This feature had never been documented anyway and is considered bad security
practice nowadays.
Fixes: #16785
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>
}
}
- if !auth_ok && !ctx.api_ch.is_null() {
- if let Some(pw) = ctx.api_ch.as_ref() {
- for kv in &request.vars {
- cxx::let_cxx_string!(s = &kv.value);
- if kv.key == "api-key" && pw.matches(&s) {
- auth_ok = true;
- break;
- }
- }
- }
- }
-
if !auth_ok && allow_password {
auth_ok = compare_authorization(ctx, reqheaders);
if !auth_ok {
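Review bot: With the loop over `request.vars` gone, a client that still sends `api-key` in the query string now just fails authentication (presumably with the usual unauthorized response) and nothing records why. The key it sent has already travelled in the URL, so it has likely landed in access or proxy logs. Consider logging a warning at this spot when `request.vars.iter().any(|kv| kv.key == "api-key")` holds, naming the parameter but never its value, so operators can find the affected clients and rotate those keys. The same applies to the C++ change that drops `d_apikey->matches(req->getvars["api-key"])`. The enclosing function starts and ends outside the hunk, so the header comparison that remains is not visible here.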
throw HttpUnauthorizedException("X-API-Key");
}
- bool auth_ok = req->compareHeader("x-api-key", *d_apikey) || d_apikey->matches(req->getvars["api-key"]);
+ bool auth_ok = req->compareHeader("x-api-key", *d_apikey);
if (!auth_ok && allowPassword) {
if (d_webserverPassword) {