http-server: fix for api token csrf token check

Do not check any csrf tokens for auth with api tokens.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index bfb753eb8c9b845df29a8ff001b60ff52981c34b..7a3bf72b085c09724b2b605a489e608ddf7c636b 100755 (executable)
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,11 +104,13 @@ sub auth_handler {
            $isUpload = 1;
        }
 
-       # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
-       # with native html forms, and it should not be necessary at all.
-       my $euid = $>;
-       PVE::AccessControl::verify_csrf_prevention_token($username, $token)
-           if !$isUpload && ($euid != 0) && ($method ne 'GET');
+       if (!$api_token) {
+           # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
+           # with native html forms, and it should not be necessary at all.
+           my $euid = $>;
+           PVE::AccessControl::verify_csrf_prevention_token($username, $token)
+               if !$isUpload && ($euid != 0) && ($method ne 'GET');
+       }
     }
 
     return {