http server: comment and refactor CSRF skip-check logic

[pve-manager.git] / PVE / HTTPServer.pm

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 7a3bf72b085c09724b2b605a489e608ddf7c636b..636b562bac04b0ae2f94c767be4c1a57bff0504f 100755 (executable)
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -104,12 +104,13 @@ sub auth_handler {
            $isUpload = 1;
        }
 
-       if (!$api_token) {
-           # we skip CSRF check for file upload, because it is difficult to pass CSRF HTTP headers
-           # with native html forms, and it should not be necessary at all.
+       # Skip CSRF check for file upload (difficult to pass CSRF header with native html forms).
+       # Also skip the check with API tokens, as one of the design goals of API tokens was to
+       # provide stateless API access without requiring round-trips to get such CSRF tokens.
+       # CSRF-prevention also does not make much sense outside of the browser context.
+       if ($method ne 'GET' && !($api_token || $isUpload)) {
            my $euid = $>;
-           PVE::AccessControl::verify_csrf_prevention_token($username, $token)
-               if !$isUpload && ($euid != 0) && ($method ne 'GET');
+           PVE::AccessControl::verify_csrf_prevention_token($username, $token) if $euid != 0;
        }
     }