Timestamp:
May 8, 2009, 2:35:02 PM (13 years ago)
Author:
charles
Message:

(trunk) revert r8351; it's not a sufficient fix

File:
1 edited

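--- a/trunk/libtransmission/rpc-server.c
+++ b/trunk/libtransmission/rpc-server.c
@@ -57,5 +57,4 @@
     struct evhttp *    httpd;
     tr_session *       session;
-    char *             sessionId;
     char *             username;
     char *             password;
@@ -452,30 +451,7 @@
 }
 
-static char*
-session_id_new( void )
-{
-    int i;
-    const int n = 48;
-    const char * pool = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
-    const size_t pool_size = strlen( pool );
-    char * buf = tr_new( char, n+1 );
-    for( i=0; i<n; ++i )
-        buf[i] = pool[ tr_cryptoRandInt( pool_size ) ];
-    buf[n] = '\0';
-    return buf;
-}
-
-static tr_bool
-test_session_id( struct tr_rpc_server * server, struct evhttp_request * req )
-{
-    char * needle = tr_strdup_printf( "session_id=%s", server->sessionId );
-    const char * haystack = evhttp_find_header( req->input_headers, "Cookie" );
-    const tr_bool success = (haystack!=NULL) && (strstr(haystack,needle)!=NULL);
-    tr_free( needle );
-    return success;
-}
-
-static void
-handle_request( struct evhttp_request * req, void * arg )
+static void
+handle_request( struct evhttp_request * req,
+                void *                  arg )
 {
     struct tr_rpc_server * server = arg;
@@ -484,14 +460,11 @@
     {
         const char * auth;
-        char * user = NULL;
-        char * pass = NULL;
-        char * cookie;
+        char *       user = NULL;
+        char *       pass = NULL;
 
         evhttp_add_header( req->output_headers, "Server", MY_REALM );
-        cookie = tr_strdup_printf( "session_id=%s;Path=/;Discard", server->sessionId );
-        evhttp_add_header( req->output_headers, "Set-Cookie", cookie );
-        tr_free( cookie );
 
         auth = evhttp_find_header( req->input_headers, "Authorization" );
+
         if( auth && !strncasecmp( auth, "basic ", 6 ) )
         {
@@ -507,5 +480,5 @@
         if( !isAddressAllowed( server, req->remote_host ) )
         {
-            send_simple_response( req, 403,
+            send_simple_response( req, 401,
                 "<p>Unauthorized IP Address.</p>"
                 "<p>Either disable the IP address whitelist or add your address to it.</p>"
@@ -538,8 +511,4 @@
         {
             handle_clutch( req, server );
-        }
-        else if( !test_session_id( server, req ) )
-        {
-            send_simple_response( req, 409, "<p>Invalid session_id cookie.</p>" );
         }
         else if( !strncmp( req->uri, "/transmission/rpc", 17 ) )
@@ -798,5 +767,4 @@
     s = tr_new0( tr_rpc_server, 1 );
     s->session = session;
-    s->sessionId = session_id_new( );
 
     found = tr_bencDictFindBool( settings, TR_PREFS_KEY_RPC_ENABLED, &boolVal );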
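Review bot: With the session-id branch dropped in the hunk ending at `else if( !strncmp( req->uri, "/transmission/rpc", 17 ) )`, a request to /transmission/rpc now passes with only the Basic-auth and IP-whitelist checks that remain, so a page on another origin can presumably still drive the daemon from a browser that is already allowed in (cross-site request forgery); the reverted cookie scheme did not stop this because browsers attach cookies to such requests automatically, but nothing takes its place here. The defence that fits this handler is a random per-process token that the client must echo in a custom request header, e.g. `X-Transmission-Session-Id`, which a cross-origin form cannot set; the handler would reject a missing or stale header with 409 and put the current token in the response headers so the web client and remote tools can retry. The `!isAddressAllowed` branch now answers 401 again where r8351 used 403; 401 signals an authentication challenge, so 403 is the more accurate status for an address-whitelist rejection and is worth keeping independently of the revert. handle_request begins and ends outside the visible hunks.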