From 73c7f866e6d48864ba4fb8e3537dd2357ebdb690 Mon Sep 17 00:00:00 2001
From: tomkat83
Date: Sat, 9 Dec 2017 13:54:30 +0100
Subject: [PATCH] Security fix: Companion shall not send Plex token
---
 resources/lib/clientinfo.py | 6 ++++--
 resources/lib/plexbmchelper/listener.py | 10 ++++++----
 resources/lib/plexbmchelper/subscribers.py | 2 +-
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/resources/lib/clientinfo.py b/resources/lib/clientinfo.py
index dfddae5f..4a1da15d 100644
--- a/resources/lib/clientinfo.py
+++ b/resources/lib/clientinfo.py
@@ -13,7 +13,7 @@ log = logging.getLogger("PLEX."+__name__)
 ###############################################################################
-def getXArgsDeviceInfo(options=None):
+def getXArgsDeviceInfo(options=None, include_token=True):
 """
 Returns a dictionary that can be used as headers for GET and POST requests. An authentication option is NOT yet added.
@@ -21,6 +21,8 @@ def getXArgsDeviceInfo(options=None):
 Inputs:
 options: dictionary of options that will override the standard header options otherwise set.
+ include_token: set to False if you don't want to include the Plex token
+ (e.g. for Companion communication)
 Output:
 header dictionary
 """
@@ -41,7 +43,7 @@ def getXArgsDeviceInfo(options=None):
 'X-Plex-Client-Identifier': getDeviceId(),
 'X-Plex-Provides': 'client,controller,player,pubsub-player',
 }
- if window('pms_token'):
+ if include_token and window('pms_token'):
 xargs['X-Plex-Token'] = window('pms_token')
 if options is not None:
 xargs.update(options)
diff --git a/resources/lib/plexbmchelper/listener.py b/resources/lib/plexbmchelper/listener.py
index e177212f..e93f07de 100644
--- a/resources/lib/plexbmchelper/listener.py
+++ b/resources/lib/plexbmchelper/listener.py
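Review bot: The new parameter in the first clientinfo.py hunk defaults to `include_token=True`, so leaving the token out is opt-out: any caller that talks to a Companion peer and is not touched by this patch, or is added later, still gets `X-Plex-Token` in its headers. Only the call sites in listener.py and subscribers.py are changed here; whether other Companion-facing callers exist is not visible from the diff. Consider making the safe value the default, `def getXArgsDeviceInfo(options=None, include_token=False):`, and having the PMS-facing callers pass `include_token=True` explicitly. Separately, `xargs.update(options)` in the third hunk runs after the guard, so a caller-supplied `X-Plex-Token` in `options` is still sent regardless of the flag; a short comment there saying that this is intended would help.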
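Review bot: The docstring touched by the second clientinfo.py hunk still carries the sentence "An authentication option is NOT yet added" (visible as context in the first hunk), which contradicts the function adding `X-Plex-Token` whenever `pms_token` is set. The new entry would also be clearer if it stated what the default does, for example `include_token: if True (default), add X-Plex-Token from window('pms_token'); pass False for Companion communication`. The stale sentence could be replaced with `The Plex token is added unless include_token is False.`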
@@ -126,9 +126,10 @@ class MyHandler(BaseHTTPRequestHandler):
 settings['platform'],
 settings['plexbmc_version']))
 log.debug("crafted resources response: %s" % resp)
- self.response(resp, getXArgsDeviceInfo())
+ self.response(resp, getXArgsDeviceInfo(include_token=False))
 elif "/subscribe" in request_path:
- self.response(v.COMPANION_OK_MESSAGE, getXArgsDeviceInfo())
+ self.response(v.COMPANION_OK_MESSAGE,
+ getXArgsDeviceInfo(include_token=False))
 protocol = params.get('protocol', False)
 host = self.client_address[0]
 port = params.get('port', False)
@@ -155,14 +156,15 @@ class MyHandler(BaseHTTPRequestHandler):
 'Content-Type': 'text/xml'
 })
 elif "/unsubscribe" in request_path:
- self.response(v.COMPANION_OK_MESSAGE, getXArgsDeviceInfo())
+ self.response(v.COMPANION_OK_MESSAGE,
+ getXArgsDeviceInfo(include_token=False))
 uuid = self.headers.get('X-Plex-Client-Identifier', False) \
 or self.client_address[0]
 subMgr.removeSubscriber(uuid)
 else:
 # Throw it to companion.py
 process_command(request_path, params, self.server.queue)
- self.response('', getXArgsDeviceInfo())
+ self.response('', getXArgsDeviceInfo(include_token=False))
 subMgr.notify()
 except:
 log.error('Error encountered. Traceback:')
diff --git a/resources/lib/plexbmchelper/subscribers.py b/resources/lib/plexbmchelper/subscribers.py
index 5345fea4..f6e40ef1 100644
--- a/resources/lib/plexbmchelper/subscribers.py
+++ b/resources/lib/plexbmchelper/subscribers.py
@@ -176,7 +176,7 @@ class SubscriptionManager:
 def _sendNotification(self, info, playerid):
 playqueue = self.playqueue.playqueues[playerid]
- xargs = getXArgsDeviceInfo()
+ xargs = getXArgsDeviceInfo(include_token=False)
 params = {
 'containerKey': self.containerKey or "/library/metadata/900000",
 'key': self.lastkey or "/library/metadata/900000",
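Review bot: `getXArgsDeviceInfo(include_token=False)` is now spelled out at four separate response sites across the two listener.py hunks, so a branch added later that copies the old `getXArgsDeviceInfo()` form would put the token back into a Companion response with nothing to flag it. Building the headers once in the handler, e.g. `companion_headers = getXArgsDeviceInfo(include_token=False)`, and passing `companion_headers` to each `self.response(...)` keeps the decision in one place. The handler method starts and ends outside both hunks, so the right spot for that assignment is not visible here. A small test asserting that `'X-Plex-Token'` is absent from the headers returned with `include_token=False` would guard against a regression.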
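Review bot: The changed call in `_sendNotification` has no comment explaining why the token is dropped, so a later cleanup could revert it without noticing; a one-line why-comment above it would help, e.g. `# Companion subscribers are not the PMS: never send the Plex token`. `xargs` is consumed further down in `_sendNotification`, outside the hunk, so it is worth confirming that nothing later in the function (presumably where the notification request is built) re-adds `X-Plex-Token` through `params` or an options dict.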