public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session) { var path = this.GetPath(request.Uri); var html = System.IO.Path.Combine(path, "index.html"); var htm = System.IO.Path.Combine(path, "index.htm"); if (System.IO.Directory.Exists(path) && (System.IO.File.Exists(html) || System.IO.File.Exists(htm))) { if (!request.Uri.AbsolutePath.EndsWith("/", StringComparison.Ordinal)) { response.Redirect(request.Uri.AbsolutePath + "/"); return(true); } response.Status = System.Net.HttpStatusCode.OK; response.Reason = "OK"; response.ContentType = "text/html; charset=utf-8"; response.AddHeader("Cache-Control", "no-cache, no-store, must-revalidate, max-age=0"); using (var fs = System.IO.File.OpenRead(System.IO.File.Exists(html) ? html : htm)) { response.ContentLength = fs.Length; response.Body = fs; response.Send(); } return(true); } return(false); }
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session) { HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString; var auth_token = FindAuthCookie(request); var xsrf_token = FindXSRFToken(request); if (!HasXSRFCookie(request)) { var cookieAdded = AddXSRFTokenToRespone(response); if (!cookieAdded) { response.Status = System.Net.HttpStatusCode.ServiceUnavailable; response.Reason = "Too Many Concurrent Request, try again later"; return(true); } } Tuple <DateTime, string> tmpTuple; DateTime tmpDateTime; if (LOGOUT_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase)) { if (!string.IsNullOrWhiteSpace(auth_token)) { // Remove the active auth token m_activeTokens.TryRemove(auth_token, out tmpDateTime); } response.Status = System.Net.HttpStatusCode.NoContent; response.Reason = "OK"; return(true); } else if (LOGIN_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase)) { // Remove expired nonces foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key)) { m_activeNonces.TryRemove(k, out tmpTuple); } if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value)) { if (m_activeNonces.Count > 50) { response.Status = System.Net.HttpStatusCode.ServiceUnavailable; response.Reason = "Too many active login attempts"; return(true); } var password = Program.DataConnection.ApplicationSettings.WebserverPassword; if (request.Headers[TRAYICONPASSWORDSOURCE_HEADER] == "database") { password = Program.DataConnection.ApplicationSettings.WebserverPasswordTrayIconHash; } var buf = new byte[32]; var expires = DateTime.UtcNow.AddMinutes(AUTH_TIMEOUT_MINUTES); m_prng.GetBytes(buf); var nonce = Convert.ToBase64String(buf); var sha256 = System.Security.Cryptography.SHA256.Create(); sha256.TransformBlock(buf, 0, buf.Length, buf, 0); buf = Convert.FromBase64String(password); sha256.TransformFinalBlock(buf, 0, buf.Length); var pwd = Convert.ToBase64String(sha256.Hash); m_activeNonces.AddOrUpdate(nonce, key => new Tuple <DateTime, string>(expires, pwd), (key, existingValue) => { // Simulate the original behavior => if the nonce, against all odds, is already used // we throw an ArgumentException throw new ArgumentException("An element with the same key already exists in the dictionary."); }); response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires)); using (var bw = new BodyWriter(response, request)) { bw.OutputOK(new { Status = "OK", Nonce = nonce, Salt = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt }); } return(true); } else { if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value)) { var nonce_el = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)]; var nonce = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value; var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce); if (m_activeNonces.ContainsKey(urldecoded)) { nonce = urldecoded; } if (!m_activeNonces.ContainsKey(nonce)) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Unauthorized"; response.ContentType = "application/json"; return(true); } var pwd = m_activeNonces[nonce].Item2; // Remove the nonce m_activeNonces.TryRemove(nonce, out tmpTuple); if (pwd != input["password"].Value) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Unauthorized"; response.ContentType = "application/json"; return(true); } var buf = new byte[32]; var expires = DateTime.UtcNow.AddHours(1); m_prng.GetBytes(buf); var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf); while (token.Length > 0 && token.EndsWith("=", StringComparison.Ordinal)) { token = token.Substring(0, token.Length - 1); } m_activeTokens.AddOrUpdate(token, key => expires, (key, existingValue) => { // Simulate the original behavior => if the token, against all odds, is already used // we throw an ArgumentException throw new ArgumentException("An element with the same key already exists in the dictionary."); }); response.Cookies.Add(new HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires)); using (var bw = new BodyWriter(response, request)) bw.OutputOK(); return(true); } } } var limitedAccess = request.Uri.AbsolutePath.StartsWith(RESTHandler.API_URI_PATH, StringComparison.OrdinalIgnoreCase) ; // Override to allow the CAPTCHA call to go through if (request.Uri.AbsolutePath.StartsWith(CAPTCHA_IMAGE_URI, StringComparison.OrdinalIgnoreCase) && request.Method == "GET") { limitedAccess = false; } if (limitedAccess) { if (xsrf_token != null && m_activexsrf.ContainsKey(xsrf_token)) { var expires = DateTime.UtcNow.AddMinutes(XSRF_TIMEOUT_MINUTES); m_activexsrf[xsrf_token] = expires; response.Cookies.Add(new ResponseCookie(XSRF_COOKIE_NAME, xsrf_token, expires)); } else { response.Status = System.Net.HttpStatusCode.BadRequest; response.Reason = "Missing XSRF Token. Please reload the page"; return(true); } } if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword)) { return(false); } foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key)) { m_activeTokens.TryRemove(k, out tmpDateTime); } // If we have a valid token, proceed if (!string.IsNullOrWhiteSpace(auth_token)) { DateTime expires; var found = m_activeTokens.TryGetValue(auth_token, out expires); if (!found) { auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token); found = m_activeTokens.TryGetValue(auth_token, out expires); } if (found && DateTime.UtcNow < expires) { expires = DateTime.UtcNow.AddHours(1); m_activeTokens[auth_token] = expires; response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires)); return(false); } } if ("/".Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase) || "/index.html".Equals(request.Uri.AbsolutePath, StringComparison.OrdinalIgnoreCase)) { response.Redirect("/login.html"); return(true); } if (limitedAccess) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Not logged in"; response.AddHeader("Location", "login.html"); return(true); } return(false); }
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session) { HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString; var authcookie = request.Cookies[AUTH_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(AUTH_COOKIE_NAME)]; var authinput = input["auth-token"] ?? input[Library.Utility.Uri.UrlEncode("auth-token")]; var auth_token = authcookie == null || string.IsNullOrWhiteSpace(authcookie.Value) ? null : authcookie.Value; if (authinput != null && !string.IsNullOrWhiteSpace(authinput.Value)) { auth_token = input["auth-token"].Value; } if (request.Uri.AbsolutePath == "/logout.cgi") { if (!string.IsNullOrWhiteSpace(auth_token)) { if (m_activeTokens.ContainsKey(auth_token)) { m_activeTokens.Remove(auth_token); } } response.Status = System.Net.HttpStatusCode.NoContent; response.Reason = "OK"; return(true); } else if (request.Uri.AbsolutePath == "/login.cgi") { foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key).ToList()) { m_activeNonces.Remove(k); } if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value)) { if (m_activeNonces.Count > 50) { response.Status = System.Net.HttpStatusCode.ServiceUnavailable; response.Reason = "Too many active login attempts"; return(true); } var buf = new byte[32]; var expires = DateTime.UtcNow.AddMinutes(10); m_prng.GetBytes(buf); var nonce = Convert.ToBase64String(buf); var sha256 = System.Security.Cryptography.SHA256.Create(); sha256.TransformBlock(buf, 0, buf.Length, buf, 0); buf = Convert.FromBase64String(Program.DataConnection.ApplicationSettings.WebserverPassword); sha256.TransformFinalBlock(buf, 0, buf.Length); var pwd = Convert.ToBase64String(sha256.Hash); m_activeNonces.Add(nonce, new Tuple <DateTime, string>(expires, pwd)); response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires)); using (var bw = new BodyWriter(response)) { bw.OutputOK(new { Status = "OK", Nonce = nonce, Salt = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt }); } return(true); } else { if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value)) { var nonce_el = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)]; var nonce = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value; var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce); if (m_activeNonces.ContainsKey(urldecoded)) { nonce = urldecoded; } if (!m_activeNonces.ContainsKey(nonce)) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Unauthorized"; response.ContentType = "application/json"; return(true); } var pwd = m_activeNonces[nonce].Item2; m_activeNonces.Remove(nonce); if (pwd != input["password"].Value) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Unauthorized"; response.ContentType = "application/json"; return(true); } var buf = new byte[32]; var expires = DateTime.UtcNow.AddHours(1); m_prng.GetBytes(buf); var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf); while (token.Length > 0 && token.EndsWith("=")) { token = token.Substring(0, token.Length - 1); } m_activeTokens.Add(token, expires); response.Cookies.Add(new HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires)); using (var bw = new BodyWriter(response)) bw.OutputOK(); return(true); } } } if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword)) { return(false); } foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key).ToList()) { m_activeTokens.Remove(k); } // If we have a valid token, proceeed if (!string.IsNullOrWhiteSpace(auth_token)) { DateTime expires; var found = m_activeTokens.TryGetValue(auth_token, out expires); if (!found) { auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token); found = m_activeTokens.TryGetValue(auth_token, out expires); } if (found && DateTime.UtcNow < expires) { expires = DateTime.UtcNow.AddHours(1); m_activeTokens[auth_token] = expires; response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires)); return(false); } } if (request.Uri.AbsolutePath == "/" || request.Uri.AbsolutePath == "/index.html") { response.Redirect("/login.html"); return(true); } if (request.Uri.AbsolutePath == "/control.cgi") { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Not logged in"; response.AddHeader("Location", "login.html"); return(true); } return(false); }
public override bool Process(HttpServer.IHttpRequest request, HttpServer.IHttpResponse response, HttpServer.Sessions.IHttpSession session) { HttpServer.HttpInput input = request.Method.ToUpper() == "POST" ? request.Form : request.QueryString; var auth_token = FindAuthCookie(request); var xsrf_token = FindXSRFToken(request); if (!HasXSRFCookie(request)) { var cookieAdded = AddXSRFTokenToRespone(response); if (!cookieAdded) { response.Status = System.Net.HttpStatusCode.ServiceUnavailable; response.Reason = "Too Many Concurrent Request, try again later"; return(true); } } if (LOGOUT_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase)) { if (!string.IsNullOrWhiteSpace(auth_token)) { if (m_activeTokens.ContainsKey(auth_token)) { m_activeTokens.Remove(auth_token); } } response.Status = System.Net.HttpStatusCode.NoContent; response.Reason = "OK"; return(true); } else if (LOGIN_SCRIPT_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase)) { foreach (var k in (from n in m_activeNonces where DateTime.UtcNow > n.Value.Item1 select n.Key).ToList()) { m_activeNonces.Remove(k); } if (input["get-nonce"] != null && !string.IsNullOrWhiteSpace(input["get-nonce"].Value)) { if (m_activeNonces.Count > 50) { response.Status = System.Net.HttpStatusCode.ServiceUnavailable; response.Reason = "Too many active login attempts"; return(true); } var buf = new byte[32]; var expires = DateTime.UtcNow.AddMinutes(AUTH_TIMEOUT_MINUTES); m_prng.GetBytes(buf); var nonce = Convert.ToBase64String(buf); var sha256 = System.Security.Cryptography.SHA256.Create(); sha256.TransformBlock(buf, 0, buf.Length, buf, 0); buf = Convert.FromBase64String(Program.DataConnection.ApplicationSettings.WebserverPassword); sha256.TransformFinalBlock(buf, 0, buf.Length); var pwd = Convert.ToBase64String(sha256.Hash); m_activeNonces.Add(nonce, new Tuple <DateTime, string>(expires, pwd)); response.Cookies.Add(new HttpServer.ResponseCookie(NONCE_COOKIE_NAME, nonce, expires)); using (var bw = new BodyWriter(response, request)) { bw.OutputOK(new { Status = "OK", Nonce = nonce, Salt = Program.DataConnection.ApplicationSettings.WebserverPasswordSalt }); } return(true); } else { if (input["password"] != null && !string.IsNullOrWhiteSpace(input["password"].Value)) { var nonce_el = request.Cookies[NONCE_COOKIE_NAME] ?? request.Cookies[Library.Utility.Uri.UrlEncode(NONCE_COOKIE_NAME)]; var nonce = nonce_el == null || string.IsNullOrWhiteSpace(nonce_el.Value) ? "" : nonce_el.Value; var urldecoded = nonce == null ? "" : Duplicati.Library.Utility.Uri.UrlDecode(nonce); if (m_activeNonces.ContainsKey(urldecoded)) { nonce = urldecoded; } if (!m_activeNonces.ContainsKey(nonce)) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Unauthorized"; response.ContentType = "application/json"; return(true); } var pwd = m_activeNonces[nonce].Item2; m_activeNonces.Remove(nonce); if (pwd != input["password"].Value) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Unauthorized"; response.ContentType = "application/json"; return(true); } var buf = new byte[32]; var expires = DateTime.UtcNow.AddHours(1); m_prng.GetBytes(buf); var token = Duplicati.Library.Utility.Utility.Base64UrlEncode(buf); while (token.Length > 0 && token.EndsWith("=")) { token = token.Substring(0, token.Length - 1); } m_activeTokens.Add(token, expires); response.Cookies.Add(new HttpServer.ResponseCookie(AUTH_COOKIE_NAME, token, expires)); using (var bw = new BodyWriter(response, request)) bw.OutputOK(); return(true); } } } var limitedAccess = ControlHandler.CONTROL_HANDLER_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase) || request.Uri.AbsolutePath.StartsWith(RESTHandler.API_URI_PATH, StringComparison.InvariantCultureIgnoreCase) ; if (limitedAccess) { if (xsrf_token != null && m_activexsrf.ContainsKey(xsrf_token)) { var expires = DateTime.UtcNow.AddMinutes(XSRF_TIMEOUT_MINUTES); m_activexsrf[xsrf_token] = expires; response.Cookies.Add(new ResponseCookie(XSRF_COOKIE_NAME, xsrf_token, expires)); } else { response.Status = System.Net.HttpStatusCode.BadRequest; response.Reason = "Missing XSRF Token"; return(true); } } if (string.IsNullOrWhiteSpace(Program.DataConnection.ApplicationSettings.WebserverPassword)) { return(false); } foreach (var k in (from n in m_activeTokens where DateTime.UtcNow > n.Value select n.Key).ToList()) { m_activeTokens.Remove(k); } // If we have a valid token, proceeed if (!string.IsNullOrWhiteSpace(auth_token)) { DateTime expires; var found = m_activeTokens.TryGetValue(auth_token, out expires); if (!found) { auth_token = Duplicati.Library.Utility.Uri.UrlDecode(auth_token); found = m_activeTokens.TryGetValue(auth_token, out expires); } if (found && DateTime.UtcNow < expires) { expires = DateTime.UtcNow.AddHours(1); m_activeTokens[auth_token] = expires; response.Cookies.Add(new ResponseCookie(AUTH_COOKIE_NAME, auth_token, expires)); return(false); } } if ("/".Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase) || "/index.html".Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase)) { response.Redirect("/login.html"); return(true); } if (ControlHandler.CONTROL_HANDLER_URI.Equals(request.Uri.AbsolutePath, StringComparison.InvariantCultureIgnoreCase)) { response.Status = System.Net.HttpStatusCode.Unauthorized; response.Reason = "Not logged in"; response.AddHeader("Location", "login.html"); return(true); } return(false); }