d4708/qBittorrent
1
0
Fork 0
mirror of https://github.com/d47081/qBittorrent.git synced 2025-01-10 14:57:52 +00:00
Code Issues Projects Releases Wiki Activity

- Protect Web UI authentication against brute forcing (IP are banned after 3 failed attempts)

Browse Source
This commit is contained in:
Christophe Dumez 2010-01-14 20:40:06 +00:00
parent 2bf8e2d2d7
commit 9c4c5e2d1a
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/httpconnection.cpp
View File

@ -128,17 +128,28 @@ QString HttpConnection::translateDocument(QString data) {
return data;
}
void HttpConnection::respond()
{
void HttpConnection::respond() {
//qDebug("Respond called");
int nb_fail = parent->client_failed_attempts.value(socket->peerAddress().toString(), 0);
if(nb_fail > 2) {
generator.setStatusLine(403, "Forbidden");
generator.setMessage(tr("Your IP address has been banned after too many failed authentication attempts."));
write();
return;
}
QStringList auth = parser.value("Authorization").split(" ", QString::SkipEmptyParts);
if (auth.size() != 2 || QString::compare(auth[0], "Basic", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth[1].toLocal8Bit()))
{
if (auth.size() != 2 || QString::compare(auth[0], "Basic", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth[1].toLocal8Bit())) {
// Update failed attempt counter
parent->client_failed_attempts.insert(socket->peerAddress().toString(), nb_fail+1);
qDebug("client IP: %s (%d failed attempts)", socket->peerAddress().toString().toLocal8Bit().data(), nb_fail);
// Return unauthorized header
generator.setStatusLine(401, "Unauthorized");
generator.setValue("WWW-Authenticate", "Basic realm=\"you know what\"");
write();
return;
}
// Client sucessfuly authenticated, reset number of failed attempts
parent->client_failed_attempts.remove(socket->peerAddress().toString());
QString url = parser.url();
// Favicon
if(url.endsWith("favicon.ico")) {

2
src/httpserver.h
View File

@ -35,6 +35,7 @@
#include <QPair>
#include <QTcpServer>
#include <QByteArray>
#include <QHash>
class Bittorrent;
class QTimer;
@ -56,6 +57,7 @@ class HttpServer : public QTcpServer {
void setAuthorization(QString username, QString password_md5);
bool isAuthorized(QByteArray auth) const;
EventManager *eventManager() const;
QHash<QString, int> client_failed_attempts;
private slots:
void newHttpConnection();