X-Git-Url: https://git.ucc.asn.au/?a=blobdiff_plain;f=server%2Ffastcgi.c;h=d3e4b2869ff7fe5846df37160f7d5a3f5e4ce055;hb=826791abc3a3bb383c2908d7d39618b99ad7665c;hp=41def56924666e7778378595beabb9afff58ebf9;hpb=f7835777d9a2e85ab310919a150a200ea55c7222;p=matches%2FMCTX3420.git diff --git a/server/fastcgi.c b/server/fastcgi.c index 41def56..d3e4b28 100644 --- a/server/fastcgi.c +++ b/server/fastcgi.c @@ -33,7 +33,7 @@ */ static void IdentifyHandler(FCGIContext *context, char *params) { bool ident_sensors = false, ident_actuators = false; - + bool has_control = FCGI_HasControl(context, getenv("COOKIE_STRING")); int i; FCGIValue values[2] = {{"sensors", &ident_sensors, FCGI_BOOL_T}, @@ -45,8 +45,8 @@ static void IdentifyHandler(FCGIContext *context, char *params) { FCGI_JSONPair("description", "MCTX3420 Server API (2013)"); FCGI_JSONPair("build_date", __DATE__ " " __TIME__); FCGI_JSONLong("api_version", API_VERSION); - FCGI_JSONBool("logged_in", FCGI_HasControl(context, getenv("COOKIE_STRING"))); - FCGI_JSONPair("friendly_name", ""); + FCGI_JSONBool("logged_in", has_control); + FCGI_JSONPair("friendly_name", has_control ? context->friendly_name : ""); //Sensor and actuator information if (ident_sensors) { @@ -79,14 +79,14 @@ static void IdentifyHandler(FCGIContext *context, char *params) { * the system at any one time. The key can be forcibly generated, revoking * any previous control keys. To be used in conjunction with HTTP * basic authentication. - * This function will generate a JSON response that indicates success/failure. * @param context The context to work in * @param force Whether to force key generation or not. - */ -void FCGI_LockControl(FCGIContext *context, bool force) { + * @return true on success, false otherwise (eg someone else already in control) + */ +bool FCGI_LockControl(FCGIContext *context, bool force) { time_t now = time(NULL); bool expired = now - context->control_timestamp > CONTROL_TIMEOUT; - + if (force || !*(context->control_key) || expired) { SHA_CTX sha1ctx; @@ -102,7 +102,9 @@ void FCGI_LockControl(FCGIContext *context, bool force) { for (i = 0; i < 20; i++) sprintf(context->control_key + i * 2, "%02x", sha1[i]); snprintf(context->control_ip, 16, "%s", getenv("REMOTE_ADDR")); + return true; } + return false; } /** @@ -116,7 +118,8 @@ void FCGI_LockControl(FCGIContext *context, bool force) { bool FCGI_HasControl(FCGIContext *context, const char *key) { time_t now = time(NULL); int result = (now - context->control_timestamp) <= CONTROL_TIMEOUT && - key != NULL && !strcmp(context->control_key, key); + key != NULL && context->control_key[0] != '\0' && + !strcmp(context->control_key, key); if (result) { context->control_timestamp = now; //Update the control_timestamp } @@ -130,8 +133,6 @@ bool FCGI_HasControl(FCGIContext *context, const char *key) { */ void FCGI_ReleaseControl(FCGIContext *context) { *(context->control_key) = 0; - FCGI_BeginJSON(context, STATUS_OK); - FCGI_EndJSON(); return; } @@ -383,7 +384,7 @@ void FCGI_RejectJSONEx(FCGIContext *context, StatusCodes status, const char *des FCGI_BeginJSON(context, status); FCGI_JSONPair("description", description); FCGI_JSONLong("responsenumber", context->response_number); - //FCGI_JSONPair("params", getenv("QUERY_STRING")); + //FCGI_JSONPair("params", getenv("QUERY_STRING")); //A bad idea if contains password but also if contains unescaped stuff FCGI_JSONPair("host", getenv("SERVER_HOSTNAME")); FCGI_JSONPair("user", getenv("REMOTE_USER")); FCGI_JSONPair("ip", getenv("REMOTE_ADDR")); @@ -479,9 +480,6 @@ void * FCGI_RequestLoop (void *data) if (lastchar > 0 && module[lastchar] == '/') module[lastchar] = 0; - //Escape all special characters - FCGI_EscapeText(params); - //Default to the 'identify' module if none specified if (!*module) strcpy(module, "identify"); @@ -516,11 +514,16 @@ void * FCGI_RequestLoop (void *data) FCGI_RejectJSON(&context, "Please login."); continue; } + if (!FCGI_HasControl(&context, cookie)) { FCGI_RejectJSON(&context, "Invalid control key."); continue; } + + //Escape all special characters. + //Don't escape for login (password may have special chars?) + FCGI_EscapeText(params); } module_handler(&context, params);