Enable customizing the save statistics time interval
[qBittorrent.git] / src / webui / webapplication.cpp
blobddcf391768e2c6fcceeafb37d26d2fea44dcc38b
1 /*
2 * Bittorrent Client using Qt and libtorrent.
3 * Copyright (C) 2014-2024 Vladimir Golovnev <glassez@yandex.ru>
4 * Copyright (C) 2024 Radu Carpa <radu.carpa@cern.ch>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 * In addition, as a special exception, the copyright holders give permission to
21 * link this program with the OpenSSL project's "OpenSSL" library (or with
22 * modified versions of it that use the same license as the "OpenSSL" library),
23 * and distribute the linked executables. You must obey the GNU General Public
24 * License in all respects for all of the code used other than "OpenSSL". If you
25 * modify file(s), you may extend this exception to your version of the file(s),
26 * but you are not obligated to do so. If you do not wish to do so, delete this
27 * exception statement from your version.
30 #include "webapplication.h"
32 #include <algorithm>
33 #include <chrono>
35 #include <QDateTime>
36 #include <QDebug>
37 #include <QDir>
38 #include <QFileInfo>
39 #include <QJsonDocument>
40 #include <QMetaObject>
41 #include <QMimeDatabase>
42 #include <QMimeType>
43 #include <QNetworkCookie>
44 #include <QRegularExpression>
45 #include <QThread>
46 #include <QTimer>
47 #include <QUrl>
49 #include "base/algorithm.h"
50 #include "base/bittorrent/torrentcreationmanager.h"
51 #include "base/http/httperror.h"
52 #include "base/logger.h"
53 #include "base/preferences.h"
54 #include "base/types.h"
55 #include "base/utils/fs.h"
56 #include "base/utils/io.h"
57 #include "base/utils/misc.h"
58 #include "base/utils/random.h"
59 #include "base/utils/string.h"
60 #include "api/apierror.h"
61 #include "api/appcontroller.h"
62 #include "api/authcontroller.h"
63 #include "api/logcontroller.h"
64 #include "api/rsscontroller.h"
65 #include "api/searchcontroller.h"
66 #include "api/synccontroller.h"
67 #include "api/torrentcreatorcontroller.h"
68 #include "api/torrentscontroller.h"
69 #include "api/transfercontroller.h"
70 #include "freediskspacechecker.h"
72 const int MAX_ALLOWED_FILESIZE = 10 * 1024 * 1024;
73 const QString DEFAULT_SESSION_COOKIE_NAME = u"SID"_s;
75 const QString WWW_FOLDER = u":/www"_s;
76 const QString PUBLIC_FOLDER = u"/public"_s;
77 const QString PRIVATE_FOLDER = u"/private"_s;
79 using namespace std::chrono_literals;
81 const std::chrono::seconds FREEDISKSPACE_CHECK_TIMEOUT = 30s;
83 namespace
85 QStringMap parseCookie(const QStringView cookieStr)
87 // [rfc6265] 4.2.1. Syntax
88 QStringMap ret;
89 const QList<QStringView> cookies = cookieStr.split(u';', Qt::SkipEmptyParts);
91 for (const auto &cookie : cookies)
93 const int idx = cookie.indexOf(u'=');
94 if (idx < 0)
95 continue;
97 const QString name = cookie.left(idx).trimmed().toString();
98 const QString value = Utils::String::unquote(cookie.mid(idx + 1).trimmed()).toString();
99 ret.insert(name, value);
101 return ret;
104 QUrl urlFromHostHeader(const QString &hostHeader)
106 if (!hostHeader.contains(u"://"))
107 return {u"http://"_s + hostHeader};
108 return hostHeader;
111 QString getCachingInterval(QString contentType)
113 contentType = contentType.toLower();
115 if (contentType.startsWith(u"image/"))
116 return u"private, max-age=604800"_s; // 1 week
118 if ((contentType == Http::CONTENT_TYPE_CSS) || (contentType == Http::CONTENT_TYPE_JS))
120 // short interval in case of program update
121 return u"private, max-age=43200"_s; // 12 hrs
124 return u"no-store"_s;
127 QString createLanguagesOptionsHtml()
129 // List language files
130 const QStringList langFiles = QDir(u":/www/translations"_s)
131 .entryList({u"webui_*.qm"_s}, QDir::Files, QDir::Name);
133 QStringList languages;
134 languages.reserve(langFiles.size());
136 for (const QString &langFile : langFiles)
138 const auto langCode = QStringView(langFile).sliced(6).chopped(3); // remove "webui_" and ".qm"
139 const QString entry = u"<option value=\"%1\">%2</option>"_s
140 .arg(langCode, Utils::Misc::languageToLocalizedString(langCode));
141 languages.append(entry);
144 return languages.join(u'\n');
147 bool isValidCookieName(const QString &cookieName)
149 if (cookieName.isEmpty() || (cookieName.size() > 128))
150 return false;
152 const QRegularExpression invalidNameRegex {u"[^a-zA-Z0-9_\\-]"_s};
153 if (invalidNameRegex.match(cookieName).hasMatch())
154 return false;
156 return true;
160 WebApplication::WebApplication(IApplication *app, QObject *parent)
161 : ApplicationComponent(app, parent)
162 , m_cacheID {QString::number(Utils::Random::rand(), 36)}
163 , m_authController {new AuthController(this, app, this)}
164 , m_workerThread {new QThread}
165 , m_freeDiskSpaceChecker {new FreeDiskSpaceChecker}
166 , m_freeDiskSpaceCheckingTimer {new QTimer(this)}
167 , m_torrentCreationManager {new BitTorrent::TorrentCreationManager(app, this)}
169 declarePublicAPI(u"auth/login"_s);
171 configure();
172 connect(Preferences::instance(), &Preferences::changed, this, &WebApplication::configure);
174 m_sessionCookieName = Preferences::instance()->getWebAPISessionCookieName();
175 if (!isValidCookieName(m_sessionCookieName))
177 if (!m_sessionCookieName.isEmpty())
179 LogMsg(tr("Unacceptable session cookie name is specified: '%1'. Default one is used.")
180 .arg(m_sessionCookieName), Log::WARNING);
182 m_sessionCookieName = DEFAULT_SESSION_COOKIE_NAME;
185 m_freeDiskSpaceChecker->moveToThread(m_workerThread.get());
186 connect(m_workerThread.get(), &QThread::finished, m_freeDiskSpaceChecker, &QObject::deleteLater);
187 m_workerThread->start();
189 m_freeDiskSpaceCheckingTimer->setInterval(FREEDISKSPACE_CHECK_TIMEOUT);
190 m_freeDiskSpaceCheckingTimer->setSingleShot(true);
191 connect(m_freeDiskSpaceCheckingTimer, &QTimer::timeout, m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::check);
192 connect(m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::checked, m_freeDiskSpaceCheckingTimer, qOverload<>(&QTimer::start));
193 QMetaObject::invokeMethod(m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::check);
196 WebApplication::~WebApplication()
198 // cleanup sessions data
199 qDeleteAll(m_sessions);
202 void WebApplication::sendWebUIFile()
204 if (request().path.contains(u'\\'))
205 throw BadRequestHTTPError();
207 if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
208 ; pathItems.contains(u".") || pathItems.contains(u".."))
210 throw BadRequestHTTPError();
213 const QString path = (request().path != u"/")
214 ? request().path
215 : u"/index.html"_s;
217 Path localPath = m_rootFolder
218 / Path(session() ? PRIVATE_FOLDER : PUBLIC_FOLDER)
219 / Path(path);
220 if (!localPath.exists() && session())
222 // try to send public file if there is no private one
223 localPath = m_rootFolder / Path(PUBLIC_FOLDER) / Path(path);
226 if (m_isAltUIUsed)
228 if (!Utils::Fs::isRegularFile(localPath))
229 throw InternalServerErrorHTTPError(tr("Unacceptable file type, only regular file is allowed."));
231 const QString rootFolder = m_rootFolder.data();
233 QFileInfo fileInfo {localPath.parentPath().data()};
234 while (fileInfo.path() != rootFolder)
236 if (fileInfo.isSymLink())
237 throw InternalServerErrorHTTPError(tr("Symlinks inside alternative UI folder are forbidden."));
239 fileInfo.setFile(fileInfo.path());
243 sendFile(localPath);
246 void WebApplication::translateDocument(QString &data) const
248 const QRegularExpression regex(u"QBT_TR\\((([^\\)]|\\)(?!QBT_TR))+)\\)QBT_TR\\[CONTEXT=([a-zA-Z_][a-zA-Z0-9_]*)\\]"_s);
250 int i = 0;
251 bool found = true;
252 while (i < data.size() && found)
254 QRegularExpressionMatch regexMatch;
255 i = data.indexOf(regex, i, &regexMatch);
256 if (i >= 0)
258 const QString sourceText = regexMatch.captured(1);
259 const QString context = regexMatch.captured(3);
261 const QString loadedText = m_translationFileLoaded
262 ? m_translator.translate(context.toUtf8().constData(), sourceText.toUtf8().constData())
263 : QString();
264 // `loadedText` is empty when translation is not provided
265 // it should fallback to `sourceText`
266 QString translation = loadedText.isEmpty() ? sourceText : loadedText;
268 // Escape quotes to workaround issues with HTML attributes
269 // FIXME: this is a dirty workaround to deal with broken translation strings:
270 // 1. Translation strings is the culprit of the issue, they should be fixed instead
271 // 2. The escaped quote/string is wrong for JS. JS use backslash to escape the quote: "\""
272 translation.replace(u'"', u"&#34;"_s);
274 data.replace(i, regexMatch.capturedLength(), translation);
275 i += translation.length();
277 else
279 found = false; // no more translatable strings
282 data.replace(u"${LANG}"_s, m_currentLocale.left(2));
283 data.replace(u"${CACHEID}"_s, m_cacheID);
287 WebSession *WebApplication::session()
289 return m_currentSession;
292 const Http::Request &WebApplication::request() const
294 return m_request;
297 const Http::Environment &WebApplication::env() const
299 return m_env;
302 void WebApplication::setUsername(const QString &username)
304 m_authController->setUsername(username);
307 void WebApplication::setPasswordHash(const QByteArray &passwordHash)
309 m_authController->setPasswordHash(passwordHash);
312 void WebApplication::doProcessRequest()
314 const QRegularExpressionMatch match = m_apiPathPattern.match(request().path);
315 if (!match.hasMatch())
317 sendWebUIFile();
318 return;
321 const QString action = match.captured(u"action"_s);
322 const QString scope = match.captured(u"scope"_s);
324 // Check public/private scope
325 if (!session() && !isPublicAPI(scope, action))
326 throw ForbiddenHTTPError();
328 // Find matching API
329 APIController *controller = nullptr;
330 if (session())
331 controller = session()->getAPIController(scope);
332 if (!controller)
334 if (scope == u"auth")
335 controller = m_authController;
336 else
337 throw NotFoundHTTPError();
340 // Filter HTTP methods
341 const auto allowedMethodIter = m_allowedMethod.find({scope, action});
342 if (allowedMethodIter == m_allowedMethod.end())
344 // by default allow both GET, POST methods
345 if ((m_request.method != Http::METHOD_GET) && (m_request.method != Http::METHOD_POST))
346 throw MethodNotAllowedHTTPError();
348 else
350 if (*allowedMethodIter != m_request.method)
351 throw MethodNotAllowedHTTPError();
354 DataMap data;
355 for (const Http::UploadedFile &torrent : request().files)
356 data[torrent.filename] = torrent.data;
360 const APIResult result = controller->run(action, m_params, data);
361 switch (result.data.userType())
363 case QMetaType::QJsonDocument:
364 print(result.data.toJsonDocument().toJson(QJsonDocument::Compact), Http::CONTENT_TYPE_JSON);
365 break;
366 case QMetaType::QByteArray:
368 const auto resultData = result.data.toByteArray();
369 print(resultData, (!result.mimeType.isEmpty() ? result.mimeType : Http::CONTENT_TYPE_TXT));
370 if (!result.filename.isEmpty())
372 setHeader({u"Content-Disposition"_s, u"attachment; filename=\"%1\""_s.arg(result.filename)});
375 break;
376 case QMetaType::QString:
377 default:
378 print(result.data.toString(), Http::CONTENT_TYPE_TXT);
379 break;
382 catch (const APIError &error)
384 // re-throw as HTTPError
385 switch (error.type())
387 case APIErrorType::AccessDenied:
388 throw ForbiddenHTTPError(error.message());
389 case APIErrorType::BadData:
390 throw UnsupportedMediaTypeHTTPError(error.message());
391 case APIErrorType::BadParams:
392 throw BadRequestHTTPError(error.message());
393 case APIErrorType::Conflict:
394 throw ConflictHTTPError(error.message());
395 case APIErrorType::NotFound:
396 throw NotFoundHTTPError(error.message());
397 default:
398 Q_ASSERT(false);
403 void WebApplication::configure()
405 const auto *pref = Preferences::instance();
407 const bool isAltUIUsed = pref->isAltWebUIEnabled();
408 const Path rootFolder = (!isAltUIUsed ? Path(WWW_FOLDER) : pref->getWebUIRootFolder());
409 if ((isAltUIUsed != m_isAltUIUsed) || (rootFolder != m_rootFolder))
411 m_isAltUIUsed = isAltUIUsed;
412 m_rootFolder = rootFolder;
413 m_translatedFiles.clear();
414 if (!m_isAltUIUsed)
415 LogMsg(tr("Using built-in WebUI."));
416 else
417 LogMsg(tr("Using custom WebUI. Location: \"%1\".").arg(m_rootFolder.toString()));
420 const QString newLocale = pref->getLocale();
421 if (m_currentLocale != newLocale)
423 m_currentLocale = newLocale;
424 m_translatedFiles.clear();
426 m_translationFileLoaded = m_translator.load((m_rootFolder / Path(u"translations/webui_"_s) + newLocale).data());
427 if (m_translationFileLoaded)
429 LogMsg(tr("WebUI translation for selected locale (%1) has been successfully loaded.")
430 .arg(newLocale));
432 else
434 LogMsg(tr("Couldn't load WebUI translation for selected locale (%1).").arg(newLocale), Log::WARNING);
438 m_isLocalAuthEnabled = pref->isWebUILocalAuthEnabled();
439 m_isAuthSubnetWhitelistEnabled = pref->isWebUIAuthSubnetWhitelistEnabled();
440 m_authSubnetWhitelist = pref->getWebUIAuthSubnetWhitelist();
441 m_sessionTimeout = pref->getWebUISessionTimeout();
443 m_domainList = pref->getServerDomains().split(u';', Qt::SkipEmptyParts);
444 std::for_each(m_domainList.begin(), m_domainList.end(), [](QString &entry) { entry = entry.trimmed(); });
446 m_isCSRFProtectionEnabled = pref->isWebUICSRFProtectionEnabled();
447 m_isSecureCookieEnabled = pref->isWebUISecureCookieEnabled();
448 m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
449 m_isHttpsEnabled = pref->isWebUIHttpsEnabled();
451 m_prebuiltHeaders.clear();
452 m_prebuiltHeaders.push_back({Http::HEADER_X_XSS_PROTECTION, u"1; mode=block"_s});
453 m_prebuiltHeaders.push_back({Http::HEADER_X_CONTENT_TYPE_OPTIONS, u"nosniff"_s});
455 if (!m_isAltUIUsed)
457 m_prebuiltHeaders.push_back({Http::HEADER_CROSS_ORIGIN_OPENER_POLICY, u"same-origin"_s});
458 m_prebuiltHeaders.push_back({Http::HEADER_REFERRER_POLICY, u"same-origin"_s});
461 const bool isClickjackingProtectionEnabled = pref->isWebUIClickjackingProtectionEnabled();
462 if (isClickjackingProtectionEnabled)
463 m_prebuiltHeaders.push_back({Http::HEADER_X_FRAME_OPTIONS, u"SAMEORIGIN"_s});
465 const QString contentSecurityPolicy =
466 (m_isAltUIUsed
467 ? QString()
468 : u"default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"_s)
469 + (isClickjackingProtectionEnabled ? u" frame-ancestors 'self';"_s : QString())
470 + (m_isHttpsEnabled ? u" upgrade-insecure-requests;"_s : QString());
471 if (!contentSecurityPolicy.isEmpty())
472 m_prebuiltHeaders.push_back({Http::HEADER_CONTENT_SECURITY_POLICY, contentSecurityPolicy});
474 if (pref->isWebUICustomHTTPHeadersEnabled())
476 const QString customHeaders = pref->getWebUICustomHTTPHeaders();
477 const QList<QStringView> customHeaderLines = QStringView(customHeaders).trimmed().split(u'\n', Qt::SkipEmptyParts);
479 for (const QStringView line : customHeaderLines)
481 const int idx = line.indexOf(u':');
482 if (idx < 0)
484 // require separator `:` to be present even if `value` field can be empty
485 LogMsg(tr("Missing ':' separator in WebUI custom HTTP header: \"%1\"").arg(line.toString()), Log::WARNING);
486 continue;
489 const QString header = line.left(idx).trimmed().toString();
490 const QString value = line.mid(idx + 1).trimmed().toString();
491 m_prebuiltHeaders.push_back({header, value});
495 m_isReverseProxySupportEnabled = pref->isWebUIReverseProxySupportEnabled();
496 if (m_isReverseProxySupportEnabled)
498 const QStringList proxyList = pref->getWebUITrustedReverseProxiesList().split(u';', Qt::SkipEmptyParts);
500 m_trustedReverseProxyList.clear();
501 m_trustedReverseProxyList.reserve(proxyList.size());
503 for (QString proxy : proxyList)
505 if (!proxy.contains(u'/'))
507 const QAbstractSocket::NetworkLayerProtocol protocol = QHostAddress(proxy).protocol();
508 if (protocol == QAbstractSocket::IPv4Protocol)
510 proxy.append(u"/32");
512 else if (protocol == QAbstractSocket::IPv6Protocol)
514 proxy.append(u"/128");
518 const std::optional<Utils::Net::Subnet> subnet = Utils::Net::parseSubnet(proxy);
519 if (subnet)
520 m_trustedReverseProxyList.push_back(subnet.value());
523 if (m_trustedReverseProxyList.isEmpty())
524 m_isReverseProxySupportEnabled = false;
528 void WebApplication::declarePublicAPI(const QString &apiPath)
530 m_publicAPIs << apiPath;
533 void WebApplication::sendFile(const Path &path)
535 const QDateTime lastModified = Utils::Fs::lastModified(path);
537 // find translated file in cache
538 if (!m_isAltUIUsed)
540 if (const auto it = m_translatedFiles.constFind(path);
541 (it != m_translatedFiles.constEnd()) && (lastModified <= it->lastModified))
543 print(it->data, it->mimeType);
544 setHeader({Http::HEADER_CACHE_CONTROL, getCachingInterval(it->mimeType)});
545 return;
549 const auto readResult = Utils::IO::readFile(path, MAX_ALLOWED_FILESIZE);
550 if (!readResult)
552 const QString message = tr("Web server error. %1").arg(readResult.error().message);
554 switch (readResult.error().status)
556 case Utils::IO::ReadError::NotExist:
557 qDebug("%s", qUtf8Printable(message));
558 // don't write log messages here to avoid exhausting the disk space
559 throw NotFoundHTTPError();
561 case Utils::IO::ReadError::ExceedSize:
562 qWarning("%s", qUtf8Printable(message));
563 LogMsg(message, Log::WARNING);
564 throw InternalServerErrorHTTPError(readResult.error().message);
566 case Utils::IO::ReadError::Failed:
567 case Utils::IO::ReadError::SizeMismatch:
568 LogMsg(message, Log::WARNING);
569 throw InternalServerErrorHTTPError(readResult.error().message);
572 throw InternalServerErrorHTTPError(tr("Web server error. Unknown error."));
575 QByteArray data = readResult.value();
576 const QMimeType mimeType = QMimeDatabase().mimeTypeForFileNameAndData(path.data(), data);
577 const bool isTranslatable = !m_isAltUIUsed && mimeType.inherits(u"text/plain"_s);
579 if (isTranslatable)
581 auto dataStr = QString::fromUtf8(data);
582 // Translate the file
583 translateDocument(dataStr);
585 // Add the language options
586 if (path == (m_rootFolder / Path(PRIVATE_FOLDER) / Path(u"views/preferences.html"_s)))
587 dataStr.replace(u"${LANGUAGE_OPTIONS}"_s, createLanguagesOptionsHtml());
589 data = dataStr.toUtf8();
590 m_translatedFiles[path] = {data, mimeType.name(), lastModified}; // caching translated file
593 print(data, mimeType.name());
594 setHeader({Http::HEADER_CACHE_CONTROL, getCachingInterval(mimeType.name())});
597 Http::Response WebApplication::processRequest(const Http::Request &request, const Http::Environment &env)
599 m_currentSession = nullptr;
600 m_request = request;
601 m_env = env;
602 m_params.clear();
604 if (m_request.method == Http::METHOD_GET)
606 for (auto iter = m_request.query.cbegin(); iter != m_request.query.cend(); ++iter)
607 m_params[iter.key()] = QString::fromUtf8(iter.value());
609 else
611 m_params = m_request.posts;
614 // clear response
615 clear();
619 // block suspicious requests
620 if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
621 || (m_isHostHeaderValidationEnabled && !validateHostHeader(m_domainList)))
623 throw UnauthorizedHTTPError();
626 // reverse proxy resolve client address
627 m_clientAddress = resolveClientAddress();
629 sessionInitialize();
630 doProcessRequest();
632 catch (const HTTPError &error)
634 status(error.statusCode(), error.statusText());
635 print((!error.message().isEmpty() ? error.message() : error.statusText()), Http::CONTENT_TYPE_TXT);
638 for (const Http::Header &prebuiltHeader : asConst(m_prebuiltHeaders))
639 setHeader(prebuiltHeader);
641 return response();
644 QString WebApplication::clientId() const
646 return m_clientAddress.toString();
649 void WebApplication::sessionInitialize()
651 Q_ASSERT(!m_currentSession);
653 const QString sessionId {parseCookie(m_request.headers.value(u"cookie"_s)).value(m_sessionCookieName)};
655 // TODO: Additional session check
657 if (!sessionId.isEmpty())
659 m_currentSession = m_sessions.value(sessionId);
660 if (m_currentSession)
662 if (m_currentSession->hasExpired(m_sessionTimeout))
664 // session is outdated - removing it
665 delete m_sessions.take(sessionId);
666 m_currentSession = nullptr;
668 else
670 m_currentSession->updateTimestamp();
673 else
675 qDebug() << Q_FUNC_INFO << "session does not exist!";
679 if (!m_currentSession && !isAuthNeeded())
680 sessionStart();
683 QString WebApplication::generateSid() const
685 QString sid;
689 const quint32 tmp[] =
690 {Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()
691 , Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()};
692 sid = QString::fromLatin1(QByteArray::fromRawData(reinterpret_cast<const char *>(tmp), sizeof(tmp)).toBase64());
694 while (m_sessions.contains(sid));
696 return sid;
699 bool WebApplication::isAuthNeeded()
701 if (!m_isLocalAuthEnabled && m_clientAddress.isLoopback())
702 return false;
703 if (m_isAuthSubnetWhitelistEnabled && Utils::Net::isIPInSubnets(m_clientAddress, m_authSubnetWhitelist))
704 return false;
705 return true;
708 bool WebApplication::isPublicAPI(const QString &scope, const QString &action) const
710 return m_publicAPIs.contains(u"%1/%2"_s.arg(scope, action));
713 void WebApplication::sessionStart()
715 Q_ASSERT(!m_currentSession);
717 // remove outdated sessions
718 Algorithm::removeIf(m_sessions, [this](const QString &, const WebSession *session)
720 if (session->hasExpired(m_sessionTimeout))
722 delete session;
723 return true;
726 return false;
729 m_currentSession = new WebSession(generateSid(), app());
730 m_sessions[m_currentSession->id()] = m_currentSession;
732 m_currentSession->registerAPIController(u"app"_s, new AppController(app(), this));
733 m_currentSession->registerAPIController(u"log"_s, new LogController(app(), this));
734 m_currentSession->registerAPIController(u"torrentcreator"_s, new TorrentCreatorController(m_torrentCreationManager, app(), this));
735 m_currentSession->registerAPIController(u"rss"_s, new RSSController(app(), this));
736 m_currentSession->registerAPIController(u"search"_s, new SearchController(app(), this));
737 m_currentSession->registerAPIController(u"torrents"_s, new TorrentsController(app(), this));
738 m_currentSession->registerAPIController(u"transfer"_s, new TransferController(app(), this));
740 auto *syncController = new SyncController(app(), this);
741 syncController->updateFreeDiskSpace(m_freeDiskSpaceChecker->lastResult());
742 connect(m_freeDiskSpaceChecker, &FreeDiskSpaceChecker::checked, syncController, &SyncController::updateFreeDiskSpace);
743 m_currentSession->registerAPIController(u"sync"_s, syncController);
745 QNetworkCookie cookie {m_sessionCookieName.toLatin1(), m_currentSession->id().toLatin1()};
746 cookie.setHttpOnly(true);
747 cookie.setSecure(m_isSecureCookieEnabled && isOriginTrustworthy()); // [rfc6265] 4.1.2.5. The Secure Attribute
748 cookie.setPath(u"/"_s);
749 if (m_isCSRFProtectionEnabled)
750 cookie.setSameSitePolicy(QNetworkCookie::SameSite::Strict);
751 else if (cookie.isSecure())
752 cookie.setSameSitePolicy(QNetworkCookie::SameSite::None);
753 setHeader({Http::HEADER_SET_COOKIE, QString::fromLatin1(cookie.toRawForm())});
756 void WebApplication::sessionEnd()
758 Q_ASSERT(m_currentSession);
760 QNetworkCookie cookie {m_sessionCookieName.toLatin1()};
761 cookie.setPath(u"/"_s);
762 cookie.setExpirationDate(QDateTime::currentDateTime().addDays(-1));
764 delete m_sessions.take(m_currentSession->id());
765 m_currentSession = nullptr;
767 setHeader({Http::HEADER_SET_COOKIE, QString::fromLatin1(cookie.toRawForm())});
770 bool WebApplication::isOriginTrustworthy() const
772 // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
774 if (m_isReverseProxySupportEnabled)
776 const QString forwardedProto = request().headers.value(Http::HEADER_X_FORWARDED_PROTO);
777 if (forwardedProto.compare(u"https", Qt::CaseInsensitive) == 0)
778 return true;
781 if (m_isHttpsEnabled)
782 return true;
784 // client is on localhost
785 if (env().clientAddress.isLoopback())
786 return true;
788 return false;
791 bool WebApplication::isCrossSiteRequest(const Http::Request &request) const
793 // https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers
795 const auto isSameOrigin = [](const QUrl &left, const QUrl &right) -> bool
797 // [rfc6454] 5. Comparing Origins
798 return ((left.port() == right.port())
799 // && (left.scheme() == right.scheme()) // not present in this context
800 && (left.host() == right.host()));
803 const QString targetOrigin = request.headers.value(Http::HEADER_X_FORWARDED_HOST, request.headers.value(Http::HEADER_HOST));
804 const QString originValue = request.headers.value(Http::HEADER_ORIGIN);
805 const QString refererValue = request.headers.value(Http::HEADER_REFERER);
807 if (originValue.isEmpty() && refererValue.isEmpty())
809 // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
810 // so lets be permissive here
811 return false;
814 // sent with CORS requests, as well as with POST requests
815 if (!originValue.isEmpty())
817 const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), originValue);
818 if (isInvalid)
820 LogMsg(tr("WebUI: Origin header & Target origin mismatch! Source IP: '%1'. Origin header: '%2'. Target origin: '%3'")
821 .arg(m_env.clientAddress.toString(), originValue, targetOrigin)
822 , Log::WARNING);
824 return isInvalid;
827 if (!refererValue.isEmpty())
829 const bool isInvalid = !isSameOrigin(urlFromHostHeader(targetOrigin), refererValue);
830 if (isInvalid)
832 LogMsg(tr("WebUI: Referer header & Target origin mismatch! Source IP: '%1'. Referer header: '%2'. Target origin: '%3'")
833 .arg(m_env.clientAddress.toString(), refererValue, targetOrigin)
834 , Log::WARNING);
836 return isInvalid;
839 return true;
842 bool WebApplication::validateHostHeader(const QStringList &domains) const
844 const QUrl hostHeader = urlFromHostHeader(m_request.headers[Http::HEADER_HOST]);
845 const QString requestHost = hostHeader.host();
847 // (if present) try matching host header's port with local port
848 const int requestPort = hostHeader.port();
849 if ((requestPort != -1) && (m_env.localPort != requestPort))
851 LogMsg(tr("WebUI: Invalid Host header, port mismatch. Request source IP: '%1'. Server port: '%2'. Received Host header: '%3'")
852 .arg(m_env.clientAddress.toString()).arg(m_env.localPort)
853 .arg(m_request.headers[Http::HEADER_HOST])
854 , Log::WARNING);
855 return false;
858 // try matching host header with local address
859 const bool sameAddr = m_env.localAddress.isEqual(QHostAddress(requestHost));
861 if (sameAddr)
862 return true;
864 // try matching host header with domain list
865 for (const auto &domain : domains)
867 const QRegularExpression domainRegex {Utils::String::wildcardToRegexPattern(domain), QRegularExpression::CaseInsensitiveOption};
868 if (requestHost.contains(domainRegex))
869 return true;
872 LogMsg(tr("WebUI: Invalid Host header. Request source IP: '%1'. Received Host header: '%2'")
873 .arg(m_env.clientAddress.toString(), m_request.headers[Http::HEADER_HOST])
874 , Log::WARNING);
875 return false;
878 QHostAddress WebApplication::resolveClientAddress() const
880 if (!m_isReverseProxySupportEnabled)
881 return m_env.clientAddress;
883 // Only reverse proxy can overwrite client address
884 if (!Utils::Net::isIPInSubnets(m_env.clientAddress, m_trustedReverseProxyList))
885 return m_env.clientAddress;
887 const QString forwardedFor = m_request.headers.value(Http::HEADER_X_FORWARDED_FOR);
889 if (!forwardedFor.isEmpty())
891 // client address is the 1st global IP in X-Forwarded-For or, if none available, the 1st IP in the list
892 const QStringList remoteIpList = forwardedFor.split(u',', Qt::SkipEmptyParts);
894 if (!remoteIpList.isEmpty())
896 QHostAddress clientAddress;
898 for (const QString &remoteIp : remoteIpList)
900 if (clientAddress.setAddress(remoteIp) && clientAddress.isGlobal())
901 return clientAddress;
904 if (clientAddress.setAddress(remoteIpList[0]))
905 return clientAddress;
909 return m_env.clientAddress;
912 // WebSession
914 WebSession::WebSession(const QString &sid, IApplication *app)
915 : ApplicationComponent(app)
916 , m_sid {sid}
918 updateTimestamp();
921 QString WebSession::id() const
923 return m_sid;
926 bool WebSession::hasExpired(const qint64 seconds) const
928 if (seconds <= 0)
929 return false;
930 return m_timer.hasExpired(seconds * 1000);
933 void WebSession::updateTimestamp()
935 m_timer.start();
938 void WebSession::registerAPIController(const QString &scope, APIController *controller)
940 Q_ASSERT(controller);
941 m_apiControllers[scope] = controller;
944 APIController *WebSession::getAPIController(const QString &scope) const
946 return m_apiControllers.value(scope);