FIX: fixed cache folder being publically exposed, FIX: added .secure folder and move cookies into secured location as required

2024-12-22 07:42:24 +00:00 · 2019-02-03 14:41:11 -05:00 · 2019-02-03 14:41:11 -05:00 · ab4e87363e
commit ab4e87363e
parent 6b6ab8d285
3 changed files with 24 additions and 6 deletions
--- a/mylar/auth32p.py
+++ b/mylar/auth32p.py
@ -69,7 +69,7 @@ class info32p(object):
        try:
            with cfscrape.create_scraper() as s:
                s.headers = self.headers
-                cj = LWPCookieJar(os.path.join(mylar.CONFIG.CACHE_DIR, ".32p_cookies.dat"))
+                cj = LWPCookieJar(os.path.join(mylar.CONFIG.SECURE_DIR, ".32p_cookies.dat"))
                cj.load()
                s.cookies = cj

@ -248,7 +248,7 @@ class info32p(object):

        with cfscrape.create_scraper() as s:
            s.headers = self.headers
-            cj = LWPCookieJar(os.path.join(mylar.CONFIG.CACHE_DIR, ".32p_cookies.dat"))
+            cj = LWPCookieJar(os.path.join(mylar.CONFIG.SECURE_DIR, ".32p_cookies.dat"))
            cj.load()
            s.cookies = cj
            data = []
@ -403,7 +403,7 @@ class info32p(object):
            except Exception as e:
                logger.error('%s Can\'t create session with cfscrape' % self.module)

-            self.session_path = session_path if session_path is not None else os.path.join(mylar.CONFIG.CACHE_DIR, ".32p_cookies.dat")
+            self.session_path = session_path if session_path is not None else os.path.join(mylar.CONFIG.SECURE_DIR, ".32p_cookies.dat")
            self.ses.cookies = LWPCookieJar(self.session_path)
            if not os.path.exists(self.session_path):
                logger.fdebug('%s Session cookie does not exist. Signing in and Creating.' % self.module)
--- a/mylar/config.py
+++ b/mylar/config.py
@ -76,6 +76,7 @@ _CONFIG_DEFINITIONS = OrderedDict({
    'SHOW_ICONS': (bool, 'General', False),
    'FORMAT_BOOKTYPE': (bool, 'General', False),
    'CLEANUP_CACHE': (bool, 'General', False),
+    'SECURE_DIR': (str, 'General', None),

    'RSS_CHECKINTERVAL': (int, 'Scheduler', 20),
    'SEARCH_INTERVAL': (int, 'Scheduler', 360),
@ -773,6 +774,25 @@ class Config(object):
            except OSError:
                logger.error('[Cache Check] Could not create cache dir. Check permissions of datadir: ' + mylar.DATA_DIR)

+
+        if not self.SECURE_DIR:
+            self.SECURE_DIR = os.path.join(mylar.DATA_DIR, '.secure')
+
+        if not os.path.exists(self.SECURE_DIR):
+            try:
+               os.makedirs(self.SECURE_DIR)
+            except OSError:
+                logger.error('[Secure DIR Check] Could not create secure directory. Check permissions of datadir: ' + mylar.DATA_DIR)
+
+        #make sure the cookies.dat file is not in cache
+        for f in glob.glob(os.path.join(self.CACHE_DIR, '.32p_cookies.dat')):
+             try:
+                 if os.path.isfile(f):
+                     shutil.move(f, os.path.join(self.SECURE_DIR, '.32p_cookies.dat'))
+             except Exception as e:
+                 logger.error('SECURE-DIR-MOVE] Unable to move cookies file into secure location. This is a fatal error.')
+                 sys.exit()
+
        if self.CLEANUP_CACHE is True:
            logger.fdebug('[Cache Cleanup] Cache Cleanup initiated. Will delete items from cache that are no longer needed.')
            cache_types = ['*.nzb', '*.torrent', '*.zip', '*.html', 'mylar_*']
--- a/mylar/webstart.py
+++ b/mylar/webstart.py
@ -99,9 +99,7 @@ def initialize(options):
        },
        '/cache': {
            'tools.staticdir.on': True,
-            'tools.staticdir.dir': mylar.CONFIG.CACHE_DIR,
-            'tools.auth_basic.on': False,
-            'tools.auth.on': False
+            'tools.staticdir.dir': mylar.CONFIG.CACHE_DIR
        }
    }