add protection against requesting direct service files
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (request_headers.query.url) {
if (request_headers.query.url.indexOf(":/") > 0) {
var service_request = request_headers.query.url.split(":/")[0];
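Review bot: The marker `var minisrv_service_file = true;` is assigned inside the script, so it can only be observed by code that has already loaded and evaluated this file; if the intent of the commit is to refuse direct requests for service source files, that refusal is more robustly enforced once in the request router, by rejecting any request that resolves to a service-script path, than through a per-file convention that a new service file can omit without anything failing. How the flag is consumed is not visible on this page, so that reading is an assumption. The same line is added in every other hunk here, and in the `@@ -1,45 +1,47 @@` hunk it appears to follow `var gourl` rather than lead the file, which suggests the convention is already hard to keep uniform. A short comment above the declaration, such as `// marker: identifies this as a minisrv service script, not a file to be served verbatim`, would at least document the contract for the next author.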
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Content-Type: text/html`
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (socket.ssid != null && !ssid_sessions[socket.ssid].get("wtvsec_login")) {
var wtvsec_login = new WTVSec(minisrv_config);
wtvsec_login.IssueChallenge();
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var gourl = "wtv-1800:/finish-prereg?";
if (request_headers.query.relogin) gourl += "relogin=true";
@@ -1,45 +1,47 @@
var gourl = "wtv-head-waiter:/login?";
var minisrv_service_file = true;
if (socket.ssid) {
if (ssid_sessions[socket.ssid].loadSessionData() == true) {
console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid))
ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? true : false);
} else {
ssid_sessions[socket.ssid].session_data = {};
ssid_sessions[socket.ssid].setSessionData("registered", false);
}
if (ssid_sessions[socket.ssid].data_store) {
if (ssid_sessions[socket.ssid].data_store.sockets) {
var i = 0;
ssid_sessions[socket.ssid].data_store.sockets.forEach(function (k) {
if (typeof k != "undefined") {
if (k != socket) {
k.destroy();
ssid_sessions[socket.ssid].data_store.sockets.delete(k);
i++;
}
}
});
if (i > 0 && minisrv_config.config.debug_flags.debug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid));
}
}
if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
if (minisrv_config.config.debug_flags.debug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid));
delete ssid_sessions[socket.ssid].data_store.wtvsec_login;
}
var gourl = "wtv-head-waiter:/login?";
ssid_sessions[socket.ssid].data_store.wtvsec_login = new WTVSec(minisrv_config);
ssid_sessions[socket.ssid].data_store.wtvsec_login.IssueChallenge();
ssid_sessions[socket.ssid].data_store.wtvsec_login.set_incarnation(request_headers["wtv-incarnation"] || 1);
if (socket.ssid) {
if (ssid_sessions[socket.ssid].loadSessionData() == true) {
console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid))
ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? true : false);
} else {
console.log(" * Something bad happened (we don't know the client ssid???)");
var errpage = doErrorPage(400)
headers = errpage[0];
data = errpage[1];
ssid_sessions[socket.ssid].session_data = {};
ssid_sessions[socket.ssid].setSessionData("registered", false);
}
if (ssid_sessions[socket.ssid].data_store) {
if (ssid_sessions[socket.ssid].data_store.sockets) {
var i = 0;
ssid_sessions[socket.ssid].data_store.sockets.forEach(function (k) {
if (typeof k != "undefined") {
if (k != socket) {
k.destroy();
ssid_sessions[socket.ssid].data_store.sockets.delete(k);
i++;
}
}
});
if (i > 0 && minisrv_config.config.debug_flags.debug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid));
}
}
if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
if (minisrv_config.config.debug_flags.debug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid));
delete ssid_sessions[socket.ssid].data_store.wtvsec_login;
}
if (request_headers.query.relogin && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "relogin=true";
if (request_headers.query.reconnect && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "reconnect=true";
ssid_sessions[socket.ssid].data_store.wtvsec_login = new WTVSec(minisrv_config);
ssid_sessions[socket.ssid].data_store.wtvsec_login.IssueChallenge();
ssid_sessions[socket.ssid].data_store.wtvsec_login.set_incarnation(request_headers["wtv-incarnation"] || 1);
} else {
console.log(" * Something bad happened (we don't know the client ssid???)");
var errpage = doErrorPage(400)
headers = errpage[0];
data = errpage[1];
}
if (request_headers.query.relogin && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "relogin=true";
if (request_headers.query.reconnect && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "reconnect=true";
if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
var prereg_contype = "text/html";
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = "200 OK";
if (request_headers.query.nick) headers += "\n" + ssid_sessions[socket.ssid].setIRCNick(request_headers.query.nick);
headers += "\nContent-Type: text/html";
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var irc_nick = "";
headers = "200 OK";
if (request_headers.query.nick) headers += "\n" + ssid_sessions[socket.ssid].setIRCNick(request_headers.query.nick);
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (socket.ssid) {
if (request_headers.post_data) {
if (ssid_sessions[socket.ssid]) {
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (request_headers.post_data) {
if (request_headers.query.domain && request_headers.query.path) {
if (socket.ssid) {
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (socket.ssid) {
if (ssid_sessions[socket.ssid]) {
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (socket.ssid) {
if (ssid_sessions[socket.ssid]) {
ssid_sessions[socket.ssid].resetCookies();
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (request_headers.query.group) {
const WTVDownloadList = require("./WTVDownloadList.js");
var wtvdl = new WTVDownloadList(minisrv_config, service_name);
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
const WTVDownloadList = require("./WTVDownloadList.js");
var wtvdl = new WTVDownloadList(minisrv_config, service_name);
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (request_headers.post_data) {
if (request_headers.query.partialPath || request_headers.query.path) {
if (socket.ssid) {
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
const WTVFlashrom = require("./WTVFlashrom.js");
request_is_async = true;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
const WTVFlashrom = require("./WTVFlashrom.js");
request_is_async = true;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
const WTVFlashrom = require("./WTVFlashrom.js");
request_is_async = true;
@@ -93,7 +93,9 @@ data += `
nexturl="${flashrom_info.next_rompath}"
errorurl="${service_name}:/lc2-download-failed?"
`
if (!flashrom_info.is_last_part) data += `blockurl = "${flashrom_info.rompath}"`;
if (!var minisrv_service_file = true;
flashrom_info.is_last_part) data += `blockurl = "${flashrom_info.rompath}"`;
data += `
lastblock="${flashrom_info.is_last_part}"
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (request_headers.query.path) {
var url = service_name + ":/get-lc2-page?path=" + request_headers.query.path;
var romtype = ssid_sessions[socket.ssid].get("wtv-client-rom-type");
@@ -42,7 +42,9 @@ Updating complete
<td colspan=12 width=560 height=10 valign=top align=left>
<img src="${service_name}:/ROMCache/S40H1.gif" width=560 height=6>
<tr>
<td width=104 height=10 valign=top align=left>
<td width=104 height=10 valign=top align=left>var minisrv_service_file = true;
<td width=20 valign=top align=left>
<td width=67 valign=top align=left>
<td width=20 valign=top align=left>
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var error = '';
if (request_headers.query.error) {
switch (request_headers.query.error) {
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
const WTVFlashrom = require("./WTVFlashrom.js");
request_is_async = true;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
// willie is just a graphical frontend to a list of ROMs
// the rest of the scripts should work if you manually link to a ROM, and actually have it.
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var challenge_response, challenge_header = '';
var gourl;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var challenge_response, challenge_header = '';
var gourl;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var challenge_response, challenge_header = "";
var gourl = "wtv-head-waiter:/login-stage-two?";
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
var gourl = "wtv-1800:/preregister?";
if (request_headers.query.relogin) gourl += "relogin=true";
else if (request_headers.query.reconnect) gourl += "reconnect=true";
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers =`200 OK
Connection: Keep-Alive
wtv-expire-all: wtv-home:/splash
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Connection: Keep-Alive
wtv-expire-all: wtv-
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
// write posted log data to disk. should be decrypted by this point (if it was encrypted) if the crypto stream didn't break
request_is_async = true;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Content-Type: text/html`;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (minisrv_config.config.allow_guests) {
headers = `300 Moved
Connection: Close
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `300 Moved
Connection: Close
wtv-noback-all: wtv-register:
@@ -1,4 +1,4 @@
var minisrv_service_file = true;
if (!request_headers.query.registering) {
var errpage = doErrorPage(400);
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (!request_headers.query.registering) {
var errpage = doErrorPage(400);
headers = errpage[0];
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
if (!request_headers.query.registering ||
!request_headers.query.subscriber_name ||
!request_headers.query.subscriber_username ||
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Content-Type: text/html`;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Connection: Keep-Alive
wtv-expire-all: wtv-
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
wtv-backgroundmusic-load-playlist: wtv-music:/get-playlist
wtv-printer-model: -1,-1
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
// Allow URL access outside our trusted minisrv
if (request_headers.query.url) var url = request_headers.query.url;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
wtv-expire-all: wtv-
wtv-expire-all: http
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
wtv-noback-all: wtv-
wtv-expire-all: wtv-
@@ -1,3 +1,4 @@
var minisrv_service_file = true;
var client_caps = null;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Content-Type: text/html`;
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Content-Type: text/html`
@@ -1,3 +1,5 @@
var minisrv_service_file = true;
headers = `200 OK
Content-Type: text/html`;