Commit graph

123 commits

Author SHA1 Message Date
thalieht
947c7e1d64 Convert to range-based for loop 2019-02-16 16:53:26 +02:00
Vladimir Golovnev (Glassez)
b0446380c6
Separate URL components before percent-decoding
Allow special characters in query string parameters.
Closes #9116.
2019-01-27 15:33:19 +03:00
Vladimir Golovnev (Glassez)
2ce3aa9731
Drop legacy WebAPI support 2019-01-10 20:16:06 +03:00
Chocobo1
e98d4e874f
Unify translation files loading action
Since it is possible alternative WebUI could be coded in languages other than English,
WebUI must be able to load user-provided webui_en.qm.
At least one translated string must exist in order to generate an usable .qm file.
2018-12-18 23:14:09 +08:00
Chocobo1
c1912e17c1
Revise CSP header
The majority of the CSP is tuned for built-in WebUI, it may not be
suitable for alternative UI.

Also add QLatin1String to strings. This code path is called repeatedly,
it is worth adding QLatin1String to squeeze out the last bit of
performance.
2018-12-13 15:31:32 +08:00
Chocobo1
7fd30fa90f
Enforce referrer-policy in WebUI
This stops leaking private data to other websites via Referrer header.
2018-12-10 22:17:04 +08:00
thalieht
1f36b8b89f Combine qAsConst() with copyAsConst() to asConst() 2018-11-28 23:41:23 +02:00
thalieht
6b1d26d555 Convert all foreach() to range-based for() 2018-11-28 23:40:12 +02:00
Mike Tzou
45cfac6c00
Merge pull request #9891 from Chocobo1/i18n
Fix missing words in WebUI
2018-11-24 10:55:13 +08:00
Chocobo1
b79a231d2e
Fix missing words in WebUI
This is because Qt translator returns empty string when the translation
is not provided, now we fallback to the original string from source code.

Closes #9868.
2018-11-23 23:42:20 +08:00
Mike Tzou
70707a2664
Merge pull request #9884 from Piccirello/webui-cookie-samesite
Add SameSite attribute to WebUI session cookie
2018-11-22 10:40:37 +08:00
Thomas Piccirello
cd47380b85 Add SameSite attribute to WebUI session cookie
This attribute prevents the cookie from being submitted on any cross-site request, strongly limiting CSRF.

Closes #9877.
2018-11-20 22:12:24 -05:00
Chocobo1
344e47dcfb
Add option for WebUI Host header validation
Closes #9743.
2018-11-19 11:05:04 +08:00
Vladimir Golovnev (Glassez)
f309a5279e
Fix Alternative Web UI to be available 2018-10-29 08:32:57 +03:00
Vladimir Golovnev
7e36cc746f
Merge pull request #8584 from Piccirello/new-search-api-2
WebUI search API. Closes #2495
2018-10-24 13:13:16 +03:00
Vladimir Golovnev (Glassez)
c1a4ef1377
Use independent translation for WebUI 2018-10-09 11:10:08 +03:00
Thomas Piccirello
0b6ae68801 Add WebUI search API controller
Closes #2495.
2018-09-30 20:07:27 -04:00
Chocobo1
71dcc76a64
Replace png icons with svg 2018-08-14 17:03:14 +08:00
Chocobo1
e04aae686f
Cache more preference values
These values from Preference class are frequently used.
Also group related variables together.
2018-07-14 15:48:18 +08:00
thalieht
456270bbb1 Delete several unused #include 2018-07-03 08:38:32 +03:00
Chocobo1
050b78f378
Send Cache-Control header in WebUI responses
Tune the caching time to be shorter, in case there is a program
update.
Change the cacheability to private, as WebUI resources are not intended
to be cached at proxy.
For uncacheable responses, send out "no-store" explicitly to halt
browser caching.
2018-06-04 20:50:08 +08:00
Mike Tzou
5f8feec1c1
Merge pull request #9013 from Piccirello/strengthen-csp
More restrictive Content Security Policy
2018-06-03 21:43:39 +08:00
Chocobo1
09f759355f
Replace QRegExp with QRegularExpression
Revise `static` keyword usage, static is added to frequently used
instances.
2018-05-31 22:56:49 +08:00
Thomas Piccirello
43656aaa1e Add form-action to CSP
This option restricts all form submissions to the WebUI's origin.
qBittorrent only ever submits forms to the origin, so this is intended as a security measure.
2018-05-31 00:54:57 -04:00
Thomas Piccirello
8f98f87d12 Add upgrade-insecure-requests to CSP when HTTPS is enabled
This option automatically upgrades all http connections to https.
It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
2018-05-31 00:54:57 -04:00
Chocobo1
e8d378e167
Improve WebUI security measures
CSP was erroneously disabled in bad4d94f77
when clickjacking protection is off, now it is back.
Also added CSP 'frame-ancestors' directive when clickjacking
protection is enabled.
2018-05-29 13:40:52 +08:00
Mike Tzou
4a51f14328
Merge pull request #8967 from Chocobo1/protect
Add options to control WebUI security measures
2018-05-28 14:21:53 +08:00
Chocobo1
9eeef0be97
Add option to control CSRF protection
Some users are using WebUI with simple port-forwarding from their router,
providing an option to control the protection will save them from setting up an
non-trival web proxy.
Closes #7274.
2018-05-22 12:57:03 +08:00
Chocobo1
bad4d94f77
Add option to control WebUI clickjacking protection
Some users actually want embedding WebUI into their custom build iframe.
Closes #7370.
2018-05-22 01:07:25 +08:00
Chocobo1
ceaf755ac6
Make use of QStringLiteral
Only changed instances that are initialized at program start.
2018-05-18 02:14:49 +08:00
Mike Tzou
3b1fa19ea8
Merge pull request #8895 from Chocobo1/locale
Apply locale changes immediately in WebUI
2018-05-15 00:29:45 +08:00
Chocobo1
5ae926a376
Refactor code
Add const to variables.
No functionality change.
2018-05-13 15:05:30 +08:00
Chocobo1
92a4e73a22
Apply locale changes immediately in WebUI 2018-05-13 15:05:29 +08:00
Vladimir Golovnev (Glassez)
88f2a66aac
Fix params handling for some legacy API methods
Closes #8880.
2018-05-12 07:35:35 +03:00
Vladimir Golovnev (Glassez)
0fda49c060
Improve legacy API params handling 2018-05-12 07:35:31 +03:00
Vladimir Golovnev
3a0e5e51df
Merge pull request #8761 from thalieht/nullptr
Replace the zeroing of pointers with nullptr
2018-05-08 17:10:37 +03:00
Vladimir Golovnev (Glassez)
001bd38557
Fix pauseAll/resumeAll legacy API methods
Closes #8766.
2018-04-20 14:30:25 +03:00
thalieht
3e4099fe5b Replace the zeroing of pointers with nullptr 2018-04-15 13:06:31 +03:00
Chocobo1
fdf3ebbb6c
Remove usage of deprecated functions
Also use proper type for storing date/time data
2018-03-09 19:20:58 +08:00
Mike Tzou
5261d4375f
Merge pull request #8551 from Chocobo1/override
Fix warnings from linters
2018-03-09 00:36:52 +08:00
Chocobo1
0457fd260e
Avoid temporary QString allocations
This fixes clazy warning: Use multi-arg instead [-Wclazy-qstring-arg]
2018-03-07 20:06:00 +08:00
Vladimir Golovnev (Glassez)
1aca3b0adc
Parse URL query string at application level 2018-03-04 17:08:48 +03:00
Vladimir Golovnev (Glassez)
34456a7459
Fix Legacy Web API to be fully available 2018-02-28 18:25:48 +03:00
Vladimir Golovnev (Glassez)
27d8dbf13b
Redesign Web API
Normalize Web API method names.
Allow to use alternative Web UI.
Switch Web API version to standard form (i.e. "2.0").
Improve Web UI translation code.
Retranslate changed files.
Add Web API for RSS subsystem.
2018-01-28 19:16:24 +03:00
sledgehammer999
4e96a1065e
Bump API_VERSION to 16. 2017-11-22 01:14:33 +02:00
sledgehammer999
ffa6f7ea34
Bump API_VERSION to 16. 2017-11-03 01:57:32 +02:00
Mike Tzou
b6be5afb89 Merge pull request #7584 from Chocobo1/refactor
[WebAPI] Refactor
2017-10-23 19:36:28 +08:00
Chocobo1
ce362f0e5e
WebAPI refactor: utilize parseBool() function
Coding style cleanup
Rename variable
Return const reference
Add const
2017-10-18 22:27:59 +08:00
Chocobo1
f350977cb4
WebUI: add optional parameters for /command/download & /command/upload
Specifically:
torrent name: string
download limit, upload limit: number in bytes, default: -1 (unlimited)
sequential download, first last piece prio: boolean true/false, default: false
2017-10-11 20:25:11 +08:00
thalieht
525fdd6c2b Coding style, use nullptr and other minor things 2017-10-08 10:20:54 +03:00