secure hot-fix.

feature/assist-websocket
Apex Liu 2022-08-17 00:24:06 +08:00
parent 805f5b312d
commit b17f793b1e
3 changed files with 19 additions and 7 deletions

4
.gitignore vendored

@ -90,6 +90,9 @@ __pycache__
/client/tools/tprdp /client/tools/tprdp
/client/build-tp-player-* /client/build-tp-player-*
/client/tp_assist_macos/src/tp-player.app /client/tp_assist_macos/src/tp-player.app
/client/tp_assist_linux
/client/cfg/tp-assist.linux.json
/client/tp-player/res/cursor1.png
/server/tp_core/protocol/rdp /server/tp_core/protocol/rdp
/server/hot-fix /server/hot-fix
/server/tools/tpr2mp4 /server/tools/tpr2mp4
@ -113,6 +116,7 @@ xcuserdata
profile profile
*.moved-aside *.moved-aside
/server/share/tmp /server/share/tmp
*.pbxproj.backup.*
/server/tp_core/testssh/Debug /server/tp_core/testssh/Debug
/server/tp_core/testssh/Release /server/tp_core/testssh/Release


@ -683,6 +683,11 @@ class DoGetFileHandler(TPBaseHandler):
self.set_status(400) # 400=错误请求 self.set_status(400) # 400=错误请求
return self.write('invalid param, `rid` and `f` must present.') return self.write('invalid param, `rid` and `f` must present.')
# 限制仅允许读取录像文件
if not filename.startswith('tp-'):
self.set_status(403) # 403=禁止
return self.write('you have no such privilege.')
if act not in ['size', 'read']: if act not in ['size', 'read']:
self.set_status(400) self.set_status(400)
return self.write('invalid param, `act` should be `size` or `read`.') return self.write('invalid param, `act` should be `size` or `read`.')
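Review bot: The prefix check added at `if not filename.startswith('tp-'):` does not by itself confine the read to the recording directory, because a value that starts with `tp-` but also contains a path separator or a `..` component still passes it; if `filename` is later joined onto a directory (the rest of DoGetFileHandler is outside this hunk), a traversal remains possible. Reject anything that is not a bare file name, e.g. `if not filename.startswith('tp-') or os.path.basename(filename) != filename:` (assuming `os` is imported in this module), or resolve the final path with `os.path.realpath` and verify it lies under the recordings directory before opening it. A comment such as `# prefix check alone does not prevent path traversal; the resolved path must also stay under the recording directory` would make the intent of the guard clear to the next maintainer.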


@ -96,22 +96,25 @@ class DoLoginHandler(TPBaseJsonHandler):
]: ]:
return self.write_json(TPE_PARAM, '未知的认证方式') return self.write_json(TPE_PARAM, '未知的认证方式')
if len(username) == 0:
return self.write_json(TPE_PARAM, '未提供登录用户名')
if login_type in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
if password is None or len(password) == 0:
return self.write_json(TPE_PARAM, '未提供用户密码')
if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA: if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA:
oath = None oath = None
code = self.get_session('captcha') code = self.get_session('captcha')
if code is None: if code is None or len(code) == 0:
return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效') return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效')
if code.lower() != captcha.lower(): if code.lower() != captcha.lower():
return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误') return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误')
elif login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]: if login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
if len(oath) == 0: if oath is None or len(oath) == 0:
return self.write_json(TPE_OATH_MISMATCH, '未提供身份验证器动态验证码') return self.write_json(TPE_PARAM, '未提供身份验证器动态验证码')
self.del_session('captcha') self.del_session('captcha')
if len(username) == 0:
return self.write_json(TPE_PARAM, '未提供登录用户名')
if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD, if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD,
TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA,
TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH