search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Sync translations from Transifex and run lupdate
[qBittorrent.git] / src / webui / webapplication.cpp
blobc85bc9ca84509e8d8452b7dcd122fa6daca81784
1 /*
2 * Bittorrent Client using Qt and libtorrent.
3 * Copyright (C) 2014, 2022 Vladimir Golovnev <glassez@yandex.ru>
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 *
19 * In addition, as a special exception, the copyright holders give permission to
20 * link this program with the OpenSSL project's "OpenSSL" library (or with
21 * modified versions of it that use the same license as the "OpenSSL" library),
22 * and distribute the linked executables. You must obey the GNU General Public
23 * License in all respects for all of the code used other than "OpenSSL". If you
24 * modify file(s), you may extend this exception to your version of the file(s),
25 * but you are not obligated to do so. If you do not wish to do so, delete this
26 * exception statement from your version.
27 */
28
29 #include "webapplication.h"
30
31 #include <algorithm>
32
33 #include <QDateTime>
34 #include <QDebug>
35 #include <QDir>
36 #include <QFileInfo>
37 #include <QJsonDocument>
38 #include <QMimeDatabase>
39 #include <QMimeType>
40 #include <QNetworkCookie>
41 #include <QRegularExpression>
42 #include <QUrl>
43
44 #include "base/algorithm.h"
45 #include "base/http/httperror.h"
46 #include "base/logger.h"
47 #include "base/preferences.h"
48 #include "base/types.h"
49 #include "base/utils/fs.h"
50 #include "base/utils/io.h"
51 #include "base/utils/misc.h"
52 #include "base/utils/random.h"
53 #include "base/utils/string.h"
54 #include "api/apierror.h"
55 #include "api/appcontroller.h"
56 #include "api/authcontroller.h"
57 #include "api/logcontroller.h"
58 #include "api/rsscontroller.h"
59 #include "api/searchcontroller.h"
60 #include "api/synccontroller.h"
61 #include "api/torrentscontroller.h"
62 #include "api/transfercontroller.h"
63
64 const int MAX_ALLOWED_FILESIZE = 10 * 1024 * 1024;
65 const QString DEFAULT_SESSION_COOKIE_NAME = u"SID"_s;
66
67 const QString WWW_FOLDER = u":/www"_s;
68 const QString PUBLIC_FOLDER = u"/public"_s;
69 const QString PRIVATE_FOLDER = u"/private"_s;
70
71 namespace
72 {
73 QStringMap parseCookie(const QStringView cookieStr)
74 {
75 // [rfc6265] 4.2.1. Syntax
76 QStringMap ret;
77 const QList<QStringView> cookies = cookieStr.split(u';', Qt::SkipEmptyParts);
78
79 for (const auto &cookie : cookies)
80 {
81 const int idx = cookie.indexOf(u'=');
82 if (idx < 0)
83 continue;
84
85 const QString name = cookie.left(idx).trimmed().toString();
86 const QString value = Utils::String::unquote(cookie.mid(idx + 1).trimmed()).toString();
87 ret.insert(name, value);
88 }
89 return ret;
90 }
91
92 QUrl urlFromHostHeader(const QString &hostHeader)
93 {
94 if (!hostHeader.contains(u"://"))
95 return {u"http://"_s + hostHeader};
96 return hostHeader;
97 }
98
99 QString getCachingInterval(QString contentType)
100 {
101 contentType = contentType.toLower();
102
103 if (contentType.startsWith(u"image/"))
104 return u"private, max-age=604800"_s; // 1 week
105
106 if ((contentType == Http::CONTENT_TYPE_CSS)
107 || (contentType == Http::CONTENT_TYPE_JS))
108 {
109 // short interval in case of program update
110 return u"private, max-age=43200"_s; // 12 hrs
111 }
112
113 return u"no-store"_s;
114 }
115
116 QString createLanguagesOptionsHtml()
117 {
118 // List language files
119 const QDir langDir {u":/www/translations"_s};
120 const QStringList langFiles = langDir.entryList(QStringList(u"webui_*.qm"_s), QDir::Files);
121 QStringList languages;
122 for (const QString &langFile : langFiles)
123 {
124 const QString localeStr = langFile.section(u"_"_s, 1, -1).section(u"."_s, 0, 0); // remove "webui_" and ".qm"
125 languages << u"<option value=\"%1\">%2</option>"_s.arg(localeStr, Utils::Misc::languageToLocalizedString(localeStr));
126 qDebug() << "Supported locale:" << localeStr;
127 }
128
129 return languages.join(u'\n');
130 }
131
132 bool isValidCookieName(const QString &cookieName)
133 {
134 if (cookieName.isEmpty() || (cookieName.size() > 128))
135 return false;
136
137 const QRegularExpression invalidNameRegex {u"[^a-zA-Z0-9_\\-]"_s};
138 if (invalidNameRegex.match(cookieName).hasMatch())
139 return false;
140
141 return true;
142 }
143 }
144
145 WebApplication::WebApplication(IApplication *app, QObject *parent)
146 : QObject(parent)
147 , ApplicationComponent(app)
148 , m_cacheID {QString::number(Utils::Random::rand(), 36)}
149 , m_authController {new AuthController(this, app, this)}
150 {
151 declarePublicAPI(u"auth/login"_s);
152
153 configure();
154 connect(Preferences::instance(), &Preferences::changed, this, &WebApplication::configure);
155
156 m_sessionCookieName = Preferences::instance()->getWebAPISessionCookieName();
157 if (!isValidCookieName(m_sessionCookieName))
158 {
159 if (!m_sessionCookieName.isEmpty())
160 {
161 LogMsg(tr("Unacceptable session cookie name is specified: '%1'. Default one is used.")
162 .arg(m_sessionCookieName), Log::WARNING);
163 }
164 m_sessionCookieName = DEFAULT_SESSION_COOKIE_NAME;
165 }
166 }
167
168 WebApplication::~WebApplication()
169 {
170 // cleanup sessions data
171 qDeleteAll(m_sessions);
172 }
173
174 void WebApplication::sendWebUIFile()
175 {
176 if (request().path.contains(u'\\'))
177 throw BadRequestHTTPError();
178
179 if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
180 ; pathItems.contains(u".") || pathItems.contains(u".."))
181 {
182 throw BadRequestHTTPError();
183 }
184
185 const QString path = (request().path != u"/")
186 ? request().path
187 : u"/index.html"_s;
188
189 Path localPath = m_rootFolder
190 / Path(session() ? PRIVATE_FOLDER : PUBLIC_FOLDER)
191 / Path(path);
192 if (!localPath.exists() && session())
193 {
194 // try to send public file if there is no private one
195 localPath = m_rootFolder / Path(PUBLIC_FOLDER) / Path(path);
196 }
197
198 if (m_isAltUIUsed)
199 {
200 if (!Utils::Fs::isRegularFile(localPath))
201 throw InternalServerErrorHTTPError(tr("Unacceptable file type, only regular file is allowed."));
202
203 const QString rootFolder = m_rootFolder.data();
204
205 QFileInfo fileInfo {localPath.parentPath().data()};
206 while (fileInfo.path() != rootFolder)
207 {
208 if (fileInfo.isSymLink())
209 throw InternalServerErrorHTTPError(tr("Symlinks inside alternative UI folder are forbidden."));
210
211 fileInfo.setFile(fileInfo.path());
212 }
213 }
214
215 sendFile(localPath);
216 }
217
218 void WebApplication::translateDocument(QString &data) const
219 {
220 const QRegularExpression regex(u"QBT_TR\\((([^\\)]|\\)(?!QBT_TR))+)\\)QBT_TR\\[CONTEXT=([a-zA-Z_][a-zA-Z0-9_]*)\\]"_s);
221
222 int i = 0;
223 bool found = true;
224 while (i < data.size() && found)
225 {
226 QRegularExpressionMatch regexMatch;
227 i = data.indexOf(regex, i, &regexMatch);
228 if (i >= 0)
229 {
230 const QString sourceText = regexMatch.captured(1);
231 const QString context = regexMatch.captured(3);
232
233 const QString loadedText = m_translationFileLoaded
234 ? m_translator.translate(context.toUtf8().constData(), sourceText.toUtf8().constData())
235 : QString();
236 // `loadedText` is empty when translation is not provided
237 // it should fallback to `sourceText`
238 QString translation = loadedText.isEmpty() ? sourceText : loadedText;
239
240 // Use HTML code for quotes to prevent issues with JS
241 translation.replace(u'\'', u"&#39;"_s);
242 translation.replace(u'\"', u"&#34;"_s);
243
244 data.replace(i, regexMatch.capturedLength(), translation);
245 i += translation.length();
246 }
247 else
248 {
249 found = false; // no more translatable strings
250 }
251
252 data.replace(u"${LANG}"_s, m_currentLocale.left(2));
253 data.replace(u"${CACHEID}"_s, m_cacheID);
254 }
255 }
256
257 WebSession *WebApplication::session()
258 {
259 return m_currentSession;
260 }
261
262 const Http::Request &WebApplication::request() const
263 {
264 return m_request;
265 }
266
267 const Http::Environment &WebApplication::env() const
268 {
269 return m_env;
270 }
271
272 void WebApplication::doProcessRequest()
273 {
274 const QRegularExpressionMatch match = m_apiPathPattern.match(request().path);
275 if (!match.hasMatch())
276 {
277 sendWebUIFile();
278 return;
279 }
280
281 const QString action = match.captured(u"action"_s);
282 const QString scope = match.captured(u"scope"_s);
283
284 // Check public/private scope
285 if (!session() && !isPublicAPI(scope, action))
286 throw ForbiddenHTTPError();
287
288 // Find matching API
289 APIController *controller = nullptr;
290 if (session())
291 controller = session()->getAPIController(scope);
292 if (!controller)
293 {
294 if (scope == u"auth")
295 controller = m_authController;
296 else
297 throw NotFoundHTTPError();
298 }
299
300 // Filter HTTP methods
301 const auto allowedMethodIter = m_allowedMethod.find({scope, action});
302 if (allowedMethodIter == m_allowedMethod.end())
303 {
304 // by default allow both GET, POST methods
305 if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
306 throw MethodNotAllowedHTTPError();
307 }
308 else
309 {
310 if (*allowedMethodIter != m_request.method)
311 throw MethodNotAllowedHTTPError();
312 }
313
314 DataMap data;
315 for (const Http::UploadedFile &torrent : request().files)
316 data[torrent.filename] = torrent.data;
317
318 try
319 {
320 const QVariant result = controller->run(action, m_params, data);
321 switch (result.userType())
322 {
323 case QMetaType::QJsonDocument:
324 print(result.toJsonDocument().toJson(QJsonDocument::Compact), Http::CONTENT_TYPE_JSON);
325 break;
326 case QMetaType::QByteArray:
327 print(result.toByteArray(), Http::CONTENT_TYPE_TXT);
328 break;
329 case QMetaType::QString:
330 default:
331 print(result.toString(), Http::CONTENT_TYPE_TXT);
332 break;
333 }
334 }
335 catch (const APIError &error)
336 {
337 // re-throw as HTTPError
338 switch (error.type())
339 {
340 case APIErrorType::AccessDenied:
341 throw ForbiddenHTTPError(error.message());
342 case APIErrorType::BadData:
343 throw UnsupportedMediaTypeHTTPError(error.message());
344 case APIErrorType::BadParams:
345 throw BadRequestHTTPError(error.message());
346 case APIErrorType::Conflict:
347 throw ConflictHTTPError(error.message());
348 case APIErrorType::NotFound:
349 throw NotFoundHTTPError(error.message());
350 default:
351 Q_ASSERT(false);
352 }
353 }
354 }
355
356 void WebApplication::configure()
357 {
358 const auto *pref = Preferences::instance();
359
360 const bool isAltUIUsed = pref->isAltWebUiEnabled();
361 const Path rootFolder = (!isAltUIUsed ? Path(WWW_FOLDER) : pref->getWebUiRootFolder());
362 if ((isAltUIUsed != m_isAltUIUsed) || (rootFolder != m_rootFolder))
363 {
364 m_isAltUIUsed = isAltUIUsed;
365 m_rootFolder = rootFolder;
366 m_translatedFiles.clear();
367 if (!m_isAltUIUsed)
368 LogMsg(tr("Using built-in Web UI."));
369 else
370 LogMsg(tr("Using custom Web UI. Location: \"%1\".").arg(m_rootFolder.toString()));
371 }
372
373 const QString newLocale = pref->getLocale();
374 if (m_currentLocale != newLocale)
375 {
376 m_currentLocale = newLocale;
377 m_translatedFiles.clear();
378
379 m_translationFileLoaded = m_translator.load((m_rootFolder / Path(u"translations/webui_"_s) + newLocale).data());
380 if (m_translationFileLoaded)
381 {
382 LogMsg(tr("Web UI translation for selected locale (%1) has been successfully loaded.")
383 .arg(newLocale));
384 }
385 else
386 {
387 LogMsg(tr("Couldn't load Web UI translation for selected locale (%1).").arg(newLocale), Log::WARNING);
388 }
389 }
390
391 m_isLocalAuthEnabled = pref->isWebUiLocalAuthEnabled();
392 m_isAuthSubnetWhitelistEnabled = pref->isWebUiAuthSubnetWhitelistEnabled();
393 m_authSubnetWhitelist = pref->getWebUiAuthSubnetWhitelist();
394 m_sessionTimeout = pref->getWebUISessionTimeout();
395
396 m_domainList = pref->getServerDomains().split(u';', Qt::SkipEmptyParts);
397 std::for_each(m_domainList.begin(), m_domainList.end(), [](QString &entry) { entry = entry.trimmed(); });
398
399 m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
400 m_isSecureCookieEnabled = pref->isWebUiSecureCookieEnabled();
401 m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
402 m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
403
404 m_prebuiltHeaders.clear();
405 m_prebuiltHeaders.push_back({Http::HEADER_X_XSS_PROTECTION, u"1; mode=block"_s});
406 m_prebuiltHeaders.push_back({Http::HEADER_X_CONTENT_TYPE_OPTIONS, u"nosniff"_s});
407
408 if (!m_isAltUIUsed)
409 {
410 m_prebuiltHeaders.push_back({Http::HEADER_CROSS_ORIGIN_OPENER_POLICY, u"same-origin"_s});
411 m_prebuiltHeaders.push_back({Http::HEADER_REFERRER_POLICY, u"same-origin"_s});
412 }
413
414 const bool isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
415 if (isClickjackingProtectionEnabled)
416 m_prebuiltHeaders.push_back({Http::HEADER_X_FRAME_OPTIONS, u"SAMEORIGIN"_s});
417
418 const QString contentSecurityPolicy =
419 (m_isAltUIUsed
420 ? QString()
421 : u"default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"_s)
422 + (isClickjackingProtectionEnabled ? u" frame-ancestors 'self';"_s : QString())
423 + (m_isHttpsEnabled ? u" upgrade-insecure-requests;"_s : QString());
424 if (!contentSecurityPolicy.isEmpty())
425 m_prebuiltHeaders.push_back({Http::HEADER_CONTENT_SECURITY_POLICY, contentSecurityPolicy});
426
427 if (pref->isWebUICustomHTTPHeadersEnabled())
428 {
429 const QString customHeaders = pref->getWebUICustomHTTPHeaders();
430 const QList<QStringView> customHeaderLines = QStringView(customHeaders).trimmed().split(u'\n', Qt::SkipEmptyParts);
431
432 for (const QStringView line : customHeaderLines)
433 {
434 const int idx = line.indexOf(u':');
435 if (idx < 0)
436 {
437 // require separator `:` to be present even if `value` field can be empty
438 LogMsg(tr("Missing ':' separator in WebUI custom HTTP header: \"%1\"").arg(line.toString()), Log::WARNING);
439 continue;
440 }
441
442 const QString header = line.left(idx).trimmed().toString();
443 const QString value = line.mid(idx + 1).trimmed().toString();
444 m_prebuiltHeaders.push_back({header, value});
445 }
446 }
447
448 m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled();
449 if (m_isReverseProxySupportEnabled)
450 {
451 const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts);
452
453 m_trustedReverseProxyList.clear();
454 m_trustedReverseProxyList.reserve(proxyList.size());
455
456 for (QString proxy : proxyList)
457 {
458 if (!proxy.contains(u'/'))
459 {
460 const QAbstractSocket::NetworkLayerProtocol protocol = QHostAddress(proxy).protocol();
461 if (protocol == QAbstractSocket::IPv4Protocol)
462 {
463 proxy.append(u"/32");
464 }
465 else if (protocol == QAbstractSocket::IPv6Protocol)
466 {
467 proxy.append(u"/128");
468 }
469 }
470
471 const std::optional<Utils::Net::Subnet> subnet = Utils::Net::parseSubnet(proxy);
472 if (subnet)
473 m_trustedReverseProxyList.push_back(subnet.value());
474 }
475
476 if (m_trustedReverseProxyList.isEmpty())
477 m_isReverseProxySupportEnabled = false;
478 }
479 }
480
481 void WebApplication::declarePublicAPI(const QString &apiPath)
482 {
483 m_publicAPIs << apiPath;
484 }
485
486 void WebApplication::sendFile(const Path &path)
487 {
488 const QDateTime lastModified = Utils::Fs::lastModified(path);
489
490 // find translated file in cache
491 if (!m_isAltUIUsed)
492 {
493 if (const auto it = m_translatedFiles.constFind(path);
494 (it != m_translatedFiles.constEnd()) && (lastModified <= it->lastModified))
495 {
496 print(it->data, it->mimeType);
497 setHeader({Http::HEADER_CACHE_CONTROL, getCachingInterval(it->mimeType)});
498 return;
499 }
500 }
501
502 const auto readResult = Utils::IO::readFile(path, MAX_ALLOWED_FILESIZE);
503 if (!readResult)
504 {
505 const QString message = tr("Web server error. %1").arg(readResult.error().message);
506
507 switch (readResult.error().status)
508 {
509 case Utils::IO::ReadError::NotExist:
510 qDebug("%s", qUtf8Printable(message));
511 // don't write log messages here to avoid exhausting the disk space
512 throw NotFoundHTTPError();
513
514 case Utils::IO::ReadError::ExceedSize:
515 qWarning("%s", qUtf8Printable(message));
516 LogMsg(message, Log::WARNING);
517 throw InternalServerErrorHTTPError(readResult.error().message);
518
519 case Utils::IO::ReadError::Failed:
520 case Utils::IO::ReadError::SizeMismatch:
521 LogMsg(message, Log::WARNING);
522 throw InternalServerErrorHTTPError(readResult.error().message);
523 }
524
525 throw InternalServerErrorHTTPError(tr("Web server error. Unknown error."));
526 }
527
528 QByteArray data = readResult.value();
529 const QMimeType mimeType = QMimeDatabase().mimeTypeForFileNameAndData(path.data(), data);
530 const bool isTranslatable = !m_isAltUIUsed && mimeType.inherits(u"text/plain"_s);
531
532 if (isTranslatable)
533 {
534 auto dataStr = QString::fromUtf8(data);
535 // Translate the file
536 translateDocument(dataStr);
537
538 // Add the language options
539 if (path == (m_rootFolder / Path(PRIVATE_FOLDER) / Path(u"views/preferences.html"_s)))
540 dataStr.replace(u"${LANGUAGE_OPTIONS}"_s, createLanguagesOptionsHtml());
541
542 data = dataStr.toUtf8();
543 m_translatedFiles[path] = {data, mimeType.name(), lastModified}; // caching translated file
544 }
545
546 print(data, mimeType.name());
547 setHeader({Http::HEADER_CACHE_CONTROL, getCachingInterval(mimeType.name())});
548 }
549
550 Http::Response WebApplication::processRequest(const Http::Request &request, const Http::Environment &env)
551 {
552 m_currentSession = nullptr;
553 m_request = request;
554 m_env = env;
555 m_params.clear();
556
557 if (m_request.method == Http::METHOD_GET)
558 {
559 for (auto iter = m_request.query.cbegin(); iter != m_request.query.cend(); ++iter)
560 m_params[iter.key()] = QString::fromUtf8(iter.value());
561 }
562 else
563 {
564 m_params = m_request.posts;
565 }
566
567 // clear response
568 clear();
569
570 try
571 {
572 // block suspicious requests
573 if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
574 || (m_isHostHeaderValidationEnabled && !validateHostHeader(m_domainList)))
575 {
576 throw UnauthorizedHTTPError();
577 }
578
579 // reverse proxy resolve client address
580 m_clientAddress = resolveClientAddress();
581
582 sessionInitialize();
583 doProcessRequest();
584 }
585 catch (const HTTPError &error)
586 {
587 status(error.statusCode(), error.statusText());
588 print((!error.message().isEmpty() ? error.message() : error.statusText()), Http::CONTENT_TYPE_TXT);
589 }
590
591 for (const Http::Header &prebuiltHeader : asConst(m_prebuiltHeaders))
592 setHeader(prebuiltHeader);
593
594 return response();
595 }
596
597 QString WebApplication::clientId() const
598 {
599 return m_clientAddress.toString();
600 }
601
602 void WebApplication::sessionInitialize()
603 {
604 Q_ASSERT(!m_currentSession);
605
606 const QString sessionId {parseCookie(m_request.headers.value(u"cookie"_s)).value(m_sessionCookieName)};
607
608 // TODO: Additional session check
609
610 if (!sessionId.isEmpty())
611 {
612 m_currentSession = m_sessions.value(sessionId);
613 if (m_currentSession)
614 {
615 if (m_currentSession->hasExpired(m_sessionTimeout))
616 {
617 // session is outdated - removing it
618 delete m_sessions.take(sessionId);
619 m_currentSession = nullptr;
620 }
621 else
622 {
623 m_currentSession->updateTimestamp();
624 }
625 }
626 else
627 {
628 qDebug() << Q_FUNC_INFO << "session does not exist!";
629 }
630 }
631
632 if (!m_currentSession && !isAuthNeeded())
633 sessionStart();
634 }
635
636 QString WebApplication::generateSid() const
637 {
638 QString sid;
639
640 do
641 {
642 const quint32 tmp[] =
643 {Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()
644 , Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()};
645 sid = QString::fromLatin1(QByteArray::fromRawData(reinterpret_cast<const char *>(tmp), sizeof(tmp)).toBase64());
646 }
647 while (m_sessions.contains(sid));
648
649 return sid;
650 }
651
652 bool WebApplication::isAuthNeeded()
653 {
654 if (!m_isLocalAuthEnabled && Utils::Net::isLoopbackAddress(m_clientAddress))
655 return false;
656 if (m_isAuthSubnetWhitelistEnabled && Utils::Net::isIPInSubnets(m_clientAddress, m_authSubnetWhitelist))
657 return false;
658 return true;
659 }
660
661 bool WebApplication::isPublicAPI(const QString &scope, const QString &action) const
662 {
663 return m_publicAPIs.contains(u"%1/%2"_s.arg(scope, action));
664 }
665
666 void WebApplication::sessionStart()
667 {
668 Q_ASSERT(!m_currentSession);
669
670 // remove outdated sessions
671 Algorithm::removeIf(m_sessions, [this](const QString &, const WebSession *session)
672 {
673 if (session->hasExpired(m_sessionTimeout))
674 {
675 delete session;
676 return true;
677 }
678
679 return false;
680 });
681
682 m_currentSession = new WebSession(generateSid(), app());
683 m_currentSession->registerAPIController<AppController>(u"app"_s);
684 m_currentSession->registerAPIController<LogController>(u"log"_s);
685 m_currentSession->registerAPIController<RSSController>(u"rss"_s);
686 m_currentSession->registerAPIController<SearchController>(u"search"_s);
687 m_currentSession->registerAPIController<SyncController>(u"sync"_s);
688 m_currentSession->registerAPIController<TorrentsController>(u"torrents"_s);
689 m_currentSession->registerAPIController<TransferController>(u"transfer"_s);
690 m_sessions[m_currentSession->id()] = m_currentSession;
691
692 QNetworkCookie cookie {m_sessionCookieName.toLatin1(), m_currentSession->id().toUtf8()};
693 cookie.setHttpOnly(true);
694 cookie.setSecure(m_isSecureCookieEnabled && m_isHttpsEnabled);
695 cookie.setPath(u"/"_s);
696 QByteArray cookieRawForm = cookie.toRawForm();
697 if (m_isCSRFProtectionEnabled)
698 cookieRawForm.append("; SameSite=Strict");
699 else if (cookie.isSecure())
700 cookieRawForm.append("; SameSite=None");
701 setHeader({Http::HEADER_SET_COOKIE, QString::fromLatin1(cookieRawForm)});
702 }
703
704 void WebApplication::sessionEnd()
705 {
706 Q_ASSERT(m_currentSession);
707
708 QNetworkCookie cookie {m_sessionCookieName.toLatin1()};
709 cookie.setPath(u"/"_s);
710 cookie.setExpirationDate(QDateTime::currentDateTime().addDays(-1));
711
712 delete m_sessions.take(m_currentSession->id());
713 m_currentSession = nullptr;
714
715 setHeader({Http::HEADER_SET_COOKIE, QString::fromLatin1(cookie.toRawForm())});
716 }
717
718 bool WebApplication::isCrossSiteRequest(const Http::Request &request) const
719 {
720 // https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers
721
722 const auto isSameOrigin = [](const QUrl &left, const QUrl &right) -> bool
723 {
724 // [rfc6454] 5. Comparing Origins
725 return ((left.port() == right.port())
726 // && (left.scheme() == right.scheme()) // not present in this context
727 && (left.host() == right.host()));
728 };
729
730 const QString targetOrigin = request.headers.value(Http::HEADER_X_FORWARDED_HOST, request.headers.value(Http::HEADER_HOST));
731 const QString originValue = request.headers.value(Http::HEADER_ORIGIN);
732 const QString refererValue = request.headers.value(Http::HEADER_REFERER);
733
734 if (originValue.isEmpty() && refererValue.isEmpty())
735 {
736 // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
737 // so lets be permissive here
738 return false;
739 }
740
741 // sent with CORS requests, as well as with POST requests
742 if (!originValue.isEmpty())
743 {
744 const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), originValue);
745 if (isInvalid)
746 {
747 LogMsg(tr("WebUI: Origin header & Target origin mismatch! Source IP: '%1'. Origin header: '%2'. Target origin: '%3'")
748 .arg(m_env.clientAddress.toString(), originValue, targetOrigin)
749 , Log::WARNING);
750 }
751 return isInvalid;
752 }
753
754 if (!refererValue.isEmpty())
755 {
756 const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), refererValue);
757 if (isInvalid)
758 {
759 LogMsg(tr("WebUI: Referer header & Target origin mismatch! Source IP: '%1'. Referer header: '%2'. Target origin: '%3'")
760 .arg(m_env.clientAddress.toString(), refererValue, targetOrigin)
761 , Log::WARNING);
762 }
763 return isInvalid;
764 }
765
766 return true;
767 }
768
769 bool WebApplication::validateHostHeader(const QStringList &domains) const
770 {
771 const QUrl hostHeader = urlFromHostHeader(m_request.headers[Http::HEADER_HOST]);
772 const QString requestHost = hostHeader.host();
773
774 // (if present) try matching host header's port with local port
775 const int requestPort = hostHeader.port();
776 if ((requestPort != -1) && (m_env.localPort != requestPort))
777 {
778 LogMsg(tr("WebUI: Invalid Host header, port mismatch. Request source IP: '%1'. Server port: '%2'. Received Host header: '%3'")
779 .arg(m_env.clientAddress.toString()).arg(m_env.localPort)
780 .arg(m_request.headers[Http::HEADER_HOST])
781 , Log::WARNING);
782 return false;
783 }
784
785 // try matching host header with local address
786 const bool sameAddr = m_env.localAddress.isEqual(QHostAddress(requestHost));
787
788 if (sameAddr)
789 return true;
790
791 // try matching host header with domain list
792 for (const auto &domain : domains)
793 {
794 const QRegularExpression domainRegex {Utils::String::wildcardToRegexPattern(domain), QRegularExpression::CaseInsensitiveOption};
795 if (requestHost.contains(domainRegex))
796 return true;
797 }
798
799 LogMsg(tr("WebUI: Invalid Host header. Request source IP: '%1'. Received Host header: '%2'")
800 .arg(m_env.clientAddress.toString(), m_request.headers[Http::HEADER_HOST])
801 , Log::WARNING);
802 return false;
803 }
804
805 QHostAddress WebApplication::resolveClientAddress() const
806 {
807 if (!m_isReverseProxySupportEnabled)
808 return m_env.clientAddress;
809
810 // Only reverse proxy can overwrite client address
811 if (!Utils::Net::isIPInSubnets(m_env.clientAddress, m_trustedReverseProxyList))
812 return m_env.clientAddress;
813
814 const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR);
815
816 if (!forwardedFor.isEmpty())
817 {
818 // client address is the 1st global IP in X-Forwarded-For or, if none available, the 1st IP in the list
819 const QStringList remoteIpList = forwardedFor.split(u',', Qt::SkipEmptyParts);
820
821 if (!remoteIpList.isEmpty())
822 {
823 QHostAddress clientAddress;
824
825 for (const QString &remoteIp : remoteIpList)
826 {
827 if (clientAddress.setAddress(remoteIp) && clientAddress.isGlobal())
828 return clientAddress;
829 }
830
831 if (clientAddress.setAddress(remoteIpList[0]))
832 return clientAddress;
833 }
834 }
835
836 return m_env.clientAddress;
837 }
838
839 // WebSession
840
841 WebSession::WebSession(const QString &sid, IApplication *app)
842 : ApplicationComponent(app)
843 , m_sid {sid}
844 {
845 updateTimestamp();
846 }
847
848 QString WebSession::id() const
849 {
850 return m_sid;
851 }
852
853 bool WebSession::hasExpired(const qint64 seconds) const
854 {
855 if (seconds <= 0)
856 return false;
857 return m_timer.hasExpired(seconds * 1000);
858 }
859
860 void WebSession::updateTimestamp()
861 {
862 m_timer.start();
863 }
864
865 APIController *WebSession::getAPIController(const QString &scope) const
866 {
867 return m_apiControllers.value(scope);
868 }