REST handler: make API return validation opt-in

[pve-common.git] / src / PVE / Ticket.pm

diff --git a/src/PVE/Ticket.pm b/src/PVE/Ticket.pm
index 5935ba52b6f795503c281b791137ca5ced5efd26..d522401436f9873f7cc07d07b86ce1d09adc0ffc 100644 (file)
--- a/src/PVE/Ticket.pm
+++ b/src/PVE/Ticket.pm
@@ -20,7 +20,7 @@ sub assemble_csrf_prevention_token {
 
     my $timestamp = sprintf("%08X", time());
 
-    my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+    my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
 
     return "$timestamp:$digest";
 }
@@ -33,7 +33,13 @@ sub verify_csrf_prevention_token {
        my $timestamp = $1;
        my $ttime = hex($timestamp);
 
-       my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+       my $digest;
+       if (length($sig) == 27) {
+           # detected sha1 csrf token from older proxy, fallback. FIXME: remove with 7.0
+           $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+       } else {
+           $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
+       }
 
        my $age = time() - $ttime;
        return 1 if ($digest eq $sig) && ($age > $min_age) &&