core: security fix, authorization first in download / blackhole links (#6825)

2020-01-05 07:41:01 +01:00 · 2020-01-05 07:41:01 +01:00 · 45b205ddc3
parent 7e93a86ae0
commit 45b205ddc3
2 changed files with 12 additions and 12 deletions
--- a/src/Jackett.Server/Controllers/BlackholeController.cs
+++ b/src/Jackett.Server/Controllers/BlackholeController.cs
@ -20,14 +20,14 @@ namespace Jackett.Server.Controllers
    {
        private Logger logger;
        private IIndexerManagerService indexerService;
-        private readonly ServerConfig serverConfig;
+        private ServerConfig serverConfig;
        private IProtectionService protectionService;

-        public BlackholeController(IIndexerManagerService i, Logger l, ServerConfig config, IProtectionService ps)
+        public BlackholeController(IIndexerManagerService i, Logger l, ServerConfig sConfig, IProtectionService ps)
        {
            logger = l;
            indexerService = i;
-            serverConfig = config;
+            serverConfig = sConfig;
            protectionService = ps;
        }

@ -37,6 +37,9 @@ namespace Jackett.Server.Controllers
            var jsonReply = new JObject();
            try
            {
+                if (serverConfig.APIKey != jackett_apikey)
+                    return Unauthorized();
+
                var indexer = indexerService.GetWebIndexer(indexerID);
                if (!indexer.IsConfigured)
                {
@ -44,9 +47,6 @@ namespace Jackett.Server.Controllers
                    throw new Exception("This indexer is not configured.");
                }

-                if (serverConfig.APIKey != jackett_apikey)
-                    throw new Exception("Incorrect API key");
-
                path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
                path = protectionService.UnProtect(path);
                var remoteFile = new Uri(path, UriKind.RelativeOrAbsolute);
--- a/src/Jackett.Server/Controllers/DownloadController.cs
+++ b/src/Jackett.Server/Controllers/DownloadController.cs
@ -17,14 +17,14 @@ namespace Jackett.Server.Controllers
    [Route("dl/{indexerID}")]
    public class DownloadController : Controller
    {
-        private ServerConfig config;
+        private ServerConfig serverConfig;
        private Logger logger;
        private IIndexerManagerService indexerService;
        private IProtectionService protectionService;

-        public DownloadController(IIndexerManagerService i, Logger l, IProtectionService ps, ServerConfig serverConfig)
+        public DownloadController(IIndexerManagerService i, Logger l, IProtectionService ps, ServerConfig sConfig)
        {
-            config = serverConfig;
+            serverConfig = sConfig;
            logger = l;
            indexerService = i;
            protectionService = ps;
@ -35,6 +35,9 @@ namespace Jackett.Server.Controllers
        {
            try
            {
+                if (serverConfig.APIKey != jackett_apikey)
+                    return Unauthorized();
+
                var indexer = indexerService.GetWebIndexer(indexerID);

                if (!indexer.IsConfigured)
@ -46,9 +49,6 @@ namespace Jackett.Server.Controllers
                path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
                path = protectionService.UnProtect(path);

-                if (config.APIKey != jackett_apikey)
-                    return Unauthorized();
-
                var target = new Uri(path, UriKind.RelativeOrAbsolute);
                var downloadBytes = await indexer.Download(target);