Version: (using KDE Devel)
Installed from: Compiled sources

Hi all,

In the upcoming G2.2, we are introducing a security mechanism to protect against cross-site scripting attacks that will probably require that you update your clients. Basically, each request made through the Gallery protocol will return an additional property: auth_token. You will need to send the auth_token received in the previous response when you make your next request, as the URL parameter g2_authToken. Commands such as login and no-op do not require an auth_token.

You'll find a bit more detail at the brand-new documentation page for the protocol: <http://codex.gallery2.org/index.php/Gallery_Remote:Protocol>

The change has not yet been committed to SVN, but it will be shortly.

Pierre, author of Gallery Remote
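The token round-trip described in the post, as an added example in Python that is not code from Gallery, Gallery Remote or the kipi plugin: a stand-in server issues a per-session auth_token at login and rejects every non-exempt request that does not echo it back as g2_authToken, and a client parses the key=value response lines and re-sends the latest token it has seen. The session_id line, the status codes 401 and 403, the fetch-albums payload and the cookie handling are assumptions made for this example. The last two steps show why the token matters: a forged request that rides the victim's session cookie but cannot read the token is refused, which is the cross-site request forgery case such a token defends against.

```python
"""Simulated Gallery Remote auth_token round-trip (constructed example).

Not Gallery or kipi-plugins code. Models the rule in the post: every
response carries auth_token, later requests echo it as g2_authToken,
and login / no-op are exempt. Status codes 401/403, the session_id line
and the fetch-albums payload are assumptions for this example.
"""
import secrets

STATUS_OK = 0
STATUS_LOGIN_REQUIRED = 401   # assumed code for this example
STATUS_BAD_TOKEN = 403        # assumed code for this example

# Commands the post says may be sent without a token.
TOKEN_EXEMPT = {"login", "no-op"}


class GalleryServer:
    """Stand-in for the remote:GalleryRemote controller (constructed)."""

    def __init__(self):
        self.sessions = {}  # session cookie -> auth_token bound to it

    def handle(self, cookie, params):
        """Take the session cookie and request params, return response lines."""
        cmd = params.get("g2_form[cmd]")
        if cmd == "login":
            # A fresh session gets a fresh unguessable token bound to it, so a
            # forged request that only rides the cookie still has to know it.
            cookie = secrets.token_hex(8)
            token = secrets.token_urlsafe(16)
            self.sessions[cookie] = token
            return [f"session_id={cookie}", f"status={STATUS_OK}",
                    f"auth_token={token}"]

        token = self.sessions.get(cookie)
        if token is None:
            return [f"status={STATUS_LOGIN_REQUIRED}"]

        presented = params.get("g2_authToken", "")
        if cmd not in TOKEN_EXEMPT and not secrets.compare_digest(presented, token):
            return [f"status={STATUS_BAD_TOKEN}"]

        lines = [f"status={STATUS_OK}", f"auth_token={token}"]
        if cmd == "fetch-albums":
            lines.append("album_count=2")  # constructed payload
        return lines


def parse_response(lines):
    """Parse key=value lines, splitting on the first '=' only so a token
    that itself contains '=' is kept whole. Returns (status, token)."""
    status, token = None, None
    for line in lines:
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "status":
            status = int(value)
        elif key == "auth_token":
            token = value
    return status, token


class GalleryClient:
    """Client that always echoes the most recently received token."""

    def __init__(self, server):
        self.server = server
        self.session = None
        self.auth_token = ""

    def request(self, cmd, **form):
        params = {"g2_controller": "remote:GalleryRemote", "g2_form[cmd]": cmd}
        params.update({f"g2_form[{k}]": v for k, v in form.items()})
        if self.auth_token:
            params["g2_authToken"] = self.auth_token
        lines = self.server.handle(self.session, params)
        for line in lines:  # session_id is specific to this simulation
            if line.startswith("session_id="):
                self.session = line.split("=", 1)[1]
        status, token = parse_response(lines)
        if token is not None:
            # Take the token from every response instead of assuming it is
            # fixed at login; this keeps working if the server rotates it.
            self.auth_token = token
        return status


def run_exchange():
    """Walk through the exchange and return the status of each step."""
    server = GalleryServer()
    client = GalleryClient(server)
    results = {}
    results["before_login"] = client.request("fetch-albums")
    results["login"] = client.request("login", uname="alice", password="secret")
    results["fetch_albums"] = client.request("fetch-albums")
    results["no_op"] = client.request("no-op")
    results["client_has_token"] = bool(client.auth_token)

    # Cross-site forgery: the victim's browser attaches the session cookie,
    # but the attacker's page never saw the token, so it cannot send it
    # (and cannot read this response either).
    forged = {"g2_controller": "remote:GalleryRemote",
              "g2_form[cmd]": "fetch-albums"}
    results["forged_fetch"], _ = parse_response(server.handle(client.session, forged))
    forged_noop = dict(forged, **{"g2_form[cmd]": "no-op"})
    results["forged_no_op"], _ = parse_response(server.handle(client.session, forged_noop))
    return results


if __name__ == "__main__":
    for step, status in run_exchange().items():
        print(f"{step}: {status}")
```

The client deliberately refreshes its token from every response rather than caching the one returned at login, so it behaves correctly whether the server keeps one token per session or rotates it per response; the exempt no-op still answers a forged request, but only with a status line the cross-site attacker cannot read.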
Thanks for the heads-up on this, Pierre. I'll look into ensuring that this plugin supports this additional change.
SVN commit 619005 by cguthrie: Implement new security feature required by upcoming Gallery v2.2. This is as yet untested but I have tested with Gallery v2.1 to ensure no regressions. Hopefully when Gallery v2.2 is released this will Just Work(tm), if not, then I will have to patch it accordingly. I have assumed as per the spec doc suggests that the auth token will not change since login. BUG: 137582 M +7 -3 TODO M +3 -0 gallerympform.cpp M +11 -4 gallerytalker.cpp M +4 -1 gallerytalker.h --- trunk/extragear/libs/kipi-plugins/galleryexport/TODO #619004:619005 @@ -1,9 +1,13 @@ Somewhat immediate implementation needed: -* return more sensible error strings -* implement logging to backtrace problems +* Implement *.ui files for all dialogs that don't want to be kdialog[base] based +* Return more sensible error strings +* Implement logging to backtrace problems +* Abstract the communications layer 100% +* Rename to websync +* Add support for other web backends For the lazy times: -* polish the html code used to render the thumbnails, better +* Polish the html code used to render the thumbnails, better fonts sizes and layout --- trunk/extragear/libs/kipi-plugins/galleryexport/gallerympform.cpp #619004:619005 @@ -45,6 +45,9 @@ if (GalleryTalker::isGallery2()) { addPairRaw("g2_controller", "remote:GalleryRemote"); + QString auth_token = GalleryTalker::getAuthToken(); + if (!auth_token.isEmpty()) + addPairRaw("g2_authToken", auth_token); } } --- trunk/extragear/libs/kipi-plugins/galleryexport/gallerytalker.cpp #619004:619005 @@ -54,6 +54,7 @@ } bool GalleryTalker::s_using_gallery2 = true; +QString GalleryTalker::s_authToken = ""; bool GalleryTalker::loggedIn() const { @@ -329,6 +330,8 @@ QString line; bool foundResponse = false; + m_loggedIn = false; + while (!ts.atEnd()) { line = ts.readLine(); 
@@ -342,10 +345,14 @@ QStringList strlist = QStringList::split("=", line); if (strlist.count() == 2) { - m_loggedIn = (strlist[0] == "status") && - (strlist[1] == "0"); - if (m_loggedIn) - break; + if (("status" == strlist[0]) && ("0" == strlist[1])) + { + m_loggedIn = true; + } + else if (strlist[0] == "auth_token") + { + s_authToken = strlist[1]; + } } } } --- trunk/extragear/libs/kipi-plugins/galleryexport/gallerytalker.h #619004:619005 @@ -55,6 +55,8 @@ static void setGallery2(bool usegallery2) {s_using_gallery2 = usegallery2;}; static bool isGallery2() {return s_using_gallery2;}; + + static QString getAuthToken() {return s_authToken;}; bool loggedIn() const; @@ -83,7 +85,8 @@ bool m_loggedIn; QByteArray m_buffer; - static bool s_using_gallery2; + static bool s_using_gallery2; + static QString s_authToken; private:
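Review bot: the response parser in the gallerytalker.cpp hunk at @@ -342,10 +345,14 @@ still relies on `QStringList::split("=", line)` and `strlist.count() == 2`, so a line whose value contains '=' (an auth_token with base64-style padding, for instance) is silently skipped and the stale `s_authToken` keeps being sent; splitting on the first '=' only, e.g. `line.section('=', 0, 0)` for the key and `line.section('=', 1)` for the value, avoids that. Worth a comment too that `m_loggedIn = false;` before the loop and the removed `break` are what make the whole response get scanned, since the old code stopped at the first `status=0` and would never have reached the `auth_token` line.

Review bot: `s_authToken` is introduced as a static in the gallerytalker.h and gallerytalker.cpp hunks, so the token is process-wide rather than per `GalleryTalker` instance and there is no way to clear it: two talkers pointed at different galleries in the same process would overwrite each other's token, and a logout or re-login leaves the old value in place until a new response happens to carry one. Making it a member next to `m_loggedIn` (or at least resetting it when a login request is issued) would match how the token is actually scoped on the server side.

Review bot: in the gallerympform.cpp hunk the token goes through `addPairRaw("g2_authToken", auth_token)`; if "Raw" means the value is emitted without URL-encoding, as the name suggests, then a server-supplied token containing '+', '/' or '=' would be corrupted on the wire, so either document that only URL-safe tokens are expected or use the escaping path the other form values take.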