]> git.proxmox.com Git - pve-manager.git/commitdiff
projects / pve-manager.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 45284c0)
fix file upload permission checks
authorDietmar Maurer <dietmar@proxmox.com>
Wed, 22 Feb 2012 08:14:24 +0000 (09:14 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Wed, 22 Feb 2012 08:14:24 +0000 (09:14 +0100)
PVE/REST.pm patch | blob | blame | history
debian/changelog.Debian patch | blob | blame | history
defines.mk patch | blob | blame | history

diff --git a/PVE/REST.pm b/PVE/REST.pm
index 9a0f4f760502ef8c983930cc496e5b23379a38c5..46b6178327f9db82e50e8679162361d6b6e76ef8 100644 (file)
--- a/PVE/REST.pm
+++ b/PVE/REST.pm
@@ -321,10 +321,9 @@ sub rest_handler {
 
            if ($method eq 'POST' && $rel_uri =~ m|^/nodes/([^/]+)/storage/([^/]+)/upload$|) {
                my ($node, $storeid) = ($1, $2);
-               my $perm = {
-                   path => "/storage/$storeid",
-                   privs => [ 'Datastore.AllocateSpace' ],
-               };
+               # we disable CSRF checks if $isUpload is set,
+               # to improve security we check user upload permission here
+               my $perm = { check => ['perm', "/storage/$storeid", ['Datastore.AllocateTemplate']] };
                $rpcenv->check_api2_permissions($perm, $username, {});
                $isUpload = 1;
            }
diff --git a/debian/changelog.Debian b/debian/changelog.Debian
index afb7700c72383afa381e9ed5c5c9b43d4e80fba9..b797382f8cde6438e946849e8958aaca7a47699c 100644 (file)
--- a/debian/changelog.Debian
+++ b/debian/changelog.Debian
@@ -1,3 +1,9 @@
+pve-manager (2.0-33) unstable; urgency=low
+
+  * fix file upload permission checks
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Feb 2012 09:14:05 +0100
+
 pve-manager (2.0-32) unstable; urgency=low
 
   * added French translation
diff --git a/defines.mk b/defines.mk
index a277c1fcab499ef5d7ea57abde75f0b9c4bc9f11..55fb17fa065a42626a364321ddb9957435ee2343 100644 (file)
--- a/defines.mk
+++ b/defines.mk
@@ -2,7 +2,7 @@ RELEASE=2.0
 
 VERSION=2.0
 PACKAGE=pve-manager
-PACKAGERELEASE=32
+PACKAGERELEASE=33
 
 BINDIR=${DESTDIR}/usr/bin
 PERLLIBDIR=${DESTDIR}/usr/share/perl5
The Proxmox VE Management API and Web UI