[Bug 792] security: CLI should require authentication if HTTP does



Frédéric Thomas
2005-02-26, 08:53
Here is a patch that implements what my earlier post with the same
subject discussed. Documentation is updated.

Fred

Frederic Thomas
2005-03-01, 14:27
Any issue with this? I saw Dan committed the firstline fix, but is there any
problem/comment holding up the rest of it?

Thanks

Fred


In <7e1b39866a95c8db259188cfa0625568 (AT) thomascorner (DOT) com> Frédéric Thomas
wrote:
>
> Here is a patch that implements what my earlier post with the same
> subject discussed. Documentation is updated.
>
> Fred
>
>
> Attachment: Login.diff
>
> Index: HTML/EN/html/docs/cli-api.html
> ================================================== =================
> --- HTML/EN/html/docs/cli-api.html (revision 2234)
> +++ HTML/EN/html/docs/cli-api.html (working copy)
> @@ -16,7 +16,7 @@
>
> <p>To use the command line interface interactively, use the telnet
> command from your system's command prompt: <em>telnet localhost
> 9090</em> and when it connects, you can start typing commands.</p> -
> +
>
> <h4>General command format</h4>
> <p>The format of the commands, queries and server replies is as
> follows:</p> @@ -80,6 +80,12 @@ <h4>Notes</h4> <ul> +<li>The
> Security settings of the SlimServer preferences apply to CLI
> connections when they are established. A + change in security
> settings do not affect established connections. The connection is only
> accepted from + allowed hosts. If password protection is enabled, the &
> quot;<a href="#login">login</a>&quot; command must be the first
> command sent after + the connection. Any error in the user and/or
> password, or using any other command as the first one, results in +
> the server disconnecting.</li> + <li>Commands that use paths to songs
> or playlists (<code>&lt;item&gt;</code> parameters below) can use
> relative paths from the root of the Music Library folder to specify
> songs. For example, if the Music Library is specified as &quot;D:\
> mymusic&quot; and you'd like to refer to a song in that folder named &
> quot;foo.mp3&quot; you @@ -123,6 +129,20 @@ <hr> <h4
> id="GC">General commands</h4> +<p id="login"><strong><code>login &lt;
> user&gt; &lt;password&gt;</code></strong></p> +<p>The &quot;login&quot;
> command allows the caller to authenticate itself on the server, as +
> defined in the Security pane of the SlimServer preferences. Like any
> other command, the user + and password must be escaped. If successful,
> the server replaces the password with 6 star characters. + If
> unsuccessful, the server disconnects.</p> +<p>Examples:</p>
> +<blockquote> + <p>Request: &quot;login user correctpassword&lt;LF&
> gt;&quot;<br> + Response: &quot;login user ******&lt;LF&gt;&quot;</
> p> + <p>Request: &quot;login user wrongpassword&lt;LF&gt;&quot;<br> +
> Response: (Connection terminated)</p> + </p> +</blockquote> +
> <p><strong><code>debug &lt;debugflag&gt; &lt;0|1|?|&gt;</code></
> strong></p> <p>The &quot;debug&quot; command allows the caller to
> query, clear, set or toggle the SlimServer's internal debug flags.
> Use 0 to clear, 1 to set, ? to query Index: Slim/Control/CLI.pm
> ================================================== ================= ---
> Slim/Control/CLI.pm (revision 2234) +++ Slim/Control/CLI.pm (working
> copy) @@ -16,6 +16,7 @@ use Slim::Utils::Misc; use Slim::Utils::
> Strings qw(string); use Slim::Utils::OSDetect; +use Slim::Web::HTTP;
>
>
> # This module provides a command-line interface to the server via a
> TCP/IP port. @@ -26,6 +27,7 @@ my $connected = 0; my %outbuf = ();
> my %listen = (); +my %authenticated = (); my $mdnsID; @@ -168,7
> +170,7 @@ closer($clientsock);
>} } else {
>
> - s/$CR?$LF/\n/;
> + $firstline =~ s/$CR?$LF/\n/;
>
> # process the commands
> chomp $firstline;
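Review bot: the change from `s/$CR?$LF/\n/;` to `$firstline =~ s/$CR?$LF/\n/;` is a correctness fix independent of the authentication work (the bare substitution operated on `$_`, not on the line actually being processed, so the line ending was never normalised before the `chomp`). It belongs in its own commit, which the follow-up message says Dan has already made; the remaining patch should be rebased without this hunk so the security change can be reviewed on its own.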
> @@ -189,18 +191,48 @@
> $::d_cli && msg("Clients: ". join " " ,Slim::Player::Client::
> clientIPs(), "\n"); $::d_cli && msg("Processing command: $command\n");
>
> - if ($command =~ /^listen\s*(0|1|)/) {
> - if ($1 eq 0) {
> - $listen{$clientsock} = undef;
> - } elsif ($1 eq 1) {
> - $listen{$clientsock} = $clientsock;
> + # Check authentification if not already done
> + if (!defined($authenticated{$clientsock})) {
> + if (Slim::Utils::Prefs::get('authorize')) {
> + $::d_cli && msg("CLI connection requires authentication.\n");
> + if ($command =~ m|^login (\S*?) (\S*)|) {
> + # unescape: like other CLI command arguments, user and password
> should be URI-escaped + my ($user, $pass) = (Slim::Web::HTTP::
> unescape($1),Slim::Web::HTTP::unescape($2)); + if (Slim::Web::HTTP::
> checkAuthorization($user, $pass)) { + $::d_cli && msg("CLI
> authentication successful.\n"); + $authenticated{$clientsock} = 1;
> + $output = "login " . Slim::Web::HTTP::escape($user) . " ******";
> + }
> + }
> +
> + # failed, disconnect
> + if (!defined($authenticated{$clientsock})) {
> + closer($clientsock);
> + return;
> + }
> +
>} } >} } else {
> - $listen{$clientsock} = $listen{$clientsock} ? undef : $clientsock;
> + # we're authenticated if no authentication is required!
> + $authenticated{$clientsock} = 1;
>}}>} }
> +
>}}>} }
>
> - $output = Slim::Control::Stdio::executeCmd($command);
> + if (defined($authenticated{$clientsock})) {
>
> + if ($command =~ /^listen\s*(0|1|)/) {
> + if ($1 eq 0) {
> + $listen{$clientsock} = undef;
> + } elsif ($1 eq 1) {
> + $listen{$clientsock} = $clientsock;
> + } else {
> + $listen{$clientsock} = $listen{$clientsock} ? undef : $clientsock;
> + }
> + }
> +
> + $output = Slim::Control::Stdio::executeCmd($command);
> +
> + }
> # if the callback isn't goint to print the response...
> if (!$listen{$clientsock}) {
>
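Review bot: the successful `login` path does not stop after setting `$output`; control falls into the new `if (defined($authenticated{$clientsock}))` block, which runs `$output = Slim::Control::Stdio::executeCmd($command);` on the raw `login <user> <password>` line, clobbering the masked `login user ******` reply and handing the plaintext password to the generic command executor. Put the executeCmd dispatch in an `else` of the login branch (or `return` right after a successful login, as the failure path already does) so the login command is never treated as an ordinary command. Two smaller points in the same hunk: the context line `$::d_cli && msg("Processing command: $command\n");` runs before the login check, so with `$::d_cli` enabled the password is written to the debug output and should be masked there as well; and the comment `# Check authentification` should read `authentication`.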
> @@ -267,6 +299,8 @@
> sub closer {
> my $clientsock = shift;
>
> + $::d_cli && msg("Closing connection\n");
> +
> Slim::Networking::Select::addWrite($clientsock, undef);
> Slim::Networking::Select::addRead($clientsock, undef);
> Slim::Networking::Select::addError($clientsock, undef);
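Review bot: `closer` only gains a debug message here, but it is also the place where the new per-connection state has to be released: nothing in the patch ever does `delete $authenticated{$clientsock}`, and `%authenticated` (added beside `%outbuf` and `%listen` in the `@@ -26,6 +27,7 @@` hunk) is keyed by the socket's stringified reference, so the entry outlives the connection it belongs to; if Perl later hands out a socket that stringifies to the same value, that new connection would start out authenticated without ever sending `login`. Add `delete $authenticated{$clientsock};` (together with the matching `%listen`/`%outbuf` cleanup, if that is not already done elsewhere) before the addWrite/addRead/addError calls.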
>
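Review bot: in the cli-api.html hunk at `@@ -123,6 +129,20 @@`, the example block closes with `Response: (Connection terminated)</p>` followed by a stray `</p>` before `</blockquote>`, which leaves an unmatched closing tag; drop the extra `</p>`. In the `@@ -80,6 +80,12 @@` hunk, "A change in security settings do not affect established connections" should read "does not", and since that sentence documents that enabling password protection or changing the password leaves already-open CLI sessions authenticated until they disconnect, it is worth stating explicitly as a known limitation (or having the server drop existing CLI connections when the security preferences change).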