Fixed security issue - access to API (issue #1814)

dmitry-vinogradov · Apr 24, 2013 · f36c43f · f36c43f
1 parent 6193239
commit f36c43f
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 14 deletions.
diff --git a/api/index.php b/api/index.php
@@ -3,7 +3,6 @@
 require_once "../server/common.php";
 
 if (!Config::getSafe('enable_api', false) &&
-      (empty($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_REAL_IP']) != $_SERVER['SERVER_ADDR'] &&
       strpos($_SERVER['QUERY_STRING'], 'tv_archive') != 2 &&
       strpos($_SERVER['QUERY_STRING'], 'stream_recorder') != 2 &&
       strpos($_SERVER['QUERY_STRING'], 'monitoring_links') != 2 &&

diff --git a/daemon/node_modules/recordertask.js b/daemon/node_modules/recordertask.js
diff --git a/daemon/node_modules/restclient.js b/daemon/node_modules/restclient.js
diff --git a/monitoring/check_channels.sh b/monitoring/check_channels.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
-API_URL=http://localhost/stalker_portal/api/monitoring_links/
+# Use login and password from the configuration file. (api_auth_login and api_auth_password in server/custom.ini)
+API_URL=http://login:password@localhost/stalker_portal/api/monitoring_links/
 PART=1/1
 
 function get_channels {

diff --git a/server/config.ini b/server/config.ini
@@ -158,6 +158,7 @@ exchange_rate_classes[] = CourseCbr
 ; API required for tv archive, pvr and billing
 enable_api = false
 
+; For security reasons it is highly recommended to use HTTP authentication
 ;api_auth_login = stalker
 ;api_auth_password = secret_pass
 enable_api_log = true

diff --git a/server/lib/restmanager.class.php b/server/lib/restmanager.class.php
@@ -21,9 +21,7 @@ public static function handleRequest(){
             $request  = new RESTRequest();
             $response->setRequest($request);
 
-            if ($request->getResource() == 'tv_archive' || (empty($_SERVER['HTTP_X_REAL_IP']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_REAL_IP']) == $_SERVER['SERVER_ADDR']){
-
-            }else if (!empty(self::$auth_login) && (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) ||
+            if (!empty(self::$auth_login) && (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) ||
                 !empty(self::$auth_login) && ($_SERVER['PHP_AUTH_USER'] != self::$auth_login || $_SERVER['PHP_AUTH_PW'] != self::$auth_password)){
                 $response->sendAuthRequest();
             }

diff --git a/storage/config.php b/storage/config.php
@@ -4,7 +4,8 @@
 define('KARAOKE_STORAGE_DIR', '/media/raid0/karaoke/');
 define('RECORDS_DIR', '/media/raid0/records/');
 define('NFS_HOME_PATH', '/media/raid0/mac/');
-define('TASKS_API_URL', 'http://bb3.sandbox/current/api/tv_archive/');
+// Use login and password from the configuration file. (api_auth_login and api_auth_password in server/custom.ini)
+define('TASKS_API_URL', 'http://login:[email protected]/current/api/tv_archive/');
 define('STORAGE_NAME', 'bb3');
 
 ?>
diff --git a/storage/lib/tvarchiverecorder.class.php b/storage/lib/tvarchiverecorder.class.php
@@ -29,8 +29,7 @@ public function start($task){
         }
 
         if (strpos($url, 'rtp://') !== false || strpos($url, 'udp://') !== false){
-            //var_dump('nohup python '.PROJECT_PATH.'/dumpstream -a'.$ip.' -p'.$port.' -d'.$this->getRecordsPath($task).' -n'.$task['parts_number'].' -c'.TASKS_API_URL.$task['ch_id'].' > /dev/null 2>&1 & echo $!');
-            exec('nohup python '.PROJECT_PATH.'/dumpstream -a'.$ip.' -p'.$port.' -d'.$this->getRecordsPath($task).' -n'.$task['parts_number'].' -c'.TASKS_API_URL.$task['ch_id'].' > /dev/null 2>&1 & echo $!', $out);
+            exec('nohup python '.PROJECT_PATH.'/dumpstream -a'.$ip.' -p'.$port.' -d'.$this->getRecordsPath($task).' -n'.$task['parts_number'].' > /dev/null 2>&1 & echo $!', $out);
         }else{
             throw new DomainException('Not supported protocol');
         }