fixes #1619 Secure PhantomJS Png rendering

removes auth hack to allow phantomjs to query pages as a user without auth. Instead we pass phantomjs the session cookie, which it then includes in the request.
2024-12-28 18:01:40 -06:00 · 2015-03-21 07:14:13 +08:00 · 2015-03-21 07:14:13 +08:00 · 7010df0fe8
commit 7010df0fe8
parent 5d6583ef7b
4 changed files with 20 additions and 17 deletions
--- a/pkg/api/render.go
+++ b/pkg/api/render.go
@ -12,12 +12,13 @@ import (

 func RenderToPng(c *middleware.Context) {
 	queryReader := util.NewUrlQueryReader(c.Req.URL)
-	queryParams := fmt.Sprintf("?render=1&%s=%d&%s", middleware.SESS_KEY_USERID, c.UserId, c.Req.URL.RawQuery)
+	queryParams := fmt.Sprintf("?%s", c.Req.URL.RawQuery)

 	renderOpts := &renderer.RenderOpts{
-		Url:    c.Params("*") + queryParams,
-		Width:  queryReader.Get("width", "800"),
-		Height: queryReader.Get("height", "400"),
+		Url:       c.Params("*") + queryParams,
+		Width:     queryReader.Get("width", "800"),
+		Height:    queryReader.Get("height", "400"),
+		SessionId: c.Session.ID(),
 	}

 	renderOpts.Url = setting.ToAbsUrl(renderOpts.Url)
--- a/pkg/components/renderer/renderer.go
+++ b/pkg/components/renderer/renderer.go
@ -14,9 +14,10 @@ import (
 )

 type RenderOpts struct {
-	Url    string
-	Width  string
-	Height string
+	Url       string
+	Width     string
+	Height    string
+	SessionId string
 }

 func RenderToPng(params *RenderOpts) (string, error) {
@ -26,7 +27,9 @@ func RenderToPng(params *RenderOpts) (string, error) {
 	pngPath, _ := filepath.Abs(filepath.Join(setting.ImagesDir, getHash(params.Url)))
 	pngPath = pngPath + ".png"

-	cmd := exec.Command(binPath, scriptPath, "url="+params.Url, "width="+params.Width, "height="+params.Height, "png="+pngPath)
+	cmd := exec.Command(binPath, scriptPath, "url="+params.Url, "width="+params.Width,
+		"height="+params.Height, "png="+pngPath, "cookiename="+setting.SessionOptions.CookieName,
+		"domain="+setting.Domain, "sessionid="+params.SessionId)
 	stdout, err := cmd.StdoutPipe()

 	if err != nil {
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@ -22,13 +22,6 @@ func getRequestUserId(c *Context) int64 {
 		return userId.(int64)
 	}

-	// TODO: figure out a way to secure this
-	if c.Req.URL.Query().Get("render") == "1" {
-		userId := c.QueryInt64(SESS_KEY_USERID)
-		c.Session.Set(SESS_KEY_USERID, userId)
-		return userId
-	}
-
 	return 0
 }

--- a/vendor/phantomjs/render.js
+++ b/vendor/phantomjs/render.js
@ -9,13 +9,19 @@ args.forEach(function(arg) {
  params[parts[1]] = parts[2];
 });

-var usage = "url=<url> png=<filename> width=<width> height=<height>";
+var usage = "url=<url> png=<filename> width=<width> height=<height> cookiename=<cookiename> sessionid=<sessionid> domain=<domain>";

-if (!params.url || !params.png) {
+if (!params.url || !params.png || !params.cookiename || ! params.sessionid || !params.domain) {
  console.log(usage);
  phantom.exit();
 }

+phantom.addCookie({
+  'name': params.cookiename,
+  'value': params.sessionid,
+  'domain': params.domain
+});
+
 page.viewportSize = {
  width: params.width || '800',
  height: params.height || '400'