mirror of https://github.com/Jackett/Jackett
core: security fix, authorization first in download / blackhole links (#6825)
parent
7e93a86ae0
commit
45b205ddc3
|
@ -20,14 +20,14 @@ namespace Jackett.Server.Controllers
|
||||||
{
|
{
|
||||||
private Logger logger;
|
private Logger logger;
|
||||||
private IIndexerManagerService indexerService;
|
private IIndexerManagerService indexerService;
|
||||||
private readonly ServerConfig serverConfig;
|
private ServerConfig serverConfig;
|
||||||
private IProtectionService protectionService;
|
private IProtectionService protectionService;
|
||||||
|
|
||||||
public BlackholeController(IIndexerManagerService i, Logger l, ServerConfig config, IProtectionService ps)
|
public BlackholeController(IIndexerManagerService i, Logger l, ServerConfig sConfig, IProtectionService ps)
|
||||||
{
|
{
|
||||||
logger = l;
|
logger = l;
|
||||||
indexerService = i;
|
indexerService = i;
|
||||||
serverConfig = config;
|
serverConfig = sConfig;
|
||||||
protectionService = ps;
|
protectionService = ps;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -37,6 +37,9 @@ namespace Jackett.Server.Controllers
|
||||||
var jsonReply = new JObject();
|
var jsonReply = new JObject();
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
if (serverConfig.APIKey != jackett_apikey)
|
||||||
|
return Unauthorized();
|
||||||
|
|
||||||
var indexer = indexerService.GetWebIndexer(indexerID);
|
var indexer = indexerService.GetWebIndexer(indexerID);
|
||||||
if (!indexer.IsConfigured)
|
if (!indexer.IsConfigured)
|
||||||
{
|
{
|
||||||
|
@ -44,9 +47,6 @@ namespace Jackett.Server.Controllers
|
||||||
throw new Exception("This indexer is not configured.");
|
throw new Exception("This indexer is not configured.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (serverConfig.APIKey != jackett_apikey)
|
|
||||||
throw new Exception("Incorrect API key");
|
|
||||||
|
|
||||||
path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
|
path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
|
||||||
path = protectionService.UnProtect(path);
|
path = protectionService.UnProtect(path);
|
||||||
var remoteFile = new Uri(path, UriKind.RelativeOrAbsolute);
|
var remoteFile = new Uri(path, UriKind.RelativeOrAbsolute);
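Review bot: The relocated check `if (serverConfig.APIKey != jackett_apikey)` compares the secret with the ordinary string operator, which stops at the first differing character and so is not constant-time; the same comparison is added to the download action in DownloadController. Where the target framework provides it, a fixed-time comparison is the safer form: `if (!CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(serverConfig.APIKey), Encoding.UTF8.GetBytes(jackett_apikey ?? string.Empty))) return Unauthorized();`, which needs `using System.Security.Cryptography;`. Separately, the field declaration appears to lose its `readonly` modifier in this change; since `serverConfig` is only assigned in the constructor in the visible lines, `private readonly ServerConfig serverConfig;` could be kept. The action method starts and ends outside the hunks shown.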
|
||||||
|
|
|
@ -17,14 +17,14 @@ namespace Jackett.Server.Controllers
|
||||||
[Route("dl/{indexerID}")]
|
[Route("dl/{indexerID}")]
|
||||||
public class DownloadController : Controller
|
public class DownloadController : Controller
|
||||||
{
|
{
|
||||||
private ServerConfig config;
|
private ServerConfig serverConfig;
|
||||||
private Logger logger;
|
private Logger logger;
|
||||||
private IIndexerManagerService indexerService;
|
private IIndexerManagerService indexerService;
|
||||||
private IProtectionService protectionService;
|
private IProtectionService protectionService;
|
||||||
|
|
||||||
public DownloadController(IIndexerManagerService i, Logger l, IProtectionService ps, ServerConfig serverConfig)
|
public DownloadController(IIndexerManagerService i, Logger l, IProtectionService ps, ServerConfig sConfig)
|
||||||
{
|
{
|
||||||
config = serverConfig;
|
serverConfig = sConfig;
|
||||||
logger = l;
|
logger = l;
|
||||||
indexerService = i;
|
indexerService = i;
|
||||||
protectionService = ps;
|
protectionService = ps;
|
||||||
|
@ -35,6 +35,9 @@ namespace Jackett.Server.Controllers
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
if (serverConfig.APIKey != jackett_apikey)
|
||||||
|
return Unauthorized();
|
||||||
|
|
||||||
var indexer = indexerService.GetWebIndexer(indexerID);
|
var indexer = indexerService.GetWebIndexer(indexerID);
|
||||||
|
|
||||||
if (!indexer.IsConfigured)
|
if (!indexer.IsConfigured)
|
||||||
|
@ -46,9 +49,6 @@ namespace Jackett.Server.Controllers
|
||||||
path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
|
path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
|
||||||
path = protectionService.UnProtect(path);
|
path = protectionService.UnProtect(path);
|
||||||
|
|
||||||
if (config.APIKey != jackett_apikey)
|
|
||||||
return Unauthorized();
|
|
||||||
|
|
||||||
var target = new Uri(path, UriKind.RelativeOrAbsolute);
|
var target = new Uri(path, UriKind.RelativeOrAbsolute);
|
||||||
var downloadBytes = await indexer.Download(target);
|
var downloadBytes = await indexer.Download(target);
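Review bot: The new early `return Unauthorized();` at the top of the `try` block records nothing about the rejected request in the visible lines, even though a `logger` field is in scope, so repeated key guessing against `dl/{indexerID}` would be hard to spot in the logs. A warning before the return would help detection, for example `logger.Warn($"Download request for indexer {indexerID} rejected: invalid API key");` (assuming `Logger` is NLog's), taking care not to log the submitted key itself. The same applies to the blackhole action, and the `catch` for this `try` is outside the hunk, so logging may already happen elsewhere for other failures.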
|
||||||
|
|
||||||
|
|