author | Ed Tanous <ed@tanous.net> | 2020-07-21 18:46:25 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2021-12-20 04:00:35 +0300 |
commit | af4edf686e684d728fccbb69a8f550fd2adab46a (patch) | |
tree | 1c97b4f7b75a310105ab7ba86fdbf100117c3782 /include/login_routes.hpp | |
parent | 47c9e106e0057dd70133d50e928e48cbc68e709a (diff) | |
download | bmcweb-af4edf686e684d728fccbb69a8f550fd2adab46a.tar.xz |
Implement MIME parsing
This commit adds two core features to bmcweb:
1. A multipart mime parser that can read multipart form requests into
bmcweb. This is implemented as a generic parser that identifies the
content-type strings and parses them into structures.
2. A /login route that can be logged into with a multipart form. This
is to allow changing the login screen to a purely forms based
implementation, thus removing the very large whitelist we currently have
to maintain, and removing javascript from our threat envelope.
More testing is still needed, as this is a parser that exists outside of
the secured areas, but in this simple example, it seems to work well.
Tested: curl -vvvvv --insecure -X POST -F 'username=root' -F
'password=0penBmc' https://<bmc ip address>:18080/login
Returned; { "data": "User 'root' logged in", "message": "200 OK",
"status": "ok" }
Change-Id: Icc3f4c082d584170b65b9e82f7876926cd38035d
Signed-off-by: Ed Tanous<ed@tanous.net>
Signed-off-by: George Liu <liuxiwei@inspur.com>
Diffstat (limited to 'include/login_routes.hpp')
-rw-r--r-- | include/login_routes.hpp | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index 881035619a..858968bfd9 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -1,5 +1,7 @@
 #pragma once
+#include "multipart_parser.hpp"
+
 #include <app.hpp>
 #include <boost/container/flat_set.hpp>
 #include <common.hpp>
@@ -121,6 +123,50 @@ inline void requestRoutes(App& app)
 }
 }
 }
+ else if (boost::starts_with(contentType, "multipart/form-data"))
+ {
+ looksLikePhosphorRest = true;
+ MultipartParser parser;
+ ParserError ec = parser.parse(req);
+ if (ec != ParserError::PARSER_SUCCESS)
+ {
+ // handle error
+ BMCWEB_LOG_ERROR << "MIME parse failed, ec : "
+ << static_cast<int>(ec);
+ asyncResp->res.result(
+ boost::beast::http::status::bad_request);
+ return;
+ }
+
+ for (const FormPart& formpart : parser.mime_fields)
+ {
+ boost::beast::http::fields::const_iterator it =
+ formpart.fields.find("Content-Disposition");
+ if (it == formpart.fields.end())
+ {
+ BMCWEB_LOG_ERROR << "Couldn't find Content-Disposition";
+ asyncResp->res.result(
+ boost::beast::http::status::bad_request);
+ continue;
+ }
+
+ BMCWEB_LOG_INFO << "Parsing value " << it->value();
+
+ if (it->value() == "form-data; name=\"username\"")
+ {
+ username = formpart.content;
+ }
+ else if (it->value() == "form-data; name=\"password\"")
+ {
+ password = formpart.content;
+ }
+ else
+ {
+ BMCWEB_LOG_INFO << "Extra format, ignore it."
+ << it->value();
+ }
+ }
+ }
 else
 {
 // check if auth was provided as a headers |
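Review bot: In the `for` loop over `parser.mime_fields`, a part with no `Content-Disposition` sets the response to 400 and then runs `continue;`, so the remaining parts are still read and control falls through past the `if`/`else` chain with whatever `username`/`password` were collected. The code after the chain is outside this hunk, but if it authenticates and writes the response, the 400 can be overwritten and a malformed unauthenticated request is handled as an ordinary login attempt; `return;` at that point would match the parse-failure branch just above it. Separately, both `BMCWEB_LOG_INFO` statements write the client-supplied header value into the log before authentication, so it would be safer to log only that an unexpected part was seen, or to bound and escape the value first. The enclosing block inside `requestRoutes` starts and ends outside the hunk.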