mirror of
https://github.com/qbittorrent/qBittorrent.git
synced 2024-11-27 07:00:04 +08:00
Use HTTP digest mode for Web UI authentication (instead of Basic)
This commit is contained in:
parent
4522174555
commit
c7ca51f950
@ -19,6 +19,8 @@
|
||||
- BUGFIX: Use XDG folders (.cache, .local) instead of .qbittorrent
|
||||
- BUGFIX: Added legal notice on startup that the user must accept
|
||||
- BUGFIX: Protect Web UI authentication against brute forcing
|
||||
- BUGFIX: Use HTTP digest mode for Web UI authentication (instead of Basic)
|
||||
- BUGFIX: Properly display torrents with one file in subfolder(s)
|
||||
- COSMETIC: Use checkboxes to filter torrent content instead of comboboxes
|
||||
- COSMETIC: Use alternating row colors in transfer list (set in program preferences)
|
||||
- COSMETIC: Added a spin box to speed limiting dialog for manual input
|
||||
|
@ -137,14 +137,14 @@ void HttpConnection::respond() {
|
||||
write();
|
||||
return;
|
||||
}
|
||||
QStringList auth = parser.value("Authorization").split(" ", QString::SkipEmptyParts);
|
||||
if (auth.size() != 2 || QString::compare(auth[0], "Basic", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth[1].toLocal8Bit())) {
|
||||
QString auth = parser.value("Authorization");
|
||||
if (QString::compare(auth.split(" ").first(), "Digest", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth.toLocal8Bit(), parser.method())) {
|
||||
// Update failed attempt counter
|
||||
parent->client_failed_attempts.insert(socket->peerAddress().toString(), nb_fail+1);
|
||||
qDebug("client IP: %s (%d failed attempts)", socket->peerAddress().toString().toLocal8Bit().data(), nb_fail);
|
||||
// Return unauthorized header
|
||||
generator.setStatusLine(401, "Unauthorized");
|
||||
generator.setValue("WWW-Authenticate", "Basic realm=\"you know what\"");
|
||||
generator.setValue("WWW-Authenticate", "Digest realm=\""+QString(QBT_REALM)+"\", nonce=\""+parent->generateNonce()+"\", algorithm=\"MD5\", qop=\"auth\"");
|
||||
write();
|
||||
return;
|
||||
}
|
||||
|
@ -33,13 +33,14 @@
|
||||
#include "httpconnection.h"
|
||||
#include "eventmanager.h"
|
||||
#include "bittorrent.h"
|
||||
#include "preferences.h"
|
||||
#include <QTimer>
|
||||
#include <QCryptographicHash>
|
||||
#include <QTime>
|
||||
#include <QRegExp>
|
||||
|
||||
HttpServer::HttpServer(Bittorrent *_BTSession, int msec, QObject* parent) : QTcpServer(parent) {
|
||||
username = Preferences::getWebUiUsername().toLocal8Bit();
|
||||
password_md5 = Preferences::getWebUiPassword().toLocal8Bit();
|
||||
password_ha1 = Preferences::getWebUiPassword().toLocal8Bit();
|
||||
connect(this, SIGNAL(newConnection()), this, SLOT(newHttpConnection()));
|
||||
BTSession = _BTSession;
|
||||
manager = new EventManager(this, BTSession);
|
||||
@ -118,21 +119,110 @@ void HttpServer::onTimer() {
|
||||
}
|
||||
}
|
||||
|
||||
void HttpServer::setAuthorization(QString _username, QString _password_md5) {
|
||||
username = _username.toLocal8Bit();
|
||||
password_md5 = _password_md5.toLocal8Bit();
|
||||
QString HttpServer::generateNonce() const {
|
||||
QCryptographicHash md5(QCryptographicHash::Md5);
|
||||
md5.addData(QTime::currentTime().toString("hhmmsszzz").toLocal8Bit());
|
||||
md5.addData(":");
|
||||
md5.addData(QBT_REALM);
|
||||
return md5.result().toHex();
|
||||
}
|
||||
|
||||
bool HttpServer::isAuthorized(QByteArray auth) const {
|
||||
// Decode Auth
|
||||
QByteArray decoded = QByteArray::fromBase64(auth);
|
||||
QList<QByteArray> creds = decoded.split(':');
|
||||
if(creds.size() != 2) return false;
|
||||
QByteArray prop_username = creds.first();
|
||||
if(prop_username != username) return false;
|
||||
QCryptographicHash md5(QCryptographicHash::Md5);
|
||||
md5.addData(creds.last());
|
||||
return (password_md5 == md5.result().toHex());
|
||||
void HttpServer::setAuthorization(QString _username, QString _password_ha1) {
|
||||
username = _username.toLocal8Bit();
|
||||
password_ha1 = _password_ha1.toLocal8Bit();
|
||||
}
|
||||
|
||||
// AUTH string is: Digest username="chris",
|
||||
// realm="Web UI Access",
|
||||
// nonce="570d04de93444b7fd3eaeaecb00e635e",
|
||||
// uri="/", algorithm=MD5,
|
||||
// response="ba886766d19b45313c0e2195e4344264",
|
||||
// qop=auth, nc=00000001, cnonce="e8ac970779c17075"
|
||||
bool HttpServer::isAuthorized(QByteArray auth, QString method) const {
|
||||
qDebug("AUTH string is %s", auth.data());
|
||||
// Get user name
|
||||
QRegExp regex_user(".*username=\"([^\"]+)\".*");
|
||||
if(regex_user.indexIn(auth) < 0) return false;
|
||||
QString prop_user = regex_user.cap(1);
|
||||
qDebug("AUTH: Proposed username is %s, real username is %s", prop_user.toLocal8Bit().data(), username.data());
|
||||
if(prop_user != username) {
|
||||
// User name is invalid, we can reject already
|
||||
qDebug("AUTH-PROB: Username is invalid");
|
||||
return false;
|
||||
}
|
||||
// Get realm
|
||||
QRegExp regex_realm(".*realm=\"([^\"]+)\".*");
|
||||
if(regex_realm.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: Missing realm");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_realm = regex_realm.cap(1).toLocal8Bit();
|
||||
if(prop_realm != QBT_REALM) {
|
||||
qDebug("AUTH-PROB: Wrong realm");
|
||||
return false;
|
||||
}
|
||||
// get nonce
|
||||
QRegExp regex_nonce(".*nonce=\"([^\"]+)\".*");
|
||||
if(regex_nonce.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: missing nonce");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_nonce = regex_nonce.cap(1).toLocal8Bit();
|
||||
qDebug("prop nonce is: %s", prop_nonce.data());
|
||||
// get uri
|
||||
QRegExp regex_uri(".*uri=\"([^\"]+)\".*");
|
||||
if(regex_uri.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: Missing uri");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_uri = regex_uri.cap(1).toLocal8Bit();
|
||||
qDebug("prop uri is: %s", prop_uri.data());
|
||||
// get response
|
||||
QRegExp regex_response(".*response=\"([^\"]+)\".*");
|
||||
if(regex_response.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: Missing response");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_response = regex_response.cap(1).toLocal8Bit();
|
||||
qDebug("prop response is: %s", prop_response.data());
|
||||
// Compute correct reponse
|
||||
QCryptographicHash md5_ha2(QCryptographicHash::Md5);
|
||||
md5_ha2.addData(method.toLocal8Bit() + ":" + prop_uri);
|
||||
QByteArray ha2 = md5_ha2.result().toHex();
|
||||
QByteArray response = "";
|
||||
if(auth.contains("qop=")) {
|
||||
QCryptographicHash md5_ha(QCryptographicHash::Md5);
|
||||
// Get nc
|
||||
QRegExp regex_nc(".*nc=(\\w+).*");
|
||||
if(regex_nc.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: qop but missing nc");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_nc = regex_nc.cap(1).toLocal8Bit();
|
||||
qDebug("prop nc is: %s", prop_nc.data());
|
||||
QRegExp regex_cnonce(".*cnonce=\"([^\"]+)\".*");
|
||||
if(regex_cnonce.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: qop but missing cnonce");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_cnonce = regex_cnonce.cap(1).toLocal8Bit();
|
||||
qDebug("prop cnonce is: %s", prop_cnonce.data());
|
||||
QRegExp regex_qop(".*qop=(\\w+).*");
|
||||
if(regex_qop.indexIn(auth) < 0) {
|
||||
qDebug("AUTH-PROB: missing qop");
|
||||
return false;
|
||||
}
|
||||
QByteArray prop_qop = regex_qop.cap(1).toLocal8Bit();
|
||||
qDebug("prop qop is: %s", prop_qop.data());
|
||||
md5_ha.addData(password_ha1+":"+prop_nonce+":"+prop_nc+":"+prop_cnonce+":"+prop_qop+":"+ha2);
|
||||
response = md5_ha.result().toHex();
|
||||
} else {
|
||||
QCryptographicHash md5_ha(QCryptographicHash::Md5);
|
||||
md5_ha.addData(password_ha1+":"+prop_nonce+":"+ha2);
|
||||
response = md5_ha.result().toHex();
|
||||
}
|
||||
qDebug("AUTH: comparing reponses");
|
||||
return prop_response == response;
|
||||
}
|
||||
|
||||
EventManager* HttpServer::eventManager() const
|
||||
|
@ -36,6 +36,7 @@
|
||||
#include <QTcpServer>
|
||||
#include <QByteArray>
|
||||
#include <QHash>
|
||||
#include "preferences.h"
|
||||
|
||||
class Bittorrent;
|
||||
class QTimer;
|
||||
@ -46,7 +47,7 @@ class HttpServer : public QTcpServer {
|
||||
|
||||
private:
|
||||
QByteArray username;
|
||||
QByteArray password_md5;
|
||||
QByteArray password_ha1;
|
||||
Bittorrent *BTSession;
|
||||
EventManager *manager;
|
||||
QTimer *timer;
|
||||
@ -54,9 +55,10 @@ class HttpServer : public QTcpServer {
|
||||
public:
|
||||
HttpServer(Bittorrent *BTSession, int msec, QObject* parent = 0);
|
||||
~HttpServer();
|
||||
void setAuthorization(QString username, QString password_md5);
|
||||
bool isAuthorized(QByteArray auth) const;
|
||||
void setAuthorization(QString username, QString password_ha1);
|
||||
bool isAuthorized(QByteArray auth, QString method) const;
|
||||
EventManager *eventManager() const;
|
||||
QString generateNonce() const;
|
||||
QHash<QString, int> client_failed_attempts;
|
||||
|
||||
private slots:
|
||||
|
@ -36,6 +36,8 @@
|
||||
#include <QPair>
|
||||
#include <QDir>
|
||||
|
||||
#define QBT_REALM "Web UI Access"
|
||||
|
||||
class Preferences {
|
||||
public:
|
||||
// General options
|
||||
@ -708,9 +710,10 @@ public:
|
||||
if(current_pass_md5 == new_password) return;
|
||||
// Encode to md5 and save
|
||||
QCryptographicHash md5(QCryptographicHash::Md5);
|
||||
md5.addData(getWebUiUsername().toLocal8Bit()+":"+QBT_REALM+":");
|
||||
md5.addData(new_password.toLocal8Bit());
|
||||
QSettings settings("qBittorrent", "qBittorrent");
|
||||
settings.setValue("Preferences/WebUI/Password_md5", md5.result().toHex());
|
||||
settings.setValue("Preferences/WebUI/Password_ha1", md5.result().toHex());
|
||||
}
|
||||
|
||||
static QString getWebUiPassword() {
|
||||
@ -720,18 +723,20 @@ public:
|
||||
QString clear_pass = settings.value("Preferences/WebUI/Password", "adminadmin").toString();
|
||||
settings.remove("Preferences/WebUI/Password");
|
||||
QCryptographicHash md5(QCryptographicHash::Md5);
|
||||
md5.addData(getWebUiUsername().toLocal8Bit()+":"+QBT_REALM+":");
|
||||
md5.addData(clear_pass.toLocal8Bit());
|
||||
QString pass_md5(md5.result().toHex());
|
||||
settings.setValue("Preferences/WebUI/Password_md5", pass_md5);
|
||||
settings.setValue("Preferences/WebUI/Password_ha1", pass_md5);
|
||||
return pass_md5;
|
||||
}
|
||||
QString pass_md5 = settings.value("Preferences/WebUI/Password_md5", "").toString();
|
||||
if(pass_md5.isEmpty()) {
|
||||
QString pass_ha1 = settings.value("Preferences/WebUI/Password_ha1", "").toString();
|
||||
if(pass_ha1.isEmpty()) {
|
||||
QCryptographicHash md5(QCryptographicHash::Md5);
|
||||
md5.addData(getWebUiUsername().toLocal8Bit()+":"+QBT_REALM+":");
|
||||
md5.addData("adminadmin");
|
||||
pass_md5 = md5.result().toHex();
|
||||
pass_ha1 = md5.result().toHex();
|
||||
}
|
||||
return pass_md5;
|
||||
return pass_ha1;
|
||||
}
|
||||
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user