- Store Web UI password as md5

Changelog

@@ -45,6 +45,7 @@
     - WEB UI: Added internationalization support
     - WEB UI: Reduced computation in Javascript (do this one server side instead)
     - WEB UI: Fixed Transfer list flickering
+    - WEB UI: Password is now stored as md5
     - I18N: Added Serbian translation (By Anaximandar Milet)
     - COSMETIC: Merged download / upload lists
     - COSMETIC: Torrents can be filtered based on their status

src/httpserver.cpp

@@ -33,11 +33,13 @@
 #include "httpconnection.h"
 #include "eventmanager.h"
 #include "bittorrent.h"
+#include "preferences.h"
 #include <QTimer>
+#include <QCryptographicHash>
 
-HttpServer::HttpServer(Bittorrent *_BTSession, int msec, QObject* parent) : QTcpServer(parent)
+HttpServer::HttpServer(Bittorrent *_BTSession, int msec, QObject* parent) : QTcpServer(parent) {
-{
+  username = Preferences::getWebUiUsername().toLocal8Bit();
-	base64 = QByteArray(":").toBase64();
+  password_md5 = Preferences::getWebUiPassword().toLocal8Bit();
   connect(this, SIGNAL(newConnection()), this, SLOT(newHttpConnection()));
   BTSession = _BTSession;
   manager = new EventManager(this, BTSession);
@@ -110,15 +112,21 @@ void HttpServer::onTimer() {
   }
 }
 
-void HttpServer::setAuthorization(QString username, QString password)
+void HttpServer::setAuthorization(QString _username, QString _password_md5) {
-{
+  username = _username.toLocal8Bit();
-	QString cat = username + ":" + password;
+  password_md5 = _password_md5.toLocal8Bit();
-  base64 = QByteArray(cat.toLocal8Bit()).toBase64();
 }
 
-bool HttpServer::isAuthorized(QByteArray auth) const
+bool HttpServer::isAuthorized(QByteArray auth) const {
-{
+  // Decode Auth
-	return (auth == base64);
+  QByteArray decoded = QByteArray::fromBase64(auth);
+  QList<QByteArray> creds = decoded.split(':');
+  if(creds.size() != 2) return false;
+  QByteArray prop_username = creds.first();
+  if(prop_username != username) return false;
+  QCryptographicHash md5(QCryptographicHash::Md5);
+  md5.addData(creds.last());
+  return (password_md5 == md5.result().toHex());
 }
 
 EventManager* HttpServer::eventManager() const

src/httpserver.h

@@ -44,7 +44,8 @@ class HttpServer : public QTcpServer {
 	Q_OBJECT
 
 	private:
-		QByteArray base64;
+                QByteArray username;
+                QByteArray password_md5;
                 Bittorrent *BTSession;
 		EventManager *manager;
 		QTimer *timer;
@@ -52,7 +53,7 @@ class HttpServer : public QTcpServer {
 	public:
                 HttpServer(Bittorrent *BTSession, int msec, QObject* parent = 0);
 		~HttpServer();
-		void setAuthorization(QString username, QString password);
+                void setAuthorization(QString username, QString password_md5);
 		bool isAuthorized(QByteArray auth) const;
 		EventManager *eventManager() const;
 

src/options_imp.cpp

@@ -465,7 +465,8 @@ void options_imp::saveOptions(){
   {
     settings.setValue("Port", webUiPort());
     settings.setValue("Username", webUiUsername());
-    settings.setValue("Password", webUiPassword());
+    // FIXME: Check that the password is valid (not empty at least)
+    Preferences::setWebUiPassword(webUiPassword());
   }
   // End Web UI
   settings.endGroup();

src/preferences.h

@@ -32,6 +32,7 @@
 #define PREFERENCES_H
 
 #include <QSettings>
+#include <QCryptographicHash>
 #include <QPair>
 #include <QDir>
 
@@ -456,12 +457,40 @@ public:
 
   static QString getWebUiUsername() {
     QSettings settings("qBittorrent", "qBittorrent");
-    return settings.value("Preferences/WebUI/Username", "user").toString();
+    return settings.value("Preferences/WebUI/Username", "admin").toString();
+  }
+
+  static void setWebUiPassword(QString new_password) {
+    // Get current password md5
+    QString current_pass_md5 = getWebUiPassword();
+    // Check if password did not change
+    if(current_pass_md5 == new_password) return;
+    // Encode to md5 and save
+    QCryptographicHash md5(QCryptographicHash::Md5);
+    md5.addData(new_password.toLocal8Bit());
+    QSettings settings("qBittorrent", "qBittorrent");
+    settings.setValue("Preferences/WebUI/Password_md5", md5.result().toHex());
   }
 
   static QString getWebUiPassword() {
     QSettings settings("qBittorrent", "qBittorrent");
-    return settings.value("Preferences/WebUI/Password", "").toString();
+    // Here for backward compatiblity
+    if(settings.contains("Preferences/WebUI/Password")) {
+      QString clear_pass = settings.value("Preferences/WebUI/Password", "adminadmin").toString();
+      settings.remove("Preferences/WebUI/Password");
+      QCryptographicHash md5(QCryptographicHash::Md5);
+      md5.addData(clear_pass.toLocal8Bit());
+      QString pass_md5(md5.result().toHex());
+      settings.setValue("Preferences/WebUI/Password_md5", pass_md5);
+      return pass_md5;
+    }
+    QString pass_md5 = settings.value("Preferences/WebUI/Password_md5", "").toString();
+    if(pass_md5.isEmpty()) {
+      QCryptographicHash md5(QCryptographicHash::Md5);
+      md5.addData("adminadmin");
+      pass_md5 = md5.result().toHex();
+    }
+    return pass_md5;
   }
 
 };