core: security fix, authorization first in download / blackhole links (#6825)

2025-09-17 17:34:09 +02:00 · 2020-01-05 07:41:01 +01:00
parent 7e93a86ae0
commit 45b205ddc3
2 changed files with 12 additions and 12 deletions
--- a/src/Jackett.Server/Controllers/BlackholeController.cs
+++ b/src/Jackett.Server/Controllers/BlackholeController.cs
@@ -20,14 +20,14 @@ namespace Jackett.Server.Controllers
    {
        private Logger logger;
        private IIndexerManagerService indexerService;
-        private readonly ServerConfig serverConfig;
+        private ServerConfig serverConfig;
        private IProtectionService protectionService;
-        public BlackholeController(IIndexerManagerService i, Logger l, ServerConfig config, IProtectionService ps)
+        public BlackholeController(IIndexerManagerService i, Logger l, ServerConfig sConfig, IProtectionService ps)
        {
            logger = l;
            indexerService = i;
-            serverConfig = config;
+            serverConfig = sConfig;
            protectionService = ps;
        }
@@ -37,6 +37,9 @@ namespace Jackett.Server.Controllers
            var jsonReply = new JObject();
            try
            {
                if (serverConfig.APIKey != jackett_apikey)
                    return Unauthorized();
                var indexer = indexerService.GetWebIndexer(indexerID);
                if (!indexer.IsConfigured)
                {
@@ -44,9 +47,6 @@ namespace Jackett.Server.Controllers
                    throw new Exception("This indexer is not configured.");
                }
                if (serverConfig.APIKey != jackett_apikey)
                    throw new Exception("Incorrect API key");
                path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
                path = protectionService.UnProtect(path);
                var remoteFile = new Uri(path, UriKind.RelativeOrAbsolute);
--- a/src/Jackett.Server/Controllers/DownloadController.cs
+++ b/src/Jackett.Server/Controllers/DownloadController.cs
@@ -17,14 +17,14 @@ namespace Jackett.Server.Controllers
    [Route("dl/{indexerID}")]
    public class DownloadController : Controller
    {
-        private ServerConfig config;
+        private ServerConfig serverConfig;
        private Logger logger;
        private IIndexerManagerService indexerService;
        private IProtectionService protectionService;
-        public DownloadController(IIndexerManagerService i, Logger l, IProtectionService ps, ServerConfig serverConfig)
+        public DownloadController(IIndexerManagerService i, Logger l, IProtectionService ps, ServerConfig sConfig)
        {
-            config = serverConfig;
+            serverConfig = sConfig;
            logger = l;
            indexerService = i;
            protectionService = ps;
@@ -35,6 +35,9 @@ namespace Jackett.Server.Controllers
        {
            try
            {
                if (serverConfig.APIKey != jackett_apikey)
                    return Unauthorized();
                var indexer = indexerService.GetWebIndexer(indexerID);
                if (!indexer.IsConfigured)
@@ -46,9 +49,6 @@ namespace Jackett.Server.Controllers
                path = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(path));
                path = protectionService.UnProtect(path);
                if (config.APIKey != jackett_apikey)
                    return Unauthorized();
                var target = new Uri(path, UriKind.RelativeOrAbsolute);
                var downloadBytes = await indexer.Download(target);