This patch follows the code in pve-access-control (e149b1c6c9954c07672d63f23f696d5b1e6c11d4)
and should enable us to update pve-common in PMG 5.x along with PVE again.
Tested by:
* logging into PMG (get csrf token)
a) installing only the previous patch:
   * POSTing (with the previously obtained token) -> 401
b) installing previous and this patch:
   * POSTing (with the previously obtained token) -> 200
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
$read_rsa_pub_key, undef, undef,
noclone => 1);
$read_rsa_pub_key, undef, undef,
noclone => 1);
+my $csrf_prevention_secret_legacy;
+
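Review bot: the new file-scoped `$csrf_prevention_secret_legacy` exists only to serve the transitional fallback, but this declaration carries no marker tying it to that fallback; add the same `# FIXME: remove with PMG 7` comment here so that a later cleanup finds and drops the variable together with the legacy branch rather than leaving an unused global behind.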
my $read_csrf_secret = sub {
my ($filename, $fh) = @_;
my $read_csrf_secret = sub {
my ($filename, $fh) = @_;
+ $csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);
+
return Digest::SHA::hmac_sha256_base64($input);
};
return Digest::SHA::hmac_sha256_base64($input);
};
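Review bot: the added `$csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);` silently computes a second, SHA-1 derived secret from the same `csrf_secret` file contents as the HMAC-SHA256 one, with no comment explaining that this is the pre-upgrade derivation kept only so tokens issued before the change still verify; a one-line comment naming it as the legacy (old-scheme) secret, and that it is consumed by the length-27 check in the verification path, would make the pairing obvious to the next reader and to whoever removes it with PMG 7.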
my $secret = PVE::INotify::read_file('csrf_secret');
my $secret = PVE::INotify::read_file('csrf_secret');
+ # FIXME: remove with PMG 7
+ if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+ my $sig = $2;
+ if (length($sig) == 27) {
+ # the legacy secret got populated by read_file above
+ $secret = $csrf_prevention_secret_legacy;
+ }
+ }
+
return PVE::Ticket::verify_csrf_prevention_token(
$secret, $username, $token, $min_ticket_lifetime,
$max_ticket_lifetime, $noerr);
return PVE::Ticket::verify_csrf_prevention_token(
$secret, $username, $token, $min_ticket_lifetime,
$max_ticket_lifetime, $noerr);
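Review bot: in the `if (length($sig) == 27)` branch the choice between the new secret and the SHA-1 derived legacy secret is made solely from a property of the client-supplied token (its signature length), so for as long as the FIXME stays in place any request can opt into verification against the weaker legacy derivation, not only requests carrying tokens issued before the upgrade. Since the stated purpose is only to keep already-issued tokens valid across the update, consider bounding the fallback (for example, accepting the legacy form only while the token's timestamp predates the upgrade, or only within `$max_ticket_lifetime` of it) or at least emitting a log line when the legacy path is taken, so that its use can be observed and the removal with PMG 7 is not forgotten; the token is also pattern-matched here only to pick the secret and then handed to `PVE::Ticket::verify_csrf_prevention_token`, so that function may be the better place to host this selection in a follow-up.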