protect websocket API with vncticket

2025-12-31 18:31:40 +00:00 · 2014-06-24 16:10:30 +02:00 · 2014-06-24 16:10:30 +02:00 · c422ce9347
commit c422ce9347
parent 4d00f52fbb
1 changed files with 10 additions and 0 deletions
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@ -1371,6 +1371,7 @@ __PACKAGE__->register_method({
    path => '{vmid}/vncwebsocket',
    method => 'GET',
    permissions => {
+	description => "You also need to pass a valid ticket (vncticket).",
 	check => ['perm', '/vms/{vmid}', [ 'VM.Console' ]],
    },
    description => "Opens a weksocket for VNC traffic.",
@ -1379,6 +1380,11 @@ __PACKAGE__->register_method({
 	properties => {
 	    node => get_standard_option('pve-node'),
 	    vmid => get_standard_option('pve-vmid'),
+	    vncticket => {
+		description => "Ticket from previous call to vncproxy.",
+		type => 'string',
+		maxLength => 512,
+	    },
 	    port => {
 		description => "Port number returned by previous vncproxy call.",
 		type => 'integer',
@ -1403,6 +1409,10 @@ __PACKAGE__->register_method({
 	my $vmid = $param->{vmid};
 	my $node = $param->{node};

+	my $authpath = "/vms/$vmid";
+
+	PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $authuser, $authpath);
+
 	my $conf = PVE::QemuServer::load_config($vmid, $node); # VM exists ?

 	# Note: VNC ports are acessible from outside, so we do not gain any