From e9df8a6e76b2a18f89295a5d92a62177bbf0f762 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Sat, 2 Jul 2022 07:59:50 +0200
Subject: [PATCH] pass through streaming: only allow from privileged local pvedaemon

Ensures that no external request can control streaming on proxying requests as safety net for when we'd have another issue in the request handling part.

Signed-off-by: Thomas Lamprecht
Originally-by: Wolfgang Bumiller
---
 src/PVE/APIServer/AnyEvent.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 8533c2f..dc12e7b 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -710,10 +710,12 @@ sub proxy_request {
         return;
     }
+    my $may_stream_file;
     if ($host eq 'localhost') {
         $target = "http://$host:85$uri";
         # keep alive for localhost is not worth (connection setup is about 0.2ms)
         $keep_alive = 0;
+        $may_stream_file = 1;
     } elsif (Net::IP::ip_is_ipv6($host)) {
         $target = "https://[$host]:8006$uri";
     } else {
@@ -799,6 +801,10 @@ sub proxy_request {
             $header->header(Location => $location);
         }
         if ($stream) {
+            if (!$may_stream_file) { $self->error($reqstate, 403, 'streaming denied'); return; }
             sysopen(my $fh, "$stream", O_NONBLOCK | O_RDONLY)
                 or die "open stream path '$stream' for forwarding failed: $!\n";
             my $resp = HTTP::Response->new($code, $msg, $header, undef);
-- 
2.39.2
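Review bot: The guard at `if (!$may_stream_file)` in the second hunk is only understandable together with the first hunk, where the flag is set solely in the `$host eq 'localhost'` branch, so the trust decision deserves a why-comment at the point where it is made, e.g. on the `$may_stream_file = 1;` line: `# a file-streaming response is only honoured from the local pvedaemon on port 85, never from a remote node`. Consider also initialising the flag explicitly, `my $may_stream_file = 0;`, so the default-deny reads as intentional rather than relying on an undef being false. Since an upstream that is not the local daemon returning a stream header indicates either a bug in request handling or a misbehaving peer, it seems worth logging the denied request next to the 403 so such attempts are visible in the proxy's logs, not just to the client. proxy_request starts and ends outside both hunks, and where `$host` is derived from is not visible here; that derivation is the actual trust boundary for this check.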