From 736b919d044254bc50cfde058eeb2c6ac783c68f Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 22 Apr 2021 11:10:48 +0200
Subject: [PATCH] http server: comment and refactor CSRF skip-check logic
Signed-off-by: Thomas Lamprecht
---
PVE/HTTPServer.pm | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 7a3bf72b..636b562b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,12 +104,13 @@ sub auth_handler {
 $isUpload = 1;
 }
- if (!$api_token) {
- # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
- # with native html forms, and it should not be necessary at all.
+ # Skip CSRF check for file upload (difficult to pass CSRF header with native html forms).
+ # Also skip the check with API tokens, as one of the design goals of API tokens was to
+ # provide stateless API access without requiring round-trips to get such CSRF tokens.
+ # CSRF-prevention also does not make much sense outside of the browser context.
+ if ($method ne 'GET' && !($api_token || $isUpload)) {
 my $euid = $>;
- PVE::AccessControl::verify_csrf_prevention_token($username, $token)
- if !$isUpload && ($euid != 0) && ($method ne 'GET');
+ PVE::AccessControl::verify_csrf_prevention_token($username, $token) if $euid != 0;
 }
 }
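Review bot: The new comment block explains the upload and API-token exemptions, but the third skip, `if $euid != 0` on the verify call, is still undocumented, and it is the one that turns the check off entirely when the process runs as root. A line such as `# euid 0: presumably the privileged daemon behind the proxy, which already verified the token (confirm)` would make that trust assumption reviewable. The API-token exemption is only sound if `$api_token` is set solely when the credential arrived in an explicit request header rather than an ambient cookie; that assignment, like the start and end of `auth_handler`, is outside this hunk, so the comment should state the dependency. With the condition hoisted, `my $euid = $>;` is a one-use temporary and the call could end in `if $> != 0;`.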