[pve-devel] r5742 - in pve-manager/trunk: . debian lib/PVE www/root www/root/server www/root/vmlist

svn-commits at proxmox.com svn-commits at proxmox.com
Wed Mar 23 07:52:28 CET 2011


Author: dietmar
Date: 2011-03-23 07:52:28 +0100 (Wed, 23 Mar 2011)
New Revision: 5742

Modified:
   pve-manager/trunk/ChangeLog
   pve-manager/trunk/configure.in
   pve-manager/trunk/debian/changelog.Debian
   pve-manager/trunk/lib/PVE/HTMLDropDown.pm
   pve-manager/trunk/lib/PVE/HTMLForm.pm
   pve-manager/trunk/lib/PVE/HTMLUtils.pm
   pve-manager/trunk/lib/PVE/Utils.pm
   pve-manager/trunk/www/root/base.epl
   pve-manager/trunk/www/root/server/reboot.htm
   pve-manager/trunk/www/root/vmlist/index.htm
Log:
add anti CSRF tokens


Modified: pve-manager/trunk/ChangeLog
===================================================================
--- pve-manager/trunk/ChangeLog	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/ChangeLog	2011-03-23 06:52:28 UTC (rev 5742)
@@ -1,3 +1,19 @@
+2011-03-23  Proxmox Support Team  <support at proxmox.com>
+
+	* lib/PVE/HTMLForm.pm (create_footer): add anti CSRF token
+
+	* lib/PVE/HTMLDropDown.pm (add_item): add anti CSRF token
+
+	* www/root/vmlist/index.htm: add anti CSRF token
+
+	* lib/PVE/HTMLUtils.pm: add anti CSRF token
+
+	* www/root/server/reboot.htm: add anti CSRF token
+
+	* lib/PVE/Utils.pm (sign_soap_ticket): moved to PVE::Utils
+	(get_page_token): used to prevent CSRF
+	(verify_page_token): used to prevent CSRF
+
 2011-03-15  Proxmox Support Team  <support at proxmox.com>
 
 	* bin/cron/daily/pve: use http_proxy if configured.

Modified: pve-manager/trunk/configure.in
===================================================================
--- pve-manager/trunk/configure.in	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/configure.in	2011-03-23 06:52:28 UTC (rev 5742)
@@ -4,7 +4,7 @@
 
 prefix=/usr
 
-PACKAGERELEASE=13
+PACKAGERELEASE=14
 AC_SUBST(PACKAGERELEASE)
 
 REPOID=`svnversion .`

Modified: pve-manager/trunk/debian/changelog.Debian
===================================================================
--- pve-manager/trunk/debian/changelog.Debian	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/debian/changelog.Debian	2011-03-23 06:52:28 UTC (rev 5742)
@@ -1,3 +1,9 @@
+pve-manager (1.8-14) unstable; urgency=low
+
+  * protect against Cross Site Request Forgery (added anti-CSRF tokens)
+
+ -- Proxmox Support Team <support at proxmox.com>  Wed, 23 Mar 2011 07:49:34 +0100
+
 pve-manager (1.8-13) unstable; urgency=low
 
   *  use http_proxy in cron APL download if configured.

Modified: pve-manager/trunk/lib/PVE/HTMLDropDown.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLDropDown.pm	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/HTMLDropDown.pm	2011-03-23 06:52:28 UTC (rev 5742)
@@ -2,6 +2,7 @@
 
 use strict;
 use vars qw(@ISA);
+use PVE::Utils;
 
 my $umenuid = 0;
 
@@ -19,6 +20,12 @@
 sub add_item {
 	my ($self,$name,$link,$text,$img) = @_;
 	if (!(defined($self->{$name}->{count}))) { $self->{$name}->{count}=0; }
+
+	if ($link =~ m/(\?|\&|\&amp\;)action=/) {
+	    my $ptoken = PVE::Utils::get_page_token();
+	    $link .= "&ptoken=$ptoken";
+	} 
+
 	$self->{$name}->{$self->{$name}->{count}}->{link} = $link;
 	$self->{$name}->{$self->{$name}->{count}}->{text} = $text;
 	$self->{$name}->{$self->{$name}->{count}}->{image} = $img;
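Review bot: The separator appended on the line `$link .= "&ptoken=$ptoken";` is always a raw `&`, while the guard regex on the line above deliberately also matches links whose query separators are already HTML-escaped as `&amp;`; such links end up with mixed escaping, which a strict parser may decode into a different query than intended. Choosing the separator from the link keeps the encoding consistent: `my $sep = ($link =~ /&amp;/) ? '&amp;' : '&';` followed by `$link .= "${sep}ptoken=$ptoken";`. The capturing group in the guard is never read and could be written `(?:\?|&|&amp;)action=`. add_item's closing brace lies outside the hunk.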

Modified: pve-manager/trunk/lib/PVE/HTMLForm.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLForm.pm	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/HTMLForm.pm	2011-03-23 06:52:28 UTC (rev 5742)
@@ -383,7 +383,10 @@
 sub create_footer {
     my $self = shift;
 
-    my $out = $self->create_element("form_$self->{name}_submit", 'hidden', 'post');
+    my $ptoken = PVE::Utils::get_page_token();
+    my $out = $self->create_element("ptoken", 'hidden', $ptoken);
+
+    $out .= $self->create_element("form_$self->{name}_submit", 'hidden', 'post');
     $out .= "</form>";
 
     return $out;

Modified: pve-manager/trunk/lib/PVE/HTMLUtils.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLUtils.pm	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/HTMLUtils.pm	2011-03-23 06:52:28 UTC (rev 5742)
@@ -559,8 +559,9 @@
 sub action_button {
     my ($text, $action, $disabled) = @_;
 
+    my $ptoken = PVE::Utils::get_page_token();
     my $dtext = $disabled ? 'disabled' : '';
-    my $loc = "?action=$action";
+    my $loc = "?action=$action&ptoken=$ptoken";
     return "<button $dtext type=button onclick='location=\"$loc\"'>$text</button>";
 }
 
@@ -880,7 +881,8 @@
     $html .= "<tr><td colspan=2><tr><td colspan=2>";
 
     if ($download) {
-	$html .= "<tr><td><td><a class=cmd href='?action=download&aa=$d->{template}'>start download</a>";
+	my $ptoken = PVE::Utils::get_page_token();
+	$html .= "<tr><td><td><a class=cmd href='?action=download&ptoken=$ptoken&aa=$d->{template}'>start download</a>";
     }
 
     $html .= "</table>";

Modified: pve-manager/trunk/lib/PVE/Utils.pm
===================================================================
--- pve-manager/trunk/lib/PVE/Utils.pm	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/lib/PVE/Utils.pm	2011-03-23 06:52:28 UTC (rev 5742)
@@ -54,6 +54,40 @@
 
 # authentication tickets
 
+my $page_token_cache;
+my $page_token_cache_time = 0;
+
+sub get_page_token {
+
+    my $ctime = time();
+
+    if (!$page_token_cache || (($ctime - $page_token_cache_time) > (60*30))) {
+	my $data = sprintf("%08x", $ctime);
+	my $digest = substr(Digest::SHA1::sha1_hex($data, $soap_secret), 0, 12);
+	$page_token_cache = "$data$digest";
+	$page_token_cache_time = $ctime;
+    }
+
+    return $page_token_cache;
+}
+
+sub verify_page_token {
+    my ($token) = @_;
+
+    return 0 if length($token) != 20;
+
+    my $ctime = time();
+    my $data = substr($token, 0, 8);
+    my $ttime = hex($data);
+
+    return 0 if ($ctime - $ttime) > (60*60*5); # 5 hours
+
+    my $tdigest = substr($token, 8);
+    my $digest = substr(Digest::SHA1::sha1_hex($data, $soap_secret), 0, 12);
+
+    return $tdigest eq $digest;
+}
+
 sub sign_soap_ticket {
     my ($ticket) = @_;
 
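Review bot: The token built in get_page_token depends only on the clock and `$soap_secret`, not on the requesting user or session, so every user of the node receives the same value and verify_page_token accepts any such token for five hours regardless of who presents it. Because the other hunks place the token into GET URLs, a copy that leaves one user's browser (Referer header of an outbound link, browser history, a pasted URL) remains replayable against every other user of that node for the rest of the window. Mixing a per-session value the caller already holds (the authentication ticket or user name) into `$data`, and using a proper MAC such as `Digest::SHA::hmac_sha1_hex($data, $soap_secret)` instead of hashing the concatenation, would bind the token to its owner; that changes both signatures, so it is best done together with the base.epl caller. Two smaller points: the age check `($ctime - $ttime) > (60*60*5)` accepts a token dated in the future, and `$tdigest eq $digest` is a short-circuiting comparison, acceptable for a 48-bit tag but worth a one-line comment. `$soap_secret` and the `Digest::SHA1` import are presumably defined earlier in the file, outside the hunk.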

Modified: pve-manager/trunk/www/root/base.epl
===================================================================
--- pve-manager/trunk/www/root/base.epl	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/www/root/base.epl	2011-03-23 06:52:28 UTC (rev 5742)
@@ -72,6 +72,10 @@
 	       admin => __("Administration"),
 	      };
 
+ if ($fdat{action} || ($req_rec->method ne 'GET')) {
+   die "permission denied" if !$fdat{ptoken} || !PVE::Utils::verify_page_token($fdat{ptoken});
+ }
+
  if ($fdat{action}) {
    $args{action} = undef;
    $args{aa} = undef;
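Review bot: The guard on the added lines runs before the `$fdat{action}` branch below, which is the right order, but because every state-changing link in this commit is a GET carrying `action=` in the query string, the token now travels in URLs and therefore in browser history, access logs and the Referer header of any outbound link on the page. Together with the five-hour acceptance window in verify_page_token this leak is the main residual risk; moving the `action=` requests to POST forms (create_footer already emits the token as a hidden field) would keep the token in request bodies. A short comment stating the intent would help the next reader, e.g. `# CSRF guard: any action or non-GET request must carry a valid page token (PVE::Utils::verify_page_token)`. The enclosing block of this template starts and ends outside the hunk, so whether every action handler passes through this check cannot be confirmed here.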

Modified: pve-manager/trunk/www/root/server/reboot.htm
===================================================================
--- pve-manager/trunk/www/root/server/reboot.htm	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/www/root/server/reboot.htm	2011-03-23 06:52:28 UTC (rev 5742)
@@ -2,6 +2,7 @@
  use strict;
  use PVE::I18N;
  use PVE::ConfigServer;
+ use PVE::Utils;
  use PVE::HTMLUtils;
 !]
 
@@ -29,7 +30,8 @@
  }
 
  if ($fdat{state} eq 'confirm') {
-   my $ref = "reboot.htm?m3=0&action=reboot";
+   my $ptoken = PVE::Utils::get_page_token();
+   my $ref = "reboot.htm?m3=0&action=reboot&ptoken=$ptoken";
    if ($fdat{poweroff}) {
      $ref .= "&poweroff=1";
      my $msg =  __("Do you really want to shutdown the Server?");

Modified: pve-manager/trunk/www/root/vmlist/index.htm
===================================================================
--- pve-manager/trunk/www/root/vmlist/index.htm	2011-03-23 05:23:37 UTC (rev 5741)
+++ pve-manager/trunk/www/root/vmlist/index.htm	2011-03-23 06:52:28 UTC (rev 5742)
@@ -2,6 +2,7 @@
  use strict;
  use PVE::pvecfg;
  use PVE::I18N;
+ use PVE::Utils;
  use PVE::ConfigServer;
  use PVE::HTMLTable;
  use PVE::Config;
@@ -49,7 +50,8 @@
    my $msg = PVE::HTMLUtils::msg ('confirm_remove');
    $msg = sprintf ($msg, $fdat{veid});
 
-   my $href = "?action=destroy&cid=$fdat{cid}&veid=$fdat{veid}&type=$fdat{type}";
+   my $ptoken = PVE::Utils::get_page_token();
+   my $href = "?action=destroy&ptoken=$ptoken&cid=$fdat{cid}&veid=$fdat{veid}&type=$fdat{type}";
 
    print OUT PVE::HTMLUtils::create_confirmframe ($msg, __("Remove"), $href, $fdat{__uri});
 


