[Libreoffice-commits] online.git: loolwsd.xml.in wsd/Admin.cpp wsd/Admin.hpp wsd/FileServer.cpp wsd/LOOLWSD.cpp wsd/LOOLWSD.hpp

Michael Meeks michael.meeks at collabora.com
Tue Apr 17 19:48:00 UTC 2018


 loolwsd.xml.in     |    1 +
 wsd/Admin.cpp      |   12 ++++++++++++
 wsd/Admin.hpp      |    6 +-----
 wsd/FileServer.cpp |    7 +++++++
 wsd/LOOLWSD.cpp    |    2 ++
 wsd/LOOLWSD.hpp    |    1 +
 6 files changed, 24 insertions(+), 5 deletions(-)

New commits:
commit ce06a9ae3778c45ab146ecb5b8fc839f9e4f2e7d
Author: Michael Meeks <michael.meeks at collabora.com>
Date:   Tue Apr 17 20:47:17 2018 +0100

    Allow the Admin console to be disabled in the configuration.
    
    Change-Id: Iacde8e891f42e9ef9399ebbebbd2b2978188d4c4

diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 38e81a2b0..456790005 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -107,6 +107,7 @@
     <tile_cache_persistent desc="Should the tiles persist between two editing sessions of the given document?" type="bool" default="true">true</tile_cache_persistent>
 
     <admin_console desc="Web admin console settings.">
+        <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable>
         <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="true">true</enable_pam>
         <username desc="The username of the admin console. Must be set, if PAM is not enabled, otherwise it's optional."></username>
         <password desc="The password of the admin console. Deprecated on most platforms. Instead, use loolconfig to set up a secure password."></password>
diff --git a/wsd/Admin.cpp b/wsd/Admin.cpp
index 41407d071..dc1ff562f 100644
--- a/wsd/Admin.cpp
+++ b/wsd/Admin.cpp
@@ -294,6 +294,12 @@ bool AdminSocketHandler::handleInitialRequest(
     const std::weak_ptr<StreamSocket> &socketWeak,
     const Poco::Net::HTTPRequest& request)
 {
+    if (!LOOLWSD::AdminEnabled)
+    {
+        LOG_ERR("Request for disabled admin console");
+        return false;
+    }
+
     std::shared_ptr<StreamSocket> socket = socketWeak.lock();
 
     // Different session id pool for admin sessions (?)
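Review bot: The new guard at the top of handleInitialRequest logs at error level for a request that any remote client can send while the console is disabled, and the message carries nothing that identifies the request. A warning that includes the request URI is easier to triage and less likely to bury real errors if the endpoint is probed repeatedly, for example `LOG_WRN("Request for disabled admin console: " << request.getURI());`. What the caller does when this function returns false is not visible in the hunk, so it is worth confirming that the socket is closed with a definite HTTP error rather than left open. The body of handleInitialRequest continues past the hunk.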
@@ -607,4 +613,10 @@ void Admin::dumpState(std::ostream& os)
     SocketPoll::dumpState(os);
 }
 
+void Admin::start()
+{
+    if (LOOLWSD::AdminEnabled)
+        startThread();
+}
+
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
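Review bot: Admin::start() now returns silently when the console is disabled, so the admin poll thread never runs, but nothing in this hunk stops the rest of the process from handing work to the Admin instance. If other code posts callbacks or document and session updates to this poll (not visible here), they would queue without ever being drained, so please confirm those paths are also skipped when `LOOLWSD::AdminEnabled` is false. A one-line log in the disabled branch, such as `LOG_INF("Admin console disabled by configuration");`, would also let operators verify that the setting took effect.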
diff --git a/wsd/Admin.hpp b/wsd/Admin.hpp
index 571979401..49107d5c9 100644
--- a/wsd/Admin.hpp
+++ b/wsd/Admin.hpp
@@ -60,11 +60,7 @@ public:
         return admin;
     }
 
-    void start()
-    {
-        // FIXME: not if admin console is not enabled ?
-        startThread();
-    }
+    void start();
 
     /// Custom poll thread function
     void pollingThread() override;
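Review bot: The declaration `void start();` lost the only comment describing its behaviour when the body moved to Admin.cpp. The neighbouring member is documented with `///`, so add one here, e.g. `/// Starts the admin poll thread; does nothing when admin_console.enable is false.` The enclosing class starts and ends outside the hunk.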
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 24ab20b01..b4c66056b 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -113,6 +113,8 @@ bool isPamAuthOk(const std::string& user, const std::string& pass)
 bool FileServerRequestHandler::isAdminLoggedIn(const HTTPRequest& request,
                                                HTTPResponse &response)
 {
+    assert(LOOLWSD::AdminEnabled);
+
     const auto& config = Application::instance().config();
     const std::string sslKeyPath = config.getString("ssl.key_file_path", "");
 
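Review bot: `assert(LOOLWSD::AdminEnabled);` at the top of isAdminLoggedIn is not an access check. It compiles away when NDEBUG is defined, and in builds that keep assertions a request reaching it with the console disabled would abort the whole server. The handleRequest caller in this commit tests the flag first, but any other caller (not visible here) would go straight to credential handling in a release build. Replacing the assert with a runtime check that fails closed is safer, e.g. `if (!LOOLWSD::AdminEnabled) return false;`. The function body continues past the hunk.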
@@ -250,11 +252,16 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
         if (request.getMethod() == HTTPRequest::HTTP_GET)
         {
             if (endPoint == "admin.html" ||
+                endPoint == "admin-bundle.js" ||
+                endPoint == "admin-localizations.js" ||
                 endPoint == "adminSettings.html" ||
                 endPoint == "adminAnalytics.html")
             {
                 noCache = true;
 
+                if (!LOOLWSD::AdminEnabled)
+                    throw Poco::FileAccessDeniedException("Admin console disabled");
+
                 if (!FileServerRequestHandler::isAdminLoggedIn(request, response))
                     throw Poco::Net::NotAuthenticatedException("Invalid admin login");
 
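Review bot: The admin gate in handleRequest is an exact-match list of file names, and this hunk itself has to add `admin-bundle.js` and `admin-localizations.js`, which the list had missed. Any other admin asset not named here therefore still bypasses both the enabled check and the login check. Consider moving the names into one helper (for example a small `isAdminEndPoint(endPoint)` backed by a static set) so the two checks and any future assets stay in step. How `Poco::FileAccessDeniedException` is turned into an HTTP status is outside the hunk; it should map to a plain 403 or 404 rather than an authentication challenge, so that clients are not prompted for credentials for a disabled console. The enclosing function starts and ends outside the hunk.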
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index da4280ffb..5249e2880 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -569,6 +569,7 @@ std::atomic<int> LOOLWSD::ForKitProcId(-1);
 #endif
 bool LOOLWSD::NoSeccomp = false;
 bool LOOLWSD::NoCapsForKit = false;
+bool LOOLWSD::AdminEnabled = true;
 #ifdef FUZZER
 bool LOOLWSD::DummyLOK = false;
 std::string LOOLWSD::FuzzFileName;
@@ -856,6 +857,7 @@ void LOOLWSD::initialize(Application& self)
 
     NoSeccomp = !getConfigValue<bool>(conf, "security.seccomp", true);
     NoCapsForKit = !getConfigValue<bool>(conf, "security.capabilities", true);
+    AdminEnabled = getConfigValue<bool>(conf, "admin_console.enable", true);
 
 #if ENABLE_SUPPORT_KEY
     const std::string supportKeyString = getConfigValue<std::string>(conf, "support_key", "");
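Review bot: `AdminEnabled` is read with a fallback of `true`, and the static in the previous hunk is also initialised to `true`, so a missing or mistyped `admin_console.enable` key leaves the console on with no indication. Logging the effective value once logging is available, e.g. `LOG_INF("Admin console " << (AdminEnabled ? "enabled" : "disabled"));`, lets an operator confirm that a hardening change was actually picked up. The flag is a plain `bool` that request-handling code reads; that is safe only if this is the single write and it happens before those threads start, which looks to be the intent but is worth stating in a comment next to the assignment. LOOLWSD::initialize continues outside the hunk.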
diff --git a/wsd/LOOLWSD.hpp b/wsd/LOOLWSD.hpp
index 55e060217..3ec79c867 100644
--- a/wsd/LOOLWSD.hpp
+++ b/wsd/LOOLWSD.hpp
@@ -44,6 +44,7 @@ public:
     static unsigned int NumPreSpawnedChildren;
     static bool NoCapsForKit;
     static bool NoSeccomp;
+    static bool AdminEnabled;
     static std::atomic<int> ForKitWritePipe;
     static std::atomic<int> ForKitProcId;
     static bool DummyLOK;

