From f1724d2f23c0c39c34dd90fd68297d9e75029035 Mon Sep 17 00:00:00 2001 From: mrkubax10 Date: Tue, 12 Sep 2023 20:21:15 +0200 Subject: [PATCH] Frontend: Don't allow viewing private channel logs without access --- frontend.pm | 14 +++++++++++++- frontend_routes.pm | 47 ++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 56 insertions(+), 5 deletions(-) diff --git a/frontend.pm b/frontend.pm index e4e694d..f5cd2f9 100644 --- a/frontend.pm +++ b/frontend.pm @@ -297,6 +297,18 @@ sub sendBadRequest { $aClient->send($response); } +sub sendUnauthorized { + my $aClient = $_[0]; + my $aMessage = $_[1]; + + my $content = "

401 Unauthorized

irclogger_web
Error: $aMessage"; + my $response = getBaseResponse(401, "Unauthorized"); + $response.="Content-Type: text/html, charset=utf-8\r\n"; + $response.="Content-Length: ".length($content)."\r\n\r\n"; + $response.=$content; + $aClient->send($response); +} + sub sendForbidden { my $aClient = $_[0]; my $aMessage = $_[1]; @@ -429,7 +441,7 @@ sub sendResponse { my $aRequest = $_[1]; my $aConnection = $_[2]; - if($aRequest->{"version"} ne "HTTP/1.1") { + if($aRequest->{"version"} ne "HTTP/1.0" && $aRequest->{"version"} ne "HTTP/1.1") { sendNotImplemented($aClient); return; } diff --git a/frontend_routes.pm b/frontend_routes.pm index d8988a8..656cb40 100644 --- a/frontend_routes.pm +++ b/frontend_routes.pm @@ -26,6 +26,35 @@ use feature qw(switch); use strict; use warnings; +sub verifyChannelAccess { + my $aRequest = $_[0]; + my $aClient = $_[1]; + my $aConnection = $_[2]; + my $aChannelID = $_[3]; + + if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) { + frontend::sendUnauthorized($aClient, "You need to log in to view this resource"); + return 0; + } + my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}}; + my $query = $aConnection->prepare(qq(select id, privileges from users where name=?;)); + $query->execute($session->{"username"}); + my @row = $query->fetchrow_array(); + my $userID = $row[0]; + my $privileges = $row[1]; + if($privileges>0) { + return 1; + } + $query = $aConnection->prepare(qq(select user_id from accessors where channel_id=$aChannelID and user_id=$userID;)); + $query->execute($session->{"username"}); + @row = $query->fetchrow_array(); + if(scalar(@row)==0) { + frontend::sendForbidden($aClient, "You don't have access to this channel logs"); + return 0; + } + return 1; +} + sub handlePath { my $aClient = $_[0]; my $aPath = $_[1]; @@ -337,7 +366,7 @@ sub handlePath { return 1; } - my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;)); + my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;)); $query->execute($channelID); my @row = $query->fetchrow_array(); if(scalar(@row)==0) { @@ -345,7 +374,12 @@ sub handlePath { return 1; } my $channelName = $row[0]; - my $serverName = $row[1]; + $channelName =~ s/%23/#/; + my $channelPublic = $row[1]; + if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) { + return 1; + } + my $serverName = $row[2]; my $logsPath = "logs/".$serverName."/".$channelName; my $result = opendir(my $folder, $logsPath); @@ -375,7 +409,7 @@ sub handlePath { return 1; } - my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;)); + my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;)); $query->execute($channelID); my @row = $query->fetchrow_array(); if(scalar(@row)==0) { @@ -383,7 +417,12 @@ sub handlePath { return 1; } my $channelName = $row[0]; - my $serverName = $row[1]; + $channelName =~ s/%23/#/; + my $channelPublic = $row[1]; + if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) { + return 1; + } + my $serverName = $row[2]; my $logFilePath = "logs/".$serverName."/".$channelName."/".$logFile; my $result = open(my $file, "<", $logFilePath);