- Store Web UI password as md5

15 years ago · d3687fd863
5 changed files with 115 additions and 75 deletions
--- a/1
+++ b/1
@ -45,6 +45,7 @@
				@@ -45,6 +45,7 @@
    - WEB UI: Added internationalization support
    - WEB UI: Reduced computation in Javascript (do this one server side instead)
    - WEB UI: Fixed Transfer list flickering
+    - WEB UI: Password is now stored as md5
    - I18N: Added Serbian translation (By Anaximandar Milet)
    - COSMETIC: Merged download / upload lists
    - COSMETIC: Torrents can be filtered based on their status
--- a/src/httpserver.cpp
+++ b/src/httpserver.cpp
@ -33,11 +33,13 @@
				@@ -33,11 +33,13 @@
 #include "httpconnection.h"
 #include "eventmanager.h"
 #include "bittorrent.h"
+#include "preferences.h"
 #include <QTimer>
+#include <QCryptographicHash>

-HttpServer::HttpServer(Bittorrent *_BTSession, int msec, QObject* parent) : QTcpServer(parent)
-{
-	base64 = QByteArray(":").toBase64();
+HttpServer::HttpServer(Bittorrent *_BTSession, int msec, QObject* parent) : QTcpServer(parent) {
+  username = Preferences::getWebUiUsername().toLocal8Bit();
+  password_md5 = Preferences::getWebUiPassword().toLocal8Bit();
  connect(this, SIGNAL(newConnection()), this, SLOT(newHttpConnection()));
  BTSession = _BTSession;
  manager = new EventManager(this, BTSession);
@ -110,15 +112,21 @@ void HttpServer::onTimer() {
				@@ -110,15 +112,21 @@ void HttpServer::onTimer() {
  }
 }

-void HttpServer::setAuthorization(QString username, QString password)
-{
-	QString cat = username + ":" + password;
-  base64 = QByteArray(cat.toLocal8Bit()).toBase64();
+void HttpServer::setAuthorization(QString _username, QString _password_md5) {
+  username = _username.toLocal8Bit();
+  password_md5 = _password_md5.toLocal8Bit();
 }

-bool HttpServer::isAuthorized(QByteArray auth) const
-{
-	return (auth == base64);
+bool HttpServer::isAuthorized(QByteArray auth) const {
+  // Decode Auth
+  QByteArray decoded = QByteArray::fromBase64(auth);
+  QList<QByteArray> creds = decoded.split(':');
+  if(creds.size() != 2) return false;
+  QByteArray prop_username = creds.first();
+  if(prop_username != username) return false;
+  QCryptographicHash md5(QCryptographicHash::Md5);
+  md5.addData(creds.last());
+  return (password_md5 == md5.result().toHex());
 }

 EventManager* HttpServer::eventManager() const
--- a/src/httpserver.h
+++ b/src/httpserver.h
@ -44,7 +44,8 @@ class HttpServer : public QTcpServer {
				@@ -44,7 +44,8 @@ class HttpServer : public QTcpServer {
 	Q_OBJECT

 	private:
-		QByteArray base64;
+                QByteArray username;
+                QByteArray password_md5;
                Bittorrent *BTSession;
 		EventManager *manager;
 		QTimer *timer;
@ -52,7 +53,7 @@ class HttpServer : public QTcpServer {
				@@ -52,7 +53,7 @@ class HttpServer : public QTcpServer {
 	public:
                HttpServer(Bittorrent *BTSession, int msec, QObject* parent = 0);
 		~HttpServer();
-		void setAuthorization(QString username, QString password);
+                void setAuthorization(QString username, QString password_md5);
 		bool isAuthorized(QByteArray auth) const;
 		EventManager *eventManager() const;

--- a/src/options_imp.cpp
+++ b/src/options_imp.cpp
@ -465,7 +465,8 @@ void options_imp::saveOptions(){
				@@ -465,7 +465,8 @@ void options_imp::saveOptions(){
  {
    settings.setValue("Port", webUiPort());
    settings.setValue("Username", webUiUsername());
-    settings.setValue("Password", webUiPassword());
+    // FIXME: Check that the password is valid (not empty at least)
+    Preferences::setWebUiPassword(webUiPassword());
  }
  // End Web UI
  settings.endGroup();
--- a/src/preferences.h
+++ b/src/preferences.h
@ -32,6 +32,7 @@
				@@ -32,6 +32,7 @@
 #define PREFERENCES_H

 #include <QSettings>
+#include <QCryptographicHash>
 #include <QPair>
 #include <QDir>

@ -456,12 +457,40 @@ public:
				@@ -456,12 +457,40 @@ public:

  static QString getWebUiUsername() {
    QSettings settings("qBittorrent", "qBittorrent");
-    return settings.value("Preferences/WebUI/Username", "user").toString();
+    return settings.value("Preferences/WebUI/Username", "admin").toString();
+  }
+
+  static void setWebUiPassword(QString new_password) {
+    // Get current password md5
+    QString current_pass_md5 = getWebUiPassword();
+    // Check if password did not change
+    if(current_pass_md5 == new_password) return;
+    // Encode to md5 and save
+    QCryptographicHash md5(QCryptographicHash::Md5);
+    md5.addData(new_password.toLocal8Bit());
+    QSettings settings("qBittorrent", "qBittorrent");
+    settings.setValue("Preferences/WebUI/Password_md5", md5.result().toHex());
  }

  static QString getWebUiPassword() {
    QSettings settings("qBittorrent", "qBittorrent");
-    return settings.value("Preferences/WebUI/Password", "").toString();
+    // Here for backward compatiblity
+    if(settings.contains("Preferences/WebUI/Password")) {
+      QString clear_pass = settings.value("Preferences/WebUI/Password", "adminadmin").toString();
+      settings.remove("Preferences/WebUI/Password");
+      QCryptographicHash md5(QCryptographicHash::Md5);
+      md5.addData(clear_pass.toLocal8Bit());
+      QString pass_md5(md5.result().toHex());
+      settings.setValue("Preferences/WebUI/Password_md5", pass_md5);
+      return pass_md5;
+    }
+    QString pass_md5 = settings.value("Preferences/WebUI/Password_md5", "").toString();
+    if(pass_md5.isEmpty()) {
+      QCryptographicHash md5(QCryptographicHash::Md5);
+      md5.addData("adminadmin");
+      pass_md5 = md5.result().toHex();
+    }
+    return pass_md5;
  }

 };