zefie/minisrv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial attempt to fix security issue

Browse Source 
- likely adds new bug where users will be kicked to relogin after the
  server restarts
- TODO: figure out a way to safely check the user login when session
  data is unknown (eg restart) (hint: ticket?)
This commit is contained in:
zefie
2022-02-16 18:30:19 -05:00
parent c295f81ccc
commit 2a526c0702
5 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js
View File

@@ -45,11 +45,10 @@ else {
var home_url = "wtv-home:/splash?"; var home_url = "wtv-home:/splash?";
} }
var limitedLogin = ssid_sessions[socket.ssid].lockdown; var limitedLogin = ssid_sessions[socket.ssid].lockdown;
var limitedLoginRegistered = (limitedLogin || (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].getSessionData('password_valid'))); var limitedLoginRegistered = (limitedLogin || (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')));
var offline_user_list = null; var offline_user_list = null;
if (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].user_id == 0) { if (ssid_sessions[socket.ssid].isRegistered() && ssid_sessions[socket.ssid].user_id == 0) {
var accounts = ssid_sessions[socket.ssid].listPrimaryAccountUsers(); var accounts = ssid_sessions[socket.ssid].listPrimaryAccountUsers();
console.log(accounts);
var num_accounts = ssid_sessions[socket.ssid].getNumberOfUserAccounts(); var num_accounts = ssid_sessions[socket.ssid].getNumberOfUserAccounts();
var offline_user_list_str = "<user-list>\n"; var offline_user_list_str = "<user-list>\n";
var i = 0; var i = 0;
@@ -144,8 +143,7 @@ wtv-inactive-timeout: 1440
headers += "\nwtv-boot-url: wtv-head-waiter:/relogin?relogin=true"; headers += "\nwtv-boot-url: wtv-head-waiter:/relogin?relogin=true";
if (request_headers.query.guest_login) headers += "&guest_login=true"; if (request_headers.query.guest_login) headers += "&guest_login=true";
headers += "\nwtv-home-url: " + home_url;
headers += "\nwtv-home-url: wtv-home:/home?";
} }
if (ssid_sessions[socket.ssid].get('wtv-need-upgrade') != 'true' && !request_headers.query.reconnect && !limitedLogin) if (ssid_sessions[socket.ssid].get('wtv-need-upgrade') != 'true' && !request_headers.query.reconnect && !limitedLogin)

2
zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/password.js
View File

@@ -18,7 +18,7 @@ data = `<html><HEAD><title>Password</title>
<img src="images/PasswordBanner.gif" width=50 height=191> <tr> <td absheight=8> <img src="images/PasswordBanner.gif" width=50 height=191> <tr> <td absheight=8>
</table> </table>
</sidebar> </sidebar>
<body background="images/NameStrip.gif" <body background="/ROMCache/NameStrip.gif"
novtilebg novtilebg
nohtilebg nohtilebg
bgcolor=191919 bgcolor=191919

BIN
zefie_wtvp_minisrv/SharedROMCache/NameStrip.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 117 B

5
zefie_wtvp_minisrv/WTVClientSessionData.js
View File

@@ -43,6 +43,9 @@ class WTVClientSessionData {
"wtv-head-waiter:/ValidateLogin", "wtv-head-waiter:/ValidateLogin",
"wtv-head-waiter:/login-stage-two", "wtv-head-waiter:/login-stage-two",
"wtv-head-waiter:/relogin", "wtv-head-waiter:/relogin",
"wtv-head-waiter:/ROMCache/Spacer.gif",
"wtv-head-waiter:/ROMCache/NameStrip.gif",
"wtv-head-waiter:/images/NameBanner.gif",
"wtv-head-waiter:/bad-disk", "wtv-head-waiter:/bad-disk",
"wtv-head-waiter:/images/PasswordBanner.gif", "wtv-head-waiter:/images/PasswordBanner.gif",
"wtv-log:/log", "wtv-log:/log",
@@ -682,7 +685,7 @@ class WTVClientSessionData {
isAuthorized(url, whitelist = 'lockdown', ignore_lockdown = false) { isAuthorized(url, whitelist = 'lockdown', ignore_lockdown = false) {
// not in lockdown so just return true // not in lockdown so just return true
if (!this.lockdown && !ignore_lockdown) return true; if (whitelist == 'lockdown' && !this.lockdown && !ignore_lockdown) return true;
// in lockdown, check whitelisted urls // in lockdown, check whitelisted urls
var self = this; var self = this;

12
zefie_wtvp_minisrv/app.js
View File

@@ -412,6 +412,18 @@ async function processURL(socket, request_headers) {
return; return;
} }
if (ssid_sessions[socket.ssid].isRegistered() && !ssid_sessions[socket.ssid].getSessionData('password_valid')) {
if (!ssid_sessions[socket.ssid].isAuthorized(shortURL,'login')) {
// user is not fully logged in, and URL not authorized
headers = "300 Unauthorized\n";
headers += "Location: client:relogin\n";
data = "";
sendToClient(socket, headers, data);
console.log(" * Incomplete login rejected request for " + shortURL + " on socket ID", socket.id);
return;
}
}
if (ssid_sessions[socket.ssid].get("wtv-my-disk-sucks-sucks-sucks")) { if (ssid_sessions[socket.ssid].get("wtv-my-disk-sucks-sucks-sucks")) {
if (!ssid_sessions[socket.ssid].baddisk) { if (!ssid_sessions[socket.ssid].baddisk) {
// psuedo lockdown, will unlock on the disk warning page, but prevents minisrv access until they read the error // psuedo lockdown, will unlock on the disk warning page, but prevents minisrv access until they read the error