github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-07-16 02:03:07 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Expose SSRF mitigation (#15247)

Browse source
This commit is contained in:
Sylvain Finot 2021-08-04 05:28:36 +02:00 committed by GitHub
parent 11a063ea66
commit e87f8f5b93
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 43 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/base/bittorrent/session.cpp
View file

@ -388,6 +388,7 @@ Session::Session(QObject *parent)
, m_IDNSupportEnabled(BITTORRENT_SESSION_KEY("IDNSupportEnabled"), false) , m_IDNSupportEnabled(BITTORRENT_SESSION_KEY("IDNSupportEnabled"), false)
, m_multiConnectionsPerIpEnabled(BITTORRENT_SESSION_KEY("MultiConnectionsPerIp"), false) , m_multiConnectionsPerIpEnabled(BITTORRENT_SESSION_KEY("MultiConnectionsPerIp"), false)
, m_validateHTTPSTrackerCertificate(BITTORRENT_SESSION_KEY("ValidateHTTPSTrackerCertificate"), true) , m_validateHTTPSTrackerCertificate(BITTORRENT_SESSION_KEY("ValidateHTTPSTrackerCertificate"), true)
, m_SSRFMitigationEnabled(BITTORRENT_SESSION_KEY("SSRFMitigation"), true)
, m_blockPeersOnPrivilegedPorts(BITTORRENT_SESSION_KEY("BlockPeersOnPrivilegedPorts"), false) , m_blockPeersOnPrivilegedPorts(BITTORRENT_SESSION_KEY("BlockPeersOnPrivilegedPorts"), false)
, m_isAddTrackersEnabled(BITTORRENT_SESSION_KEY("AddTrackersEnabled"), false) , m_isAddTrackersEnabled(BITTORRENT_SESSION_KEY("AddTrackersEnabled"), false)
, m_additionalTrackers(BITTORRENT_SESSION_KEY("AdditionalTrackers")) , m_additionalTrackers(BITTORRENT_SESSION_KEY("AdditionalTrackers"))
@ -1381,6 +1382,8 @@ void Session::loadLTSettings(lt::settings_pack &settingsPack)
settingsPack.set_bool(lt::settings_pack::validate_https_trackers, validateHTTPSTrackerCertificate()); settingsPack.set_bool(lt::settings_pack::validate_https_trackers, validateHTTPSTrackerCertificate());
settingsPack.set_bool(lt::settings_pack::ssrf_mitigation, isSSRFMitigationEnabled());
settingsPack.set_bool(lt::settings_pack::no_connect_privileged_ports, blockPeersOnPrivilegedPorts()); settingsPack.set_bool(lt::settings_pack::no_connect_privileged_ports, blockPeersOnPrivilegedPorts());
settingsPack.set_bool(lt::settings_pack::apply_ip_filter_to_trackers, isTrackerFilteringEnabled()); settingsPack.set_bool(lt::settings_pack::apply_ip_filter_to_trackers, isTrackerFilteringEnabled());
@ -3748,6 +3751,19 @@ void Session::setValidateHTTPSTrackerCertificate(const bool enabled)
configureDeferred(); configureDeferred();
} }
bool Session::isSSRFMitigationEnabled() const
{
return m_SSRFMitigationEnabled;
}
void Session::setSSRFMitigationEnabled(const bool enabled)
{
if (enabled == m_SSRFMitigationEnabled) return;
m_SSRFMitigationEnabled = enabled;
configureDeferred();
}
bool Session::blockPeersOnPrivilegedPorts() const bool Session::blockPeersOnPrivilegedPorts() const
{ {
return m_blockPeersOnPrivilegedPorts; return m_blockPeersOnPrivilegedPorts;

3
src/base/bittorrent/session.h
View file

@ -427,6 +427,8 @@ namespace BitTorrent
void setMultiConnectionsPerIpEnabled(bool enabled); void setMultiConnectionsPerIpEnabled(bool enabled);
bool validateHTTPSTrackerCertificate() const; bool validateHTTPSTrackerCertificate() const;
void setValidateHTTPSTrackerCertificate(bool enabled); void setValidateHTTPSTrackerCertificate(bool enabled);
bool isSSRFMitigationEnabled() const;
void setSSRFMitigationEnabled(bool enabled);
bool blockPeersOnPrivilegedPorts() const; bool blockPeersOnPrivilegedPorts() const;
void setBlockPeersOnPrivilegedPorts(bool enabled); void setBlockPeersOnPrivilegedPorts(bool enabled);
bool isTrackerFilteringEnabled() const; bool isTrackerFilteringEnabled() const;
@ -700,6 +702,7 @@ namespace BitTorrent
CachedSettingValue<bool> m_IDNSupportEnabled; CachedSettingValue<bool> m_IDNSupportEnabled;
CachedSettingValue<bool> m_multiConnectionsPerIpEnabled; CachedSettingValue<bool> m_multiConnectionsPerIpEnabled;
CachedSettingValue<bool> m_validateHTTPSTrackerCertificate; CachedSettingValue<bool> m_validateHTTPSTrackerCertificate;
CachedSettingValue<bool> m_SSRFMitigationEnabled;
CachedSettingValue<bool> m_blockPeersOnPrivilegedPorts; CachedSettingValue<bool> m_blockPeersOnPrivilegedPorts;
CachedSettingValue<bool> m_isAddTrackersEnabled; CachedSettingValue<bool> m_isAddTrackersEnabled;
CachedSettingValue<QString> m_additionalTrackers; CachedSettingValue<QString> m_additionalTrackers;

8
src/gui/advancedsettings.cpp
View file

@ -126,6 +126,7 @@ namespace
IDN_SUPPORT, IDN_SUPPORT,
MULTI_CONNECTIONS_PER_IP, MULTI_CONNECTIONS_PER_IP,
VALIDATE_HTTPS_TRACKER_CERTIFICATE, VALIDATE_HTTPS_TRACKER_CERTIFICATE,
SSRF_MITIGATION,
BLOCK_PEERS_ON_PRIVILEGED_PORTS, BLOCK_PEERS_ON_PRIVILEGED_PORTS,
// seeding // seeding
CHOKING_ALGORITHM, CHOKING_ALGORITHM,
@ -246,6 +247,8 @@ void AdvancedSettings::saveAdvancedSettings()
session->setMultiConnectionsPerIpEnabled(m_checkBoxMultiConnectionsPerIp.isChecked()); session->setMultiConnectionsPerIpEnabled(m_checkBoxMultiConnectionsPerIp.isChecked());
// Validate HTTPS tracker certificate // Validate HTTPS tracker certificate
session->setValidateHTTPSTrackerCertificate(m_checkBoxValidateHTTPSTrackerCertificate.isChecked()); session->setValidateHTTPSTrackerCertificate(m_checkBoxValidateHTTPSTrackerCertificate.isChecked());
// SSRF mitigation
session->setSSRFMitigationEnabled(m_checkBoxSSRFMitigation.isChecked());
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
session->setBlockPeersOnPrivilegedPorts(m_checkBoxBlockPeersOnPrivilegedPorts.isChecked()); session->setBlockPeersOnPrivilegedPorts(m_checkBoxBlockPeersOnPrivilegedPorts.isChecked());
// Recheck torrents on completion // Recheck torrents on completion
@ -599,6 +602,11 @@ void AdvancedSettings::loadAdvancedSettings()
addRow(VALIDATE_HTTPS_TRACKER_CERTIFICATE, (tr("Validate HTTPS tracker certificates") addRow(VALIDATE_HTTPS_TRACKER_CERTIFICATE, (tr("Validate HTTPS tracker certificates")
+ ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#validate_https_trackers", "(?)")) + ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#validate_https_trackers", "(?)"))
, &m_checkBoxValidateHTTPSTrackerCertificate); , &m_checkBoxValidateHTTPSTrackerCertificate);
// SSRF mitigation
m_checkBoxSSRFMitigation.setChecked(session->isSSRFMitigationEnabled());
addRow(SSRF_MITIGATION, (tr("Server-side request forgery (SSRF) mitigation")
+ ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation", "(?)"))
, &m_checkBoxSSRFMitigation);
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
m_checkBoxBlockPeersOnPrivilegedPorts.setChecked(session->blockPeersOnPrivilegedPorts()); m_checkBoxBlockPeersOnPrivilegedPorts.setChecked(session->blockPeersOnPrivilegedPorts());
addRow(BLOCK_PEERS_ON_PRIVILEGED_PORTS, (tr("Disallow connection to peers on privileged ports") + ' ' + makeLink("https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports", "(?)")), &m_checkBoxBlockPeersOnPrivilegedPorts); addRow(BLOCK_PEERS_ON_PRIVILEGED_PORTS, (tr("Disallow connection to peers on privileged ports") + ' ' + makeLink("https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports", "(?)")), &m_checkBoxBlockPeersOnPrivilegedPorts);

2
src/gui/advancedsettings.h
View file

@ -68,7 +68,7 @@ private:
QCheckBox m_checkBoxOsCache, m_checkBoxRecheckCompleted, m_checkBoxResolveCountries, m_checkBoxResolveHosts, QCheckBox m_checkBoxOsCache, m_checkBoxRecheckCompleted, m_checkBoxResolveCountries, m_checkBoxResolveHosts,
m_checkBoxProgramNotifications, m_checkBoxTorrentAddedNotifications, m_checkBoxReannounceWhenAddressChanged, m_checkBoxTrackerFavicon, m_checkBoxTrackerStatus, m_checkBoxProgramNotifications, m_checkBoxTorrentAddedNotifications, m_checkBoxReannounceWhenAddressChanged, m_checkBoxTrackerFavicon, m_checkBoxTrackerStatus,
m_checkBoxConfirmTorrentRecheck, m_checkBoxConfirmRemoveAllTags, m_checkBoxAnnounceAllTrackers, m_checkBoxAnnounceAllTiers, m_checkBoxConfirmTorrentRecheck, m_checkBoxConfirmRemoveAllTags, m_checkBoxAnnounceAllTrackers, m_checkBoxAnnounceAllTiers,
m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity, m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxSSRFMitigation, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity,
m_checkBoxSuggestMode, m_checkBoxSpeedWidgetEnabled, m_checkBoxIDNSupport; m_checkBoxSuggestMode, m_checkBoxSpeedWidgetEnabled, m_checkBoxIDNSupport;
QComboBox m_comboBoxInterface, m_comboBoxInterfaceAddress, m_comboBoxUtpMixedMode, m_comboBoxChokingAlgorithm, QComboBox m_comboBoxInterface, m_comboBoxInterfaceAddress, m_comboBoxUtpMixedMode, m_comboBoxChokingAlgorithm,
m_comboBoxSeedChokingAlgorithm, m_comboBoxResumeDataStorage; m_comboBoxSeedChokingAlgorithm, m_comboBoxResumeDataStorage;

5
src/webui/api/appcontroller.cpp
View file

@ -335,6 +335,8 @@ void AppController::preferencesAction()
data["enable_multi_connections_from_same_ip"] = session->multiConnectionsPerIpEnabled(); data["enable_multi_connections_from_same_ip"] = session->multiConnectionsPerIpEnabled();
// Validate HTTPS tracker certificate // Validate HTTPS tracker certificate
data["validate_https_tracker_certificate"] = session->validateHTTPSTrackerCertificate(); data["validate_https_tracker_certificate"] = session->validateHTTPSTrackerCertificate();
// SSRF mitigation
data["ssrf_mitigation"] = session->isSSRFMitigationEnabled();
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
data["block_peers_on_privileged_ports"] = session->blockPeersOnPrivilegedPorts(); data["block_peers_on_privileged_ports"] = session->blockPeersOnPrivilegedPorts();
// Embedded tracker // Embedded tracker
@ -819,6 +821,9 @@ void AppController::setPreferencesAction()
// Validate HTTPS tracker certificate // Validate HTTPS tracker certificate
if (hasKey("validate_https_tracker_certificate")) if (hasKey("validate_https_tracker_certificate"))
session->setValidateHTTPSTrackerCertificate(it.value().toBool()); session->setValidateHTTPSTrackerCertificate(it.value().toBool());
// SSRF mitigation
if (hasKey("ssrf_mitigation"))
session->setSSRFMitigationEnabled(it.value().toBool());
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
if (hasKey("block_peers_on_privileged_ports")) if (hasKey("block_peers_on_privileged_ports"))
session->setBlockPeersOnPrivilegedPorts(it.value().toBool()); session->setBlockPeersOnPrivilegedPorts(it.value().toBool());

10
src/webui/www/private/views/preferences.html
View file

@ -1151,6 +1151,14 @@
<input type="checkbox" id="validateHTTPSTrackerCertificate" /> <input type="checkbox" id="validateHTTPSTrackerCertificate" />
</td> </td>
</tr> </tr>
<tr>
<td>
<label for="mitigateSSRF">QBT_TR(Server-side request forgery (SSRF) mitigation:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation" target="_blank">(?)</a></label>
</td>
<td>
<input type="checkbox" id="mitigateSSRF" />
</td>
</tr>
<tr> <tr>
<td> <td>
<label for="blockPeersOnPrivilegedPorts">QBT_TR(Disallow connection to peers on privileged ports:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports" target="_blank">(?)</a></label> <label for="blockPeersOnPrivilegedPorts">QBT_TR(Disallow connection to peers on privileged ports:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports" target="_blank">(?)</a></label>
@ -1940,6 +1948,7 @@
$('IDNSupportCheckbox').setProperty('checked', pref.idn_support_enabled); $('IDNSupportCheckbox').setProperty('checked', pref.idn_support_enabled);
$('allowMultipleConnectionsFromTheSameIPAddress').setProperty('checked', pref.enable_multi_connections_from_same_ip); $('allowMultipleConnectionsFromTheSameIPAddress').setProperty('checked', pref.enable_multi_connections_from_same_ip);
$('validateHTTPSTrackerCertificate').setProperty('checked', pref.validate_https_tracker_certificate); $('validateHTTPSTrackerCertificate').setProperty('checked', pref.validate_https_tracker_certificate);
$('mitigateSSRF').setProperty('checked', pref.ssrf_mitigation);
$('blockPeersOnPrivilegedPorts').setProperty('checked', pref.block_peers_on_privileged_ports); $('blockPeersOnPrivilegedPorts').setProperty('checked', pref.block_peers_on_privileged_ports);
$('enableEmbeddedTracker').setProperty('checked', pref.enable_embedded_tracker); $('enableEmbeddedTracker').setProperty('checked', pref.enable_embedded_tracker);
$('embeddedTrackerPort').setProperty('value', pref.embedded_tracker_port); $('embeddedTrackerPort').setProperty('value', pref.embedded_tracker_port);
@ -2334,6 +2343,7 @@
settings.set('idn_support_enabled', $('IDNSupportCheckbox').getProperty('checked')); settings.set('idn_support_enabled', $('IDNSupportCheckbox').getProperty('checked'));
settings.set('enable_multi_connections_from_same_ip', $('allowMultipleConnectionsFromTheSameIPAddress').getProperty('checked')); settings.set('enable_multi_connections_from_same_ip', $('allowMultipleConnectionsFromTheSameIPAddress').getProperty('checked'));
settings.set('validate_https_tracker_certificate', $('validateHTTPSTrackerCertificate').getProperty('checked')); settings.set('validate_https_tracker_certificate', $('validateHTTPSTrackerCertificate').getProperty('checked'));
settings.set('ssrf_mitigation', $('mitigateSSRF').getProperty('checked'));
settings.set('block_peers_on_privileged_ports', $('blockPeersOnPrivilegedPorts').getProperty('checked')); settings.set('block_peers_on_privileged_ports', $('blockPeersOnPrivilegedPorts').getProperty('checked'));
settings.set('enable_embedded_tracker', $('enableEmbeddedTracker').getProperty('checked')); settings.set('enable_embedded_tracker', $('enableEmbeddedTracker').getProperty('checked'));
settings.set('embedded_tracker_port', $('embeddedTrackerPort').getProperty('value')); settings.set('embedded_tracker_port', $('embeddedTrackerPort').getProperty('value'));