From e149b1c6c9954c07672d63f23f696d5b1e6c11d4 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Wed, 26 Jun 2019 19:34:13 +0200
Subject: [PATCH] improve CSRF compat with older PVE
Signed-off-by: Thomas Lamprecht
---
 PVE/AccessControl.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index e3f90ee..44f4a01 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -212,10 +212,12 @@ sub rotate_authkey {
 }
 my $csrf_prevention_secret;
+my $csrf_prevention_secret_legacy;
 my $get_csrfr_secret = sub {
 if (!$csrf_prevention_secret) {
 my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
 $csrf_prevention_secret = Digest::SHA::hmac_sha256_base64($input);
+ $csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);
 }
 return $csrf_prevention_secret;
 };
@@ -231,7 +233,16 @@ sub assemble_csrf_prevention_token {
 sub verify_csrf_prevention_token {
 my ($username, $token, $noerr) = @_;
- my $secret = &$get_csrfr_secret();
+ my $secret = $get_csrfr_secret->();
+
+ # FIXME: remove with PVE 7 and/or refactor all into PVE::Ticket ?
+ if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+ my $sig = $2;
+ if (length($sig) == 27) {
+ # the legacy secret got populated by above get_csrfr_secret call
+ $secret = $csrf_prevention_secret_legacy;
+ }
+ }
 return PVE::Ticket::verify_csrf_prevention_token(
 $secret, $username, $token, -300, $ticket_lifetime, $noerr);
--
2.39.2
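Review bot: The `$get_csrfr_secret` closure now has a hidden side effect — it fills `$csrf_prevention_secret_legacy` but still returns only the HMAC-SHA256 secret, so any future caller that reads the legacy variable without first invoking the closure silently gets undef as its secret. That coupling belongs at the definition, not only at the one call site; I would add above the closure `# Side effect: also derives the legacy SHA1 secret into $csrf_prevention_secret_legacy` and `# (unkeyed sha1 of the www key file, only for verifying tokens minted by pre-upgrade nodes); call this before reading it.` Since the legacy value is derived from the same key file, it presumably should never be used to assemble new tokens — saying so in that comment keeps the weaker derivation from being reused elsewhere.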
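Review bot: The legacy secret is selected purely from the attacker-supplied token (a 27-character signature, i.e. the base64 length of a SHA1 digest), so every node keeps accepting the older SHA1-based scheme for as long as this code ships — a permanent downgrade path rather than a transition aid, with nothing to tell an operator it is still being exercised. Gate it on something that is only true while older nodes exist (a config flag or version marker) and log when the legacy branch is taken, so it can actually be removed at the version the FIXME names; whether PVE::Ticket compares the signature in constant time is outside this hunk and worth confirming. Minor: the first capture is unused and `$` accepts a trailing newline, so prefer `if ($token =~ m/^(?:[A-Z0-9]{8}):(\S+)\z/) {`. The closing brace of `verify_csrf_prevention_token` lies outside the hunk.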