mirror of
https://github.com/StuffAnThings/qbit_manage.git
synced 2025-10-21 19:27:27 +08:00
- Require reauthentication to update security settings via API (API key or username/password; accepted in body or headers)
- Add current_username/current_password/current_api_key to request model for secure updates
- Mitigate timing attacks in Basic auth by verifying password using a dummy hash when username mismatches; improve failure logging
- Enforce restrictive permissions (0600) on qbm_settings.yml during load/save; warn and attempt automatic correction if permissive
- Lock down CORS defaults: no origins allowed, credentials disabled, explicit methods/headers only
- Prevent path traversal on config filenames via strict validation and resolve checks
- Automatically redact secrets in logs by registering sensitive fields (passwords, tokens, keys)
- Redact password_hash and api_key in security settings responses
- Audit log security setting changes and reload middleware on save

BREAKING CHANGE: CORS is now denied by default (no allowed origins, credentials disabled). Cross-origin clients must be explicitly allowed. Updating security settings now requires current credentials (API key or username/password).
Files:

- core/
- __init__.py
- apprise.py
- auth.py
- config.py
- logs.py
- notifiarr.py
- qbit_error_handler.py
- qbittorrent.py
- scheduler.py
- torrent_hash_generator.py
- util.py
- web_api.py
- webhooks.py