ($raw, $ct, $nocomp) = $formatter->($res, $res->{data}, $params, $path,