d4708/qBittorrent
1
0
Fork 0
mirror of https://github.com/d47081/qBittorrent.git synced 2025-01-24 13:34:27 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #17563 from Chocobo1/webapi

Browse Source 
Restrict more WebAPI endpoints to POST method only
This commit is contained in:
Chocobo1 2022-08-18 11:37:59 +08:00 committed by GitHub
commit 001c3906b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 61 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
src/webui/webapplication.h
View File

@ -141,16 +141,68 @@ private:
const QHash<std::pair<QString, QString>, QString> m_allowedMethod = const QHash<std::pair<QString, QString>, QString> m_allowedMethod =
{ {
// <<controller name, action name>, HTTP method> // <<controller name, action name>, HTTP method>
// TODO: this list is incomplete
{{u"app"_qs, u"setPreferences"_qs}, Http::METHOD_POST}, {{u"app"_qs, u"setPreferences"_qs}, Http::METHOD_POST},
{{u"app"_qs, u"shutdown"_qs}, Http::METHOD_POST}, {{u"app"_qs, u"shutdown"_qs}, Http::METHOD_POST},
{{u"auth"_qs, u"login"_qs}, Http::METHOD_POST}, {{u"auth"_qs, u"login"_qs}, Http::METHOD_POST},
{{u"auth"_qs, u"logout"_qs}, Http::METHOD_POST}, {{u"auth"_qs, u"logout"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"addFeed"_qs}, Http::METHOD_POST}, {{u"rss"_qs, u"addFeed"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"addFolder"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"markAsRead"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"moveItem"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"refreshItem"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"removeItem"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"removeRule"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"renameRule"_qs}, Http::METHOD_POST},
{{u"rss"_qs, u"setRule"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"delete"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"enablePlugin"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"installPlugin"_qs}, Http::METHOD_POST}, {{u"search"_qs, u"installPlugin"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"start"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"stop"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"uninstallPlugin"_qs}, Http::METHOD_POST},
{{u"search"_qs, u"updatePlugins"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"add"_qs}, Http::METHOD_POST}, {{u"torrents"_qs, u"add"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"addPeers"_qs}, Http::METHOD_POST}, {{u"torrents"_qs, u"addPeers"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"addTrackers"_qs}, Http::METHOD_POST} {{u"torrents"_qs, u"addTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"addTrackers"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"bottomPrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"createCategory"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"createTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"decreasePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"delete"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"deleteTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"editCategory"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"editTracker"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"filePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"increasePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"pause"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"reannounce"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"recheck"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"removeCategories"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"removeTags"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"removeTrackers"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"rename"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"renameFile"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"renameFolder"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"resume"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setAutoManagement"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setCategory"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setDownloadLimit"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setDownloadPath"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setForceStart"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setLocation"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setSavePath"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setShareLimits"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setSuperSeeding"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"setUploadLimit"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"toggleFirstLastPiecePrio"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"toggleSequentialDownload"_qs}, Http::METHOD_POST},
{{u"torrents"_qs, u"topPrio"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"banPeers"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"setDownloadLimit"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"setSpeedLimitsMode"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"setUploadLimit"_qs}, Http::METHOD_POST},
{{u"transfer"_qs, u"toggleSpeedLimitsMode"_qs}, Http::METHOD_POST},
}; };
bool m_isAltUIUsed = false; bool m_isAltUIUsed = false;
Path m_rootFolder; Path m_rootFolder;

1
src/webui/www/private/scripts/mocha-init.js
View File

@ -1071,6 +1071,7 @@ const initializeWindows = function() {
if (confirm('QBT_TR(Are you sure you want to quit qBittorrent?)QBT_TR[CONTEXT=MainWindow]')) { if (confirm('QBT_TR(Are you sure you want to quit qBittorrent?)QBT_TR[CONTEXT=MainWindow]')) {
new Request({ new Request({
url: 'api/v2/app/shutdown', url: 'api/v2/app/shutdown',
method: 'post',
onSuccess: function() { onSuccess: function() {
document.write('<!doctype html><html lang="${LANG}"><head> <meta charset="UTF-8"> <title>QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]</title></head><body> <h1 style="text-align: center;">QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]</h1></body></html>'); document.write('<!doctype html><html lang="${LANG}"><head> <meta charset="UTF-8"> <title>QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]</title></head><body> <h1 style="text-align: center;">QBT_TR(qBittorrent has been shutdown)QBT_TR[CONTEXT=HttpServer]</h1></body></html>');
document.close(); document.close();

4
src/webui/www/private/scripts/speedslider.js
View File

@ -35,7 +35,7 @@ MochaUI.extend({
let maximum = 500; let maximum = 500;
new Request({ new Request({
url: 'api/v2/transfer/uploadLimit', url: 'api/v2/transfer/uploadLimit',
method: 'post', method: 'get',
data: {}, data: {},
onSuccess: function(data) { onSuccess: function(data) {
if (data) { if (data) {
@ -139,7 +139,7 @@ MochaUI.extend({
let maximum = 500; let maximum = 500;
new Request({ new Request({
url: 'api/v2/transfer/downloadLimit', url: 'api/v2/transfer/downloadLimit',
method: 'post', method: 'get',
data: {}, data: {},
onSuccess: function(data) { onSuccess: function(data) {
if (data) { if (data) {

2
src/webui/www/private/views/rss.html
View File

@ -447,7 +447,7 @@
new Request.JSON({ new Request.JSON({
url: 'api/v2/rss/items', url: 'api/v2/rss/items',
noCache: true, noCache: true,
method: 'post', method: 'get',
data: { data: {
withData: true withData: true
}, },

4
src/webui/www/private/views/rssDownloader.html
View File

@ -442,7 +442,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
new Request.JSON({ new Request.JSON({
url: 'api/v2/rss/items', url: 'api/v2/rss/items',
noCache: true, noCache: true,
method: 'post', method: 'get',
data: { data: {
withData: false withData: false
}, },
@ -630,7 +630,7 @@ Supports the formats: S01E01, 1x1, 2017.12.31 and 31.12.2017 (Date formats also
new Request.JSON({ new Request.JSON({
url: 'api/v2/rss/matchingArticles', url: 'api/v2/rss/matchingArticles',
noCache: true, noCache: true,
method: 'post', method: 'get',
data: { data: {
ruleName: ruleName ruleName: ruleName
}, },

2
src/webui/www/private/views/search.html
View File

@ -647,7 +647,7 @@
new Request.JSON({ new Request.JSON({
url: url, url: url,
noCache: true, noCache: true,
method: 'post', method: 'get',
data: { data: {
id: activeSearchId, id: activeSearchId,
limit: maxResults, limit: maxResults,