proxy request: assert that API url starts with a slash

[pve-http-server.git] / src / PVE / APIServer / AnyEvent.pm

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24b2002879f1585d1dfbb985d3015553e193d25a..8533c2f239db819d425b5fe462ab65f5d75be7af 100644 (file)
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -702,6 +702,14 @@ sub proxy_request {
     eval {
        my $target;
        my $keep_alive = 1;
+
+       # stringify URI object and verify it starts with a slash
+       $uri = "$uri";
+       if ($uri !~ m@^/@) {
+           $self->error($reqstate, 400, "invalid proxy uri");
+           return;
+       }
+
        if ($host eq 'localhost') {
            $target = "http://$host:85$uri";
            # keep alive for localhost is not worth (connection setup is about 0.2ms)