Commit c598d9e1 authored by Dietmar Maurer's avatar Dietmar Maurer

fix file upload permission checks

parent 598cccb5
...@@ -321,10 +321,9 @@ sub rest_handler { ...@@ -321,10 +321,9 @@ sub rest_handler {
if ($method eq 'POST' && $rel_uri =~ m|^/nodes/([^/]+)/storage/([^/]+)/upload$|) { if ($method eq 'POST' && $rel_uri =~ m|^/nodes/([^/]+)/storage/([^/]+)/upload$|) {
my ($node, $storeid) = ($1, $2); my ($node, $storeid) = ($1, $2);
my $perm = { # we disable CSRF checks if $isUpload is set,
path => "/storage/$storeid", # to improve security we check user upload permission here
privs => [ 'Datastore.AllocateSpace' ], my $perm = { check => ['perm', "/storage/$storeid", ['Datastore.AllocateTemplate']] };
};
$rpcenv->check_api2_permissions($perm, $username, {}); $rpcenv->check_api2_permissions($perm, $username, {});
$isUpload = 1; $isUpload = 1;
} }
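Review bot: The permission check placed before `$isUpload = 1` narrows who can reach the upload path, but it does not replace the CSRF check that `$isUpload` switches off. A cross-site POST sent from the browser of a user who holds `Datastore.AllocateTemplate` on that storage would still pass it. The new comment reads as if the check compensates for the missing token, so I would reword it, e.g. `# CSRF token is not verified for uploads; the permission check only limits exposure to users allowed to upload`, and track token validation for uploads separately. The return value of `check_api2_permissions` is not used here, so the guard relies on that method raising on denial, which is not visible in this hunk and is worth confirming. `rest_handler` begins and continues outside the hunk.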
......
pve-manager (2.0-33) unstable; urgency=low
* fix file upload permission checks
-- Proxmox Support Team <support@proxmox.com> Wed, 22 Feb 2012 09:14:05 +0100
pve-manager (2.0-32) unstable; urgency=low pve-manager (2.0-32) unstable; urgency=low
* added French translation * added French translation
......
...@@ -2,7 +2,7 @@ RELEASE=2.0 ...@@ -2,7 +2,7 @@ RELEASE=2.0
VERSION=2.0 VERSION=2.0
PACKAGE=pve-manager PACKAGE=pve-manager
PACKAGERELEASE=32 PACKAGERELEASE=33
BINDIR=${DESTDIR}/usr/bin BINDIR=${DESTDIR}/usr/bin
PERLLIBDIR=${DESTDIR}/usr/share/perl5 PERLLIBDIR=${DESTDIR}/usr/share/perl5
......