From: Thomas Lamprecht
Date: Sat, 2 Jul 2022 05:56:12 +0000 (+0200)
Subject: proxy request: assert that API url starts with a slash
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;ds=sidebyside;h=580d540ea907ba15f64379c5bb69ecf1a49a875f;p=pve-http-server.git

proxy request: assert that API url starts with a slash

We implicitly assume that to be the case when assembling the target URL, so assert it explicitly as it's user controlled input.

Signed-off-by: Thomas Lamprecht
Originally-by: Wolfgang Bumiller
---
diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24b2002..8533c2f 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -702,6 +702,14 @@ sub proxy_request {
 eval {
 my $target;
 my $keep_alive = 1;
+
+ # stringify URI object and verify it starts with a slash
+ $uri = "$uri";
+ if ($uri !~ m@^/@) {
+ $self->error($reqstate, 400, "invalid proxy uri");
+ return;
+ }
+
 if ($host eq 'localhost') {
 $target = "http://$host:85$uri";
 # keep alive for localhost is not worth (connection setup is about 0.2ms)
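Review bot: The `return;` in the new guard sits inside `eval { ... }`, so it only leaves the eval block and not `proxy_request` itself; anything after the eval still runs once the 400 has been sent. The end of the eval and the code after it are outside this hunk, so confirm that nothing there acts on `$reqstate` again on this path, or place the check before `eval {` so the `return` exits the sub. The added comment states what is checked but not why; something like `# $uri is appended directly after "$host:85" below, so it must begin with '/' to stay in the path part of the target URL` would tie the guard to the `$target = "http://$host:85$uri";` line it protects.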