IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

fixes #1619 Secure PhantomJS Png rendering

Browse Source 
removes auth hack to allow phantomjs to query pages as a user
without auth.  Instead we pass phantomjs the session cookie,
which it then includes in the request.
This commit is contained in:
Anthony Woods
2015-03-21 07:14:13 +08:00
parent 5d6583ef7b
commit 7010df0fe8
4 changed files with 20 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/api/render.go
View File

@@ -12,12 +12,13 @@ import (
func RenderToPng(c *middleware.Context) { func RenderToPng(c *middleware.Context) {
queryReader := util.NewUrlQueryReader(c.Req.URL) queryReader := util.NewUrlQueryReader(c.Req.URL)
queryParams := fmt.Sprintf("?render=1&%s=%d&%s", middleware.SESS_KEY_USERID, c.UserId, c.Req.URL.RawQuery) queryParams := fmt.Sprintf("?%s", c.Req.URL.RawQuery)
renderOpts := &renderer.RenderOpts{ renderOpts := &renderer.RenderOpts{
Url: c.Params("*") + queryParams, Url: c.Params("*") + queryParams,
Width: queryReader.Get("width", "800"), Width: queryReader.Get("width", "800"),
Height: queryReader.Get("height", "400"), Height: queryReader.Get("height", "400"),
SessionId: c.Session.ID(),
} }
renderOpts.Url = setting.ToAbsUrl(renderOpts.Url) renderOpts.Url = setting.ToAbsUrl(renderOpts.Url)

5
pkg/components/renderer/renderer.go
View File

@@ -17,6 +17,7 @@ type RenderOpts struct {
Url string Url string
Width string Width string
Height string Height string
SessionId string
} }
func RenderToPng(params *RenderOpts) (string, error) { func RenderToPng(params *RenderOpts) (string, error) {
@@ -26,7 +27,9 @@ func RenderToPng(params *RenderOpts) (string, error) {
pngPath, _ := filepath.Abs(filepath.Join(setting.ImagesDir, getHash(params.Url))) pngPath, _ := filepath.Abs(filepath.Join(setting.ImagesDir, getHash(params.Url)))
pngPath = pngPath + ".png" pngPath = pngPath + ".png"
cmd := exec.Command(binPath, scriptPath, "url="+params.Url, "width="+params.Width, "height="+params.Height, "png="+pngPath) cmd := exec.Command(binPath, scriptPath, "url="+params.Url, "width="+params.Width,
"height="+params.Height, "png="+pngPath, "cookiename="+setting.SessionOptions.CookieName,
"domain="+setting.Domain, "sessionid="+params.SessionId)
stdout, err := cmd.StdoutPipe() stdout, err := cmd.StdoutPipe()
if err != nil { if err != nil {

7
pkg/middleware/auth.go
View File

@@ -22,13 +22,6 @@ func getRequestUserId(c *Context) int64 {
return userId.(int64) return userId.(int64)
} }
// TODO: figure out a way to secure this
if c.Req.URL.Query().Get("render") == "1" {
userId := c.QueryInt64(SESS_KEY_USERID)
c.Session.Set(SESS_KEY_USERID, userId)
return userId
}
return 0 return 0
} }

10
vendor/phantomjs/render.js vendored
View File

@@ -9,13 +9,19 @@ args.forEach(function(arg) {
params[parts[1]] = parts[2]; params[parts[1]] = parts[2];
}); });
var usage = "url=<url> png=<filename> width=<width> height=<height>"; var usage = "url=<url> png=<filename> width=<width> height=<height> cookiename=<cookiename> sessionid=<sessionid> domain=<domain>";
if (!params.url || !params.png) { if (!params.url || !params.png || !params.cookiename || ! params.sessionid || !params.domain) {
console.log(usage); console.log(usage);
phantom.exit(); phantom.exit();
} }
phantom.addCookie({
'name': params.cookiename,
'value': params.sessionid,
'domain': params.domain
});
page.viewportSize = { page.viewportSize = {
width: params.width || '800', width: params.width || '800',
height: params.height || '400' height: params.height || '400'