git.proxmox.com Git - pve-http-server.git/commitdiff
explicitly disallow tmpfilename parameter in query URL
author Thomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 14 Apr 2023 14:09:07 +0000 (16:09 +0200)
committer Thomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 14 Apr 2023 14:22:40 +0000 (16:22 +0200)
This is an internal parameter and we pass the actual internal one
around via the $reqstate variable, so avoid confusion and return a
clear error if a POST request sets this query parameter.

Reported-by: Friedrich Weber <f.weber@proxmox.com>
Suggested-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
src/PVE/APIServer/AnyEvent.pm

index 2fa74d28ad7001e53c112809ae4ba3223027cae5..5cd8afbd1e6724bcc9c590d56f4cafc22a1f3efc 100644 (file)
@@ -1571,6 +1571,10 @@ sub authenticate_and_handle_request {
                starttime => [gettimeofday],
                outfh => $outfh,
            };
+
+           die "'tmpfilename' query parameter is not allowed for file uploads\n"
+               if exists $state->{params}->{tmpfilename};
+
            $reqstate->{tmpfilename} = $tmpfilename;
            $reqstate->{hdl}->on_read(sub {
                $self->file_upload_multipart($reqstate, $auth, $method, $path, $state);
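Review bot: the commit message promises "a clear error" to the client, but the hunk only adds a bare `die` inside `authenticate_and_handle_request`; whether that message reaches the client as an HTTP error response (ideally a 4xx, since a client-supplied query parameter is a client error) rather than a generic 500 or a dropped connection depends on the eval in the caller, which is outside the visible context, so it is worth confirming that mapping and naming the resulting status in the commit message. Two smaller points on the same lines: the check could sit before the `$reqstate` hash is built, so no per-request state (`starttime`, `outfh`) is allocated for a request that is rejected anyway, and a one-line comment above the `die` stating that `tmpfilename` is an internal value carried in `$reqstate` would save the next reader a trip to the commit log. Using `exists` rather than a truthiness test is the right choice here, since it also rejects an explicitly empty `tmpfilename=` instead of silently ignoring it.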