2014-08-22 23:08:44 +04:00
|
|
|
/*
|
|
|
|
* Bittorrent Client using Qt and libtorrent.
|
|
|
|
* Copyright (C) 2014 Vladimir Golovnev <glassez@yandex.ru>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
*
|
|
|
|
* In addition, as a special exception, the copyright holders give permission to
|
|
|
|
* link this program with the OpenSSL project's "OpenSSL" library (or with
|
|
|
|
* modified versions of it that use the same license as the "OpenSSL" library),
|
|
|
|
* and distribute the linked executables. You must obey the GNU General Public
|
|
|
|
* License in all respects for all of the code used other than "OpenSSL". If you
|
|
|
|
* modify file(s), you may extend this exception to your version of the file(s),
|
|
|
|
* but you are not obligated to do so. If you do not wish to do so, delete this
|
|
|
|
* exception statement from your version.
|
|
|
|
*/
|
|
|
|
|
2017-09-07 03:00:04 +03:00
|
|
|
#include "webapplication.h"
|
2017-07-04 12:54:43 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
#include <algorithm>
|
2015-09-25 11:10:05 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
#include <QDateTime>
|
2017-09-07 03:00:04 +03:00
|
|
|
#include <QDebug>
|
2017-10-14 16:27:21 +03:00
|
|
|
#include <QFile>
|
|
|
|
#include <QFileInfo>
|
|
|
|
#include <QJsonDocument>
|
|
|
|
#include <QMimeDatabase>
|
|
|
|
#include <QMimeType>
|
2019-05-16 08:41:29 +03:00
|
|
|
#include <QNetworkCookie>
|
2017-10-14 16:27:21 +03:00
|
|
|
#include <QRegExp>
|
|
|
|
#include <QUrl>
|
2017-09-07 03:00:04 +03:00
|
|
|
|
2019-05-12 08:26:06 +03:00
|
|
|
#include "base/algorithm.h"
|
2018-03-01 16:57:44 +03:00
|
|
|
#include "base/global.h"
|
2017-10-14 16:27:21 +03:00
|
|
|
#include "base/http/httperror.h"
|
2017-08-06 12:04:39 +03:00
|
|
|
#include "base/logger.h"
|
2017-09-19 08:41:57 +03:00
|
|
|
#include "base/preferences.h"
|
2018-03-01 16:57:44 +03:00
|
|
|
#include "base/utils/bytearray.h"
|
2015-09-25 11:10:05 +03:00
|
|
|
#include "base/utils/fs.h"
|
2017-09-19 08:41:57 +03:00
|
|
|
#include "base/utils/misc.h"
|
2017-10-14 16:27:21 +03:00
|
|
|
#include "base/utils/random.h"
|
2015-09-25 11:10:05 +03:00
|
|
|
#include "base/utils/string.h"
|
2017-10-14 16:27:21 +03:00
|
|
|
#include "api/apierror.h"
|
|
|
|
#include "api/appcontroller.h"
|
|
|
|
#include "api/authcontroller.h"
|
|
|
|
#include "api/logcontroller.h"
|
|
|
|
#include "api/rsscontroller.h"
|
2018-06-07 03:47:27 +03:00
|
|
|
#include "api/searchcontroller.h"
|
2017-10-14 16:27:21 +03:00
|
|
|
#include "api/synccontroller.h"
|
|
|
|
#include "api/torrentscontroller.h"
|
|
|
|
#include "api/transfercontroller.h"
|
|
|
|
|
|
|
|
constexpr int MAX_ALLOWED_FILESIZE = 10 * 1024 * 1024;
|
|
|
|
|
2018-05-17 04:50:58 +03:00
|
|
|
const QString PATH_PREFIX_IMAGES {QStringLiteral("/images/")};
|
|
|
|
const QString WWW_FOLDER {QStringLiteral(":/www")};
|
|
|
|
const QString PUBLIC_FOLDER {QStringLiteral("/public")};
|
|
|
|
const QString PRIVATE_FOLDER {QStringLiteral("/private")};
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-09-19 08:41:57 +03:00
|
|
|
namespace
|
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
QStringMap parseCookie(const QString &cookieStr)
|
2017-09-19 08:41:57 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
// [rfc6265] 4.2.1. Syntax
|
|
|
|
QStringMap ret;
|
|
|
|
const QVector<QStringRef> cookies = cookieStr.splitRef(';', QString::SkipEmptyParts);
|
|
|
|
|
|
|
|
for (const auto &cookie : cookies) {
|
|
|
|
const int idx = cookie.indexOf('=');
|
|
|
|
if (idx < 0)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
const QString name = cookie.left(idx).trimmed().toString();
|
|
|
|
const QString value = Utils::String::unquote(cookie.mid(idx + 1).trimmed()).toString();
|
|
|
|
ret.insert(name, value);
|
|
|
|
}
|
|
|
|
return ret;
|
2017-09-19 08:41:57 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
inline QUrl urlFromHostHeader(const QString &hostHeader)
|
|
|
|
{
|
|
|
|
if (!hostHeader.contains(QLatin1String("://")))
|
2019-02-14 20:16:42 +03:00
|
|
|
return {QLatin1String("http://") + hostHeader};
|
2017-10-14 16:27:21 +03:00
|
|
|
return hostHeader;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2018-05-28 07:32:31 +03:00
|
|
|
|
|
|
|
QString getCachingInterval(QString contentType)
|
|
|
|
{
|
|
|
|
contentType = contentType.toLower();
|
|
|
|
|
|
|
|
if (contentType.startsWith(QLatin1String("image/")))
|
|
|
|
return QLatin1String("private, max-age=604800"); // 1 week
|
|
|
|
|
|
|
|
if ((contentType == Http::CONTENT_TYPE_CSS)
|
|
|
|
|| (contentType == Http::CONTENT_TYPE_JS)) {
|
|
|
|
// short interval in case of program update
|
|
|
|
return QLatin1String("private, max-age=43200"); // 12 hrs
|
|
|
|
}
|
|
|
|
|
|
|
|
return QLatin1String("no-store");
|
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
WebApplication::WebApplication(QObject *parent)
|
|
|
|
: QObject(parent)
|
2019-04-17 15:09:03 +03:00
|
|
|
, m_cacheID {QString::number(Utils::Random::rand(), 36)}
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
registerAPIController(QLatin1String("app"), new AppController(this, this));
|
|
|
|
registerAPIController(QLatin1String("auth"), new AuthController(this, this));
|
|
|
|
registerAPIController(QLatin1String("log"), new LogController(this, this));
|
|
|
|
registerAPIController(QLatin1String("rss"), new RSSController(this, this));
|
2018-06-07 03:47:27 +03:00
|
|
|
registerAPIController(QLatin1String("search"), new SearchController(this, this));
|
2017-10-14 16:27:21 +03:00
|
|
|
registerAPIController(QLatin1String("sync"), new SyncController(this, this));
|
|
|
|
registerAPIController(QLatin1String("torrents"), new TorrentsController(this, this));
|
|
|
|
registerAPIController(QLatin1String("transfer"), new TransferController(this, this));
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
declarePublicAPI(QLatin1String("auth/login"));
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
configure();
|
|
|
|
connect(Preferences::instance(), &Preferences::changed, this, &WebApplication::configure);
|
2015-06-12 18:52:01 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
WebApplication::~WebApplication()
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
// cleanup sessions data
|
|
|
|
qDeleteAll(m_sessions);
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::sendWebUIFile()
|
2014-12-21 16:00:00 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
const QStringList pathItems {request().path.split('/', QString::SkipEmptyParts)};
|
|
|
|
if (pathItems.contains(".") || pathItems.contains(".."))
|
|
|
|
throw InternalServerErrorHTTPError();
|
2014-12-21 16:00:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (!m_isAltUIUsed) {
|
|
|
|
if (request().path.startsWith(PATH_PREFIX_IMAGES)) {
|
|
|
|
const QString imageFilename {request().path.mid(PATH_PREFIX_IMAGES.size())};
|
|
|
|
sendFile(QLatin1String(":/icons/") + imageFilename);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
2014-12-21 16:00:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
const QString path {
|
|
|
|
(request().path != QLatin1String("/")
|
|
|
|
? request().path
|
2019-04-13 13:41:29 +03:00
|
|
|
: QLatin1String("/index.html"))
|
2017-10-14 16:27:21 +03:00
|
|
|
};
|
2014-12-21 16:00:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QString localPath {
|
|
|
|
m_rootFolder
|
|
|
|
+ (session() ? PRIVATE_FOLDER : PUBLIC_FOLDER)
|
|
|
|
+ path
|
|
|
|
};
|
2014-12-21 16:00:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QFileInfo fileInfo {localPath};
|
2014-12-21 16:00:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (!fileInfo.exists() && session()) {
|
|
|
|
// try to send public file if there is no private one
|
|
|
|
localPath = m_rootFolder + PUBLIC_FOLDER + path;
|
|
|
|
fileInfo.setFile(localPath);
|
|
|
|
}
|
2014-12-21 16:00:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (m_isAltUIUsed) {
|
|
|
|
#ifdef Q_OS_UNIX
|
|
|
|
if (!Utils::Fs::isRegularFile(localPath)) {
|
|
|
|
status(500, "Internal Server Error");
|
|
|
|
print(tr("Unacceptable file type, only regular file is allowed."), Http::CONTENT_TYPE_TXT);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
#endif
|
2017-04-05 19:36:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
while (fileInfo.filePath() != m_rootFolder) {
|
|
|
|
if (fileInfo.isSymLink())
|
|
|
|
throw InternalServerErrorHTTPError(tr("Symlinks inside alternative UI folder are forbidden."));
|
2017-04-05 19:36:00 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
fileInfo.setFile(fileInfo.path());
|
|
|
|
}
|
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
sendFile(localPath);
|
2015-11-12 22:19:44 +03:00
|
|
|
}
|
|
|
|
|
2018-06-07 20:07:28 +03:00
|
|
|
void WebApplication::translateDocument(QString &data)
|
|
|
|
{
|
|
|
|
const QRegularExpression regex("QBT_TR\\((([^\\)]|\\)(?!QBT_TR))+)\\)QBT_TR\\[CONTEXT=([a-zA-Z_][a-zA-Z0-9_]*)\\]");
|
|
|
|
|
|
|
|
int i = 0;
|
|
|
|
bool found = true;
|
|
|
|
while (i < data.size() && found) {
|
|
|
|
QRegularExpressionMatch regexMatch;
|
|
|
|
i = data.indexOf(regex, i, ®exMatch);
|
|
|
|
if (i >= 0) {
|
2018-11-23 18:37:03 +03:00
|
|
|
const QString sourceText = regexMatch.captured(1);
|
2018-06-07 20:07:28 +03:00
|
|
|
const QString context = regexMatch.captured(3);
|
|
|
|
|
2018-12-08 07:03:43 +03:00
|
|
|
const QString loadedText = m_translationFileLoaded
|
|
|
|
? m_translator.translate(context.toUtf8().constData(), sourceText.toUtf8().constData())
|
|
|
|
: QString();
|
|
|
|
// `loadedText` is empty when translation is not provided
|
|
|
|
// it should fallback to `sourceText`
|
|
|
|
QString translation = loadedText.isEmpty() ? sourceText : loadedText;
|
2018-06-07 20:07:28 +03:00
|
|
|
|
|
|
|
// Use HTML code for quotes to prevent issues with JS
|
|
|
|
translation.replace('\'', "'");
|
|
|
|
translation.replace('\"', """);
|
|
|
|
|
|
|
|
data.replace(i, regexMatch.capturedLength(), translation);
|
|
|
|
i += translation.length();
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
found = false; // no more translatable strings
|
|
|
|
}
|
|
|
|
|
|
|
|
data.replace(QLatin1String("${LANG}"), m_currentLocale.left(2));
|
2019-04-17 15:09:03 +03:00
|
|
|
data.replace(QLatin1String("${CACHEID}"), m_cacheID);
|
2018-06-07 20:07:28 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
WebSession *WebApplication::session()
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
return m_currentSession;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
const Http::Request &WebApplication::request() const
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
return m_request;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
const Http::Environment &WebApplication::env() const
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
return m_env;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::doProcessRequest()
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2019-01-10 20:16:06 +03:00
|
|
|
const QRegularExpressionMatch match = m_apiPathPattern.match(request().path);
|
|
|
|
if (!match.hasMatch()) {
|
|
|
|
sendWebUIFile();
|
|
|
|
return;
|
|
|
|
}
|
2017-10-14 16:27:21 +03:00
|
|
|
|
2019-01-10 20:16:06 +03:00
|
|
|
const QString action = match.captured(QLatin1String("action"));
|
|
|
|
const QString scope = match.captured(QLatin1String("scope"));
|
2017-10-14 16:27:21 +03:00
|
|
|
|
|
|
|
APIController *controller = m_apiControllers.value(scope);
|
2019-01-10 20:16:06 +03:00
|
|
|
if (!controller)
|
|
|
|
throw NotFoundHTTPError();
|
|
|
|
|
|
|
|
if (!session() && !isPublicAPI(scope, action))
|
|
|
|
throw ForbiddenHTTPError();
|
|
|
|
|
|
|
|
DataMap data;
|
|
|
|
for (const Http::UploadedFile &torrent : request().files)
|
|
|
|
data[torrent.filename] = torrent.data;
|
|
|
|
|
|
|
|
try {
|
|
|
|
const QVariant result = controller->run(action, m_params, data);
|
|
|
|
switch (result.userType()) {
|
|
|
|
case QMetaType::QString:
|
|
|
|
print(result.toString(), Http::CONTENT_TYPE_TXT);
|
|
|
|
break;
|
|
|
|
case QMetaType::QJsonDocument:
|
|
|
|
print(result.toJsonDocument().toJson(QJsonDocument::Compact), Http::CONTENT_TYPE_JSON);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
print(result.toString(), Http::CONTENT_TYPE_TXT);
|
|
|
|
break;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2017-10-14 16:27:21 +03:00
|
|
|
}
|
2019-01-10 20:16:06 +03:00
|
|
|
catch (const APIError &error) {
|
|
|
|
// re-throw as HTTPError
|
|
|
|
switch (error.type()) {
|
|
|
|
case APIErrorType::AccessDenied:
|
|
|
|
throw ForbiddenHTTPError(error.message());
|
|
|
|
case APIErrorType::BadData:
|
|
|
|
throw UnsupportedMediaTypeHTTPError(error.message());
|
|
|
|
case APIErrorType::BadParams:
|
|
|
|
throw BadRequestHTTPError(error.message());
|
|
|
|
case APIErrorType::Conflict:
|
|
|
|
throw ConflictHTTPError(error.message());
|
|
|
|
case APIErrorType::NotFound:
|
|
|
|
throw NotFoundHTTPError(error.message());
|
|
|
|
default:
|
|
|
|
Q_ASSERT(false);
|
2014-08-22 23:08:44 +04:00
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::configure()
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2018-10-28 19:27:45 +03:00
|
|
|
const auto *pref = Preferences::instance();
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2018-10-28 19:27:45 +03:00
|
|
|
const bool isAltUIUsed = pref->isAltWebUiEnabled();
|
2017-10-14 16:27:21 +03:00
|
|
|
const QString rootFolder = Utils::Fs::expandPathAbs(
|
2018-10-28 19:27:45 +03:00
|
|
|
!isAltUIUsed ? WWW_FOLDER : pref->getWebUiRootFolder());
|
|
|
|
if ((isAltUIUsed != m_isAltUIUsed) || (rootFolder != m_rootFolder)) {
|
|
|
|
m_isAltUIUsed = isAltUIUsed;
|
2017-10-14 16:27:21 +03:00
|
|
|
m_rootFolder = rootFolder;
|
2018-10-28 19:27:45 +03:00
|
|
|
m_translatedFiles.clear();
|
|
|
|
if (!m_isAltUIUsed)
|
|
|
|
LogMsg(tr("Using built-in Web UI."));
|
|
|
|
else
|
|
|
|
LogMsg(tr("Using custom Web UI. Location: \"%1\".").arg(m_rootFolder));
|
2017-10-14 16:27:21 +03:00
|
|
|
}
|
2018-05-11 15:45:00 +03:00
|
|
|
|
|
|
|
const QString newLocale = pref->getLocale();
|
|
|
|
if (m_currentLocale != newLocale) {
|
|
|
|
m_currentLocale = newLocale;
|
|
|
|
m_translatedFiles.clear();
|
2018-12-08 07:03:43 +03:00
|
|
|
|
|
|
|
m_translationFileLoaded = m_translator.load(m_rootFolder + QLatin1String("/translations/webui_") + newLocale);
|
|
|
|
if (m_translationFileLoaded) {
|
|
|
|
LogMsg(tr("Web UI translation for selected locale (%1) has been successfully loaded.")
|
|
|
|
.arg(newLocale));
|
2018-06-07 20:07:28 +03:00
|
|
|
}
|
|
|
|
else {
|
2018-12-08 07:03:43 +03:00
|
|
|
LogMsg(tr("Couldn't load Web UI translation for selected locale (%1).").arg(newLocale), Log::WARNING);
|
2018-06-07 20:07:28 +03:00
|
|
|
}
|
2018-05-11 15:45:00 +03:00
|
|
|
}
|
2018-05-21 18:33:44 +03:00
|
|
|
|
2018-07-14 10:47:34 +03:00
|
|
|
m_isLocalAuthEnabled = pref->isWebUiLocalAuthEnabled();
|
|
|
|
m_isAuthSubnetWhitelistEnabled = pref->isWebUiAuthSubnetWhitelistEnabled();
|
|
|
|
m_authSubnetWhitelist = pref->getWebUiAuthSubnetWhitelist();
|
2019-06-13 17:43:34 +03:00
|
|
|
m_sessionTimeout = pref->getWebUISessionTimeout();
|
2018-07-14 10:47:34 +03:00
|
|
|
|
|
|
|
m_domainList = pref->getServerDomains().split(';', QString::SkipEmptyParts);
|
|
|
|
std::for_each(m_domainList.begin(), m_domainList.end(), [](QString &entry) { entry = entry.trimmed(); });
|
|
|
|
|
2018-05-21 18:33:44 +03:00
|
|
|
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
|
2018-05-21 19:43:33 +03:00
|
|
|
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
|
2018-11-16 08:41:27 +03:00
|
|
|
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
|
2018-05-31 07:44:48 +03:00
|
|
|
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
|
2018-12-10 17:26:46 +03:00
|
|
|
|
|
|
|
m_contentSecurityPolicy =
|
|
|
|
(m_isAltUIUsed
|
|
|
|
? QLatin1String("")
|
|
|
|
: QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
|
|
|
|
+ (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
|
|
|
|
+ (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
Q_ASSERT(controller);
|
|
|
|
Q_ASSERT(!m_apiControllers.value(scope));
|
2015-04-19 18:17:47 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
m_apiControllers[scope] = controller;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::declarePublicAPI(const QString &apiPath)
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
m_publicAPIs << apiPath;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::sendFile(const QString &path)
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
const QDateTime lastModified {QFileInfo(path).lastModified()};
|
2015-04-19 18:17:47 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// find translated file in cache
|
|
|
|
auto it = m_translatedFiles.constFind(path);
|
|
|
|
if ((it != m_translatedFiles.constEnd()) && (lastModified <= (*it).lastModified)) {
|
2018-05-28 07:32:31 +03:00
|
|
|
const QString mimeName {QMimeDatabase().mimeTypeForFileNameAndData(path, (*it).data).name()};
|
|
|
|
print((*it).data, mimeName);
|
|
|
|
header(Http::HEADER_CACHE_CONTROL, getCachingInterval(mimeName));
|
2017-10-14 16:27:21 +03:00
|
|
|
return;
|
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QFile file {path};
|
|
|
|
if (!file.open(QIODevice::ReadOnly)) {
|
|
|
|
qDebug("File %s was not found!", qUtf8Printable(path));
|
|
|
|
throw NotFoundHTTPError();
|
|
|
|
}
|
2018-03-06 18:49:12 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (file.size() > MAX_ALLOWED_FILESIZE) {
|
|
|
|
qWarning("%s: exceeded the maximum allowed file size!", qUtf8Printable(path));
|
|
|
|
throw InternalServerErrorHTTPError(tr("Exceeded the maximum allowed file size (%1)!")
|
|
|
|
.arg(Utils::Misc::friendlyUnit(MAX_ALLOWED_FILESIZE)));
|
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QByteArray data {file.readAll()};
|
|
|
|
file.close();
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2018-05-28 07:32:31 +03:00
|
|
|
const QMimeType mimeType {QMimeDatabase().mimeTypeForFileNameAndData(path, data)};
|
|
|
|
const bool isTranslatable {mimeType.inherits(QLatin1String("text/plain"))};
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// Translate the file
|
|
|
|
if (isTranslatable) {
|
|
|
|
QString dataStr {data};
|
2018-06-07 20:07:28 +03:00
|
|
|
translateDocument(dataStr);
|
2017-10-14 16:27:21 +03:00
|
|
|
data = dataStr.toUtf8();
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
m_translatedFiles[path] = {data, lastModified}; // caching translated file
|
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2018-05-28 07:32:31 +03:00
|
|
|
print(data, mimeType.name());
|
|
|
|
header(Http::HEADER_CACHE_CONTROL, getCachingInterval(mimeType.name()));
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
Http::Response WebApplication::processRequest(const Http::Request &request, const Http::Environment &env)
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
m_currentSession = nullptr;
|
|
|
|
m_request = request;
|
|
|
|
m_env = env;
|
2018-03-01 16:57:44 +03:00
|
|
|
m_params.clear();
|
2019-05-09 06:17:41 +03:00
|
|
|
|
2018-03-01 16:57:44 +03:00
|
|
|
if (m_request.method == Http::METHOD_GET) {
|
2019-05-09 06:52:58 +03:00
|
|
|
for (auto iter = m_request.query.cbegin(); iter != m_request.query.cend(); ++iter)
|
|
|
|
m_params[iter.key()] = QString::fromUtf8(iter.value());
|
2018-03-01 16:57:44 +03:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
m_params = m_request.posts;
|
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// clear response
|
|
|
|
clear();
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
try {
|
2018-05-21 19:43:33 +03:00
|
|
|
// block suspicious requests
|
|
|
|
if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
|
2018-11-16 08:41:27 +03:00
|
|
|
|| (m_isHostHeaderValidationEnabled && !validateHostHeader(m_domainList))) {
|
2017-10-14 16:27:21 +03:00
|
|
|
throw UnauthorizedHTTPError();
|
2018-05-21 19:43:33 +03:00
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
sessionInitialize();
|
|
|
|
doProcessRequest();
|
2015-02-01 20:08:45 +03:00
|
|
|
}
|
2017-10-14 16:27:21 +03:00
|
|
|
catch (const HTTPError &error) {
|
|
|
|
status(error.statusCode(), error.statusText());
|
|
|
|
if (!error.message().isEmpty())
|
|
|
|
print(error.message(), Http::CONTENT_TYPE_TXT);
|
2015-02-01 20:45:37 +03:00
|
|
|
}
|
2015-01-28 12:03:22 +03:00
|
|
|
|
2018-12-10 17:26:46 +03:00
|
|
|
header(QLatin1String(Http::HEADER_X_XSS_PROTECTION), QLatin1String("1; mode=block"));
|
|
|
|
header(QLatin1String(Http::HEADER_X_CONTENT_TYPE_OPTIONS), QLatin1String("nosniff"));
|
2018-05-21 18:33:44 +03:00
|
|
|
|
2018-12-10 17:26:46 +03:00
|
|
|
if (m_isClickjackingProtectionEnabled)
|
|
|
|
header(QLatin1String(Http::HEADER_X_FRAME_OPTIONS), QLatin1String("SAMEORIGIN"));
|
2018-05-29 08:40:52 +03:00
|
|
|
|
2018-12-10 17:14:53 +03:00
|
|
|
if (!m_isAltUIUsed)
|
2018-12-10 17:26:46 +03:00
|
|
|
header(QLatin1String(Http::HEADER_REFERRER_POLICY), QLatin1String("same-origin"));
|
|
|
|
|
|
|
|
if (!m_contentSecurityPolicy.isEmpty())
|
|
|
|
header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
|
2018-12-10 17:14:53 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
return response();
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QString WebApplication::clientId() const
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
return env().clientAddress.toString();
|
2014-08-22 23:08:44 +04:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::sessionInitialize()
|
2014-08-22 23:08:44 +04:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
Q_ASSERT(!m_currentSession);
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
const QString sessionId {parseCookie(m_request.headers.value(QLatin1String("cookie"))).value(C_SID)};
|
2015-01-30 23:58:27 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// TODO: Additional session check
|
|
|
|
|
|
|
|
if (!sessionId.isEmpty()) {
|
|
|
|
m_currentSession = m_sessions.value(sessionId);
|
|
|
|
if (m_currentSession) {
|
2019-06-13 17:43:34 +03:00
|
|
|
if (m_currentSession->hasExpired(m_sessionTimeout)) {
|
2017-10-14 16:27:21 +03:00
|
|
|
// session is outdated - removing it
|
|
|
|
delete m_sessions.take(sessionId);
|
|
|
|
m_currentSession = nullptr;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
m_currentSession->updateTimestamp();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
qDebug() << Q_FUNC_INFO << "session does not exist!";
|
|
|
|
}
|
2015-04-15 20:13:18 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (!m_currentSession && !isAuthNeeded())
|
|
|
|
sessionStart();
|
2014-08-22 23:08:44 +04:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QString WebApplication::generateSid() const
|
2014-08-22 23:08:44 +04:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
QString sid;
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
do {
|
2019-02-13 17:45:54 +03:00
|
|
|
const quint32 tmp[] = {Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()
|
|
|
|
, Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()};
|
|
|
|
sid = QByteArray::fromRawData(reinterpret_cast<const char *>(tmp), sizeof(tmp)).toBase64();
|
2015-04-03 18:51:26 +03:00
|
|
|
}
|
2017-10-14 16:27:21 +03:00
|
|
|
while (m_sessions.contains(sid));
|
2015-04-03 18:51:26 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
return sid;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
bool WebApplication::isAuthNeeded()
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2018-07-14 10:47:34 +03:00
|
|
|
if (!m_isLocalAuthEnabled && Utils::Net::isLoopbackAddress(m_env.clientAddress))
|
2017-10-14 16:27:21 +03:00
|
|
|
return false;
|
2018-07-14 10:47:34 +03:00
|
|
|
if (m_isAuthSubnetWhitelistEnabled && Utils::Net::isIPInRange(m_env.clientAddress, m_authSubnetWhitelist))
|
2017-10-14 16:27:21 +03:00
|
|
|
return false;
|
|
|
|
return true;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
bool WebApplication::isPublicAPI(const QString &scope, const QString &action) const
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2018-03-06 18:49:12 +03:00
|
|
|
return m_publicAPIs.contains(QString::fromLatin1("%1/%2").arg(scope, action));
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::sessionStart()
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
Q_ASSERT(!m_currentSession);
|
2015-04-03 18:51:26 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// remove outdated sessions
|
2019-06-13 17:43:34 +03:00
|
|
|
Algorithm::removeIf(m_sessions, [this](const QString &, const WebSession *session)
|
2019-05-12 08:26:06 +03:00
|
|
|
{
|
2019-06-13 17:43:34 +03:00
|
|
|
if (session->hasExpired(m_sessionTimeout)) {
|
|
|
|
delete session;
|
|
|
|
return true;
|
|
|
|
}
|
2019-05-12 08:26:06 +03:00
|
|
|
|
2019-06-13 17:43:34 +03:00
|
|
|
return false;
|
2019-05-12 08:26:06 +03:00
|
|
|
});
|
2015-04-03 18:51:26 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
m_currentSession = new WebSession(generateSid());
|
|
|
|
m_sessions[m_currentSession->id()] = m_currentSession;
|
|
|
|
|
|
|
|
QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
|
|
|
|
cookie.setHttpOnly(true);
|
|
|
|
cookie.setPath(QLatin1String("/"));
|
2018-11-20 10:56:30 +03:00
|
|
|
QByteArray cookieRawForm = cookie.toRawForm();
|
|
|
|
if (m_isCSRFProtectionEnabled)
|
|
|
|
cookieRawForm.append("; SameSite=Strict");
|
|
|
|
header(Http::HEADER_SET_COOKIE, cookieRawForm);
|
2014-08-22 23:08:44 +04:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebApplication::sessionEnd()
|
2017-08-06 12:04:39 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
Q_ASSERT(m_currentSession);
|
2017-08-06 12:04:39 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QNetworkCookie cookie(C_SID);
|
|
|
|
cookie.setPath(QLatin1String("/"));
|
|
|
|
cookie.setExpirationDate(QDateTime::currentDateTime().addDays(-1));
|
2017-08-06 12:04:39 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
delete m_sessions.take(m_currentSession->id());
|
|
|
|
m_currentSession = nullptr;
|
2017-08-06 12:04:39 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
header(Http::HEADER_SET_COOKIE, cookie.toRawForm());
|
2017-08-06 12:04:39 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
bool WebApplication::isCrossSiteRequest(const Http::Request &request) const
|
2017-07-04 12:54:43 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
// https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers
|
2017-07-04 12:54:43 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
const auto isSameOrigin = [](const QUrl &left, const QUrl &right) -> bool
|
|
|
|
{
|
|
|
|
// [rfc6454] 5. Comparing Origins
|
|
|
|
return ((left.port() == right.port())
|
|
|
|
// && (left.scheme() == right.scheme()) // not present in this context
|
|
|
|
&& (left.host() == right.host()));
|
|
|
|
};
|
2017-07-04 12:54:43 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
const QString targetOrigin = request.headers.value(Http::HEADER_X_FORWARDED_HOST, request.headers.value(Http::HEADER_HOST));
|
|
|
|
const QString originValue = request.headers.value(Http::HEADER_ORIGIN);
|
|
|
|
const QString refererValue = request.headers.value(Http::HEADER_REFERER);
|
|
|
|
|
|
|
|
if (originValue.isEmpty() && refererValue.isEmpty()) {
|
|
|
|
// owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
|
|
|
|
// so lets be permissive here
|
|
|
|
return false;
|
2017-07-04 12:54:43 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// sent with CORS requests, as well as with POST requests
|
|
|
|
if (!originValue.isEmpty()) {
|
|
|
|
const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), originValue);
|
|
|
|
if (isInvalid)
|
|
|
|
LogMsg(tr("WebUI: Origin header & Target origin mismatch! Source IP: '%1'. Origin header: '%2'. Target origin: '%3'")
|
2018-03-06 18:49:12 +03:00
|
|
|
.arg(m_env.clientAddress.toString(), originValue, targetOrigin)
|
2017-10-14 16:27:21 +03:00
|
|
|
, Log::WARNING);
|
|
|
|
return isInvalid;
|
2017-07-05 08:47:23 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (!refererValue.isEmpty()) {
|
|
|
|
const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), refererValue);
|
|
|
|
if (isInvalid)
|
|
|
|
LogMsg(tr("WebUI: Referer header & Target origin mismatch! Source IP: '%1'. Referer header: '%2'. Target origin: '%3'")
|
2018-03-06 18:49:12 +03:00
|
|
|
.arg(m_env.clientAddress.toString(), refererValue, targetOrigin)
|
2017-10-14 16:27:21 +03:00
|
|
|
, Log::WARNING);
|
|
|
|
return isInvalid;
|
|
|
|
}
|
2015-04-19 18:17:47 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
return true;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|
2014-08-22 23:08:44 +04:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
bool WebApplication::validateHostHeader(const QStringList &domains) const
|
2015-02-27 04:52:38 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
const QUrl hostHeader = urlFromHostHeader(m_request.headers[Http::HEADER_HOST]);
|
|
|
|
const QString requestHost = hostHeader.host();
|
|
|
|
|
|
|
|
// (if present) try matching host header's port with local port
|
|
|
|
const int requestPort = hostHeader.port();
|
|
|
|
if ((requestPort != -1) && (m_env.localPort != requestPort)) {
|
|
|
|
LogMsg(tr("WebUI: Invalid Host header, port mismatch. Request source IP: '%1'. Server port: '%2'. Received Host header: '%3'")
|
|
|
|
.arg(m_env.clientAddress.toString()).arg(m_env.localPort)
|
|
|
|
.arg(m_request.headers[Http::HEADER_HOST])
|
|
|
|
, Log::WARNING);
|
|
|
|
return false;
|
2015-02-27 04:52:38 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// try matching host header with local address
|
|
|
|
const bool sameAddr = m_env.localAddress.isEqual(QHostAddress(requestHost));
|
2016-01-21 15:32:13 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
if (sameAddr)
|
|
|
|
return true;
|
2016-01-21 15:32:13 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// try matching host header with domain list
|
|
|
|
for (const auto &domain : domains) {
|
|
|
|
QRegExp domainRegex(domain, Qt::CaseInsensitive, QRegExp::Wildcard);
|
|
|
|
if (requestHost.contains(domainRegex))
|
|
|
|
return true;
|
2016-01-21 15:32:13 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
LogMsg(tr("WebUI: Invalid Host header. Request source IP: '%1'. Received Host header: '%2'")
|
2018-03-06 18:49:12 +03:00
|
|
|
.arg(m_env.clientAddress.toString(), m_request.headers[Http::HEADER_HOST])
|
2017-10-14 16:27:21 +03:00
|
|
|
, Log::WARNING);
|
|
|
|
return false;
|
2016-01-21 15:32:13 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
// WebSession
|
2016-01-21 16:42:20 +03:00
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
WebSession::WebSession(const QString &sid)
|
|
|
|
: m_sid {sid}
|
|
|
|
{
|
|
|
|
updateTimestamp();
|
2016-01-21 16:42:20 +03:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QString WebSession::id() const
|
2015-10-22 07:36:36 +03:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
return m_sid;
|
2015-10-22 07:36:36 +03:00
|
|
|
}
|
|
|
|
|
2019-06-13 17:43:34 +03:00
|
|
|
bool WebSession::hasExpired(const qint64 seconds) const
|
2015-01-28 12:03:22 +03:00
|
|
|
{
|
2019-06-13 17:43:34 +03:00
|
|
|
if (seconds <= 0)
|
|
|
|
return false;
|
|
|
|
return m_timer.hasExpired(seconds * 1000);
|
|
|
|
}
|
|
|
|
|
|
|
|
void WebSession::updateTimestamp()
|
|
|
|
{
|
|
|
|
m_timer.start();
|
2014-08-22 23:08:44 +04:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
QVariant WebSession::getData(const QString &id) const
|
2014-08-22 23:08:44 +04:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
return m_data.value(id);
|
2014-08-22 23:08:44 +04:00
|
|
|
}
|
|
|
|
|
2017-10-14 16:27:21 +03:00
|
|
|
void WebSession::setData(const QString &id, const QVariant &data)
|
2014-08-22 23:08:44 +04:00
|
|
|
{
|
2017-10-14 16:27:21 +03:00
|
|
|
m_data[id] = data;
|
2015-01-28 12:03:22 +03:00
|
|
|
}
|