Require 'Accept' header for API requests (except for GET)

fixes #10548
This commit is contained in:
Michael Friedrich 2015-11-05 15:18:53 +01:00
parent a3d5d2488e
commit 7e5f5544fc
3 changed files with 17 additions and 1 deletions


@ -51,6 +51,7 @@ void ApiClient::GetTypes(const TypesCompletionCallback& callback) const
req->RequestMethod = "GET";
req->RequestUrl = url;
req->AddHeader("Authorization", "Basic " + Base64::Encode(m_User + ":" + m_Password));
req->AddHeader("Accept", "application/json");
m_Connection->SubmitRequest(req, boost::bind(TypesHttpCompletionCallback, _1, _2, callback));
} catch (const std::exception& ex) {
callback(boost::current_exception(), std::vector<ApiType::Ptr>());
@ -134,6 +135,7 @@ void ApiClient::GetObjects(const String& pluralType, const ObjectsCompletionCall
req->RequestMethod = "GET";
req->RequestUrl = url;
req->AddHeader("Authorization", "Basic " + Base64::Encode(m_User + ":" + m_Password));
req->AddHeader("Accept", "application/json");
m_Connection->SubmitRequest(req, boost::bind(ObjectsHttpCompletionCallback, _1, _2, callback));
} catch (const std::exception& ex) {
callback(boost::current_exception(), std::vector<ApiObject::Ptr>());
@ -231,6 +233,7 @@ void ApiClient::ExecuteScript(const String& session, const String& command, bool
req->RequestMethod = "POST";
req->RequestUrl = url;
req->AddHeader("Authorization", "Basic " + Base64::Encode(m_User + ":" + m_Password));
req->AddHeader("Accept", "application/json");
m_Connection->SubmitRequest(req, boost::bind(ExecuteScriptHttpCompletionCallback, _1, _2, callback));
} catch (const std::exception& ex) {
callback(boost::current_exception(), Empty);
@ -315,6 +318,7 @@ void ApiClient::AutocompleteScript(const String& session, const String& command,
req->RequestMethod = "POST";
req->RequestUrl = url;
req->AddHeader("Authorization", "Basic " + Base64::Encode(m_User + ":" + m_Password));
req->AddHeader("Accept", "application/json");
m_Connection->SubmitRequest(req, boost::bind(AutocompleteScriptHttpCompletionCallback, _1, _2, callback));
} catch (const std::exception& ex) {
callback(boost::current_exception(), Array::Ptr());
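Review bot: The request set-up (method, URL, Basic Authorization, and now the `req->AddHeader("Accept", "application/json");` line) is repeated verbatim in GetTypes, GetObjects, ExecuteScript and AutocompleteScript; because the server side compares the Accept value with exact string equality, any future edit that lets one copy drift from the others will make that single call fail with a 400 while the rest keep working. Consider moving the four lines into one private helper on ApiClient that takes the method and URL and applies both headers, so the Accept value and the credential encoding live in a single place. Each of the four functions starts and ends outside the hunks shown, so the surrounding try/catch structure is assumed rather than verified here.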


@ -49,6 +49,11 @@ bool ConfigFilesHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& re
params->Set("path", boost::algorithm::join(tmpPath, "/"));
}
if (request.Headers->Get("accept") == "application/json") {
HttpUtility::SendJsonError(response, 400, "Invalid Accept header. Either remove the Accept header or set it to 'application/octet-stream'.");
return true;
}
FilterUtility::CheckPermission(user, "config/query");
String packageName = HttpUtility::GetLastParameter(params, "package");
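Review bot: The test on the line `if (request.Headers->Get("accept") == "application/json") {` is an exact string match, so a client sending `Accept: application/json, */*` or `application/json; charset=utf-8` is not turned away and receives octet-stream content it did not ask for; if the intent is to reject any client that wants JSON, compare the media-type token (the text before the first `,` or `;`) instead of the whole header, using whatever substring helper `String` exposes. The rejection also runs before `FilterUtility::CheckPermission(user, "config/query")`, so an unauthorized caller learns the expected Accept value before getting its 403; harmless here, but authorization-first is the usual ordering and worth a comment if kept. Note too that HttpServerConnection now demands exactly `application/json` for every non-GET request while this handler rejects exactly that value, so if HandleRequest is ever reached for a non-GET method no Accept header can satisfy both — a comment such as `// GET only: non-GET requests must send Accept: application/json, which this handler cannot serve` would make the dependency explicit. HandleRequest begins and ends outside the hunk.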


@ -161,7 +161,14 @@ void HttpServerConnection::ProcessMessageAsync(HttpRequest& request)
HttpResponse response(m_Stream, request);
if (!user) {
String accept_header = request.Headers->Get("accept");
if (request.RequestMethod != "GET" && accept_header != "application/json") {
response.SetStatus(400, "Wrong Accept header");
response.AddHeader("Content-Type", "text/html");
String msg = "<h1>Accept header is missing or not set to 'application/json'.</h1>";
response.WriteBody(msg.CStr(), msg.GetLength());
} else if (!user) {
Log(LogWarning, "HttpServerConnection")
<< "Unauthorized request: " << request.RequestMethod << " " << requestUrl;
response.SetStatus(401, "Unauthorized");