From 31b23820437b6b26aad9d414cdea1ccd39b9dd13 Mon Sep 17 00:00:00 2001
From: Apex Liu
Date: Wed, 17 Aug 2022 00:36:44 +0800
Subject: [PATCH] secure hot-fix

---
 .../www/teleport/webroot/app/controller/audit.py | 5 +++++
 server/www/teleport/webroot/app/controller/auth.py | 14 +++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/server/www/teleport/webroot/app/controller/audit.py b/server/www/teleport/webroot/app/controller/audit.py
index 529b03a..4a35904 100644
--- a/server/www/teleport/webroot/app/controller/audit.py
+++ b/server/www/teleport/webroot/app/controller/audit.py
@@ -679,6 +679,11 @@ class DoGetFileHandler(TPBaseHandler):
 self.set_status(400) # 400=错误请求
 return self.write('invalid param, `rid` and `f` must present.')
+ # 限制仅允许读取录像文件
+ if not filename.startswith('tp-'):
+ self.set_status(403) # 403=禁止
+ return self.write('you have no such privilege.')
+
 if act not in ['size', 'read']:
 self.set_status(400)
 return self.write('invalid param, `act` should be `size` or `read`.')
diff --git a/server/www/teleport/webroot/app/controller/auth.py b/server/www/teleport/webroot/app/controller/auth.py
index b022dcd..d02fc9d 100644
--- a/server/www/teleport/webroot/app/controller/auth.py
+++ b/server/www/teleport/webroot/app/controller/auth.py
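Review bot: The new `if not filename.startswith('tp-')` guard only constrains the first path component of `filename`, so a value that carries a path separator or a `..` segment after the prefix still passes it and reaches whatever path construction follows; the hot-fix narrows the problem rather than closing it. A tighter guard keeps the prefix test and additionally rejects `'/' in filename or '\\' in filename or '..' in filename`, or — preferably — resolves the final path with `os.path.realpath` and checks that it stays inside the recording directory before any `size`/`read` is served. How `filename` is joined into a filesystem path is outside this hunk, so the residual risk depends on that code. The enclosing handler method starts before the hunk and continues after it.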
@@ -95,22 +95,26 @@ class DoLoginHandler(TPBaseJsonHandler):
 ]:
 return self.write_json(TPE_PARAM, '未知的认证方式')
+ if len(username) == 0:
+ return self.write_json(TPE_PARAM, '未提供登录用户名')
+
+ if login_type in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
+ if password is None or len(password) == 0:
+ return self.write_json(TPE_PARAM, '未提供用户密码')
+
 if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA:
 oath = None
 code = self.get_session('captcha')
- if code is None:
+ if code is None or len(code) == 0:
 return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效')
 if code.lower() != captcha.lower():
 return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误')
 elif login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
- if len(oath) == 0:
+ if oath is None or len(oath) == 0:
 return self.write_json(TPE_OATH_MISMATCH, '未提供身份验证器动态验证码')
 self.del_session('captcha')
- if len(username) == 0:
- return self.write_json(TPE_PARAM, '未提供登录用户名')
- if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH