[vlc-devel] [PATCH] lua/http: disable if password is unset

Pierre Ynard linkfanel at yahoo.fr
Fri Sep 4 07:47:10 CEST 2020


There is currently a feature doing this in the lua bindings, but it is
problematic for several reasons: it doesn't reject insecure requests,
but only masks their output, while actually still going ahead and
silently honoring them; the web interface still recurses through its
directory and registers all endpoints, and exposes their existence by
answering differently depending on the request URL; the lua bindings are
the wrong level to do this, as it precludes any other lua user of the
HTTPd than the web interface; and it hijacks the response body to inject
its own regardless of the declared content type, potentially resulting
in getting it wrongly displayed.

Was there any rationale for that implementation?

Instead, this simply loads a single notice handler, and prints helpful
messages, directly from within the web interface module.

If you test this, be advised of #25086


diff --git a/share/lua/intf/http.lua b/share/lua/intf/http.lua
index ed0c358..29fa9dd 100644
--- a/share/lua/intf/http.lua
+++ b/share/lua/intf/http.lua
@@ -105,6 +105,15 @@ function process(filename)
 end
 
 
+-- TODO: print localized error message
+-- For now this relies on lua bindings inappropriately doing so
+local function callback_nopassword()
+    return [[Status: 403
+Content-Length: 0
+
+]]
+end
+
 function callback_error(path,url,msg)
     local url = url or "<page unknown>"
     return  [[<html xmlns="http://www.w3.org/1999/xhtml">
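Review bot: callback_nopassword() returns a 403 with "Content-Length: 0" and, per its own TODO, depends on the Lua bindings injecting the user-facing message, which is the same binding behaviour the commit message calls problematic. If that injection is later removed or changed, clients get a blank 403 with no explanation. Consider returning a short fixed body with an explicit Content-Type from this callback so the notice does not depend on the bindings, and leave only the localization as the TODO.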
@@ -328,5 +337,11 @@ end
 password = vlc.var.inherit(nil,"http-password")
 
 h = vlc.httpd()
-load_dir( http_dir )
-a = h:handler("/art",nil,password,callback_art,nil)
+if password == "" then
+    vlc.msg.err("Password unset, insecure web interface disabled")
+    vlc.msg.info("Set --http-password on the command line if you want to enable the web interface.")
+    p = h:handler("/",nil,nil,callback_nopassword,nil)
+else
+    load_dir( http_dir )
+    a = h:handler("/art",nil,password,callback_art,nil)
+end
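Review bot: the guard `if password == "" then` only matches the empty string, so if vlc.var.inherit(nil,"http-password") can ever return nil the else branch runs and registers /art and the directory handlers with no password. Testing `not password or password == ""` would fail closed in both cases. Also, `p` is introduced as a new global and `a` stays unset in the disabled branch; a short comment or a `local` would make it clear that nothing later in the file expects `a` to exist.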
-- 
Pierre Ynard
"A soul in a body is like a drawing on a sheet of paper."

