--- ../strings.txt 2005-01-07 11:40:21.015625000 -0800 +++ strings.txt 2005-01-07 11:48:08.062500000 -0800 @@ -4505,6 +4505,12 @@ SETUP_TITLEFORMATWEB PT TÃtulo da Web actual SE Aktuellt titelformat för webgränssnittet +SETUP_CSRFPROTECTIONLEVEL + EN CSRF Protection Level + +SETUP_CSRFPROTECTIONLEVEL_DESC + EN To protect against "Cross Site Request Forgery" (CSRF) security threats, SlimServer applies special scrutiny to HTTP requests for functions that can make changes to your system or manipulate playlists or players. You may choose the level of scrutiny for the server to use. The default is Medium. <a href="http://localhost:9000/html/docs/http.html#csrf">See Help Section</a> for more details. + SETUP_IPFILTER_HEAD DE Blockieren eingehender Verbindungen DK Blokér indgÃ¥ende forbindelser @@ -5555,6 +5561,12 @@ HUGE FR Très grand JP 特大 +NONE + EN None + +HIGH + EN High + TITLEFORMAT DE Titel Format DK Format for sangtitler 
@@ -7547,6 +7559,12 @@ NEED_PLAYLIST_PATH PT Deve especificar a directoria que contêm os ficheiros de playlist. SE Du mÃ¥ste ange en sökväg till en mapp för dina sparade lÃ¥tlistor. +CSRF_ERROR_INFO + EN In order to request this URL from a Bookmark/Favorite, or some means other than following a link from the SlimServer web interface, you will need to use a URL with a \"cauth\" security parameter. If you received this error when following a link from the SlimServer web interface, you will want to make sure your web browser software (including proxy servers and spyware/privacy software) is allowing \"Referer\" headers to be sent. Below is the appropriate URL for the URL you attempted. + +CSRF_ERROR_MEDIUM + EN <p>Because your CSRF protection level is set at 'MEDIUM', you can use the same ";cauth=" value for any URL; this means you should be more careful who you share your URLs with.</p> + CLICK_HERE DE Hier klicken DK Klik her Only in Slim/Buttons: BrowseMenu.pm Only in Slim/Buttons/Input: Bar.pm.old Only in Slim/Buttons: SearchFor.pm Only in Slim/Buttons: plugins.diff Only in Slim/Formats: Parse.pm.rej Only in Slim/Music: DBI.pm Only in Slim/Music: DataSource.pm Only in Slim/Music: Info.pm.orig Only in Slim/Music: Info.pm.rej Only in Slim/Music: LocalDataSource.pm Only in Slim/Music: ape-playback.diff Only in Slim/Web/CVS: Entries~ diff -upBr ../Slim/Web/HTTP.pm Slim/Web/HTTP.pm --- ../Slim/Web/HTTP.pm 2005-01-07 18:01:00.000000000 -0800 +++ Slim/Web/HTTP.pm 2005-01-07 11:52:05.625000000 -0800 @@ -1746,7 +1746,7 @@ sub isCsrfAuthCodeValid($) { $::d_http && msg("Server unable to determine CRSF protection level due to missing server pref\n"); return 0; } - if ( $csrfProtectionLevel eq 'NONE' ) { + if ( !$csrfProtectionLevel) { # no protection, so we don't care return 1; } 
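Review bot: `if ( !$csrfProtectionLevel )` on the new line fails open for a pref that is present but empty: the missing-pref case just above returns 0, yet an empty string stored in the prefs file now lands in the "no protection" branch and every cauth code is accepted. The old comparisons were against the strings 'NONE'/'MEDIUM'/'HIGH', so a value left over from an earlier install also matches none of the new numeric tests (`!'HIGH'` is false, and the `== 1`/`== 2` tests further down numify it to 0 with an "isn't numeric" warning). I'd reject anything outside the new domain up front, `if ( $csrfProtectionLevel !~ /^[012]\z/ ) { $::d_http && msg("Invalid csrfProtectionLevel pref\n"); return 0; }`, and migrate the legacy strings to 0/1/2 where the pref is loaded (not in this diff, if such code exists). isCsrfAuthCodeValid begins above the hunk.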
@@ -1770,7 +1770,7 @@ sub isCsrfAuthCodeValid($) {
 $mediumHash->add($secret);
 # a "HIGH" hash is always accepted
 if ( $code eq $highHash->hexdigest() ) { return 1; }
- if ( $csrfProtectionLevel eq 'MEDIUM' ) {
+ if ( $csrfProtectionLevel == 1 ) {
 # at "MEDIUM" level, we'll take the $mediumHash, too
 if ( $code eq $mediumHash->hexdigest() ) { return 1; }
 }
@@ -1823,7 +1823,7 @@ sub makeAuthorizedURI($) {
 return 0;
 }
 my $hash = new Digest::MD5;
- if ( $csrfProtectionLevel eq 'HIGH' ) {
+ if ( $csrfProtectionLevel == 2 ) {
 # different code for each different URI
 $hash->add($uri);
 }
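Review bot: The level is now compared as a bare `== 1` here, `== 2` in makeAuthorizedURI and `== 1` again in throwCSRFError, while the surrounding comments still speak of "MEDIUM" and "HIGH"; the meaning of the numbers lives only in Setup.pm's option table. A named constant per level keeps the three call sites and the Setup options in step, e.g. `use constant { CSRF_NONE => 0, CSRF_MEDIUM => 1, CSRF_HIGH => 2 };` near the top of HTTP.pm and `if ( $csrfProtectionLevel == CSRF_MEDIUM ) {` on the changed line. The rest of isCsrfAuthCodeValid is outside this hunk.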
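Review bot: After this change makeAuthorizedURI adds the URI to the hash only when the level is exactly 2 and otherwise issues the URI-independent code, but isCsrfAuthCodeValid accepts that code only when the level is exactly 1 (or 0, where everything passes); for any other stored value — a legacy 'HIGH'/'MEDIUM' string, or an integer outside 0..2 written straight into the prefs file, which Setup.pm's validateArgs cannot catch — the server hands out cauth URLs it will then refuse. The generator should refuse exactly what the validator refuses: `return 0 unless defined($csrfProtectionLevel) && $csrfProtectionLevel =~ /^[012]\z/;` next to the existing `return 0` at the top of the hunk. That earlier check starts above the hunk, so I cannot see what it already covers.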
@@ -1842,12 +1842,12 @@ sub throwCSRFError($$$$) {
 # add a long SGML comment so Internet Explorer displays the page
 my $msg = "<!--" . ( '.' x 500 ) . "-->\n<p>";
 # BUG: stringify the following, as this message needs to be translatable!
- $msg .= "In order to request this URL from a Bookmark/Favorite, or some means other than following a link from the SlimServer web interface, you will need to use a URL with a \"cauth\" security parameter. If you received this error when following a link from the SlimServer web interface, you will want to make sure your web browser software (including proxy servers and spyware/privacy software) is allowing \"Referer\" headers to be sent. Below is the appropriate URL for the URL you attempted.";
+ $msg .= string('CSRF_ERROR_INFO');
 $msg .= "<br>\n<br>\n<A HREF=\"${authURI}\">${authURL}</A></p>";
 my $csrfProtectionLevel = Slim::Utils::Prefs::get("csrfProtectionLevel");
- if ( defined($csrfProtectionLevel) && $csrfProtectionLevel eq 'MEDIUM' ) {
+ if ( defined($csrfProtectionLevel) && $csrfProtectionLevel == 1 ) {
 # BUG: stringify the following, as this message needs to be translatable!
- $msg .= "<p>Because your CSRF protection level is set at 'MEDIUM', you can use the same ";cauth=" value for any URL; this means you should be more careful who you share your URLs with.</p>";
+ $msg .= string('CSRF_ERROR_MEDIUM');
 }
 $params->{'validURL'} = $msg;
 # add the appropriate URL in a response header to make automated
Only in Slim/Web: HTTP.pm.orig
diff -upBr ../Slim/Web/Setup.pm Slim/Web/Setup.pm
--- ../Slim/Web/Setup.pm 2005-01-07 04:52:00.000000000 -0800
+++ Slim/Web/Setup.pm 2005-01-07 11:17:50.015625000 -0800
@@ -1751,7 +1751,7 @@ sub initSetupConfig {
 ,'GroupOrder' => ['BasicAuth','Default']
 ,'Groups' => {
 'Default' => {
- 'PrefOrder' => ['filterHosts', 'allowedHosts']
+ 'PrefOrder' => ['filterHosts', 'allowedHosts','csrfProtectionLevel']
 }
 ,'BasicAuth' => {
 'PrefOrder' => ['authorize','username','password']
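Review bot: The text that `string('CSRF_ERROR_INFO')` now pulls in was copied into strings.txt with the Perl escapes intact — the strings.txt hunk above carries `\"cauth\"` and `\"Referer\"` — so unless the strings loader strips backslashes the error page will now show them literally; the entry should read plain `"cauth"` and `"Referer"`. The `$csrfProtectionLevel == 1` test on the new line has the same caveat as in isCsrfAuthCodeValid: a non-numeric legacy value numifies to 0 with an "isn't numeric" warning and silently hides the MEDIUM advice. While here, `${authURI}`/`${authURL}` on the unchanged line are interpolated into the `<A HREF>` without escaping; worth confirming they are entity-escaped where they are built, which is not visible in this diff. throwCSRFError continues outside the hunk.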
@@ -1789,6 +1789,17 @@ sub initSetupConfig {
 ,'1' => string('SETUP_IPFILTER')
 }
 }
+ ,'csrfProtectionLevel' => { 'validate' => \&validateInt ,'validateArgs' => [0,2,1,1] ,'optionSort' => 'V' ,'options' => { '0' => string('NONE') ,'1' => string('MEDIUM') ,'2' => string('HIGH')
+
+ }
+ }
 ,'allowedHosts' => {
 'validate' => \&validateAllowedHosts
 ,'PrefHead' => string('SETUP_FILTERRULE_HEAD')
--- ../http.html 2005-01-07 18:01:00.000000000 -0800
+++ HTML/EN/html/docs/http.html 2005-01-07 11:32:10.203125000 -0800
@@ -335,6 +335,7 @@ to have infrared debugging output.</td>
 </tr> </table>
+<a name=csrf>
 <h4>CSRF Security Measures</h4> <p>To protect against "Cross Site Request Forgery" (CSRF) security threats, SlimServer applies special scrutiny to HTTP requests for functions that can make changes to your system or manipulate playlists or players. This scrutiny is important to understand if you want to "bookmark" such a URL, or control SlimServer via the HTTP interface.
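Review bot: Nothing in this hunk, or elsewhere in the diff, supplies a default for `csrfProtectionLevel`, while the new SETUP_CSRFPROTECTIONLEVEL_DESC text says "The default is Medium" and HTTP.pm's isCsrfAuthCodeValid returns 0 when the pref is missing — so on an upgraded install every state-changing request would be rejected until the Server Settings page is saved once. Unless a default is registered in the prefs layer outside this diff, add one alongside the other prefs defaults, e.g. `Slim::Utils::Prefs::set('csrfProtectionLevel', 1) unless defined Slim::Utils::Prefs::get('csrfProtectionLevel');`. Note also that `validateArgs => [0,2,1,1]` only constrains values submitted through this form; a hand-edited prefs file is not validated here, so HTTP.pm still needs its own range check. initSetupConfig continues on both sides of the hunk.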