Merge pull request #1081 from JackDandy/feature/ChangeMoreSecurity

Change add xsrf protection support to media processing scripts.
2025-01-06 01:53:37 +00:00 · 2018-04-04 16:34:02 +01:00 · 2018-04-04 16:34:02 +01:00 · 80bcee49bc
commit 80bcee49bc
parent cd1adfdcc2 91014078c0
3 changed files with 11 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -32,6 +32,7 @@
 [develop changelog]
 * Change pick up the stragglers late to the more security party
 * Change remove redundant xsrf handling for POSTs that don't use web and API
+* Change add xsrf protection support to media processing scripts


 ### 0.15.4 (2018-04-03 16:10:00 UTC)
--- a/autoProcessTV/SickGear-NG/SickGear-NG.py
+++ b/autoProcessTV/SickGear-NG/SickGear-NG.py
@ -485,7 +485,10 @@ def call_sickgear(nzb_name, dir_name, test=False):
        s = requests.Session()
        if username or password:
            login = '%s%s:%s%s/login' % (protocol, host, port, webroot)
+            r = s.get(login)
            login_params = {'username': username, 'password': password}
+            if 401 == r.status_code and r.cookies.get('_xsrf'):
+                login_params['_xsrf'] = r.cookies.get('_xsrf')
            s.post(login, data=login_params, stream=True, verify=False)
        r = s.get(url, auth=(username, password), params=params, stream=True, verify=False, timeout=900)
    except (StandardError, Exception):
--- a/autoProcessTV/autoProcessTV.py
+++ b/autoProcessTV/autoProcessTV.py
@ -132,7 +132,12 @@ def processEpisode(dir_to_process, org_NZB_name=None, status=None):

    try:
        sess = requests.Session()
-        sess.post(login_url, data={'username': username, 'password': password}, stream=True, verify=False)
+        if username or password:
+            r = sess.get(login_url)
+            login_params = {'username': username, 'password': password}
+            if 401 == r.status_code and r.cookies.get('_xsrf'):
+                login_params['_xsrf'] = r.cookies.get('_xsrf')
+            sess.post(login_url, data=login_params, stream=True, verify=False)
        result = sess.get(url, params=params, stream=True, verify=False)
        if result.status_code == 401:
            print('Verify and use correct username and password in autoProcessTV.cfg')
@ -150,4 +155,4 @@ def processEpisode(dir_to_process, org_NZB_name=None, status=None):
 if __name__ == '__main__':
    print ('This module is supposed to be used as import in other scripts and not run standalone.')
    print ('Use sabToSickBeard instead.')
-    sys.exit(1)
+    sys.exit(1)