diff --git a/src/cpp/ripple/HTTPRequest.cpp b/src/cpp/ripple/HTTPRequest.cpp index b4420a2434..6823dbc62e 100644 --- a/src/cpp/ripple/HTTPRequest.cpp +++ b/src/cpp/ripple/HTTPRequest.cpp @@ -11,7 +11,7 @@ SETUP_LOG(); void HTTPRequest::reset() { - vHeaders.clear(); + mHeaders.clear(); sRequestBody.clear(); sAuthorization.clear(); iDataSize = 0; @@ -67,8 +67,6 @@ HTTPRequestAction HTTPRequest::consume(boost::asio::streambuf& buf) eState = getting_body; return haREAD_RAW; } - vHeaders.push_back(line); - size_t colon = line.find(':'); if (colon != std::string::npos) { @@ -79,6 +77,8 @@ HTTPRequestAction HTTPRequest::consume(boost::asio::streambuf& buf) std::string headerValue = line.substr(colon+1); boost::trim(headerValue); + mHeaders[headerName] += headerValue; + if (headerName == "connection") { boost::to_lower(headerValue); diff --git a/src/cpp/ripple/HTTPRequest.h b/src/cpp/ripple/HTTPRequest.h index 1ad3081f0e..a9d1fae6a8 100644 --- a/src/cpp/ripple/HTTPRequest.h +++ b/src/cpp/ripple/HTTPRequest.h @@ -2,7 +2,7 @@ #define HTTPREQUEST__HPP #include -#include +#include #include @@ -32,7 +32,7 @@ protected: std::string sRequestBody; std::string sAuthorization; - std::vector vHeaders; + std::map mHeaders; int iDataSize; bool bShouldClose; @@ -49,7 +49,7 @@ public: std::string& peekAuth() { return sAuthorization; } std::string getAuth() { return sAuthorization; } - std::vector& peekHeaders() { return vHeaders; } + std::map& peekHeaders() { return mHeaders; } std::string getReplyHeaders(bool forceClose); HTTPRequestAction consume(boost::asio::streambuf&); diff --git a/src/cpp/ripple/RPC.h b/src/cpp/ripple/RPC.h index 61d42a6be9..475cff6497 100644 --- a/src/cpp/ripple/RPC.h +++ b/src/cpp/ripple/RPC.h @@ -41,4 +41,6 @@ extern std::string JSONRPCReply(const Json::Value& result, const Json::Value& er extern Json::Value JSONRPCError(int code, const std::string& message); +extern bool HTTPAuthorized(const std::map& mapHeaders); + #endif diff --git a/src/cpp/ripple/RPCServer.cpp b/src/cpp/ripple/RPCServer.cpp index d56ddd8034..cd74742612 100644 --- a/src/cpp/ripple/RPCServer.cpp +++ b/src/cpp/ripple/RPCServer.cpp @@ -47,7 +47,12 @@ void RPCServer::handle_read_req(const boost::system::error_code& e) } req += strCopy(mQueryVec); - mReplyStr = handleRequest(req); + + if (!HTTPAuthorized(mHTTPRequest.peekHeaders())) + mReplyStr = HTTPReply(403, "Forbidden"); + else + mReplyStr = handleRequest(req); + boost::asio::async_write(mSocket, boost::asio::buffer(mReplyStr), boost::bind(&RPCServer::handle_write, shared_from_this(), boost::asio::placeholders::error)); } @@ -108,6 +113,7 @@ void RPCServer::handle_read_line(const boost::system::error_code& e) std::string RPCServer::handleRequest(const std::string& requestStr) { cLog(lsTRACE) << "handleRequest " << requestStr; + Json::Value id; // Parse request diff --git a/src/cpp/ripple/rpc.cpp b/src/cpp/ripple/rpc.cpp index 6219ce527d..095ed977e0 100644 --- a/src/cpp/ripple/rpc.cpp +++ b/src/cpp/ripple/rpc.cpp @@ -204,17 +204,19 @@ std::string DecodeBase64(std::string s) return result; } -bool HTTPAuthorized(std::map& mapHeaders) -{ // This is currently not used - std::string strAuth = mapHeaders["authorization"]; - if (strAuth.substr(0,6) != "Basic ") - return theConfig.RPC_ADMIN_USER.empty() && theConfig.RPC_ADMIN_PASSWORD.empty(); - std::string strUserPass64 = strAuth.substr(6); +bool HTTPAuthorized(const std::map& mapHeaders) +{ + std::map::const_iterator it = mapHeaders.find("authorization"); + if ((it == mapHeaders.end()) || (it->second.substr(0,6) != "Basic ")) + return theConfig.RPC_USER.empty() && theConfig.RPC_PASSWORD.empty(); + + std::string strUserPass64 = it->second.substr(6); boost::trim(strUserPass64); std::string strUserPass = DecodeBase64(strUserPass64); std::string::size_type nColon = strUserPass.find(":"); if (nColon == std::string::npos) return false; + std::string strUser = strUserPass.substr(0, nColon); std::string strPassword = strUserPass.substr(nColon+1); return (strUser == theConfig.RPC_USER) && (strPassword == theConfig.RPC_PASSWORD);