From 250e0c75dfaebca54e93be6c11c70cb0d19e589a Mon Sep 17 00:00:00 2001 From: Joshua Boniface Date: Wed, 17 Apr 2019 22:31:06 -0400 Subject: [PATCH 1/6] Add MethodNotAllowedException with code 405 --- Emby.Server.Implementations/HttpServer/HttpListenerHost.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs index e8d47cad52..831391cee6 100644 --- a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs +++ b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs @@ -203,6 +203,7 @@ namespace Emby.Server.Implementations.HttpServer case DirectoryNotFoundException _: case FileNotFoundException _: case ResourceNotFoundException _: return 404; + case MethodNotAllowedException _: return 405; case RemoteServiceUnavailableException _: return 502; default: return 500; } From e790f024c2da2b3104ad698abfbd74fdf273bb9f Mon Sep 17 00:00:00 2001 From: Joshua Boniface Date: Wed, 17 Apr 2019 22:31:17 -0400 Subject: [PATCH 2/6] Return MethodNotAllowedException if Pw is not set Don't accept pre-hashed (not-plaintext) passwords as the auth provider no longer supports this due to sha1+salting the passwords in the database. --- MediaBrowser.Api/UserService.cs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs index a6849f75f5..0db62098ca 100644 --- a/MediaBrowser.Api/UserService.cs +++ b/MediaBrowser.Api/UserService.cs @@ -379,6 +379,11 @@ namespace MediaBrowser.Api throw new ResourceNotFoundException("User not found"); } + if (!request.Pw) + { + throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API."); + } + return Post(new AuthenticateUserByName { Username = user.Name, From ca3bb308b3b20327ee96ea914cdaf02fa51374cd Mon Sep 17 00:00:00 2001 
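Review bot: In PATCH 2/6 (`UserService.cs`) the new guard reports a refused credential format through `MethodNotAllowedException`, which the PATCH 1/6 mapping in `HttpListenerHost.cs` turns into HTTP 405. That status means the HTTP method is not supported for the resource, whereas here the POST itself is fine and only the body is refused. A 400-class response fits better; if the switch already maps an exception to 400 (not visible in the hunk), `throw new ArgumentException("Hashed-only passwords are not valid for this API.");` would be the smaller change. If 405 stays, note that the mapping returns only the status code, so the `Allow` header a 405 response is expected to carry would have to be set elsewhere. Both the switch and the method body continue outside their hunks.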
From: Joshua Boniface Date: Wed, 17 Apr 2019 22:46:26 -0400 Subject: [PATCH 3/6] Add the proper Class too --- .../Extensions/ResourceNotFoundException.cs | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs b/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs index f62c65fd7f..9f70ae7d89 100644 --- a/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs +++ b/MediaBrowser.Common/Extensions/ResourceNotFoundException.cs @@ -26,6 +26,30 @@ namespace MediaBrowser.Common.Extensions } } + /// + /// Class MethodNotAllowedException + /// + public class MethodNotAllowedException : Exception + { + /// + /// Initializes a new instance of the class. + /// + public MethodNotAllowedException() + { + + } + + /// + /// Initializes a new instance of the class. + /// + /// The message. + public MethodNotAllowedException(string message) + : base(message) + { + + } + } + public class RemoteServiceUnavailableException : Exception { public RemoteServiceUnavailableException() From eaa1ac80133e766a1d3ab4e0f5a07bc48619cd44 Mon Sep 17 00:00:00 2001 From: Joshua Boniface Date: Wed, 17 Apr 2019 22:49:17 -0400 Subject: [PATCH 4/6] Apparently strings can't be !'d --- MediaBrowser.Api/UserService.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs index 0db62098ca..119c423e60 100644 --- a/MediaBrowser.Api/UserService.cs +++ b/MediaBrowser.Api/UserService.cs @@ -379,7 +379,7 @@ namespace MediaBrowser.Api throw new ResourceNotFoundException("User not found"); } - if (!request.Pw) + if (request.Pw == "") { throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API."); } From 10f33b027345193f91b91600473222797ae9bef5 Mon Sep 17 00:00:00 2001 
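Review bot: The summary comment on the new class in PATCH 3/6 only restates the type name, so a reader of `ResourceNotFoundException.cs` cannot tell when to throw it or what the client will see. Something like `/// Thrown when the endpoint refuses the request as submitted; HttpListenerHost maps it to HTTP 405.` would document the contract introduced in PATCH 1/6. The two constructors also leave out the `(string message, Exception innerException)` overload, which is worth adding if this exception is ever used to wrap another one.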
From: Joshua Boniface Date: Thu, 18 Apr 2019 09:31:30 -0400 Subject: [PATCH 5/6] Update conditional to be correct --- MediaBrowser.Api/UserService.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs index 119c423e60..7628a2f0fa 100644 --- a/MediaBrowser.Api/UserService.cs +++ b/MediaBrowser.Api/UserService.cs @@ -379,7 +379,7 @@ namespace MediaBrowser.Api throw new ResourceNotFoundException("User not found"); } - if (request.Pw == "") + if (!string.IsNullOrEmpty(request.Password) || string.IsNullOrEmpty(request.Pw)) { throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API."); } From 31ad366aa93e8bc07f6e120320f3abd27d9dfd49 Mon Sep 17 00:00:00 2001 From: Joshua Boniface Date: Thu, 18 Apr 2019 10:24:08 -0400 Subject: [PATCH 6/6] Implemented suggested conditional --- MediaBrowser.Api/UserService.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs index 7628a2f0fa..497800d263 100644 --- a/MediaBrowser.Api/UserService.cs +++ b/MediaBrowser.Api/UserService.cs @@ -379,7 +379,7 @@ namespace MediaBrowser.Api throw new ResourceNotFoundException("User not found"); } - if (!string.IsNullOrEmpty(request.Password) || string.IsNullOrEmpty(request.Pw)) + if (!string.IsNullOrEmpty(request.Password) && string.IsNullOrEmpty(request.Pw)) { throw new MethodNotAllowedException("Hashed-only passwords are not valid for this API."); } @@ -387,7 +387,7 @@ namespace MediaBrowser.Api return Post(new AuthenticateUserByName { Username = user.Name, - Password = request.Password, + Password = null, // This should always be null Pw = request.Pw }); }
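Review bot: The guard in the first hunk of PATCH 6/6 sits after the user lookup, so a request carrying only the legacy hashed `Password` gets 404 for an unknown user and 405 for a known one. The 404 is in the context lines and predates this series, so this adds no new oracle, but checking the payload before the lookup would keep the format error independent of whether the account exists. The condition also lets a request with both fields empty fall through to `Post(new AuthenticateUserByName ...)`. If that is deliberate (presumably for accounts without a password, which is not visible here), say so with a comment such as `// Empty Pw is allowed: passwordless accounts authenticate with no credential`. The method body starts outside the hunk.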
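Review bot: The comment on `Password = null` in the second hunk of PATCH 6/6 says what happens but not why, and the reason is the security-relevant part: the legacy pre-hashed field must never reach the authentication provider. Suggest `Password = null, // Legacy pre-hashed field is never forwarded; only the plaintext Pw is used to authenticate`. The enclosing method starts outside the hunk.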