secure hot-fix

hotfix/3.6.5-rc6-secure-fix
Apex Liu 2022-08-17 00:36:44 +08:00
parent 37b697fd8b
commit 31b2382043
2 changed files with 14 additions and 5 deletions


@ -679,6 +679,11 @@ class DoGetFileHandler(TPBaseHandler):
self.set_status(400) # 400=错误请求 self.set_status(400) # 400=错误请求
return self.write('invalid param, `rid` and `f` must present.') return self.write('invalid param, `rid` and `f` must present.')
# 限制仅允许读取录像文件
if not filename.startswith('tp-'):
self.set_status(403) # 403=禁止
return self.write('you have no such privilege.')
if act not in ['size', 'read']: if act not in ['size', 'read']:
self.set_status(400) self.set_status(400)
return self.write('invalid param, `act` should be `size` or `read`.') return self.write('invalid param, `act` should be `size` or `read`.')
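Review bot: The new guard `if not filename.startswith('tp-'):` restricts only the prefix, so a value that begins with `tp-` but still carries a directory separator or a `..` component satisfies it; if `filename` is later joined onto a recordings directory (that code is not in this hunk), the prefix alone does not confine reads to that directory. The check should also insist on a bare file name, e.g. `if not filename.startswith('tp-') or '/' in filename or '\\' in filename or '..' in filename:`, or compare the normalized path's basename with `filename` and fail closed on any mismatch. Consider an English comment beside the existing `# 限制仅允许读取录像文件` note, e.g. `# only recording files (tp-*) may be read; reject anything that is not a plain file name`. The DoGetFileHandler method that contains this check starts before and continues after the hunk, so where `filename` is parsed and how it is used cannot be confirmed from these lines.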


@ -95,22 +95,26 @@ class DoLoginHandler(TPBaseJsonHandler):
]: ]:
return self.write_json(TPE_PARAM, '未知的认证方式') return self.write_json(TPE_PARAM, '未知的认证方式')
if len(username) == 0:
return self.write_json(TPE_PARAM, '未提供登录用户名')
if login_type in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
if password is None or len(password) == 0:
return self.write_json(TPE_PARAM, '未提供用户密码')
if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA: if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA:
oath = None oath = None
code = self.get_session('captcha') code = self.get_session('captcha')
if code is None: if code is None or len(code) == 0:
return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效') return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效')
if code.lower() != captcha.lower(): if code.lower() != captcha.lower():
return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误') return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误')
elif login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]: elif login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
if len(oath) == 0: if oath is None or len(oath) == 0:
return self.write_json(TPE_OATH_MISMATCH, '未提供身份验证器动态验证码') return self.write_json(TPE_OATH_MISMATCH, '未提供身份验证器动态验证码')
self.del_session('captcha') self.del_session('captcha')
if len(username) == 0:
return self.write_json(TPE_PARAM, '未提供登录用户名')
if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD, if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD,
TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA,
TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH