From e016ced1195f441b7532f0c6a8ec129bd00b72d5 Mon Sep 17 00:00:00 2001 From: Julien BLACHE Date: Sat, 30 Jan 2010 16:50:00 +0100 Subject: [PATCH] Authenticate Remote clients by their pairing-guid Remote clients have a waiver for HTTP authentication; they are authenticated by their pairing-guid given during the pairing process. --- src/httpd_daap.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/src/httpd_daap.c b/src/httpd_daap.c index 77b7c848..51feb2a1 100644 --- a/src/httpd_daap.c +++ b/src/httpd_daap.c @@ -782,7 +782,10 @@ daap_reply_content_codes(struct evhttp_request *req, struct evbuffer *evbuf, cha static void daap_reply_login(struct evhttp_request *req, struct evbuffer *evbuf, char **uri, struct evkeyvalq *query) { + struct pairing_info pi; struct daap_session *s; + const char *ua; + const char *guid; int ret; ret = evbuffer_expand(evbuf, 32); @@ -794,6 +797,43 @@ daap_reply_login(struct evhttp_request *req, struct evbuffer *evbuf, char **uri, return; } + ua = evhttp_find_header(req->input_headers, "User-Agent"); + if (!ua) + { + DPRINTF(E_LOG, L_DAAP, "No User-Agent header, rejecting login request\n"); + + evhttp_send_error(req, 403, "Forbidden"); + return; + } + + if (strncmp(ua, "Remote", strlen("Remote")) == 0) + { + guid = evhttp_find_header(query, "pairing-guid"); + if (!guid) + { + DPRINTF(E_LOG, L_DAAP, "Login attempt with U-A: Remote and no pairing-guid\n"); + + evhttp_send_error(req, 403, "Forbidden"); + return; + } + + memset(&pi, 0, sizeof(struct pairing_info)); + pi.guid = strdup(guid + 2); /* Skip leading 0X */ + + ret = db_pairing_fetch_byguid(&pi); + if (ret < 0) + { + DPRINTF(E_LOG, L_DAAP, "Login attempt with invalid pairing-guid\n"); + + free_pi(&pi, 1); + evhttp_send_error(req, 403, "Forbidden"); + return; + } + + DPRINTF(E_INFO, L_DAAP, "Remote '%s' logging in with GUID %s\n", pi.name, pi.guid); + free_pi(&pi, 1); + } + s = daap_session_register(); if (!s) {