github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-08-22 22:33:34 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Set HTTP method restriction on WebAPI actions

Browse source
This commit is contained in:
Chocobo1 2022-08-06 15:54:07 +08:00
commit 99b5983143
2 changed files with 30 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/webui/webapplication.cpp
View file

@ -276,6 +276,20 @@ void WebApplication::doProcessRequest()
if (!session() && !isPublicAPI(scope, action)) if (!session() && !isPublicAPI(scope, action))
throw ForbiddenHTTPError(); throw ForbiddenHTTPError();
// Filter HTTP methods
const auto allowedMethodIter = m_allowedMethod.find({scope, action});
if (allowedMethodIter == m_allowedMethod.end())
{
// by default allow both GET, POST methods
if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
throw MethodNotAllowedHTTPError();
}
else
{
if (*allowedMethodIter != m_request.method)
throw MethodNotAllowedHTTPError();
}
DataMap data; DataMap data;
for (const Http::UploadedFile &torrent : request().files) for (const Http::UploadedFile &torrent : request().files)
data[torrent.filename] = torrent.data; data[torrent.filename] = torrent.data;

16
src/webui/webapplication.h
View file

@ -28,6 +28,8 @@
#pragma once #pragma once
#include <utility>
#include <QDateTime> #include <QDateTime>
#include <QElapsedTimer> #include <QElapsedTimer>
#include <QHash> #include <QHash>
@ -130,6 +132,20 @@ private:
QHash<QString, APIController *> m_apiControllers; QHash<QString, APIController *> m_apiControllers;
QSet<QString> m_publicAPIs; QSet<QString> m_publicAPIs;
const QHash<std::pair<QString, QString>, QString> m_allowedMethod =
{
// <<controller name, action name>, HTTP method>
// TODO: this list is incomplete
{{QLatin1String("app"), QLatin1String("setPreferences")}, Http::METHOD_POST},
{{QLatin1String("app"), QLatin1String("shutdown")}, Http::METHOD_POST},
{{QLatin1String("auth"), QLatin1String("login")}, Http::METHOD_POST},
{{QLatin1String("auth"), QLatin1String("logout")}, Http::METHOD_POST},
{{QLatin1String("rss"), QLatin1String("addFeed")}, Http::METHOD_POST},
{{QLatin1String("search"), QLatin1String("installPlugin")}, Http::METHOD_POST},
{{QLatin1String("torrents"), QLatin1String("add")}, Http::METHOD_POST},
{{QLatin1String("torrents"), QLatin1String("addPeers")}, Http::METHOD_POST},
{{QLatin1String("torrents"), QLatin1String("addTrackers")}, Http::METHOD_POST}
};
bool m_isAltUIUsed = false; bool m_isAltUIUsed = false;
QString m_rootFolder; QString m_rootFolder;