
Merge pull request #17563 from Chocobo1/webapi

Restrict more WebAPI endpoints to POST method only
adaptive-webui-19844
Chocobo1 2 years ago committed by GitHub
parent
commit
001c3906b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 56
      src/webui/webapplication.h
  2. 1
      src/webui/www/private/scripts/mocha-init.js
  3. 4
      src/webui/www/private/scripts/speedslider.js
  4. 2
      src/webui/www/private/views/rss.html
  5. 4
      src/webui/www/private/views/rssDownloader.html
  6. 2
      src/webui/www/private/views/search.html

56
src/webui/webapplication.h

@ -141,16 +141,68 @@ private: @@ -141,16 +141,68 @@ private:
const QHash<std::pair<QString, QString>, QString> m_allowedMethod =
{
// <<controller name, action name>, HTTP method>
// TODO: this list is incomplete
{{u"app"_qs, u"setPreferences"_qs}, Http::METHOD_POST},
{{u"app"_qs, u"shutdown"_qs}, Http::METHOD_POST},
{{u"auth"_qs, u"login"_qs}, Http::METHOD_POST},
{{u"auth"_qs, u"logout"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"addFeed"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"addFolder"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"markAsRead"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"moveItem"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"refreshItem"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"removeItem"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"removeRule"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"renameRule"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"setRule"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"delete"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"enablePlugin"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"installPlugin"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"start"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"stop"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"uninstallPlugin"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"updatePlugins"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"add"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"addPeers"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"addTrackers"_qs}, Http::METHOD_POST}
{{u"torrents"_qs, u"addTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"addTrackers"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"bottomPrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"createCategory"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"createTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"decreasePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"delete"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"deleteTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"editCategory"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"editTracker"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"filePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"increasePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"pause"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"reannounce"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"recheck"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"removeCategories"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"removeTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"removeTrackers"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"rename"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"renameFile"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"renameFolder"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"resume"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setAutoManagement"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setCategory"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setDownloadLimit"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setDownloadPath"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setForceStart"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setLocation"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setSavePath"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setShareLimits"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setSuperSeeding"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setUploadLimit"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"toggleFirstLastPiecePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"toggleSequentialDownload"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"topPrio"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"banPeers"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"setDownloadLimit"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"setSpeedLimitsMode"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"setUploadLimit"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"toggleSpeedLimitsMode"_qs}, Http::METHOD_POST},
};
bool m_isAltUIUsed = false;
Path m_rootFolder;
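Review bot: The table only constrains the actions it names, so any state-changing action missing from it — and the `// TODO: this list is incomplete` on L33 admits some are — still answers to GET, which is presumably the request shape this list exists to rule out. A deny-by-default layout (every action POST-only unless explicitly listed as GET), or declaring the method on each controller action instead of in a side table, would make an omission fail safe rather than fail open; if the table is kept, the TODO should state the cost of an omission, e.g. `// Actions absent from this table accept any HTTP method; every state-changing action must be listed here.`. The code that consults m_allowedMethod is outside this hunk, so I cannot confirm from here that a mismatch is rejected before the action runs. The enclosing WebApplication class starts and ends outside the hunk.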

1
src/webui/www/private/scripts/mocha-init.js

@ -1071,6 +1071,7 @@ const initializeWindows = function() { @@ -1071,6 +1071,7 @@ const initializeWindows = function() {
if (confirm('QBT_TR(Are you sure you want to quit qBittorrent?)QBT_TR[CONTEXT=MainWindow]')) {
new Request({
url: 'api/v2/app/shutdown',
method: 'post',
onSuccess: function() {
document.write('<!doctype html><html lang="${LANG}"><head> <meta charset="UTF-8"> <title>QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]</title></head><body> <h1 style="text-align: center;">QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]</h1></body></html>');
document.close();
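Review bot: The shutdown request carries only an `onSuccess` handler, so if the server rejects it (an expired session, or a 405 from the method check this commit tightens) the confirm dialog closes and nothing tells the user qBittorrent is still running; add an `onFailure` handler next to `onSuccess` that surfaces the error in the UI instead of leaving the page unchanged. The explicit `method: 'post'` on L108 matches the `app/shutdown` entry in m_allowedMethod. The enclosing initializeWindows function begins and ends outside the hunk.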

4
src/webui/www/private/scripts/speedslider.js

@ -35,7 +35,7 @@ MochaUI.extend({ @@ -35,7 +35,7 @@ MochaUI.extend({
let maximum = 500;
new Request({
url: 'api/v2/transfer/uploadLimit',
method: 'post',
method: 'get',
data: {},
onSuccess: function(data) {
if (data) {
@ -139,7 +139,7 @@ MochaUI.extend({ @@ -139,7 +139,7 @@ MochaUI.extend({
let maximum = 500;
new Request({
url: 'api/v2/transfer/downloadLimit',
method: 'post',
method: 'get',
data: {},
onSuccess: function(data) {
if (data) {
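Review bot: Both requests (L121 and L130) now go out as GET without `noCache: true`, unlike the `rss/items`, `rss/matchingArticles` and search requests switched to GET in the same commit, so the browser or an intermediate cache may answer `api/v2/transfer/uploadLimit` / `downloadLimit` with a stale body and the slider would open on an old limit; add `noCache: true,` beside `method: 'get',` in both. MooTools' `noCache` appends a cache-busting parameter to the URL, which is harmless for these read-only endpoints. The enclosing MochaUI.extend bodies begin and end outside the hunks.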

2
src/webui/www/private/views/rss.html

@ -447,7 +447,7 @@ @@ -447,7 +447,7 @@
new Request.JSON({
url: 'api/v2/rss/items',
noCache: true,
method: 'post',
method: 'get',
data: {
withData: true
},

4
src/webui/www/private/views/rssDownloader.html

@ -442,7 +442,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also @@ -442,7 +442,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
new Request.JSON({
url: 'api/v2/rss/items',
noCache: true,
method: 'post',
method: 'get',
data: {
withData: false
},
@ -630,7 +630,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also @@ -630,7 +630,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
new Request.JSON({
url: 'api/v2/rss/matchingArticles',
noCache: true,
method: 'post',
method: 'get',
data: {
ruleName: ruleName
},

2
src/webui/www/private/views/search.html

@ -647,7 +647,7 @@ @@ -647,7 +647,7 @@
new Request.JSON({
url: url,
noCache: true,
method: 'post',
method: 'get',
data: {
id: activeSearchId,
limit: maxResults,
