mirror
/
transmission
mirror of https://github.com/transmission/transmission
1
0
Fork 0
Code Issues Releases Wiki Activity

mitigate dns rebinding attacks against daemon

This commit is contained in:
Tavis Ormandy 2018-01-11 10:00:41 -08:00 committed by Mike Gelfand
parent c8696df516
commit cf7173df93
7 changed files with 124 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libtransmission/quark.c
View File

@ -288,6 +288,8 @@ static struct tr_key_struct const my_static[] =
{ "rpc-authentication-required", 27 },
{ "rpc-bind-address", 16 },
{ "rpc-enabled", 11 },
{ "rpc-host-whitelist", 18 },
{ "rpc-host-whitelist-enabled", 26 },
{ "rpc-password", 12 },
{ "rpc-port", 8 },
{ "rpc-url", 7 },

2
libtransmission/quark.h
View File

@ -290,6 +290,8 @@ enum
TR_KEY_rpc_authentication_required,
TR_KEY_rpc_bind_address,
TR_KEY_rpc_enabled,
TR_KEY_rpc_host_whitelist,
TR_KEY_rpc_host_whitelist_enabled,
TR_KEY_rpc_password,
TR_KEY_rpc_port,
TR_KEY_rpc_url,

119
libtransmission/rpc-server.c
View File

@ -51,6 +51,7 @@ struct tr_rpc_server
bool isEnabled;
bool isPasswordEnabled;
bool isWhitelistEnabled;
bool isHostWhitelistEnabled;
tr_port port;
char* url;
struct tr_address bindAddress;
@ -62,6 +63,7 @@ struct tr_rpc_server
char* password;
char* whitelistStr;
tr_list* whitelist;
tr_list* hostWhitelist;
int loginattempts;
bool isStreamInitialized;
@ -547,6 +549,52 @@ static bool isAddressAllowed(tr_rpc_server const* server, char const* address)
return false;
}
static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req)
{
/* If password auth is enabled, any hostname is permitted. */
if (server->isPasswordEnabled)
{
return true;
}
/* If whitelist is disabled, no restrictions. */
if (!server->isHostWhitelistEnabled)
{
return true;
}
char const* const host = evhttp_find_header(req->input_headers, "Host");
/* No host header, invalid request. */
if (host == NULL)
{
return false;
}
/* Host header might include the port. */
char* const hostname = tr_strndup(host, strcspn(host, ":"));
/* localhost or ipaddress is always acceptable. */
if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname))
{
tr_free(hostname);
return true;
}
/* Otherwise, hostname must be whitelisted. */
for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next)
{
if (tr_wildmat(hostname, l->data))
{
tr_free(hostname);
return true;
}
}
tr_free(hostname);
return false;
}
static bool test_session_id(struct tr_rpc_server* server, struct evhttp_request* req)
{
char const* ours = get_current_session_id(server);
@ -636,6 +684,22 @@ static void handle_request(struct evhttp_request* req, void* arg)
#ifdef REQUIRE_SESSION_ID
else if (!isHostnameAllowed(server, req))
{
char* const tmp = tr_strdup_printf(
"<p>Transmission received your request, but the hostname was unrecognized.</p>"
"<p>To fix this, choose one of the following options:"
"<ul>"
"<li>Enable password authentication, then any hostname is allowed.</li>"
"<li>Add the hostname you want to use to the whitelist in settings.</li>"
"</ul></p>"
"<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>"
"<p>This requirement has been added to help prevent "
"<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> "
"attacks.</p>");
send_simple_response(req, 421, tmp);
tr_free(tmp);
}
else if (!test_session_id(server, req))
{
char const* sessionId = get_current_session_id(server);
@ -647,7 +711,7 @@ static void handle_request(struct evhttp_request* req, void* arg)
"<li> When you get this 409 error message, resend your request with the updated header"
"</ol></p>"
"<p>This requirement has been added to help prevent "
"<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
"<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
"attacks.</p>"
"<p><code>%s: %s</code></p>",
TR_RPC_SESSION_ID_HEADER, sessionId);
@ -844,17 +908,12 @@ char const* tr_rpcGetUrl(tr_rpc_server const* server)
return server->url != NULL ? server->url : "";
}
void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)
static void tr_rpcSetList(char const* whitelistStr, tr_list** list)
{
void* tmp;
/* keep the string */
tmp = server->whitelistStr;
server->whitelistStr = tr_strdup(whitelistStr);
tr_free(tmp);
/* clear out the old whitelist entries */
while ((tmp = tr_list_pop_front(&server->whitelist)) != NULL)
while ((tmp = tr_list_pop_front(list)) != NULL)
{
tr_free(tmp);
}
@ -866,7 +925,7 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)
size_t const len = strcspn(walk, delimiters);
char* token = tr_strndup(walk, len);
tr_list_append(&server->whitelist, token);
tr_list_append(list, token);
if (strcspn(token, "+-") < len)
{
@ -889,6 +948,21 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)
}
}
void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr)
{
tr_rpcSetList(whitelistStr, &server->hostWhitelist);
}
void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)
{
/* keep the string */
char* const tmp = server->whitelistStr;
server->whitelistStr = tr_strdup(whitelistStr);
tr_free(tmp);
tr_rpcSetList(whitelistStr, &server->whitelist);
}
char const* tr_rpcGetWhitelist(tr_rpc_server const* server)
{
return server->whitelistStr != NULL ? server->whitelistStr : "";
@ -904,6 +978,11 @@ bool tr_rpcGetWhitelistEnabled(tr_rpc_server const* server)
return server->isWhitelistEnabled;
}
void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled)
{
server->isHostWhitelistEnabled = isEnabled;
}
/****
***** PASSWORD
****/
@ -1054,6 +1133,28 @@ tr_rpc_server* tr_rpcInit(tr_session* session, tr_variant* settings)
tr_rpcSetWhitelistEnabled(s, boolVal);
}
key = TR_KEY_rpc_host_whitelist_enabled;
if (!tr_variantDictFindBool(settings, key, &boolVal))
{
missing_settings_key(key);
}
else
{
tr_rpcSetHostWhitelistEnabled(s, boolVal);
}
key = TR_KEY_rpc_host_whitelist;
if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL)
{
missing_settings_key(key);
}
else
{
tr_rpcSetHostWhitelist(s, str);
}
key = TR_KEY_rpc_authentication_required;
if (!tr_variantDictFindBool(settings, key, &boolVal))

4
libtransmission/rpc-server.h
View File

@ -42,6 +42,10 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelist);
char const* tr_rpcGetWhitelist(tr_rpc_server const* server);
void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled);
void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist);
void tr_rpcSetPassword(tr_rpc_server* server, char const* password);
char const* tr_rpcGetPassword(tr_rpc_server const* server);

2
libtransmission/session.c
View File

@ -371,6 +371,8 @@ void tr_sessionGetDefaultSettings(tr_variant* d)
tr_variantDictAddStr(d, TR_KEY_rpc_username, "");
tr_variantDictAddStr(d, TR_KEY_rpc_whitelist, TR_DEFAULT_RPC_WHITELIST);
tr_variantDictAddBool(d, TR_KEY_rpc_whitelist_enabled, true);
tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST);
tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true);
tr_variantDictAddInt(d, TR_KEY_rpc_port, atoi(TR_DEFAULT_RPC_PORT_STR));
tr_variantDictAddStr(d, TR_KEY_rpc_url, TR_DEFAULT_RPC_URL_STR);
tr_variantDictAddBool(d, TR_KEY_scrape_paused_torrents_enabled, true);

1
libtransmission/transmission.h
View File

@ -109,6 +109,7 @@ char const* tr_getDefaultDownloadDir(void);
#define TR_DEFAULT_BIND_ADDRESS_IPV4 "0.0.0.0"
#define TR_DEFAULT_BIND_ADDRESS_IPV6 "::"
#define TR_DEFAULT_RPC_WHITELIST "127.0.0.1,::1"
#define TR_DEFAULT_RPC_HOST_WHITELIST ""
#define TR_DEFAULT_RPC_PORT_STR "9091"
#define TR_DEFAULT_RPC_URL_STR "/transmission/"
#define TR_DEFAULT_PEER_PORT_STR "51413"

3
libtransmission/web.c
View File

@ -678,6 +678,9 @@ char const* tr_webGetResponseStr(long code)
case 417:
return "Expectation Failed";
case 421:
return "Misdirected Request";
case 500:
return "Internal Server Error";