proxy request: assert that API url starts with a slash

We implicitly assume that to be the case when assembling the target
URL, so assert it explicitly as it's user controlled input.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24b2002879f1585d1dfbb985d3015553e193d25a..8533c2f239db819d425b5fe462ab65f5d75be7af 100644 (file)
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -702,6 +702,14 @@ sub proxy_request {
     eval {
        my $target;
        my $keep_alive = 1;
     eval {
        my $target;
        my $keep_alive = 1;

+
+       # stringify URI object and verify it starts with a slash
+       $uri = "$uri";
+       if ($uri !~ m@^/@) {
+           $self->error($reqstate, 400, "invalid proxy uri");
+           return;
+       }
+

        if ($host eq 'localhost') {
            $target = "http://$host:85$uri";
            # keep alive for localhost is not worth (connection setup is about 0.2ms)
        if ($host eq 'localhost') {
            $target = "http://$host:85$uri";
            # keep alive for localhost is not worth (connection setup is about 0.2ms)