From aec651c6d65b469747528bd5bb3442dd5e31da44 Mon Sep 17 00:00:00 2001
From: Brett Bryant <bbryant@digium.com>
Date: Fri, 23 May 2008 21:37:07 +0000
Subject: [PATCH] Merged revisions 118161 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/trunk

........
r118161 | bbryant | 2008-05-23 16:19:42 -0500 (Fri, 23 May 2008) | 3 lines

Add new functionality to http server that requires manager authentication for any path that includes a directory named 'private'. This patch also
requires manager authentication for any POST's being sent to the server as well to help secure uploads.

........


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.0@118168 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 include/asterisk/manager.h |  3 +++
 main/http.c                | 16 ++++++++++++++++
 main/manager.c             | 21 ++++++++++++++++++---
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h
index e654b7a582..ecc0478293 100644
--- a/include/asterisk/manager.h
+++ b/include/asterisk/manager.h
@@ -203,6 +203,9 @@ void astman_send_listack(struct mansession *s, const struct message *m, char *ms
 
 void __attribute__ ((format (printf, 2, 3))) astman_append(struct mansession *s, const char *fmt, ...);
 
+/*! \brief Determinie if a manager session ident is authenticated */
+int astman_is_authed(uint32_t ident);
+
 /*! \brief Called by Asterisk initialization */
 int init_manager(void);
 
diff --git a/main/http.c b/main/http.c
index edcbf386f8..10eab25c33 100644
--- a/main/http.c
+++ b/main/http.c
@@ -145,6 +145,18 @@ static const char *ftype2mtype(const char *ftype, char *wkspace, int wkspacelen)
 	return wkspace;
 }
 
+static uint32_t manid_from_vars(struct ast_variable *sid) {
+	uint32_t mngid;
+
+	while (sid && strcmp(sid->name, "mansession_id"))
+		sid = sid->next;
+	
+	if (!sid || sscanf(sid->value, "%x", &mngid) != 1)
+		return 0;
+	
+	return mngid;
+}
+
 static struct ast_str *static_callback(struct ast_tcptls_session_instance *ser, const char *uri, struct ast_variable *vars, int *status, char **title, int *contentlength)
 {
 	char *path;
@@ -187,6 +199,10 @@ static struct ast_str *static_callback(struct ast_tcptls_session_instance *ser,
 	if (fd < 0)
 		goto out403;
 
+	if (strstr(path, "/private/") && !astman_is_authed(manid_from_vars(vars))) {
+		goto out403;
+	}
+
 	ast_strftime(buf, sizeof(buf), "%a, %d %b %Y %H:%M:%S %Z", ast_localtime(&tv, &tm, "GMT"));
 	fprintf(ser->f, "HTTP/1.1 200 OK\r\n"
 		"Server: Asterisk/%s\r\n"
diff --git a/main/manager.c b/main/manager.c
index 27bac86344..64be6d2268 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -3140,7 +3140,7 @@ static char *contenttype[] = {
  * the value of the mansession_id cookie (0 is not valid and means
  * a session on the AMI socket).
  */
-static struct mansession *find_session(uint32_t ident)
+static struct mansession *find_session(uint32_t ident, int incinuse)
 {
 	struct mansession *s;
 
@@ -3151,7 +3151,7 @@ static struct mansession *find_session(uint32_t ident)
 	AST_LIST_TRAVERSE(&sessions, s, list) {
 		ast_mutex_lock(&s->__lock);
 		if (s->managerid == ident && !s->needdestroy) {
-			ast_atomic_fetchadd_int(&s->inuse, 1);
+			ast_atomic_fetchadd_int(&s->inuse, incinuse ? 1 : 0);
 			break;
 		}
 		ast_mutex_unlock(&s->__lock);
@@ -3161,6 +3161,21 @@ static struct mansession *find_session(uint32_t ident)
 	return s;
 }
 
+int astman_is_authed(uint32_t ident) 
+{
+	int authed;
+	struct mansession *s;
+
+	if (!(s = find_session(ident, 0)))
+		return 0;
+
+	authed = (s->authenticated != 0);
+
+	ast_mutex_unlock(&s->__lock);
+
+	return authed;
+}
+
 int astman_verify_session_readpermissions(uint32_t ident, int perm)
 {
 	int result = 0;
@@ -3451,7 +3466,7 @@ static struct ast_str *generic_http_callback(enum output_format format,
 		}
 	}
 
-	if (!(s = find_session(ident))) {
+	if (!(s = find_session(ident, 1))) {
 		/* Create new session.
 		 * While it is not in the list we don't need any locking
 		 */