d4708
/
qBittorrent
mirror of https://github.com/d47081/qBittorrent.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Expose SSRF mitigation (#15247)

adaptive-webui-19844
Sylvain Finot 3 years ago committed by GitHub
parent
11a063ea66
commit
e87f8f5b93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 43 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      src/base/bittorrent/session.cpp
  2. 3
      src/base/bittorrent/session.h
  3. 8
      src/gui/advancedsettings.cpp
  4. 2
      src/gui/advancedsettings.h
  5. 5
      src/webui/api/appcontroller.cpp
  6. 10
      src/webui/www/private/views/preferences.html

16
src/base/bittorrent/session.cpp
Unescape View File

@ -388,6 +388,7 @@ Session::Session(QObject *parent)
, m_IDNSupportEnabled(BITTORRENT_SESSION_KEY("IDNSupportEnabled"), false) , m_IDNSupportEnabled(BITTORRENT_SESSION_KEY("IDNSupportEnabled"), false)
, m_multiConnectionsPerIpEnabled(BITTORRENT_SESSION_KEY("MultiConnectionsPerIp"), false) , m_multiConnectionsPerIpEnabled(BITTORRENT_SESSION_KEY("MultiConnectionsPerIp"), false)
, m_validateHTTPSTrackerCertificate(BITTORRENT_SESSION_KEY("ValidateHTTPSTrackerCertificate"), true) , m_validateHTTPSTrackerCertificate(BITTORRENT_SESSION_KEY("ValidateHTTPSTrackerCertificate"), true)
, m_SSRFMitigationEnabled(BITTORRENT_SESSION_KEY("SSRFMitigation"), true)
, m_blockPeersOnPrivilegedPorts(BITTORRENT_SESSION_KEY("BlockPeersOnPrivilegedPorts"), false) , m_blockPeersOnPrivilegedPorts(BITTORRENT_SESSION_KEY("BlockPeersOnPrivilegedPorts"), false)
, m_isAddTrackersEnabled(BITTORRENT_SESSION_KEY("AddTrackersEnabled"), false) , m_isAddTrackersEnabled(BITTORRENT_SESSION_KEY("AddTrackersEnabled"), false)
, m_additionalTrackers(BITTORRENT_SESSION_KEY("AdditionalTrackers")) , m_additionalTrackers(BITTORRENT_SESSION_KEY("AdditionalTrackers"))
@ -1381,6 +1382,8 @@ void Session::loadLTSettings(lt::settings_pack &settingsPack)
settingsPack.set_bool(lt::settings_pack::validate_https_trackers, validateHTTPSTrackerCertificate()); settingsPack.set_bool(lt::settings_pack::validate_https_trackers, validateHTTPSTrackerCertificate());
settingsPack.set_bool(lt::settings_pack::ssrf_mitigation, isSSRFMitigationEnabled());
settingsPack.set_bool(lt::settings_pack::no_connect_privileged_ports, blockPeersOnPrivilegedPorts()); settingsPack.set_bool(lt::settings_pack::no_connect_privileged_ports, blockPeersOnPrivilegedPorts());
settingsPack.set_bool(lt::settings_pack::apply_ip_filter_to_trackers, isTrackerFilteringEnabled()); settingsPack.set_bool(lt::settings_pack::apply_ip_filter_to_trackers, isTrackerFilteringEnabled());
@ -3748,6 +3751,19 @@ void Session::setValidateHTTPSTrackerCertificate(const bool enabled)
configureDeferred(); configureDeferred();
} }
bool Session::isSSRFMitigationEnabled() const
{
return m_SSRFMitigationEnabled;
}
void Session::setSSRFMitigationEnabled(const bool enabled)
{
if (enabled == m_SSRFMitigationEnabled) return;
m_SSRFMitigationEnabled = enabled;
configureDeferred();
}
bool Session::blockPeersOnPrivilegedPorts() const bool Session::blockPeersOnPrivilegedPorts() const
{ {
return m_blockPeersOnPrivilegedPorts; return m_blockPeersOnPrivilegedPorts;

3
src/base/bittorrent/session.h
Unescape View File

@ -427,6 +427,8 @@ namespace BitTorrent
void setMultiConnectionsPerIpEnabled(bool enabled); void setMultiConnectionsPerIpEnabled(bool enabled);
bool validateHTTPSTrackerCertificate() const; bool validateHTTPSTrackerCertificate() const;
void setValidateHTTPSTrackerCertificate(bool enabled); void setValidateHTTPSTrackerCertificate(bool enabled);
bool isSSRFMitigationEnabled() const;
void setSSRFMitigationEnabled(bool enabled);
bool blockPeersOnPrivilegedPorts() const; bool blockPeersOnPrivilegedPorts() const;
void setBlockPeersOnPrivilegedPorts(bool enabled); void setBlockPeersOnPrivilegedPorts(bool enabled);
bool isTrackerFilteringEnabled() const; bool isTrackerFilteringEnabled() const;
@ -700,6 +702,7 @@ namespace BitTorrent
CachedSettingValue<bool> m_IDNSupportEnabled; CachedSettingValue<bool> m_IDNSupportEnabled;
CachedSettingValue<bool> m_multiConnectionsPerIpEnabled; CachedSettingValue<bool> m_multiConnectionsPerIpEnabled;
CachedSettingValue<bool> m_validateHTTPSTrackerCertificate; CachedSettingValue<bool> m_validateHTTPSTrackerCertificate;
CachedSettingValue<bool> m_SSRFMitigationEnabled;
CachedSettingValue<bool> m_blockPeersOnPrivilegedPorts; CachedSettingValue<bool> m_blockPeersOnPrivilegedPorts;
CachedSettingValue<bool> m_isAddTrackersEnabled; CachedSettingValue<bool> m_isAddTrackersEnabled;
CachedSettingValue<QString> m_additionalTrackers; CachedSettingValue<QString> m_additionalTrackers;

8
src/gui/advancedsettings.cpp
Unescape View File

@ -126,6 +126,7 @@ namespace
IDN_SUPPORT, IDN_SUPPORT,
MULTI_CONNECTIONS_PER_IP, MULTI_CONNECTIONS_PER_IP,
VALIDATE_HTTPS_TRACKER_CERTIFICATE, VALIDATE_HTTPS_TRACKER_CERTIFICATE,
SSRF_MITIGATION,
BLOCK_PEERS_ON_PRIVILEGED_PORTS, BLOCK_PEERS_ON_PRIVILEGED_PORTS,
// seeding // seeding
CHOKING_ALGORITHM, CHOKING_ALGORITHM,
@ -246,6 +247,8 @@ void AdvancedSettings::saveAdvancedSettings()
session->setMultiConnectionsPerIpEnabled(m_checkBoxMultiConnectionsPerIp.isChecked()); session->setMultiConnectionsPerIpEnabled(m_checkBoxMultiConnectionsPerIp.isChecked());
// Validate HTTPS tracker certificate // Validate HTTPS tracker certificate
session->setValidateHTTPSTrackerCertificate(m_checkBoxValidateHTTPSTrackerCertificate.isChecked()); session->setValidateHTTPSTrackerCertificate(m_checkBoxValidateHTTPSTrackerCertificate.isChecked());
// SSRF mitigation
session->setSSRFMitigationEnabled(m_checkBoxSSRFMitigation.isChecked());
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
session->setBlockPeersOnPrivilegedPorts(m_checkBoxBlockPeersOnPrivilegedPorts.isChecked()); session->setBlockPeersOnPrivilegedPorts(m_checkBoxBlockPeersOnPrivilegedPorts.isChecked());
// Recheck torrents on completion // Recheck torrents on completion
@ -599,6 +602,11 @@ void AdvancedSettings::loadAdvancedSettings()
addRow(VALIDATE_HTTPS_TRACKER_CERTIFICATE, (tr("Validate HTTPS tracker certificates") addRow(VALIDATE_HTTPS_TRACKER_CERTIFICATE, (tr("Validate HTTPS tracker certificates")
+ ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#validate_https_trackers", "(?)")) + ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#validate_https_trackers", "(?)"))
, &m_checkBoxValidateHTTPSTrackerCertificate); , &m_checkBoxValidateHTTPSTrackerCertificate);
// SSRF mitigation
m_checkBoxSSRFMitigation.setChecked(session->isSSRFMitigationEnabled());
addRow(SSRF_MITIGATION, (tr("Server-side request forgery (SSRF) mitigation")
+ ' ' + makeLink("https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation", "(?)"))
, &m_checkBoxSSRFMitigation);
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
m_checkBoxBlockPeersOnPrivilegedPorts.setChecked(session->blockPeersOnPrivilegedPorts()); m_checkBoxBlockPeersOnPrivilegedPorts.setChecked(session->blockPeersOnPrivilegedPorts());
addRow(BLOCK_PEERS_ON_PRIVILEGED_PORTS, (tr("Disallow connection to peers on privileged ports") + ' ' + makeLink("https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports", "(?)")), &m_checkBoxBlockPeersOnPrivilegedPorts); addRow(BLOCK_PEERS_ON_PRIVILEGED_PORTS, (tr("Disallow connection to peers on privileged ports") + ' ' + makeLink("https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports", "(?)")), &m_checkBoxBlockPeersOnPrivilegedPorts);

2
src/gui/advancedsettings.h
Unescape View File

@ -68,7 +68,7 @@ private:
QCheckBox m_checkBoxOsCache, m_checkBoxRecheckCompleted, m_checkBoxResolveCountries, m_checkBoxResolveHosts, QCheckBox m_checkBoxOsCache, m_checkBoxRecheckCompleted, m_checkBoxResolveCountries, m_checkBoxResolveHosts,
m_checkBoxProgramNotifications, m_checkBoxTorrentAddedNotifications, m_checkBoxReannounceWhenAddressChanged, m_checkBoxTrackerFavicon, m_checkBoxTrackerStatus, m_checkBoxProgramNotifications, m_checkBoxTorrentAddedNotifications, m_checkBoxReannounceWhenAddressChanged, m_checkBoxTrackerFavicon, m_checkBoxTrackerStatus,
m_checkBoxConfirmTorrentRecheck, m_checkBoxConfirmRemoveAllTags, m_checkBoxAnnounceAllTrackers, m_checkBoxAnnounceAllTiers, m_checkBoxConfirmTorrentRecheck, m_checkBoxConfirmRemoveAllTags, m_checkBoxAnnounceAllTrackers, m_checkBoxAnnounceAllTiers,
m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity, m_checkBoxMultiConnectionsPerIp, m_checkBoxValidateHTTPSTrackerCertificate, m_checkBoxSSRFMitigation, m_checkBoxBlockPeersOnPrivilegedPorts, m_checkBoxPieceExtentAffinity,
m_checkBoxSuggestMode, m_checkBoxSpeedWidgetEnabled, m_checkBoxIDNSupport; m_checkBoxSuggestMode, m_checkBoxSpeedWidgetEnabled, m_checkBoxIDNSupport;
QComboBox m_comboBoxInterface, m_comboBoxInterfaceAddress, m_comboBoxUtpMixedMode, m_comboBoxChokingAlgorithm, QComboBox m_comboBoxInterface, m_comboBoxInterfaceAddress, m_comboBoxUtpMixedMode, m_comboBoxChokingAlgorithm,
m_comboBoxSeedChokingAlgorithm, m_comboBoxResumeDataStorage; m_comboBoxSeedChokingAlgorithm, m_comboBoxResumeDataStorage;

5
src/webui/api/appcontroller.cpp
Unescape View File

@ -335,6 +335,8 @@ void AppController::preferencesAction()
data["enable_multi_connections_from_same_ip"] = session->multiConnectionsPerIpEnabled(); data["enable_multi_connections_from_same_ip"] = session->multiConnectionsPerIpEnabled();
// Validate HTTPS tracker certificate // Validate HTTPS tracker certificate
data["validate_https_tracker_certificate"] = session->validateHTTPSTrackerCertificate(); data["validate_https_tracker_certificate"] = session->validateHTTPSTrackerCertificate();
// SSRF mitigation
data["ssrf_mitigation"] = session->isSSRFMitigationEnabled();
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
data["block_peers_on_privileged_ports"] = session->blockPeersOnPrivilegedPorts(); data["block_peers_on_privileged_ports"] = session->blockPeersOnPrivilegedPorts();
// Embedded tracker // Embedded tracker
@ -819,6 +821,9 @@ void AppController::setPreferencesAction()
// Validate HTTPS tracker certificate // Validate HTTPS tracker certificate
if (hasKey("validate_https_tracker_certificate")) if (hasKey("validate_https_tracker_certificate"))
session->setValidateHTTPSTrackerCertificate(it.value().toBool()); session->setValidateHTTPSTrackerCertificate(it.value().toBool());
// SSRF mitigation
if (hasKey("ssrf_mitigation"))
session->setSSRFMitigationEnabled(it.value().toBool());
// Disallow connection to peers on privileged ports // Disallow connection to peers on privileged ports
if (hasKey("block_peers_on_privileged_ports")) if (hasKey("block_peers_on_privileged_ports"))
session->setBlockPeersOnPrivilegedPorts(it.value().toBool()); session->setBlockPeersOnPrivilegedPorts(it.value().toBool());

10
src/webui/www/private/views/preferences.html
Unescape View File

@ -1151,6 +1151,14 @@
<input type="checkbox" id="validateHTTPSTrackerCertificate" /> <input type="checkbox" id="validateHTTPSTrackerCertificate" />
</td> </td>
</tr> </tr>
<tr>
<td>
<label for="mitigateSSRF">QBT_TR(Server-side request forgery (SSRF) mitigation:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://www.libtorrent.org/reference-Settings.html#ssrf_mitigation" target="_blank">(?)</a></label>
</td>
<td>
<input type="checkbox" id="mitigateSSRF" />
</td>
</tr>
<tr> <tr>
<td> <td>
<label for="blockPeersOnPrivilegedPorts">QBT_TR(Disallow connection to peers on privileged ports:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports" target="_blank">(?)</a></label> <label for="blockPeersOnPrivilegedPorts">QBT_TR(Disallow connection to peers on privileged ports:)QBT_TR[CONTEXT=OptionsDialog]&nbsp;<a href="https://libtorrent.org/single-page-ref.html#no_connect_privileged_ports" target="_blank">(?)</a></label>
@ -1940,6 +1948,7 @@
$('IDNSupportCheckbox').setProperty('checked', pref.idn_support_enabled); $('IDNSupportCheckbox').setProperty('checked', pref.idn_support_enabled);
$('allowMultipleConnectionsFromTheSameIPAddress').setProperty('checked', pref.enable_multi_connections_from_same_ip); $('allowMultipleConnectionsFromTheSameIPAddress').setProperty('checked', pref.enable_multi_connections_from_same_ip);
$('validateHTTPSTrackerCertificate').setProperty('checked', pref.validate_https_tracker_certificate); $('validateHTTPSTrackerCertificate').setProperty('checked', pref.validate_https_tracker_certificate);
$('mitigateSSRF').setProperty('checked', pref.ssrf_mitigation);
$('blockPeersOnPrivilegedPorts').setProperty('checked', pref.block_peers_on_privileged_ports); $('blockPeersOnPrivilegedPorts').setProperty('checked', pref.block_peers_on_privileged_ports);
$('enableEmbeddedTracker').setProperty('checked', pref.enable_embedded_tracker); $('enableEmbeddedTracker').setProperty('checked', pref.enable_embedded_tracker);
$('embeddedTrackerPort').setProperty('value', pref.embedded_tracker_port); $('embeddedTrackerPort').setProperty('value', pref.embedded_tracker_port);
@ -2334,6 +2343,7 @@
settings.set('idn_support_enabled', $('IDNSupportCheckbox').getProperty('checked')); settings.set('idn_support_enabled', $('IDNSupportCheckbox').getProperty('checked'));
settings.set('enable_multi_connections_from_same_ip', $('allowMultipleConnectionsFromTheSameIPAddress').getProperty('checked')); settings.set('enable_multi_connections_from_same_ip', $('allowMultipleConnectionsFromTheSameIPAddress').getProperty('checked'));
settings.set('validate_https_tracker_certificate', $('validateHTTPSTrackerCertificate').getProperty('checked')); settings.set('validate_https_tracker_certificate', $('validateHTTPSTrackerCertificate').getProperty('checked'));
settings.set('ssrf_mitigation', $('mitigateSSRF').getProperty('checked'));
settings.set('block_peers_on_privileged_ports', $('blockPeersOnPrivilegedPorts').getProperty('checked')); settings.set('block_peers_on_privileged_ports', $('blockPeersOnPrivilegedPorts').getProperty('checked'));
settings.set('enable_embedded_tracker', $('enableEmbeddedTracker').getProperty('checked')); settings.set('enable_embedded_tracker', $('enableEmbeddedTracker').getProperty('checked'));
settings.set('embedded_tracker_port', $('embeddedTrackerPort').getProperty('value')); settings.set('embedded_tracker_port', $('embeddedTrackerPort').getProperty('value'));

Write Preview
Loading…
Cancel
Save