anti-brute force for RPC Server

bobbyhopere 2017-08-12 16:36:43 +02:00 committed by GitHub
parent 38d3d5377b
commit 5f25e3be7f
1 changed files with 35 additions and 11 deletions


@ -560,12 +560,31 @@ static void handle_request(struct evhttp_request* req, void* arg)
if (req != NULL && req->evcon != NULL)
{
static int attempts = 0;
char const* auth;
char* user = NULL;
char* pass = NULL;
evhttp_add_header(req->output_headers, "Server", MY_REALM);
if (attempts == 100)
{
send_simple_response (req, 403,
"Too many unsuccessful login attempts. "
"Please restart transmission-daemon.");
return;
}
if (!isAddressAllowed(server, req->remote_host))
{
send_simple_response(req, 403,
"<p>Unauthorized IP Address.</p>"
"<p>Either disable the IP address whitelist or add your address to it.</p>"
"<p>If you're editing settings.json, see the 'rpc-whitelist' and 'rpc-whitelist-enabled' entries.</p>"
"<p>If you're still using ACLs, use a whitelist instead. See the transmission-daemon manpage for details.</p>");
return;
}
auth = evhttp_find_header(req->input_headers, "Authorization");
if (auth != NULL && evutil_ascii_strncasecmp(auth, "basic ", 6) == 0)
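Review bot: The `static int attempts` counter introduced at the top of this hunk is a single process-wide value, not keyed by `req->remote_host`, and the only thing that clears it is a later successful login, so once it reaches 100 the 403 branch refuses every client, whitelisted or not, until the daemon is restarted. That turns the protection into a denial-of-service primitive: any peer that passes `isAddressAllowed` can lock the legitimate user out with 100 bad requests, and a per-host counter with time-based expiry (or at least a reset after a cooling-off period) would be the safer shape. Independently of that, the threshold is compared with `==` and written as a bare literal; `enum { MAX_LOGIN_ATTEMPTS = 100 };` and `if (attempts >= MAX_LOGIN_ATTEMPTS)` make the intent explicit and stay correct if the counter is ever bumped elsewhere. The lockout check also runs before the whitelist check, so a non-whitelisted address learns the server's lockout state from the response body; moving it after the `isAddressAllowed` block avoids that. `handle_request` begins before this hunk.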
@ -587,21 +606,26 @@ static void handle_request(struct evhttp_request* req, void* arg)
}
}
if (!isAddressAllowed(server, req->remote_host))
{
send_simple_response(req, 403,
"<p>Unauthorized IP Address.</p>"
"<p>Either disable the IP address whitelist or add your address to it.</p>"
"<p>If you're editing settings.json, see the 'rpc-whitelist' and 'rpc-whitelist-enabled' entries.</p>"
"<p>If you're still using ACLs, use a whitelist instead. See the transmission-daemon manpage for details.</p>");
}
else if (server->isPasswordEnabled && (pass == NULL || user == NULL || strcmp(server->username, user) != 0 ||
if (server->isPasswordEnabled && (pass == NULL || user == NULL || strcmp(server->username, user) != 0 ||
!tr_ssha1_matches(server->password, pass)))
{
evhttp_add_header(req->output_headers, "WWW-Authenticate", "Basic realm=\"" MY_REALM "\"");
send_simple_response(req, 401, "Unauthorized User");
attempts++;
char* unauthuser = tr_strdup_printf(
"Unauthorized User. "
"%i unsuccessful login attempts.",
attempts);
send_simple_response(req, 401, unauthuser);
tr_free (unauthuser);
tr_free (user);
return;
}
else if (strncmp(req->uri, server->url, strlen(server->url)) != 0)
else
{
attempts = 0;
}
if (strncmp(req->uri, server->url, strlen(server->url)) != 0)
{
char* location = tr_strdup_printf("%sweb/", server->url);
evhttp_add_header(req->output_headers, "Location", location);
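Review bot: `attempts++` in the 401 branch runs for every unauthenticated response, including requests that carry no `Authorization` header at all (`pass == NULL || user == NULL` in the condition above it), so the normal Basic-auth challenge round trip — a browser's first request to the web UI, or any client that only sends credentials after being challenged — is counted as a failed login and ordinary use walks the counter toward the lockout. Only a request that actually presented credentials should count, e.g. `if (user != NULL && pass != NULL) { attempts++; }` before the response is built. The 401 body also echoes the running count back to the caller (`"%i unsuccessful login attempts."`), which tells an attacker exactly how far the shared counter is from tripping; that number belongs in the server log, with the client getting the fixed `"Unauthorized User"` text as before. `handle_request` continues past the end of this hunk.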