Merge pull request #79 from diamante0018/password-mongoose

fix(download): restore password verification
This commit is contained in:
Louve 2024-01-20 14:55:26 +01:00 committed by GitHub
commit f6b19d6bc8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 2 deletions

View File

@ -435,7 +435,7 @@ namespace Components
MongooseLogBuffer.push_back(c);
}
void Download::ReplyError(mg_connection* connection, int code)
void Download::ReplyError(mg_connection* connection, int code, std::string messageOverride)
{
std::string msg{};
switch(code)
@ -453,6 +453,11 @@ namespace Components
break;
}
if (!messageOverride.empty())
{
msg = messageOverride;
}
mg_http_reply(connection, code, "Content-Type: text/plain\r\n", "%s", msg.c_str());
}
@ -462,6 +467,31 @@ namespace Components
mg_http_reply(connection, 200, formatted.c_str(), "%s", data.c_str());
}
bool VerifyPassword([[maybe_unused]] mg_connection* c, [[maybe_unused]] const mg_http_message* hm)
{
const std::string g_password = *Game::g_password ? (*Game::g_password)->current.string : "";
if (g_password.empty()) return true;
// SHA256 hashes are 64 characters long but we're gonna be safe here
char buffer[128]{};
const auto len = mg_http_get_var(&hm->query, "password", buffer, sizeof(buffer));
if (len <= 0)
{
Download::ReplyError(c, 403, "Password Required");
return false;
}
const auto password = std::string(buffer, len);
if (password != Utils::String::DumpHex(Utils::Cryptography::SHA256::Compute(g_password), ""))
{
Download::ReplyError(c, 403, "Invalid Password");
return false;
}
return true;
}
std::optional<std::string> Download::InfoHandler([[maybe_unused]] mg_connection* c, [[maybe_unused]] const mg_http_message* hm)
{
if (!(*Game::com_sv_running)->current.enabled)
@ -524,6 +554,12 @@ namespace Components
static nlohmann::json jsonList;
static std::filesystem::path fsGamePre;
if (!VerifyPassword(c, hm))
{
// Custom reply done in VerifyPassword
return {};
}
const std::filesystem::path fsGame = (*Game::fs_gameDirVar)->current.string;
if (!fsGame.empty() && (fsGamePre != fsGame))
@ -572,6 +608,12 @@ namespace Components
static std::string mapNamePre;
static nlohmann::json jsonList;
if (!VerifyPassword(c, hm))
{
// Custom reply done in VerifyPassword
return {};
}
const std::string mapName = Party::IsInUserMapLobby() ? (*Game::ui_mapname)->current.string : Maps::GetUserMap()->getName();
if (!Maps::GetUserMap()->isValid() && !Party::IsInUserMapLobby())
{

View File

@ -17,6 +17,8 @@ namespace Components
static void InitiateClientDownload(const std::string& mod, bool needPassword, bool map = false);
static void InitiateMapDownload(const std::string& map, bool needPassword);
static void ReplyError(mg_connection* connection, int code, std::string messageOverride = {});
static Dvar::Var SV_wwwDownload;
static Dvar::Var SV_wwwBaseUrl;
@ -105,7 +107,6 @@ namespace Components
static bool DownloadFile(ClientDownload* download, unsigned int index);
static void LogFn(char c, void* param);
static void ReplyError(mg_connection* connection, int code);
static void Reply(mg_connection* connection, const std::string& contentType, const std::string& data);
static std::optional<std::string> FileHandler(mg_connection* c, const mg_http_message* hm);