d4708
/
qBittorrent
mirror of https://github.com/d47081/qBittorrent.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add option to control CSRF protection 

Some users are using WebUI with simple port-forwarding from their router,
providing an option to control the protection will save them from setting up an
non-trival web proxy.
Closes #7274.
adaptive-webui-19844
Chocobo1 6 years ago
parent
bad4d94f77
commit
9eeef0be97
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
8 changed files with 37 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      src/base/preferences.cpp
  2. 2
      src/base/preferences.h
  3. 3
      src/gui/optionsdlg.cpp
  4. 7
      src/gui/optionsdlg.ui
  5. 3
      src/webui/api/appcontroller.cpp
  6. 7
      src/webui/webapplication.cpp
  7. 1
      src/webui/webapplication.h
  8. 6
      src/webui/www/private/preferences_content.html

10
src/base/preferences.cpp
Unescape View File

@ -586,6 +586,16 @@ void Preferences::setWebUiClickjackingProtectionEnabled(bool enabled) @@ -586,6 +586,16 @@ void Preferences::setWebUiClickjackingProtectionEnabled(bool enabled)
setValue("Preferences/WebUI/ClickjackingProtection", enabled);
}
bool Preferences::isWebUiCSRFProtectionEnabled() const
{
return value("Preferences/WebUI/CSRFProtection", true).toBool();
}
void Preferences::setWebUiCSRFProtectionEnabled(bool enabled)
{
setValue("Preferences/WebUI/CSRFProtection", enabled);
}
bool Preferences::isWebUiHttpsEnabled() const
{
return value("Preferences/WebUI/HTTPS/Enabled", false).toBool();

2
src/base/preferences.h
Unescape View File

@ -197,6 +197,8 @@ public: @@ -197,6 +197,8 @@ public:
// WebUI security
bool isWebUiClickjackingProtectionEnabled() const;
void setWebUiClickjackingProtectionEnabled(bool enabled);
bool isWebUiCSRFProtectionEnabled() const;
void setWebUiCSRFProtectionEnabled(bool enabled);
// HTTPS
bool isWebUiHttpsEnabled() const;

3
src/gui/optionsdlg.cpp
Unescape View File

@ -379,6 +379,7 @@ OptionsDialog::OptionsDialog(QWidget *parent) @@ -379,6 +379,7 @@ OptionsDialog::OptionsDialog(QWidget *parent)
connect(m_ui->checkBypassAuthSubnetWhitelist, &QAbstractButton::toggled, this, &ThisType::enableApplyButton);
connect(m_ui->checkBypassAuthSubnetWhitelist, &QAbstractButton::toggled, m_ui->IPSubnetWhitelistButton, &QPushButton::setEnabled);
connect(m_ui->checkClickjacking, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
connect(m_ui->checkCSRFProtection, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
connect(m_ui->checkDynDNS, &QGroupBox::toggled, this, &ThisType::enableApplyButton);
connect(m_ui->comboDNSService, qComboBoxCurrentIndexChanged, this, &ThisType::enableApplyButton);
connect(m_ui->domainNameTxt, &QLineEdit::textChanged, this, &ThisType::enableApplyButton);
@ -697,6 +698,7 @@ void OptionsDialog::saveOptions() @@ -697,6 +698,7 @@ void OptionsDialog::saveOptions()
pref->setWebUiAuthSubnetWhitelistEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());
// Security
pref->setWebUiClickjackingProtectionEnabled(m_ui->checkClickjacking->isChecked());
pref->setWebUiCSRFProtectionEnabled(m_ui->checkCSRFProtection->isChecked());
// DynDNS
pref->setDynDNSEnabled(m_ui->checkDynDNS->isChecked());
pref->setDynDNSService(m_ui->comboDNSService->currentIndex());
@ -1101,6 +1103,7 @@ void OptionsDialog::loadOptions() @@ -1101,6 +1103,7 @@ void OptionsDialog::loadOptions()
// Security
m_ui->checkClickjacking->setChecked(pref->isWebUiClickjackingProtectionEnabled());
m_ui->checkCSRFProtection->setChecked(pref->isWebUiCSRFProtectionEnabled());
m_ui->checkDynDNS->setChecked(pref->isDynDNSEnabled());
m_ui->comboDNSService->setCurrentIndex(static_cast<int>(pref->getDynDNSService()));

7
src/gui/optionsdlg.ui
Unescape View File

@ -3175,6 +3175,13 @@ Use ';' to split multiple entries. Can use wildcard '*'.</string> @@ -3175,6 +3175,13 @@ Use ';' to split multiple entries. Can use wildcard '*'.</string>
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="checkCSRFProtection">
<property name="text">
<string>Enable Cross-Site Request Forgery (CSRF) protection</string>
</property>
</widget>
</item>
<item>
<widget class="QGroupBox" name="checkDynDNS">
<property name="title">

3
src/webui/api/appcontroller.cpp
Unescape View File

@ -207,6 +207,7 @@ void AppController::preferencesAction() @@ -207,6 +207,7 @@ void AppController::preferencesAction()
data["bypass_auth_subnet_whitelist"] = authSubnetWhitelistStringList.join("\n");
// Security
data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
// Update my dynamic domain name
data["dyndns_enabled"] = pref->isDynDNSEnabled();
data["dyndns_service"] = pref->getDynDNSService();
@ -484,6 +485,8 @@ void AppController::setPreferencesAction() @@ -484,6 +485,8 @@ void AppController::setPreferencesAction()
// Security
if (m.contains("web_ui_clickjacking_protection_enabled"))
pref->setWebUiClickjackingProtectionEnabled(m["web_ui_clickjacking_protection_enabled"].toBool());
if (m.contains("web_ui_csrf_protection_enabled"))
pref->setWebUiCSRFProtectionEnabled(m["web_ui_csrf_protection_enabled"].toBool());
// Update my dynamic domain name
if (m.contains("dyndns_enabled"))
pref->setDynDNSEnabled(m["dyndns_enabled"].toBool());

7
src/webui/webapplication.cpp
Unescape View File

@ -430,6 +430,7 @@ void WebApplication::configure() @@ -430,6 +430,7 @@ void WebApplication::configure()
}
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -514,9 +515,11 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons @@ -514,9 +515,11 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
clear();
try {
// block cross-site requests
if (isCrossSiteRequest(m_request) || !validateHostHeader(m_domainList))
// block suspicious requests
if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
|| !validateHostHeader(m_domainList)) {
throw UnauthorizedHTTPError();
}
sessionInitialize();
doProcessRequest();

1
src/webui/webapplication.h
Unescape View File

@ -145,4 +145,5 @@ private: @@ -145,4 +145,5 @@ private:
// security related
bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled;
};

6
src/webui/www/private/preferences_content.html
Unescape View File

@ -463,6 +463,10 @@ @@ -463,6 +463,10 @@
<input type="checkbox" id="clickjacking_protection_checkbox" />
<label for="clickjacking_protection_checkbox">QBT_TR(Enable clickjacking protection)QBT_TR[CONTEXT=OptionsDialog]</label>
</div>
<div class="formRow">
<input type="checkbox" id="csrf_protection_checkbox" />
<label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
</div>
</fieldset>
<fieldset class="settings">
@ -1029,6 +1033,7 @@ @@ -1029,6 +1033,7 @@
// Security
$('clickjacking_protection_checkbox').setProperty('checked', pref.web_ui_clickjacking_protection_enabled);
$('csrf_protection_checkbox').setProperty('checked', pref.web_ui_csrf_protection_enabled);
// Update my dynamic domain name
$('use_dyndns_checkbox').setProperty('checked', pref.dyndns_enabled);
@ -1322,6 +1327,7 @@ @@ -1322,6 +1327,7 @@
settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value'));
settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
// Update my dynamic domain name
settings.set('dyndns_enabled', $('use_dyndns_checkbox').getProperty('checked'));

Write Preview
Loading…
Cancel
Save