secure hot-fix.

2022-08-17 00:24:06 +08:00 · 2022-08-17 00:24:06 +08:00 · b17f793b1e
parent 805f5b312d
commit b17f793b1e
3 changed files with 19 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -90,6 +90,9 @@ __pycache__
 /client/tools/tprdp
 /client/build-tp-player-*
 /client/tp_assist_macos/src/tp-player.app
+/client/tp_assist_linux
+/client/cfg/tp-assist.linux.json
+/client/tp-player/res/cursor1.png
 /server/tp_core/protocol/rdp
 /server/hot-fix
 /server/tools/tpr2mp4
@ -113,6 +116,7 @@ xcuserdata
 profile
 *.moved-aside
 /server/share/tmp
+*.pbxproj.backup.*

 /server/tp_core/testssh/Debug
 /server/tp_core/testssh/Release
--- a/server/www/teleport/webroot/app/controller/audit.py
+++ b/server/www/teleport/webroot/app/controller/audit.py
@ -683,6 +683,11 @@ class DoGetFileHandler(TPBaseHandler):
            self.set_status(400)  # 400=错误请求
            return self.write('invalid param, `rid` and `f` must present.')

+        # 限制仅允许读取录像文件
+        if not filename.startswith('tp-'):
+            self.set_status(403)  # 403=禁止
+            return self.write('you have no such privilege.')
+
        if act not in ['size', 'read']:
            self.set_status(400)
            return self.write('invalid param, `act` should be `size` or `read`.')
--- a/server/www/teleport/webroot/app/controller/auth.py
+++ b/server/www/teleport/webroot/app/controller/auth.py
@ -96,22 +96,25 @@ class DoLoginHandler(TPBaseJsonHandler):
                              ]:
            return self.write_json(TPE_PARAM, '未知的认证方式')

+        if len(username) == 0:
+            return self.write_json(TPE_PARAM, '未提供登录用户名')
+
+        if login_type in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
+            if password is None or len(password) == 0:
+                return self.write_json(TPE_PARAM, '未提供用户密码')
        if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA:
            oath = None
            code = self.get_session('captcha')
-            if code is None:
+            if code is None or len(code) == 0:
                return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效')
            if code.lower() != captcha.lower():
                return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误')
-        elif login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
-            if len(oath) == 0:
-                return self.write_json(TPE_OATH_MISMATCH, '未提供身份验证器动态验证码')
+        if login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]:
+            if oath is None or len(oath) == 0:
+                return self.write_json(TPE_PARAM, '未提供身份验证器动态验证码')

        self.del_session('captcha')

-        if len(username) == 0:
-            return self.write_json(TPE_PARAM, '未提供登录用户名')
-
        if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD,
                              TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA,
                              TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH