Changeset 8378 for branches/1.5x/libtransmission/rpc-server.c

Timestamp:

May 11, 2009, 5:45:00 PM (13 years ago)

Author:

charles

Message:

(1.5x) backport r8358, 8359 to 1.5x/ branch for 1.53

File:

• branches/1.5x/libtransmission/rpc-server.c (modified) (7 diffs)

branches/1.5x/libtransmission/rpc-server.c

@@ -30 +30 @@
 #include "transmission.h"
 #include "bencode.h"
+#include "crypto.h"
 #include "list.h"
 #include "platform.h"
@@ -37 +38 @@
 #include "utils.h"
 #include "web.h"
+
+/* session-id is used to make cross-site request forgery attacks difficult.
+ * Don't disable this feature unless you really know what you're doing!
+ * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ * http://shiflett.org/articles/cross-site-request-forgeries
+ * http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00037.html */
+#define REQUIRE_SESSION_ID
 
 #define MY_NAME "RPC Server"
@@ -58 +66 @@
     char *             whitelistStr;
     tr_list *          whitelist;
+
+    char *             sessionId;
+    time_t             sessionIdExpiresAt;
 
 #ifdef HAVE_ZLIB
@@ -446 +457 @@
 }
 
-static void
-handle_request( struct evhttp_request * req,
-                void *                  arg )
+static char*
+get_current_session_id( struct tr_rpc_server * server )
+{
+    const time_t now = time( NULL );
+
+    if( !server->sessionId || ( now >= server->sessionIdExpiresAt ) )
+    {
+        int i;
+        const int n = 48;
+        const char * pool = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        const size_t pool_size = strlen( pool );
+        char * buf = tr_new( char, n+1 );
+
+        for( i=0; i<n; ++i )
+            buf[i] = pool[ tr_cryptoRandInt( pool_size ) ];
+        buf[n] = '\0';
+
+        tr_free( server->sessionId );
+        server->sessionId = buf;
+        server->sessionIdExpiresAt = now + (60*60); /* expire in an hour */
+    }
+
+    return server->sessionId;
+}
+
+
+static tr_bool
+test_session_id( struct tr_rpc_server * server, struct evhttp_request * req )
+{
+    const char * ours = get_current_session_id( server );
+    const char * theirs = evhttp_find_header( req->input_headers, TR_RPC_SESSION_ID_HEADER );
+    const tr_bool success =  theirs && !strcmp( theirs, ours );
+    return success;
+}
+
+static void
+handle_request( struct evhttp_request * req, void * arg )
 {
     struct tr_rpc_server * server = arg;
@@ -455 +500 @@
     {
         const char * auth;
-        char *       user = NULL;
-        char *       pass = NULL;
+        char * user = NULL;
+        char * pass = NULL;
 
         evhttp_add_header( req->output_headers, "Server", MY_REALM );
 
         auth = evhttp_find_header( req->input_headers, "Authorization" );
-
         if( auth && !strncasecmp( auth, "basic ", 6 ) )
         {
@@ -475 +519 @@
         if( !isAddressAllowed( server, req->remote_host ) )
         {
-            send_simple_response( req, 401,
+            send_simple_response( req, 403,
                 "<p>Unauthorized IP Address.</p>"
                 "<p>Either disable the IP address whitelist or add your address to it.</p>"
@@ -506 +550 @@
             handle_clutch( req, server );
         }
+#ifdef REQUIRE_SESSION_ID
+        else if( !test_session_id( server, req ) )
+        {
+            const char * sessionId = get_current_session_id( server );
+            char * tmp = tr_strdup_printf(
+                "<p>Please add this header to your requests:</p>"
+                "<p><code>%s: %s</code></p>"
+                "<p>This requirement is to make "
+                "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a>"
+                " attacks more difficult.</p>",
+                TR_RPC_SESSION_ID_HEADER, sessionId );
+            evhttp_add_header( req->output_headers, TR_RPC_SESSION_ID_HEADER, sessionId );
+            send_simple_response( req, 409, tmp );
+            tr_free( tmp );
+        }
+#endif
         else if( !strncmp( req->uri, "/transmission/rpc", 17 ) )
         {