Security fix: Companion shall not send Plex token

tomkat83 2017-12-09 13:54:30 +01:00
parent 843bedbee6
commit 73c7f866e6
3 changed files with 11 additions and 7 deletions


@ -13,7 +13,7 @@ log = logging.getLogger("PLEX."+__name__)
############################################################################### ###############################################################################
def getXArgsDeviceInfo(options=None): def getXArgsDeviceInfo(options=None, include_token=True):
""" """
Returns a dictionary that can be used as headers for GET and POST Returns a dictionary that can be used as headers for GET and POST
requests. An authentication option is NOT yet added. requests. An authentication option is NOT yet added.
@ -21,6 +21,8 @@ def getXArgsDeviceInfo(options=None):
Inputs: Inputs:
options: dictionary of options that will override the options: dictionary of options that will override the
standard header options otherwise set. standard header options otherwise set.
include_token: set to False if you don't want to include the Plex token
(e.g. for Companion communication)
Output: Output:
header dictionary header dictionary
""" """
@ -41,7 +43,7 @@ def getXArgsDeviceInfo(options=None):
'X-Plex-Client-Identifier': getDeviceId(), 'X-Plex-Client-Identifier': getDeviceId(),
'X-Plex-Provides': 'client,controller,player,pubsub-player', 'X-Plex-Provides': 'client,controller,player,pubsub-player',
} }
if window('pms_token'): if include_token and window('pms_token'):
xargs['X-Plex-Token'] = window('pms_token') xargs['X-Plex-Token'] = window('pms_token')
if options is not None: if options is not None:
xargs.update(options) xargs.update(options)
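Review bot: `include_token=False` can be undone by the `options` argument, because `xargs.update(options)` runs after the token check; a caller that passes `options` containing `X-Plex-Token` still gets the token in the returned headers. If the flag is meant as a guarantee, follow the update with `if not include_token: xargs.pop('X-Plex-Token', None)`. The default of `True` is also opt-out, so any caller that forgets the flag keeps sending the token. The docstring line for `include_token` could say which recipients may receive the token (presumably only the PMS). The function body continues outside the visible hunks.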


@ -126,9 +126,10 @@ class MyHandler(BaseHTTPRequestHandler):
settings['platform'], settings['platform'],
settings['plexbmc_version'])) settings['plexbmc_version']))
log.debug("crafted resources response: %s" % resp) log.debug("crafted resources response: %s" % resp)
self.response(resp, getXArgsDeviceInfo()) self.response(resp, getXArgsDeviceInfo(include_token=False))
elif "/subscribe" in request_path: elif "/subscribe" in request_path:
self.response(v.COMPANION_OK_MESSAGE, getXArgsDeviceInfo()) self.response(v.COMPANION_OK_MESSAGE,
getXArgsDeviceInfo(include_token=False))
protocol = params.get('protocol', False) protocol = params.get('protocol', False)
host = self.client_address[0] host = self.client_address[0]
port = params.get('port', False) port = params.get('port', False)
@ -155,14 +156,15 @@ class MyHandler(BaseHTTPRequestHandler):
'Content-Type': 'text/xml' 'Content-Type': 'text/xml'
}) })
elif "/unsubscribe" in request_path: elif "/unsubscribe" in request_path:
self.response(v.COMPANION_OK_MESSAGE, getXArgsDeviceInfo()) self.response(v.COMPANION_OK_MESSAGE,
getXArgsDeviceInfo(include_token=False))
uuid = self.headers.get('X-Plex-Client-Identifier', False) \ uuid = self.headers.get('X-Plex-Client-Identifier', False) \
or self.client_address[0] or self.client_address[0]
subMgr.removeSubscriber(uuid) subMgr.removeSubscriber(uuid)
else: else:
# Throw it to companion.py # Throw it to companion.py
process_command(request_path, params, self.server.queue) process_command(request_path, params, self.server.queue)
self.response('', getXArgsDeviceInfo()) self.response('', getXArgsDeviceInfo(include_token=False))
subMgr.notify() subMgr.notify()
except: except:
log.error('Error encountered. Traceback:') log.error('Error encountered. Traceback:')
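Review bot: The four `getXArgsDeviceInfo(include_token=False)` calls in this handler each have to remember the flag, and nothing at the call sites says why. A branch added later that calls `getXArgsDeviceInfo()` without it would put the token back into Companion responses. A one-line wrapper such as `def companion_headers(): return getXArgsDeviceInfo(include_token=False)` would keep the rule in one place, with a comment like `# Companion responses go to other clients: never include X-Plex-Token`. The branches between the two hunks are not visible here, so it is worth confirming that no unflagged call remains in them.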


@ -176,7 +176,7 @@ class SubscriptionManager:
def _sendNotification(self, info, playerid): def _sendNotification(self, info, playerid):
playqueue = self.playqueue.playqueues[playerid] playqueue = self.playqueue.playqueues[playerid]
xargs = getXArgsDeviceInfo() xargs = getXArgsDeviceInfo(include_token=False)
params = { params = {
'containerKey': self.containerKey or "/library/metadata/900000", 'containerKey': self.containerKey or "/library/metadata/900000",
'key': self.lastkey or "/library/metadata/900000", 'key': self.lastkey or "/library/metadata/900000",