vlc | branch: master | Pierre Ynard <[email protected]> | Mon Sep 7 19:42:34 2020 +0200| [ab87d0a17baa980f132221f5c99a64b74c243c57] | committer: Pierre Ynard
lua/http: disable if password is unset There is currently a feature doing this in the lua bindings, but it is problematic for several reasons: it doesn't reject insecure requests, but only masks their output, while actually still going ahead and silently honoring them; the web interface still recurses through its directory and registers all endpoints, and exposes their existence by answering differently depending on the request URL; the lua bindings are the wrong level to do this, as it precludes any other lua user of the HTTPd than the web interface; and it hijacks the response body to inject its own regardless of the declared content type, potentially resulting in getting it wrongly displayed. Instead, this simply loads a single notice handler, and prints helpful messages, directly from within the web interface module. > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ab87d0a17baa980f132221f5c99a64b74c243c57
---
 share/lua/intf/http.lua | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/share/lua/intf/http.lua b/share/lua/intf/http.lua
index ed0c3583eb..29fa9dd6e4 100644
--- a/share/lua/intf/http.lua
+++ b/share/lua/intf/http.lua
@@ -105,6 +105,15 @@ function process(filename)
 end
+-- TODO: print localized error message
+-- For now this relies on lua bindings inappropriately doing so
+local function callback_nopassword()
+ return [[Status: 403
+Content-Length: 0
+
+]]
+end
+
 function callback_error(path,url,msg)
 local url = url or "<page unknown>"
 return [[<html xmlns="http://www.w3.org/1999/xhtml">
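Review bot: The comment above `callback_nopassword` never says what "doing so" refers to, and the function itself carries no description, so a reader of the file alone cannot tell that the empty 403 body is deliberate. Going by the commit description, the text a user actually sees still seems to come from the lua bindings replacing the response body when no password is set, which is the behaviour this commit calls problematic; if that is later removed from the bindings, clients would get a bare 403 with no explanation. I would spell that out, for example `-- Answers every request with an empty 403 while no HTTP password is set.` followed by `-- TODO: emit a localized notice here; until then the visible text is injected by the lua bindings.`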
@@ -328,5 +337,11 @@ end
 password = vlc.var.inherit(nil,"http-password")
 h = vlc.httpd()
-load_dir( http_dir )
-a = h:handler("/art",nil,password,callback_art,nil)
+if password == "" then
+ vlc.msg.err("Password unset, insecure web interface disabled")
+ vlc.msg.info("Set --http-password on the command line if you want to enable the web interface.")
+ p = h:handler("/",nil,nil,callback_nopassword,nil)
+else
+ load_dir( http_dir )
+ a = h:handler("/art",nil,password,callback_art,nil)
+end
_______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
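Review bot: The new guard `if password == "" then` fails open for any value other than the empty string. Whether `vlc.var.inherit(nil,"http-password")` can return nil is not visible from this hunk, but if it can, the else branch runs `load_dir( http_dir )` and registers `/art` with a nil password, and how the handlers treat a nil password is not shown here either. Since this comparison is now the only gate between an unset password and a fully registered web interface, I would make it fail closed: `if password == nil or password == "" then`. These are top-level statements at the end of the file, so nothing later in the hunk re-checks the value.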
