[vlc-commits] lua/http: disable if password is unset

Pierre Ynard git at videolan.org
Mon Sep 7 19:43:47 CEST 2020


vlc | branch: master | Pierre Ynard <linkfanel at yahoo.fr> | Mon Sep  7 19:42:34 2020 +0200| [ab87d0a17baa980f132221f5c99a64b74c243c57] | committer: Pierre Ynard

lua/http: disable if password is unset

There is currently a feature doing this in the lua bindings, but it is
problematic for several reasons: it doesn't reject insecure requests,
but only masks their output, while actually still going ahead and
silently honoring them; the web interface still recurses through its
directory and registers all endpoints, and exposes their existence by
answering differently depending on the request URL; the lua bindings are
the wrong level to do this, as it precludes any other lua user of the
HTTPd than the web interface; and it hijacks the response body to inject
its own regardless of the declared content type, potentially resulting
in getting it wrongly displayed.

Instead, this simply loads a single notice handler, and prints helpful
messages, directly from within the web interface module.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ab87d0a17baa980f132221f5c99a64b74c243c57
---

 share/lua/intf/http.lua | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/share/lua/intf/http.lua b/share/lua/intf/http.lua
index ed0c3583eb..29fa9dd6e4 100644
--- a/share/lua/intf/http.lua
+++ b/share/lua/intf/http.lua
@@ -105,6 +105,15 @@ function process(filename)
 end
 
 
+-- TODO: print localized error message
+-- For now this relies on lua bindings inappropriately doing so
+local function callback_nopassword()
+    return [[Status: 403
+Content-Length: 0
+
+]]
+end
+
 function callback_error(path,url,msg)
     local url = url or "<page unknown>"
     return  [[<html xmlns="http://www.w3.org/1999/xhtml">
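Review bot: callback_nopassword() returns a 403 with "Content-Length: 0" and, per its own TODO, depends on the lua bindings to inject the visible error text, which is the body-hijacking behaviour the commit message lists as a problem. Once the bindings stop doing that, clients will get an empty 403 with no explanation. Consider having this handler emit its own short body with an explicit Content-Type and a matching Content-Length, so the notice does not depend on the code path this change is moving away from. The comment could also name the binding feature it relies on, so the TODO is easy to find when that feature is removed.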
@@ -328,5 +337,11 @@ end
 password = vlc.var.inherit(nil,"http-password")
 
 h = vlc.httpd()
-load_dir( http_dir )
-a = h:handler("/art",nil,password,callback_art,nil)
+if password == "" then
+    vlc.msg.err("Password unset, insecure web interface disabled")
+    vlc.msg.info("Set --http-password on the command line if you want to enable the web interface.")
+    p = h:handler("/",nil,nil,callback_nopassword,nil)
+else
+    load_dir( http_dir )
+    a = h:handler("/art",nil,password,callback_art,nil)
+end
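Review bot: the guard `if password == "" then` only matches the empty string, so if vlc.var.inherit(nil,"http-password") can ever return nil, the else branch runs and load_dir() and the /art handler are registered with a nil password, the same value the new h:handler("/",nil,nil,callback_nopassword,nil) call passes to mean no authentication. Suggest failing closed with `if not password or password == "" then`. Smaller points in the same hunk: `p` is introduced as a new global next to `a` and `h`, and it is worth a comment stating that the "/" handler is expected to answer for every path, since the point of the change is that no other endpoint reveals its existence when the password is unset.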


