On file upload, the check for CSRF tokens was already skipped when
performing user authentication. This now happens for API tokens also.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

when a user is disabled, we do not touch any ACLs, and already issued
tickets are still valid (until their expiration time)
check directly after the verification of the ticket if the user
is still enabled, so that any api call fails for that user
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

to filter out API paths that are not available with API tokens for
security reasons, such as access control related endpoints.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

cfs_* methods can now die (rightfully so) when the IPCC endpoint is
not connected, or another grave IPCC error arose.
As we did not catch those problems in the RPCEnvironments
init_request method, which loads the user config, this got
propagated to the anyevents auth_handler call in its
unshift_read_header method where then all errors were processed in
the same way => with an unauthorized response logging a logged in
user out.
So catch this error and raise an internal server error exception
instead. Anyevent needs some minor modification in a separate patch
to handle PVE::Exceptions correctly, so this is the partial fix for
bug #1589
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

Instead, pass the HTTP server as last argument to the page formatter,
so that we can call $server->create_auth_cookie().
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>

when forwarding an API request to the responsible node,
only accept the certificate that this node should have
according to the contents of the cluster file system.
to limit performance issues, cache certificate fingerprint
on first request for each node, and only regenerate cache
(at most once per minute) if the actual encountered
fingerprint does not match or every 30 minutes (to clear out
old entries).
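
The caching rule from the commit message above, sketched as an added example in Python (not the project's own Perl code). `load_fingerprint` is an assumed callback standing in for reading a node's certificate fingerprint from the cluster file system; the class, constant and node names are hypothetical.

```python
import time

MISMATCH_REFRESH_MIN = 60       # seconds between mismatch-triggered rebuilds
FULL_REFRESH_AFTER = 30 * 60    # seconds until a periodic rebuild


class NodeFingerprintCache:
    def __init__(self, load_fingerprint, clock=time.monotonic):
        # load_fingerprint(node) -> str or None. Assumption: stands in for
        # reading the node's certificate from the cluster file system.
        self._load = load_fingerprint
        self._clock = clock
        self._cache = {}
        self._last_rebuild = clock()

    def _expected(self, node):
        # Fill the cache lazily, on the first request for each node.
        if node not in self._cache:
            self._cache[node] = self._load(node)
        return self._cache[node]

    def _rebuild(self, now):
        self._cache = {}
        self._last_rebuild = now

    def verify(self, node, seen):
        """Return True only if `seen` is the fingerprint expected for `node`."""
        now = self._clock()
        if now - self._last_rebuild >= FULL_REFRESH_AFTER:
            self._rebuild(now)          # periodic: clear out old entries
        expected = self._expected(node)
        if expected is not None and expected == seen:
            return True
        # Mismatch: the node's certificate may have been replaced. Re-read it,
        # but at most once per minute to limit the performance cost.
        if now - self._last_rebuild >= MISMATCH_REFRESH_MIN:
            self._rebuild(now)
            expected = self._expected(node)
            return expected is not None and expected == seen
        return False


if __name__ == "__main__":
    # Constructed sample data: node names and fingerprints are made up.
    pinned = {"node1": "AA:BB:CC", "node2": "DD:EE:FF"}
    cache = NodeFingerprintCache(pinned.get)
    print(cache.verify("node1", "AA:BB:CC"))   # certificate matches the pin
    print(cache.verify("node2", "AA:BB:CC"))   # node1's certificate on node2
```
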
This patch adds curves to use with TLS_ECDHE_* ciphers
They will automatically be used by the proxy as they are
in the HIGH ciphersuite.
This patch uses the prime256v1 curve, which should be supported
by most clients. openssl 1.0.1 only supports a single curve.
This also forces the use of new DHE and ECDHE keys on every
handshake. This does not seem to have an impact on performance.
Signed-Off-By: Jos Ewert flami@flami.net

application/font-woff2 is still in discussion but works in main three browsers
This is needed for ExtJS6, which includes some woff2 fonts
ttf font mime type is taken from the official IANA assignment, and works as
well in main three browsers