Merge pull request #1621 from raintank/1619

fixes #1619 Secure PhantomJS Png rendering

Merge pull request #1621 from raintank/1619
fixes #1619 Secure PhantomJS Png rendering
306358e7 · Torkel Ödegaard · 36a94896 · 7010df0f · 306358e7 · 306358e7
Commit 306358e7 authored Mar 20, 2015 by Torkel Ödegaard
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 11 deletions

pkg/api/render.go
+2 -1

pkg/components/renderer/renderer.go
+4 -1

pkg/middleware/auth.go
+0 -7

vendor/phantomjs/render.js
+8 -2

No files found.
--- a/pkg/api/render.go
+++ b/pkg/api/render.go
@@ -12,12 +12,13 @@ import (

 func RenderToPng(c *middleware.Context) {
 	queryReader := util.NewUrlQueryReader(c.Req.URL)
-	queryParams := fmt.Sprintf("?render=1&%s=%d&%s", middleware.SESS_KEY_USERID, c.UserId, c.Req.URL.RawQuery)
+	queryParams := fmt.Sprintf("?%s", c.Req.URL.RawQuery)

 	renderOpts := &renderer.RenderOpts{
 		Url:       c.Params("*") + queryParams,
 		Width:     queryReader.Get("width", "800"),
 		Height:    queryReader.Get("height", "400"),
+		SessionId: c.Session.ID(),
 	}

 	renderOpts.Url = setting.ToAbsUrl(renderOpts.Url)

--- a/pkg/components/renderer/renderer.go
+++ b/pkg/components/renderer/renderer.go
@@ -17,6 +17,7 @@ type RenderOpts struct {
 	Url       string
 	Width     string
 	Height    string
+	SessionId string
 }

 func RenderToPng(params *RenderOpts) (string, error) {
@@ -26,7 +27,9 @@ func RenderToPng(params *RenderOpts) (string, error) {
 	pngPath, _ := filepath.Abs(filepath.Join(setting.ImagesDir, getHash(params.Url)))
 	pngPath = pngPath + ".png"

-	cmd := exec.Command(binPath, scriptPath, "url="+params.Url, "width="+params.Width, "height="+params.Height, "png="+pngPath)
+	cmd := exec.Command(binPath, scriptPath, "url="+params.Url, "width="+params.Width,
+		"height="+params.Height, "png="+pngPath, "cookiename="+setting.SessionOptions.CookieName,
+		"domain="+setting.Domain, "sessionid="+params.SessionId)
 	stdout, err := cmd.StdoutPipe()

 	if err != nil {

--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -22,13 +22,6 @@ func getRequestUserId(c *Context) int64 {
 		return userId.(int64)
 	}

-	// TODO: figure out a way to secure this
-	if c.Req.URL.Query().Get("render") == "1" {
-		userId := c.QueryInt64(SESS_KEY_USERID)
-		c.Session.Set(SESS_KEY_USERID, userId)
-		return userId
-	}
-
 	return 0
 }


--- a/vendor/phantomjs/render.js
+++ b/vendor/phantomjs/render.js
@@ -9,13 +9,19 @@ args.forEach(function(arg) {
  params[parts[1]] = parts[2];
 });

-var usage = "url=<url> png=<filename> width=<width> height=<height>";
+var usage = "url=<url> png=<filename> width=<width> height=<height> cookiename=<cookiename> sessionid=<sessionid> domain=<domain>";

-if (!params.url || !params.png) {
+if (!params.url || !params.png || !params.cookiename || ! params.sessionid || !params.domain) {
  console.log(usage);
  phantom.exit();
 }

+phantom.addCookie({
+  'name': params.cookiename,
+  'value': params.sessionid,
+  'domain': params.domain
+});
+
 page.viewportSize = {
  width: params.width || '800',
  height: params.height || '400'