[vlc-commits] lua/http: disable if password is unset
Pierre Ynard
git at videolan.org
Mon Sep 7 19:43:47 CEST 2020
vlc | branch: master | Pierre Ynard <linkfanel at yahoo.fr> | Mon Sep 7 19:42:34 2020 +0200| [ab87d0a17baa980f132221f5c99a64b74c243c57] | committer: Pierre Ynard
lua/http: disable if password is unset
There is currently a feature doing this in the lua bindings, but it is
problematic for several reasons: it doesn't reject insecure requests,
but only masks their output, while actually still going ahead and
silently honoring them; the web interface still recurses through its
directory and registers all endpoints, and exposes their existence by
answering differently depending on the request URL; the lua bindings are
the wrong level to do this, as it precludes any other lua user of the
HTTPd than the web interface; and it hijacks the response body to inject
its own regardless of the declared content type, potentially resulting
in getting it wrongly displayed.
Instead, this simply loads a single notice handler, and prints helpful
messages, directly from within the web interface module.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ab87d0a17baa980f132221f5c99a64b74c243c57
---
share/lua/intf/http.lua | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/share/lua/intf/http.lua b/share/lua/intf/http.lua
index ed0c3583eb..29fa9dd6e4 100644
--- a/share/lua/intf/http.lua
+++ b/share/lua/intf/http.lua
@@ -105,6 +105,15 @@ function process(filename)
end
+-- TODO: print localized error message
+-- For now this relies on lua bindings inappropriately doing so
+local function callback_nopassword()
+ return [[Status: 403
+Content-Length: 0
+
+]]
+end
+
function callback_error(path,url,msg)
local url = url or "<page unknown>"
return [[<html xmlns="http://www.w3.org/1999/xhtml">
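Review bot: callback_nopassword returns a 403 with `Content-Length: 0` and an empty body, so, as its own TODO admits, the user-visible explanation still depends on the lua bindings injecting a body, which is the behaviour the commit message lists as a problem. Consider returning a short plain-text notice from this callback, with an explicit Content-Type and a matching Content-Length, so the response does not go blank if the bindings' injection is removed later. The TODO could also name the binding feature it relies on, so the dependency is easy to find when that feature is touched.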
@@ -328,5 +337,11 @@ end
password = vlc.var.inherit(nil,"http-password")
h = vlc.httpd()
-load_dir( http_dir )
-a = h:handler("/art",nil,password,callback_art,nil)
+if password == "" then
+ vlc.msg.err("Password unset, insecure web interface disabled")
+ vlc.msg.info("Set --http-password on the command line if you want to enable the web interface.")
+ p = h:handler("/",nil,nil,callback_nopassword,nil)
+else
+ load_dir( http_dir )
+ a = h:handler("/art",nil,password,callback_art,nil)
+end
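Review bot: the check `if password == "" then` only catches an empty string. If `vlc.var.inherit(nil,"http-password")` can ever return nil, execution falls into the else branch, and load_dir and the /art handler are registered with a nil password. A fail-closed form such as `if not password or password == "" then` would cover both cases. Separately, the notice handler is stored in a new global named `p`; a descriptive name, or a one-line comment on why the reference is kept, would make the intent clearer.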