Security fix: Companion shall not send Plex token

resources/lib/clientinfo.py

@@ -13,7 +13,7 @@ log = logging.getLogger("PLEX."+__name__)
 ###############################################################################
 
 
-def getXArgsDeviceInfo(options=None):
+def getXArgsDeviceInfo(options=None, include_token=True):
     """
     Returns a dictionary that can be used as headers for GET and POST
     requests. An authentication option is NOT yet added.
@@ -21,6 +21,8 @@ def getXArgsDeviceInfo(options=None):
     Inputs:
         options:        dictionary of options that will override the
                         standard header options otherwise set.
+        include_token:  set to False if you don't want to include the Plex token
+                        (e.g. for Companion communication)
     Output:
         header dictionary
     """
@@ -41,7 +43,7 @@ def getXArgsDeviceInfo(options=None):
         'X-Plex-Client-Identifier': getDeviceId(),
         'X-Plex-Provides': 'client,controller,player,pubsub-player',
     }
-    if window('pms_token'):
+    if include_token and window('pms_token'):
         xargs['X-Plex-Token'] = window('pms_token')
     if options is not None:
         xargs.update(options)

resources/lib/plexbmchelper/listener.py

@@ -126,9 +126,10 @@ class MyHandler(BaseHTTPRequestHandler):
                            settings['platform'],
                            settings['plexbmc_version']))
                 log.debug("crafted resources response: %s" % resp)
-                self.response(resp, getXArgsDeviceInfo())
+                self.response(resp, getXArgsDeviceInfo(include_token=False))
             elif "/subscribe" in request_path:
-                self.response(v.COMPANION_OK_MESSAGE, getXArgsDeviceInfo())
+                self.response(v.COMPANION_OK_MESSAGE,
+                              getXArgsDeviceInfo(include_token=False))
                 protocol = params.get('protocol', False)
                 host = self.client_address[0]
                 port = params.get('port', False)
@@ -155,14 +156,15 @@ class MyHandler(BaseHTTPRequestHandler):
                         'Content-Type': 'text/xml'
                     })
             elif "/unsubscribe" in request_path:
-                self.response(v.COMPANION_OK_MESSAGE, getXArgsDeviceInfo())
+                self.response(v.COMPANION_OK_MESSAGE,
+                              getXArgsDeviceInfo(include_token=False))
                 uuid = self.headers.get('X-Plex-Client-Identifier', False) \
                     or self.client_address[0]
                 subMgr.removeSubscriber(uuid)
             else:
                 # Throw it to companion.py
                 process_command(request_path, params, self.server.queue)
-                self.response('', getXArgsDeviceInfo())
+                self.response('', getXArgsDeviceInfo(include_token=False))
                 subMgr.notify()
         except:
             log.error('Error encountered. Traceback:')

resources/lib/plexbmchelper/subscribers.py

@@ -176,7 +176,7 @@ class SubscriptionManager:
 
     def _sendNotification(self, info, playerid):
         playqueue = self.playqueue.playqueues[playerid]
-        xargs = getXArgsDeviceInfo()
+        xargs = getXArgsDeviceInfo(include_token=False)
         params = {
             'containerKey': self.containerKey or "/library/metadata/900000",
             'key': self.lastkey or "/library/metadata/900000",