diff --git a/src/base/bittorrent/session.cpp b/src/base/bittorrent/session.cpp index 23f638457..4a7a39368 100644 --- a/src/base/bittorrent/session.cpp +++ b/src/base/bittorrent/session.cpp @@ -388,6 +388,7 @@ Session::Session(QObject *parent) , m_IDNSupportEnabled(BITTORRENT_SESSION_KEY("IDNSupportEnabled"), false) , m_multiConnectionsPerIpEnabled(BITTORRENT_SESSION_KEY("MultiConnectionsPerIp"), false) , m_validateHTTPSTrackerCertificate(BITTORRENT_SESSION_KEY("ValidateHTTPSTrackerCertificate"), true) + , m_SSRFMitigationEnabled(BITTORRENT_SESSION_KEY("SSRFMitigation"), true) , m_blockPeersOnPrivilegedPorts(BITTORRENT_SESSION_KEY("BlockPeersOnPrivilegedPorts"), false) , m_isAddTrackersEnabled(BITTORRENT_SESSION_KEY("AddTrackersEnabled"), false) , m_additionalTrackers(BITTORRENT_SESSION_KEY("AdditionalTrackers")) @@ -1381,6 +1382,8 @@ void Session::loadLTSettings(lt::settings_pack &settingsPack) settingsPack.set_bool(lt::settings_pack::validate_https_trackers, validateHTTPSTrackerCertificate()); + settingsPack.set_bool(lt::settings_pack::ssrf_mitigation, isSSRFMitigationEnabled()); + settingsPack.set_bool(lt::settings_pack::no_connect_privileged_ports, blockPeersOnPrivilegedPorts()); settingsPack.set_bool(lt::settings_pack::apply_ip_filter_to_trackers, isTrackerFilteringEnabled()); @@ -3748,6 +3751,19 @@ void Session::setValidateHTTPSTrackerCertificate(const bool enabled) configureDeferred(); } +bool Session::isSSRFMitigationEnabled() const +{ + return m_SSRFMitigationEnabled; +} + +void Session::setSSRFMitigationEnabled(const bool enabled) +{ + if (enabled == m_SSRFMitigationEnabled) return; + + m_SSRFMitigationEnabled = enabled; + configureDeferred(); +} + bool Session::blockPeersOnPrivilegedPorts() const { return m_blockPeersOnPrivilegedPorts; diff --git a/src/base/bittorrent/session.h b/src/base/bittorrent/session.h index e5f422374..448d1142f 100644 --- a/src/base/bittorrent/session.h +++ b/src/base/bittorrent/session.h 
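Review bot: The `ssrf_mitigation` line added in the `loadLTSettings` hunk hands a security control to libtorrent with no comment on what it guards or why it defaults to on, which leaves a later maintainer nothing to weigh if the default in the constructor hunk is ever questioned. I would add above it `// Security default (on): limits tracker and web-seed requests aimed at loopback/local-network hosts; see libtorrent's ssrf_mitigation reference`, worded against that reference, since the exact rules are libtorrent's and are not visible in this diff. The new `setSSRFMitigationEnabled` also changes the value silently; a log entry when the mitigation is switched off would make that traceable, assuming a logger is available in this file. The constructor's initializer list and `loadLTSettings` both continue outside their hunks.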
@@ -427,6 +427,8 @@ namespace BitTorrent
 void setMultiConnectionsPerIpEnabled(bool enabled);
 bool validateHTTPSTrackerCertificate() const;
 void setValidateHTTPSTrackerCertificate(bool enabled);
+ bool isSSRFMitigationEnabled() const;
+ void setSSRFMitigationEnabled(bool enabled);
 bool blockPeersOnPrivilegedPorts() const;
 void setBlockPeersOnPrivilegedPorts(bool enabled);
 bool isTrackerFilteringEnabled() const;
@@ -700,6 +702,7 @@ namespace BitTorrent
 CachedSettingValue m_IDNSupportEnabled;
 CachedSettingValue m_multiConnectionsPerIpEnabled;
 CachedSettingValue m_validateHTTPSTrackerCertificate;
+ CachedSettingValue m_SSRFMitigationEnabled;
 CachedSettingValue m_blockPeersOnPrivilegedPorts;
 CachedSettingValue m_isAddTrackersEnabled;
 CachedSettingValue m_additionalTrackers;
diff --git a/src/gui/advancedsettings.cpp b/src/gui/advancedsettings.cpp
index 29837b46c..3465880bc 100644
--- a/src/gui/advancedsettings.cpp
+++ b/src/gui/advancedsettings.cpp
@@ -126,6 +126,7 @@ namespace
 IDN_SUPPORT,
 MULTI_CONNECTIONS_PER_IP,
 VALIDATE_HTTPS_TRACKER_CERTIFICATE,
+ SSRF_MITIGATION,
 BLOCK_PEERS_ON_PRIVILEGED_PORTS,
 // seeding
 CHOKING_ALGORITHM,
@@ -246,6 +247,8 @@ void AdvancedSettings::saveAdvancedSettings()
 session->setMultiConnectionsPerIpEnabled(m_checkBoxMultiConnectionsPerIp.isChecked());
 // Validate HTTPS tracker certificate
 session->setValidateHTTPSTrackerCertificate(m_checkBoxValidateHTTPSTrackerCertificate.isChecked());
+ // SSRF mitigation
+ session->setSSRFMitigationEnabled(m_checkBoxSSRFMitigation.isChecked());
 // Disallow connection to peers on privileged ports
 session->setBlockPeersOnPrivilegedPorts(m_checkBoxBlockPeersOnPrivilegedPorts.isChecked());
 // Recheck torrents on completion
@@ -599,6 +602,11 @@ void AdvancedSettings::loadAdvancedSettings() addRow(VALIDATE_HTTPS_TRACKER_CERTIFICATE, (tr("Validate HTTPS tracker certificates") + ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#validate_https_trackers", "(?)")) , &m_checkBoxValidateHTTPSTrackerCertificate); + // SSRF mitigation + m_checkBoxSSRFMitigation.setChecked(session->isSSRFMitigationEnabled()); + addRow(SSRF_MITIGATION, (tr("Server-side request forgery (SSRF) mitigation") + + ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation", "(?)")) + , &m_checkBoxSSRFMitigation); // Disallow connection to peers on privileged ports m_checkBoxBlockPeersOnPrivilegedPorts.setChecked(session->blockPeersOnPrivilegedPorts()); addRow(BLOCK_PEERS_ON_PRIVILEGED_PORTS, (tr("Disallow connection to peers on privileged ports") + ' ' + makeLink("https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports", "(?)")), &m_checkBoxBlockPeersOnPrivilegedPorts); diff --git a/src/gui/advancedsettings.h b/src/gui/advancedsettings.h index 66991ecc4..341401d67 100644 --- a/src/gui/advancedsettings.h +++ b/src/gui/advancedsettings.h 
@@ -68,7 +68,7 @@ private: QCheckBox m_checkBoxOsCache, m_checkBoxRecheckCompleted, m_checkBoxResolveCountries, m_checkBoxResolveHosts, m_checkBoxProgramNotifications, m_checkBoxTorrentAddedNotifications, m_checkBoxReannounceWhenAddressChanged, m_checkBoxTrackerFavicon, m_checkBoxTrackerStatus, m_checkBoxConfirmTorrentRecheck, m_checkBoxConfirmRemoveAllTags, m_checkBoxAnnounceAllTrackers, m_checkBoxAnnounceAllTiers, - m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity, + m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxSSRFMitigation, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity, m_checkBoxSuggestMode, m_checkBoxSpeedWidgetEnabled, m_checkBoxIDNSupport; QComboBox m_comboBoxInterface, m_comboBoxInterfaceAddress, m_comboBoxUtpMixedMode, m_comboBoxChokingAlgorithm, m_comboBoxSeedChokingAlgorithm, m_comboBoxResumeDataStorage; diff --git a/src/webui/api/appcontroller.cpp b/src/webui/api/appcontroller.cpp index 201892d7e..a6be72dd5 100644 --- a/src/webui/api/appcontroller.cpp +++ b/src/webui/api/appcontroller.cpp @@ -335,6 +335,8 @@ void AppController::preferencesAction() data["enable_multi_connections_from_same_ip"] = session->multiConnectionsPerIpEnabled(); // Validate HTTPS tracker certificate data["validate_https_tracker_certificate"] = session->validateHTTPSTrackerCertificate(); + // SSRF mitigation + data["ssrf_mitigation"] = session->isSSRFMitigationEnabled(); // Disallow connection to peers on privileged ports data["block_peers_on_privileged_ports"] = session->blockPeersOnPrivilegedPorts(); // Embedded tracker 
@@ -819,6 +821,9 @@ void AppController::setPreferencesAction() // Validate HTTPS tracker certificate if (hasKey("validate_https_tracker_certificate")) session->setValidateHTTPSTrackerCertificate(it.value().toBool()); + // SSRF mitigation + if (hasKey("ssrf_mitigation")) + session->setSSRFMitigationEnabled(it.value().toBool()); // Disallow connection to peers on privileged ports if (hasKey("block_peers_on_privileged_ports")) session->setBlockPeersOnPrivilegedPorts(it.value().toBool()); diff --git a/src/webui/www/private/views/preferences.html b/src/webui/www/private/views/preferences.html index ef1267de0..ec7349193 100644 --- a/src/webui/www/private/views/preferences.html +++ b/src/webui/www/private/views/preferences.html @@ -1151,6 +1151,14 @@ + + + + + + + + @@ -1940,6 +1948,7 @@ $('IDNSupportCheckbox').setProperty('checked', pref.idn_support_enabled); $('allowMultipleConnectionsFromTheSameIPAddress').setProperty('checked', pref.enable_multi_connections_from_same_ip); $('validateHTTPSTrackerCertificate').setProperty('checked', pref.validate_https_tracker_certificate); + $('mitigateSSRF').setProperty('checked', pref.ssrf_mitigation); $('blockPeersOnPrivilegedPorts').setProperty('checked', pref.block_peers_on_privileged_ports); $('enableEmbeddedTracker').setProperty('checked', pref.enable_embedded_tracker); $('embeddedTrackerPort').setProperty('value', pref.embedded_tracker_port); 
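Review bot: In the `setPreferencesAction` hunk, `it.value().toBool()` maps any value that does not convert to true onto `false`, so a malformed or wrongly typed `ssrf_mitigation` entry switches the mitigation off instead of being ignored. For a protection that defaults to on, the request should only be applied when the value really is a boolean, e.g. `if (hasKey("ssrf_mitigation") && (it.value().type() == QVariant::Bool))`, assuming `it.value()` is a `QVariant`; the declarations of `it` and `hasKey` are outside the hunk, so the type needs confirming. The neighbouring `validate_https_tracker_certificate` handler shown as context has the same shape and would benefit from the same guard.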
@@ -2334,6 +2343,7 @@
 settings.set('idn_support_enabled', $('IDNSupportCheckbox').getProperty('checked'));
 settings.set('enable_multi_connections_from_same_ip', $('allowMultipleConnectionsFromTheSameIPAddress').getProperty('checked'));
 settings.set('validate_https_tracker_certificate', $('validateHTTPSTrackerCertificate').getProperty('checked'));
+ settings.set('ssrf_mitigation', $('mitigateSSRF').getProperty('checked'));
 settings.set('block_peers_on_privileged_ports', $('blockPeersOnPrivilegedPorts').getProperty('checked'));
 settings.set('enable_embedded_tracker', $('enableEmbeddedTracker').getProperty('checked'));
 settings.set('embedded_tracker_port', $('embeddedTrackerPort').getProperty('value'));