Merge pull request #267 from djbadders/develop
Fixes security issues around configuration download
This commit is contained in:
commit
0a15c7c8c9
|
@ -0,0 +1,5 @@
|
||||||
|
@page
|
||||||
|
@model DownloadFileModel
|
||||||
|
@{
|
||||||
|
Layout = null;
|
||||||
|
}
|
|
@ -0,0 +1,47 @@
|
||||||
|
using System;
|
||||||
|
using System.Collections;
|
||||||
|
using System.IO;
|
||||||
|
using Microsoft.Net.Http.Headers;
|
||||||
|
using Core.Helper;
|
||||||
|
|
||||||
|
namespace Monitor.Pages {
|
||||||
|
public class DownloadFileModel : _Internal.BasePageModelSecure {
|
||||||
|
|
||||||
|
public void OnGet() {
|
||||||
|
// Initialize Config
|
||||||
|
base.Init();
|
||||||
|
|
||||||
|
// Check we have a log in
|
||||||
|
if (base.IsLoggedIn(this.HttpContext))
|
||||||
|
{
|
||||||
|
InitializeDownload();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async void InitializeDownload() {
|
||||||
|
// Zip the file in an non web accessible folder
|
||||||
|
string fileName = GetStringParameter("f", "");
|
||||||
|
string tempFolder = PTMagicMonitorBasePath + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
|
||||||
|
|
||||||
|
if (System.IO.File.Exists(PTMagicBasePath + fileName)) {
|
||||||
|
if (!System.IO.Directory.Exists(tempFolder)) {
|
||||||
|
System.IO.Directory.CreateDirectory(tempFolder);
|
||||||
|
}
|
||||||
|
|
||||||
|
string sourcefilePath = PTMagicBasePath + fileName;
|
||||||
|
string destinationFilePath = tempFolder + fileName + ".zip";
|
||||||
|
|
||||||
|
ZIPHelper.CreateZipFile(new ArrayList() { sourcefilePath }, destinationFilePath);
|
||||||
|
|
||||||
|
// Write out the file
|
||||||
|
var data = System.IO.File.ReadAllBytes(destinationFilePath);
|
||||||
|
|
||||||
|
Response.ContentType = "application/zip";
|
||||||
|
Response.Headers[HeaderNames.CacheControl] = "no-cache";
|
||||||
|
Response.Headers[HeaderNames.ContentDisposition] = String.Format("attachment; filename={0}", fileName);
|
||||||
|
await Response.BodyWriter.WriteAsync(new Memory<byte>(data));
|
||||||
|
Response.BodyWriter.Complete();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -7,6 +7,7 @@ using Microsoft.Extensions.Configuration;
|
||||||
using Microsoft.Extensions.DependencyInjection;
|
using Microsoft.Extensions.DependencyInjection;
|
||||||
using Microsoft.AspNetCore.Server.Kestrel.Core;
|
using Microsoft.AspNetCore.Server.Kestrel.Core;
|
||||||
using Core.Main;
|
using Core.Main;
|
||||||
|
using Core.Helper;
|
||||||
using System.Runtime.InteropServices;
|
using System.Runtime.InteropServices;
|
||||||
using System.Diagnostics;
|
using System.Diagnostics;
|
||||||
|
|
||||||
|
@ -58,6 +59,13 @@ namespace Monitor
|
||||||
{
|
{
|
||||||
options.AllowSynchronousIO = true;
|
options.AllowSynchronousIO = true;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// Remove the old tmp folder if it exists
|
||||||
|
string oldTmpFolder = monitorBasePath + System.IO.Path.DirectorySeparatorChar + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
|
||||||
|
if (System.IO.Directory.Exists(oldTmpFolder))
|
||||||
|
{
|
||||||
|
System.IO.Directory.Delete(oldTmpFolder, true);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
|
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
|
||||||
|
|
|
@ -7,13 +7,48 @@ namespace Monitor._Internal
|
||||||
{
|
{
|
||||||
public class BasePageModelSecure : BasePageModel
|
public class BasePageModelSecure : BasePageModel
|
||||||
{
|
{
|
||||||
|
// The string to redirect to if it fails security
|
||||||
|
protected string _redirectUrl;
|
||||||
|
|
||||||
|
public BasePageModelSecure(string redirect = null)
|
||||||
|
{
|
||||||
|
// Configure redirect URL
|
||||||
|
_redirectUrl = !String.IsNullOrEmpty(redirect) ? redirect : "Login";
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Must be called from inheritting pages to check security
|
||||||
|
/// </summary>
|
||||||
public void Init()
|
public void Init()
|
||||||
{
|
{
|
||||||
|
// Initialise base class
|
||||||
base.PreInit();
|
base.PreInit();
|
||||||
|
|
||||||
if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
|
// Security check
|
||||||
|
if (!IsLoggedIn(this.HttpContext))
|
||||||
{
|
{
|
||||||
bool redirectToLogin = true;
|
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + _redirectUrl);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Check to see a user if logged in interactively
|
||||||
|
/// </summary>
|
||||||
|
/// <returns>Boolean - User logged in or not</returns>
|
||||||
|
protected Boolean IsLoggedIn(HttpContext context)
|
||||||
|
{
|
||||||
|
bool isLoggedIn = false;
|
||||||
|
|
||||||
|
if (PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
|
||||||
|
{
|
||||||
|
// Do we have a session active?
|
||||||
|
if (!String.IsNullOrEmpty(context.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())))
|
||||||
|
{
|
||||||
|
isLoggedIn = true;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// Do we have a auto login cookie?
|
||||||
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
|
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
|
||||||
{
|
{
|
||||||
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
|
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
|
||||||
|
@ -22,17 +57,22 @@ namespace Monitor._Internal
|
||||||
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
|
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
|
||||||
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
|
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
|
||||||
{
|
{
|
||||||
HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
|
context.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
|
||||||
redirectToLogin = false;
|
isLoggedIn = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// No password required
|
||||||
|
isLoggedIn = true;
|
||||||
|
}
|
||||||
|
|
||||||
if (redirectToLogin)
|
return isLoggedIn;
|
||||||
{
|
|
||||||
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,49 +1,12 @@
|
||||||
using System;
|
namespace Monitor._Internal
|
||||||
using System.IO;
|
|
||||||
using Microsoft.AspNetCore.Http;
|
|
||||||
using Microsoft.AspNetCore.Mvc;
|
|
||||||
using Microsoft.AspNetCore.Mvc.RazorPages;
|
|
||||||
using Microsoft.Extensions.Configuration;
|
|
||||||
using Microsoft.Extensions.DependencyInjection;
|
|
||||||
using Newtonsoft.Json;
|
|
||||||
using Core.Main;
|
|
||||||
using Core.Helper;
|
|
||||||
using Core.Main.DataObjects.PTMagicData;
|
|
||||||
using Core.MarketAnalyzer;
|
|
||||||
using Core.ProfitTrailer;
|
|
||||||
using Microsoft.Extensions.Primitives;
|
|
||||||
|
|
||||||
namespace Monitor._Internal
|
|
||||||
{
|
{
|
||||||
|
|
||||||
public class BasePageModelSecureAJAX : BasePageModel
|
public class BasePageModelSecureAJAX : BasePageModelSecure
|
||||||
{
|
{
|
||||||
public void Init()
|
public BasePageModelSecureAJAX() : base(@"_get/ReturnToLogin") {
|
||||||
{
|
// Logic in base class
|
||||||
base.PreInit();
|
|
||||||
|
|
||||||
if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
|
|
||||||
{
|
|
||||||
bool redirectToLogin = true;
|
|
||||||
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
|
|
||||||
{
|
|
||||||
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
|
|
||||||
if (!rememberMeKey.Equals(""))
|
|
||||||
{
|
|
||||||
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
|
|
||||||
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
|
|
||||||
{
|
|
||||||
HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
|
|
||||||
redirectToLogin = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (redirectToLogin)
|
|
||||||
{
|
|
||||||
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "_get/ReturnToLogin");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue