implement file upload

And remove CGI.pm dependency (because we want nonblocking upload).

PVE/REST.pm

@@ -2,6 +2,7 @@ package PVE::REST;
 
 use warnings;
 use strict;
+use English;
 use PVE::Cluster;
 use PVE::SafeSyslog;
 use PVE::Tools;
@@ -19,22 +20,8 @@ use URI::Escape;
 
 use Data::Dumper; # fixme: remove
 
-# my $MaxRequestsPerChild = 200;
-
 my $cookie_name = 'PVEAuthCookie';
 
-my $baseuri = "/api2";
-
-my $debug_enabled;
-sub enable_debug {
-    $debug_enabled = 1;
-}
-
-sub debug_msg {
-    return if !$debug_enabled;
-    syslog('info', @_);
-}
-
 sub extract_auth_cookie {
     my ($cookie) = @_;
 
@@ -184,15 +171,14 @@ my $exc_to_res = sub {
     return $resp;
 };
 
-sub rest_handler {
-    my ($rpcenv, $clientip, $method, $abs_uri, $rel_uri, $ticket, $token) = @_;
+sub auth_handler {
+    my ($rpcenv, $clientip, $method, $rel_uri, $ticket, $token) = @_;
     
     # set environment variables
+    $rpcenv->set_user(undef);
     $rpcenv->set_language('C'); # fixme:
     $rpcenv->set_client_ip($clientip);
 
-    my $euid = $>;
-
     my $require_auth = 1;
 
     # explicitly allow some calls without auth
@@ -207,7 +193,6 @@ sub rest_handler {
 
     if ($require_auth) {
 
-	eval {
 	die "No ticket\n" if !$ticket;
 
 	($username, $age) = PVE::AccessControl::verify_ticket($ticket);
@@ -227,38 +212,30 @@ sub rest_handler {
 	# difficult to pass CSRF HTTP headers with native html forms,
 	# and it should not be necessary at all.
 	PVE::AccessControl::verify_csrf_prevention_token($username, $token)
-		if !$isUpload && ($euid != 0) && ($method ne 'GET');
-	};
-	if (my $err = $@) {
-	    return &$exc_to_res($err, HTTP_UNAUTHORIZED);
-	}
+	    if !$isUpload && ($EUID != 0) && ($method ne 'GET');
     }
 
-    # we are authenticated now
+    return {
+	ticket => $ticket,
+	token => $token,
+	userid => $username,
+	age => $age,
+	isUpload => $isUpload,
+    };
+}
+
+sub rest_handler {
+    my ($rpcenv, $clientip, $method, $rel_uri, $auth, $params) = @_;
 
     my $uri_param = {};
     my ($handler, $info) = PVE::API2->find_handler($method, $rel_uri, $uri_param);
     if (!$handler || !$info) {
 	return {
 	    status => HTTP_NOT_IMPLEMENTED,
-	    message => "Method '$method $abs_uri' not implemented",
+	    message => "Method '$method $rel_uri' not implemented",
 	};
     }
 
-    # Note: we need to delay CGI parameter parsing until
-    # we are authenticated (avoid DOS (file upload) attacs)
-
-    my $params;
-    eval { $params = $rpcenv->parse_params($isUpload); };
-    if (my $err = $@) {
-	return { 
-	    status => HTTP_BAD_REQUEST, 
-	    message => "parameter parser failed: $err",
-	};   
-    }
-
-    delete $params->{_dc}; # remove disable cache parameter
-
     foreach my $p (keys %{$params}) {
 	if (defined($uri_param->{$p})) {
 	    return {
@@ -270,7 +247,7 @@ sub rest_handler {
     }
 
     # check access permissions
-    eval { $rpcenv->check_api2_permissions($info->{permissions}, $username, $uri_param); };
+    eval { $rpcenv->check_api2_permissions($info->{permissions}, $auth->{userid}, $uri_param); };
     if (my $err = $@) {
 	return &$exc_to_res($err, HTTP_FORBIDDEN);
     }
@@ -283,7 +260,7 @@ sub rest_handler {
 	    die "proxy parameter '$pn' does not exists" if !$node;
 
 	    if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
-		die "unable to proxy file uploads" if $isUpload; 
+		die "unable to proxy file uploads" if $auth->{isUpload}; 
 		$remip = PVE::Cluster::remote_node_ip($node);
 	    }
 	};
@@ -295,11 +272,7 @@ sub rest_handler {
 	}
     } 
 
-    if ($info->{protected} && ($euid != 0)) {
-	if ($isUpload) {
-	    my $uinfo = $rpcenv->get_upload_info('filename');
-	    $params->{tmpfilename} = $uinfo->{tmpfilename};
-	}
+    if ($info->{protected} && ($EUID != 0)) {
 	return { proxy => 'localhost' , proxy_params => $params }
     }
 
@@ -325,13 +298,4 @@ sub rest_handler {
     return $resp;
 }
 
-sub split_abs_uri {
-    my ($abs_uri) = @_;
-
-    my ($format, $rel_uri) = $abs_uri =~ m/^\Q$baseuri\E\/+(html|text|json|extjs|png|htmljs)(\/.*)?$/;
-    $rel_uri = '/' if !$rel_uri;
- 
-    return wantarray ? ($rel_uri, $format) : $rel_uri;
-}
-
 1;

bin/pveproxy

@@ -165,7 +165,7 @@ exit (0);
 # so we must be very careful here 
 
 sub get_index {
-    my ($server, $r, $params) = @_;
+    my ($server, $r, $args) = @_;
 
     my $lang = 'en';
     my $username;
@@ -183,8 +183,6 @@ sub get_index {
 	}
     }
 
-    my $args = $r->url->query_form_hash();
-
     my $workspace = defined($args->{console}) ?
 	"PVE.ConsoleWorkspace" : "PVE.StdWorkspace";