2 * Bittorrent Client using Qt and libtorrent.
3 * Copyright (C) 2014-2024 Vladimir Golovnev <glassez@yandex.ru>
4 * Copyright (C) 2024 Radu Carpa <radu.carpa@cern.ch>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 * In addition, as a special exception, the copyright holders give permission to
21 * link this program with the OpenSSL project's "OpenSSL" library (or with
22 * modified versions of it that use the same license as the "OpenSSL" library),
23 * and distribute the linked executables. You must obey the GNU General Public
24 * License in all respects for all of the code used other than "OpenSSL". If you
25 * modify file(s), you may extend this exception to your version of the file(s),
26 * but you are not obligated to do so. If you do not wish to do so, delete this
27 * exception statement from your version.
30 #include "webapplication.h"
39 #include <QJsonDocument>
40 #include <QMetaObject>
41 #include <QMimeDatabase>
43 #include <QNetworkCookie>
44 #include <QRegularExpression>
49 #include "base/algorithm.h"
50 #include "base/bittorrent/torrentcreationmanager.h"
51 #include "base/http/httperror.h"
52 #include "base/logger.h"
53 #include "base/preferences.h"
54 #include "base/types.h"
55 #include "base/utils/fs.h"
56 #include "base/utils/io.h"
57 #include "base/utils/misc.h"
58 #include "base/utils/random.h"
59 #include "base/utils/string.h"
60 #include "api/apierror.h"
61 #include "api/appcontroller.h"
62 #include "api/authcontroller.h"
63 #include "api/logcontroller.h"
64 #include "api/rsscontroller.h"
65 #include "api/searchcontroller.h"
66 #include "api/synccontroller.h"
67 #include "api/torrentcreatorcontroller.h"
68 #include "api/torrentscontroller.h"
69 #include "api/transfercontroller.h"
70 #include "freediskspacechecker.h"
72 const int MAX_ALLOWED_FILESIZE
= 10 * 1024 * 1024;
73 const QString DEFAULT_SESSION_COOKIE_NAME
= u
"SID"_s
;
75 const QString WWW_FOLDER
= u
":/www"_s
;
76 const QString PUBLIC_FOLDER
= u
"/public"_s
;
77 const QString PRIVATE_FOLDER
= u
"/private"_s
;
79 using namespace std::chrono_literals
;
81 const std::chrono::seconds FREEDISKSPACE_CHECK_TIMEOUT
= 30s
;
85 QStringMap
parseCookie(const QStringView cookieStr
)
87 // [rfc6265] 4.2.1. Syntax
89 const QList
<QStringView
> cookies
= cookieStr
.split(u
';', Qt::SkipEmptyParts
);
91 for (const auto &cookie
: cookies
)
93 const int idx
= cookie
.indexOf(u
'=');
97 const QString name
= cookie
.left(idx
).trimmed().toString();
98 const QString value
= Utils::String::unquote(cookie
.mid(idx
+ 1).trimmed()).toString();
99 ret
.insert(name
, value
);
104 QUrl
urlFromHostHeader(const QString
&hostHeader
)
106 if (!hostHeader
.contains(u
"://"))
107 return {u
"http://"_s
+ hostHeader
};
111 QString
getCachingInterval(QString contentType
)
113 contentType
= contentType
.toLower();
115 if (contentType
.startsWith(u
"image/"))
116 return u
"private, max-age=604800"_s
; // 1 week
118 if ((contentType
== Http::CONTENT_TYPE_CSS
) || (contentType
== Http::CONTENT_TYPE_JS
))
120 // short interval in case of program update
121 return u
"private, max-age=43200"_s
; // 12 hrs
124 return u
"no-store"_s
;
127 QString
createLanguagesOptionsHtml()
129 // List language files
130 const QStringList langFiles
= QDir(u
":/www/translations"_s
)
131 .entryList({u
"webui_*.qm"_s
}, QDir::Files
, QDir::Name
);
133 QStringList languages
;
134 languages
.reserve(langFiles
.size());
136 for (const QString
&langFile
: langFiles
)
138 const auto langCode
= QStringView(langFile
).sliced(6).chopped(3); // remove "webui_" and ".qm"
139 const QString entry
= u
"<option value=\"%1\">%2</option>"_s
140 .arg(langCode
, Utils::Misc::languageToLocalizedString(langCode
));
141 languages
.append(entry
);
144 return languages
.join(u
'\n');
147 bool isValidCookieName(const QString
&cookieName
)
149 if (cookieName
.isEmpty() || (cookieName
.size() > 128))
152 const QRegularExpression invalidNameRegex
{u
"[^a-zA-Z0-9_\\-]"_s
};
153 if (invalidNameRegex
.match(cookieName
).hasMatch())
160 WebApplication::WebApplication(IApplication
*app
, QObject
*parent
)
161 : ApplicationComponent(app
, parent
)
162 , m_cacheID
{QString::number(Utils::Random::rand(), 36)}
163 , m_authController
{new AuthController(this, app
, this)}
164 , m_workerThread
{new QThread
}
165 , m_freeDiskSpaceChecker
{new FreeDiskSpaceChecker
}
166 , m_freeDiskSpaceCheckingTimer
{new QTimer(this)}
167 , m_torrentCreationManager
{new BitTorrent::TorrentCreationManager(app
, this)}
169 declarePublicAPI(u
"auth/login"_s
);
172 connect(Preferences::instance(), &Preferences::changed
, this, &WebApplication::configure
);
174 m_sessionCookieName
= Preferences::instance()->getWebAPISessionCookieName();
175 if (!isValidCookieName(m_sessionCookieName
))
177 if (!m_sessionCookieName
.isEmpty())
179 LogMsg(tr("Unacceptable session cookie name is specified: '%1'. Default one is used.")
180 .arg(m_sessionCookieName
), Log::WARNING
);
182 m_sessionCookieName
= DEFAULT_SESSION_COOKIE_NAME
;
185 m_freeDiskSpaceChecker
->moveToThread(m_workerThread
.get());
186 connect(m_workerThread
.get(), &QThread::finished
, m_freeDiskSpaceChecker
, &QObject::deleteLater
);
187 m_workerThread
->start();
189 m_freeDiskSpaceCheckingTimer
->setInterval(FREEDISKSPACE_CHECK_TIMEOUT
);
190 m_freeDiskSpaceCheckingTimer
->setSingleShot(true);
191 connect(m_freeDiskSpaceCheckingTimer
, &QTimer::timeout
, m_freeDiskSpaceChecker
, &FreeDiskSpaceChecker::check
);
192 connect(m_freeDiskSpaceChecker
, &FreeDiskSpaceChecker::checked
, m_freeDiskSpaceCheckingTimer
, qOverload
<>(&QTimer::start
));
193 QMetaObject::invokeMethod(m_freeDiskSpaceChecker
, &FreeDiskSpaceChecker::check
);
196 WebApplication::~WebApplication()
198 // cleanup sessions data
199 qDeleteAll(m_sessions
);
202 void WebApplication::sendWebUIFile()
204 if (request().path
.contains(u
'\\'))
205 throw BadRequestHTTPError();
207 if (const QList
<QStringView
> pathItems
= QStringView(request().path
).split(u
'/', Qt::SkipEmptyParts
)
208 ; pathItems
.contains(u
".") || pathItems
.contains(u
".."))
210 throw BadRequestHTTPError();
213 const QString path
= (request().path
!= u
"/")
217 Path localPath
= m_rootFolder
218 / Path(session() ? PRIVATE_FOLDER
: PUBLIC_FOLDER
)
220 if (!localPath
.exists() && session())
222 // try to send public file if there is no private one
223 localPath
= m_rootFolder
/ Path(PUBLIC_FOLDER
) / Path(path
);
228 if (!Utils::Fs::isRegularFile(localPath
))
229 throw InternalServerErrorHTTPError(tr("Unacceptable file type, only regular file is allowed."));
231 const QString rootFolder
= m_rootFolder
.data();
233 QFileInfo fileInfo
{localPath
.parentPath().data()};
234 while (fileInfo
.path() != rootFolder
)
236 if (fileInfo
.isSymLink())
237 throw InternalServerErrorHTTPError(tr("Symlinks inside alternative UI folder are forbidden."));
239 fileInfo
.setFile(fileInfo
.path());
246 void WebApplication::translateDocument(QString
&data
) const
248 const QRegularExpression
regex(u
"QBT_TR\\((([^\\)]|\\)(?!QBT_TR))+)\\)QBT_TR\\[CONTEXT=([a-zA-Z_][a-zA-Z0-9_]*)\\]"_s
);
252 while (i
< data
.size() && found
)
254 QRegularExpressionMatch regexMatch
;
255 i
= data
.indexOf(regex
, i
, ®exMatch
);
258 const QString sourceText
= regexMatch
.captured(1);
259 const QString context
= regexMatch
.captured(3);
261 const QString loadedText
= m_translationFileLoaded
262 ? m_translator
.translate(context
.toUtf8().constData(), sourceText
.toUtf8().constData())
264 // `loadedText` is empty when translation is not provided
265 // it should fallback to `sourceText`
266 QString translation
= loadedText
.isEmpty() ? sourceText
: loadedText
;
268 // Escape quotes to workaround issues with HTML attributes
269 // FIXME: this is a dirty workaround to deal with broken translation strings:
270 // 1. Translation strings is the culprit of the issue, they should be fixed instead
271 // 2. The escaped quote/string is wrong for JS. JS use backslash to escape the quote: "\""
272 translation
.replace(u
'"', u
"""_s
);
274 data
.replace(i
, regexMatch
.capturedLength(), translation
);
275 i
+= translation
.length();
279 found
= false; // no more translatable strings
282 data
.replace(u
"${LANG}"_s
, m_currentLocale
.left(2));
283 data
.replace(u
"${CACHEID}"_s
, m_cacheID
);
287 WebSession
*WebApplication::session()
289 return m_currentSession
;
292 const Http::Request
&WebApplication::request() const
297 const Http::Environment
&WebApplication::env() const
302 void WebApplication::setUsername(const QString
&username
)
304 m_authController
->setUsername(username
);
307 void WebApplication::setPasswordHash(const QByteArray
&passwordHash
)
309 m_authController
->setPasswordHash(passwordHash
);
312 void WebApplication::doProcessRequest()
314 const QRegularExpressionMatch match
= m_apiPathPattern
.match(request().path
);
315 if (!match
.hasMatch())
321 const QString action
= match
.captured(u
"action"_s
);
322 const QString scope
= match
.captured(u
"scope"_s
);
324 // Check public/private scope
325 if (!session() && !isPublicAPI(scope
, action
))
326 throw ForbiddenHTTPError();
329 APIController
*controller
= nullptr;
331 controller
= session()->getAPIController(scope
);
334 if (scope
== u
"auth")
335 controller
= m_authController
;
337 throw NotFoundHTTPError();
340 // Filter HTTP methods
341 const auto allowedMethodIter
= m_allowedMethod
.find({scope
, action
});
342 if (allowedMethodIter
== m_allowedMethod
.end())
344 // by default allow both GET, POST methods
345 if ((m_request
.method
!= Http::METHOD_GET
) && (m_request
.method
!= Http::METHOD_POST
))
346 throw MethodNotAllowedHTTPError();
350 if (*allowedMethodIter
!= m_request
.method
)
351 throw MethodNotAllowedHTTPError();
355 for (const Http::UploadedFile
&torrent
: request().files
)
356 data
[torrent
.filename
] = torrent
.data
;
360 const APIResult result
= controller
->run(action
, m_params
, data
);
361 switch (result
.data
.userType())
363 case QMetaType::QJsonDocument
:
364 print(result
.data
.toJsonDocument().toJson(QJsonDocument::Compact
), Http::CONTENT_TYPE_JSON
);
366 case QMetaType::QByteArray
:
368 const auto resultData
= result
.data
.toByteArray();
369 print(resultData
, (!result
.mimeType
.isEmpty() ? result
.mimeType
: Http::CONTENT_TYPE_TXT
));
370 if (!result
.filename
.isEmpty())
372 setHeader({u
"Content-Disposition"_s
, u
"attachment; filename=\"%1\""_s
.arg(result
.filename
)});
376 case QMetaType::QString
:
378 print(result
.data
.toString(), Http::CONTENT_TYPE_TXT
);
382 catch (const APIError
&error
)
384 // re-throw as HTTPError
385 switch (error
.type())
387 case APIErrorType::AccessDenied
:
388 throw ForbiddenHTTPError(error
.message());
389 case APIErrorType::BadData
:
390 throw UnsupportedMediaTypeHTTPError(error
.message());
391 case APIErrorType::BadParams
:
392 throw BadRequestHTTPError(error
.message());
393 case APIErrorType::Conflict
:
394 throw ConflictHTTPError(error
.message());
395 case APIErrorType::NotFound
:
396 throw NotFoundHTTPError(error
.message());
403 void WebApplication::configure()
405 const auto *pref
= Preferences::instance();
407 const bool isAltUIUsed
= pref
->isAltWebUIEnabled();
408 const Path rootFolder
= (!isAltUIUsed
? Path(WWW_FOLDER
) : pref
->getWebUIRootFolder());
409 if ((isAltUIUsed
!= m_isAltUIUsed
) || (rootFolder
!= m_rootFolder
))
411 m_isAltUIUsed
= isAltUIUsed
;
412 m_rootFolder
= rootFolder
;
413 m_translatedFiles
.clear();
415 LogMsg(tr("Using built-in WebUI."));
417 LogMsg(tr("Using custom WebUI. Location: \"%1\".").arg(m_rootFolder
.toString()));
420 const QString newLocale
= pref
->getLocale();
421 if (m_currentLocale
!= newLocale
)
423 m_currentLocale
= newLocale
;
424 m_translatedFiles
.clear();
426 m_translationFileLoaded
= m_translator
.load((m_rootFolder
/ Path(u
"translations/webui_"_s
) + newLocale
).data());
427 if (m_translationFileLoaded
)
429 LogMsg(tr("WebUI translation for selected locale (%1) has been successfully loaded.")
434 LogMsg(tr("Couldn't load WebUI translation for selected locale (%1).").arg(newLocale
), Log::WARNING
);
438 m_isLocalAuthEnabled
= pref
->isWebUILocalAuthEnabled();
439 m_isAuthSubnetWhitelistEnabled
= pref
->isWebUIAuthSubnetWhitelistEnabled();
440 m_authSubnetWhitelist
= pref
->getWebUIAuthSubnetWhitelist();
441 m_sessionTimeout
= pref
->getWebUISessionTimeout();
443 m_domainList
= pref
->getServerDomains().split(u
';', Qt::SkipEmptyParts
);
444 std::for_each(m_domainList
.begin(), m_domainList
.end(), [](QString
&entry
) { entry
= entry
.trimmed(); });
446 m_isCSRFProtectionEnabled
= pref
->isWebUICSRFProtectionEnabled();
447 m_isSecureCookieEnabled
= pref
->isWebUISecureCookieEnabled();
448 m_isHostHeaderValidationEnabled
= pref
->isWebUIHostHeaderValidationEnabled();
449 m_isHttpsEnabled
= pref
->isWebUIHttpsEnabled();
451 m_prebuiltHeaders
.clear();
452 m_prebuiltHeaders
.push_back({Http::HEADER_X_XSS_PROTECTION
, u
"1; mode=block"_s
});
453 m_prebuiltHeaders
.push_back({Http::HEADER_X_CONTENT_TYPE_OPTIONS
, u
"nosniff"_s
});
457 m_prebuiltHeaders
.push_back({Http::HEADER_CROSS_ORIGIN_OPENER_POLICY
, u
"same-origin"_s
});
458 m_prebuiltHeaders
.push_back({Http::HEADER_REFERRER_POLICY
, u
"same-origin"_s
});
461 const bool isClickjackingProtectionEnabled
= pref
->isWebUIClickjackingProtectionEnabled();
462 if (isClickjackingProtectionEnabled
)
463 m_prebuiltHeaders
.push_back({Http::HEADER_X_FRAME_OPTIONS
, u
"SAMEORIGIN"_s
});
465 const QString contentSecurityPolicy
=
468 : u
"default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"_s
)
469 + (isClickjackingProtectionEnabled
? u
" frame-ancestors 'self';"_s
: QString())
470 + (m_isHttpsEnabled
? u
" upgrade-insecure-requests;"_s
: QString());
471 if (!contentSecurityPolicy
.isEmpty())
472 m_prebuiltHeaders
.push_back({Http::HEADER_CONTENT_SECURITY_POLICY
, contentSecurityPolicy
});
474 if (pref
->isWebUICustomHTTPHeadersEnabled())
476 const QString customHeaders
= pref
->getWebUICustomHTTPHeaders();
477 const QList
<QStringView
> customHeaderLines
= QStringView(customHeaders
).trimmed().split(u
'\n', Qt::SkipEmptyParts
);
479 for (const QStringView line
: customHeaderLines
)
481 const int idx
= line
.indexOf(u
':');
484 // require separator `:` to be present even if `value` field can be empty
485 LogMsg(tr("Missing ':' separator in WebUI custom HTTP header: \"%1\"").arg(line
.toString()), Log::WARNING
);
489 const QString header
= line
.left(idx
).trimmed().toString();
490 const QString value
= line
.mid(idx
+ 1).trimmed().toString();
491 m_prebuiltHeaders
.push_back({header
, value
});
495 m_isReverseProxySupportEnabled
= pref
->isWebUIReverseProxySupportEnabled();
496 if (m_isReverseProxySupportEnabled
)
498 const QStringList proxyList
= pref
->getWebUITrustedReverseProxiesList().split(u
';', Qt::SkipEmptyParts
);
500 m_trustedReverseProxyList
.clear();
501 m_trustedReverseProxyList
.reserve(proxyList
.size());
503 for (QString proxy
: proxyList
)
505 if (!proxy
.contains(u
'/'))
507 const QAbstractSocket::NetworkLayerProtocol protocol
= QHostAddress(proxy
).protocol();
508 if (protocol
== QAbstractSocket::IPv4Protocol
)
510 proxy
.append(u
"/32");
512 else if (protocol
== QAbstractSocket::IPv6Protocol
)
514 proxy
.append(u
"/128");
518 const std::optional
<Utils::Net::Subnet
> subnet
= Utils::Net::parseSubnet(proxy
);
520 m_trustedReverseProxyList
.push_back(subnet
.value());
523 if (m_trustedReverseProxyList
.isEmpty())
524 m_isReverseProxySupportEnabled
= false;
528 void WebApplication::declarePublicAPI(const QString
&apiPath
)
530 m_publicAPIs
<< apiPath
;
533 void WebApplication::sendFile(const Path
&path
)
535 const QDateTime lastModified
= Utils::Fs::lastModified(path
);
537 // find translated file in cache
540 if (const auto it
= m_translatedFiles
.constFind(path
);
541 (it
!= m_translatedFiles
.constEnd()) && (lastModified
<= it
->lastModified
))
543 print(it
->data
, it
->mimeType
);
544 setHeader({Http::HEADER_CACHE_CONTROL
, getCachingInterval(it
->mimeType
)});
549 const auto readResult
= Utils::IO::readFile(path
, MAX_ALLOWED_FILESIZE
);
552 const QString message
= tr("Web server error. %1").arg(readResult
.error().message
);
554 switch (readResult
.error().status
)
556 case Utils::IO::ReadError::NotExist
:
557 qDebug("%s", qUtf8Printable(message
));
558 // don't write log messages here to avoid exhausting the disk space
559 throw NotFoundHTTPError();
561 case Utils::IO::ReadError::ExceedSize
:
562 qWarning("%s", qUtf8Printable(message
));
563 LogMsg(message
, Log::WARNING
);
564 throw InternalServerErrorHTTPError(readResult
.error().message
);
566 case Utils::IO::ReadError::Failed
:
567 case Utils::IO::ReadError::SizeMismatch
:
568 LogMsg(message
, Log::WARNING
);
569 throw InternalServerErrorHTTPError(readResult
.error().message
);
572 throw InternalServerErrorHTTPError(tr("Web server error. Unknown error."));
575 QByteArray data
= readResult
.value();
576 const QMimeType mimeType
= QMimeDatabase().mimeTypeForFileNameAndData(path
.data(), data
);
577 const bool isTranslatable
= !m_isAltUIUsed
&& mimeType
.inherits(u
"text/plain"_s
);
581 auto dataStr
= QString::fromUtf8(data
);
582 // Translate the file
583 translateDocument(dataStr
);
585 // Add the language options
586 if (path
== (m_rootFolder
/ Path(PRIVATE_FOLDER
) / Path(u
"views/preferences.html"_s
)))
587 dataStr
.replace(u
"${LANGUAGE_OPTIONS}"_s
, createLanguagesOptionsHtml());
589 data
= dataStr
.toUtf8();
590 m_translatedFiles
[path
] = {data
, mimeType
.name(), lastModified
}; // caching translated file
593 print(data
, mimeType
.name());
594 setHeader({Http::HEADER_CACHE_CONTROL
, getCachingInterval(mimeType
.name())});
597 Http::Response
WebApplication::processRequest(const Http::Request
&request
, const Http::Environment
&env
)
599 m_currentSession
= nullptr;
604 if (m_request
.method
== Http::METHOD_GET
)
606 for (auto iter
= m_request
.query
.cbegin(); iter
!= m_request
.query
.cend(); ++iter
)
607 m_params
[iter
.key()] = QString::fromUtf8(iter
.value());
611 m_params
= m_request
.posts
;
619 // block suspicious requests
620 if ((m_isCSRFProtectionEnabled
&& isCrossSiteRequest(m_request
))
621 || (m_isHostHeaderValidationEnabled
&& !validateHostHeader(m_domainList
)))
623 throw UnauthorizedHTTPError();
626 // reverse proxy resolve client address
627 m_clientAddress
= resolveClientAddress();
632 catch (const HTTPError
&error
)
634 status(error
.statusCode(), error
.statusText());
635 print((!error
.message().isEmpty() ? error
.message() : error
.statusText()), Http::CONTENT_TYPE_TXT
);
638 for (const Http::Header
&prebuiltHeader
: asConst(m_prebuiltHeaders
))
639 setHeader(prebuiltHeader
);
644 QString
WebApplication::clientId() const
646 return m_clientAddress
.toString();
649 void WebApplication::sessionInitialize()
651 Q_ASSERT(!m_currentSession
);
653 const QString sessionId
{parseCookie(m_request
.headers
.value(u
"cookie"_s
)).value(m_sessionCookieName
)};
655 // TODO: Additional session check
657 if (!sessionId
.isEmpty())
659 m_currentSession
= m_sessions
.value(sessionId
);
660 if (m_currentSession
)
662 if (m_currentSession
->hasExpired(m_sessionTimeout
))
664 // session is outdated - removing it
665 delete m_sessions
.take(sessionId
);
666 m_currentSession
= nullptr;
670 m_currentSession
->updateTimestamp();
675 qDebug() << Q_FUNC_INFO
<< "session does not exist!";
679 if (!m_currentSession
&& !isAuthNeeded())
683 QString
WebApplication::generateSid() const
689 const quint32 tmp
[] =
690 {Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()
691 , Utils::Random::rand(), Utils::Random::rand(), Utils::Random::rand()};
692 sid
= QString::fromLatin1(QByteArray::fromRawData(reinterpret_cast<const char *>(tmp
), sizeof(tmp
)).toBase64());
694 while (m_sessions
.contains(sid
));
699 bool WebApplication::isAuthNeeded()
701 if (!m_isLocalAuthEnabled
&& m_clientAddress
.isLoopback())
703 if (m_isAuthSubnetWhitelistEnabled
&& Utils::Net::isIPInSubnets(m_clientAddress
, m_authSubnetWhitelist
))
708 bool WebApplication::isPublicAPI(const QString
&scope
, const QString
&action
) const
710 return m_publicAPIs
.contains(u
"%1/%2"_s
.arg(scope
, action
));
713 void WebApplication::sessionStart()
715 Q_ASSERT(!m_currentSession
);
717 // remove outdated sessions
718 Algorithm::removeIf(m_sessions
, [this](const QString
&, const WebSession
*session
)
720 if (session
->hasExpired(m_sessionTimeout
))
729 m_currentSession
= new WebSession(generateSid(), app());
730 m_sessions
[m_currentSession
->id()] = m_currentSession
;
732 m_currentSession
->registerAPIController(u
"app"_s
, new AppController(app(), this));
733 m_currentSession
->registerAPIController(u
"log"_s
, new LogController(app(), this));
734 m_currentSession
->registerAPIController(u
"torrentcreator"_s
, new TorrentCreatorController(m_torrentCreationManager
, app(), this));
735 m_currentSession
->registerAPIController(u
"rss"_s
, new RSSController(app(), this));
736 m_currentSession
->registerAPIController(u
"search"_s
, new SearchController(app(), this));
737 m_currentSession
->registerAPIController(u
"torrents"_s
, new TorrentsController(app(), this));
738 m_currentSession
->registerAPIController(u
"transfer"_s
, new TransferController(app(), this));
740 auto *syncController
= new SyncController(app(), this);
741 syncController
->updateFreeDiskSpace(m_freeDiskSpaceChecker
->lastResult());
742 connect(m_freeDiskSpaceChecker
, &FreeDiskSpaceChecker::checked
, syncController
, &SyncController::updateFreeDiskSpace
);
743 m_currentSession
->registerAPIController(u
"sync"_s
, syncController
);
745 QNetworkCookie cookie
{m_sessionCookieName
.toLatin1(), m_currentSession
->id().toLatin1()};
746 cookie
.setHttpOnly(true);
747 cookie
.setSecure(m_isSecureCookieEnabled
&& isOriginTrustworthy()); // [rfc6265] 4.1.2.5. The Secure Attribute
748 cookie
.setPath(u
"/"_s
);
749 if (m_isCSRFProtectionEnabled
)
750 cookie
.setSameSitePolicy(QNetworkCookie::SameSite::Strict
);
751 else if (cookie
.isSecure())
752 cookie
.setSameSitePolicy(QNetworkCookie::SameSite::None
);
753 setHeader({Http::HEADER_SET_COOKIE
, QString::fromLatin1(cookie
.toRawForm())});
756 void WebApplication::sessionEnd()
758 Q_ASSERT(m_currentSession
);
760 QNetworkCookie cookie
{m_sessionCookieName
.toLatin1()};
761 cookie
.setPath(u
"/"_s
);
762 cookie
.setExpirationDate(QDateTime::currentDateTime().addDays(-1));
764 delete m_sessions
.take(m_currentSession
->id());
765 m_currentSession
= nullptr;
767 setHeader({Http::HEADER_SET_COOKIE
, QString::fromLatin1(cookie
.toRawForm())});
770 bool WebApplication::isOriginTrustworthy() const
772 // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
774 if (m_isReverseProxySupportEnabled
)
776 const QString forwardedProto
= request().headers
.value(Http::HEADER_X_FORWARDED_PROTO
);
777 if (forwardedProto
.compare(u
"https", Qt::CaseInsensitive
) == 0)
781 if (m_isHttpsEnabled
)
784 // client is on localhost
785 if (env().clientAddress
.isLoopback())
791 bool WebApplication::isCrossSiteRequest(const Http::Request
&request
) const
793 // https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers
795 const auto isSameOrigin
= [](const QUrl
&left
, const QUrl
&right
) -> bool
797 // [rfc6454] 5. Comparing Origins
798 return ((left
.port() == right
.port())
799 // && (left.scheme() == right.scheme()) // not present in this context
800 && (left
.host() == right
.host()));
803 const QString targetOrigin
= request
.headers
.value(Http::HEADER_X_FORWARDED_HOST
, request
.headers
.value(Http::HEADER_HOST
));
804 const QString originValue
= request
.headers
.value(Http::HEADER_ORIGIN
);
805 const QString refererValue
= request
.headers
.value(Http::HEADER_REFERER
);
807 if (originValue
.isEmpty() && refererValue
.isEmpty())
809 // owasp.org recommends to block this request, but doing so will inevitably lead Web API users to spoof headers
810 // so lets be permissive here
814 // sent with CORS requests, as well as with POST requests
815 if (!originValue
.isEmpty())
817 const bool isInvalid
= !isSameOrigin(urlFromHostHeader(targetOrigin
), originValue
);
820 LogMsg(tr("WebUI: Origin header & Target origin mismatch! Source IP: '%1'. Origin header: '%2'. Target origin: '%3'")
821 .arg(m_env
.clientAddress
.toString(), originValue
, targetOrigin
)
827 if (!refererValue
.isEmpty())
829 const bool isInvalid
= !isSameOrigin(urlFromHostHeader(targetOrigin
), refererValue
);
832 LogMsg(tr("WebUI: Referer header & Target origin mismatch! Source IP: '%1'. Referer header: '%2'. Target origin: '%3'")
833 .arg(m_env
.clientAddress
.toString(), refererValue
, targetOrigin
)
842 bool WebApplication::validateHostHeader(const QStringList
&domains
) const
844 const QUrl hostHeader
= urlFromHostHeader(m_request
.headers
[Http::HEADER_HOST
]);
845 const QString requestHost
= hostHeader
.host();
847 // (if present) try matching host header's port with local port
848 const int requestPort
= hostHeader
.port();
849 if ((requestPort
!= -1) && (m_env
.localPort
!= requestPort
))
851 LogMsg(tr("WebUI: Invalid Host header, port mismatch. Request source IP: '%1'. Server port: '%2'. Received Host header: '%3'")
852 .arg(m_env
.clientAddress
.toString()).arg(m_env
.localPort
)
853 .arg(m_request
.headers
[Http::HEADER_HOST
])
858 // try matching host header with local address
859 const bool sameAddr
= m_env
.localAddress
.isEqual(QHostAddress(requestHost
));
864 // try matching host header with domain list
865 for (const auto &domain
: domains
)
867 const QRegularExpression domainRegex
{Utils::String::wildcardToRegexPattern(domain
), QRegularExpression::CaseInsensitiveOption
};
868 if (requestHost
.contains(domainRegex
))
872 LogMsg(tr("WebUI: Invalid Host header. Request source IP: '%1'. Received Host header: '%2'")
873 .arg(m_env
.clientAddress
.toString(), m_request
.headers
[Http::HEADER_HOST
])
878 QHostAddress
WebApplication::resolveClientAddress() const
880 if (!m_isReverseProxySupportEnabled
)
881 return m_env
.clientAddress
;
883 // Only reverse proxy can overwrite client address
884 if (!Utils::Net::isIPInSubnets(m_env
.clientAddress
, m_trustedReverseProxyList
))
885 return m_env
.clientAddress
;
887 const QString forwardedFor
= m_request
.headers
.value(Http::HEADER_X_FORWARDED_FOR
);
889 if (!forwardedFor
.isEmpty())
891 // client address is the 1st global IP in X-Forwarded-For or, if none available, the 1st IP in the list
892 const QStringList remoteIpList
= forwardedFor
.split(u
',', Qt::SkipEmptyParts
);
894 if (!remoteIpList
.isEmpty())
896 QHostAddress clientAddress
;
898 for (const QString
&remoteIp
: remoteIpList
)
900 if (clientAddress
.setAddress(remoteIp
) && clientAddress
.isGlobal())
901 return clientAddress
;
904 if (clientAddress
.setAddress(remoteIpList
[0]))
905 return clientAddress
;
909 return m_env
.clientAddress
;
914 WebSession::WebSession(const QString
&sid
, IApplication
*app
)
915 : ApplicationComponent(app
)
921 QString
WebSession::id() const
926 bool WebSession::hasExpired(const qint64 seconds
) const
930 return m_timer
.hasExpired(seconds
* 1000);
933 void WebSession::updateTimestamp()
938 void WebSession::registerAPIController(const QString
&scope
, APIController
*controller
)
940 Q_ASSERT(controller
);
941 m_apiControllers
[scope
] = controller
;
944 APIController
*WebSession::getAPIController(const QString
&scope
) const
946 return m_apiControllers
.value(scope
);