From af1b16b954d3ff05d57fae3dd0982ab6a4507f91 Mon Sep 17 00:00:00 2001
From: Sophist
Date: Mon, 23 Sep 2013 19:06:02 +0100
Subject: [PATCH 1/3] Use SSL for personal data

Currently only user name/password is encrypted using HTTP basic encryption, but user's personal data (e.g. collections) is not encrypted. It is now generally accepted that all personal data should be encrypted, and this fix applies encryption to any mblogin network requests (which implies personal data is being loaded / saved).
---
 NEWS.txt | 1 +
 picard/webservice.py | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/NEWS.txt b/NEWS.txt
index db0a829c4..3569df032 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -11,6 +11,7 @@
 * Fix Options / File naming examples to handle primary/secondary release types (PICARD-516)
 * A new advanced option is available to permanently set the starting directory for the file browser and "Add files/folder" buttons.
+ * Requests to Musicbrainz against your own account e.g. for collections are now handled through SSL (PICARD-337)
 Version 1.2 - 2013-03-30
 * Picard now requires at least Python 2.6
diff --git a/picard/webservice.py b/picard/webservice.py
index 151f3c163..94c15a2f7 100644
--- a/picard/webservice.py
+++ b/picard/webservice.py
@@ -169,8 +169,14 @@ class XmlWebService(QtCore.QObject):
 def _start_request(self, method, host, port, path, data, handler, xml, mblogin=False, cacheloadcontrol=None):
- log.debug("%s http://%s:%d%s", method, host, port, path)
- url = QUrl.fromEncoded("http://%s:%d%s" % (host, port, path))
+ if mblogin and host=='musicbrainz.org' and port==80:
+ # mblogin implies call to musicbrainz which supports SSL so switch port to 443 for actual call
+ ssl = "s"
+ port = 443
+ else:
+ ssl = ""
+ log.debug("%s http%s://%s:%d%s", method, ssl, host, port, path)
+ url = QUrl.fromEncoded("http%s://%s:%d%s" % (ssl, host, port, path))
 if mblogin:
 url.setUserName(config.setting["username"])
 url.setPassword(config.setting["password"])
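Review bot: In the `picard/webservice.py` hunk the `else:` branch still builds an `http://` URL, and the unchanged `if mblogin:` block after it sets `config.setting["username"]` and `config.setting["password"]` on that URL as well, so an mblogin request to any other host, or to musicbrainz.org on a port other than 80, keeps sending account data over unencrypted HTTP. The revised versions of this condition in PATCH 2/3 and PATCH 3/3 keep the same fallback. If that is deliberate for self-hosted servers, say so where the decision is made, e.g. `# NOTE: mblogin requests to other hosts/ports are not upgraded and still go over plain HTTP`; the stricter alternative is to attach the credentials only when the URL scheme is https. `_start_request` continues past the end of the hunk, so how the request is finally issued is not visible here.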
From 5e1ab48349b65a12087c38171efd50a427c8c76b Mon Sep 17 00:00:00 2001
From: Sophist
Date: Tue, 24 Sep 2013 08:17:24 +0100
Subject: [PATCH 2/3] Address bitmap review comment 1

This is definitely nicer code.
---
 picard/webservice.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/picard/webservice.py b/picard/webservice.py
index 94c15a2f7..1a20a9a01 100644
--- a/picard/webservice.py
+++ b/picard/webservice.py
@@ -170,13 +170,11 @@ class XmlWebService(QtCore.QObject):
 def _start_request(self, method, host, port, path, data, handler, xml, mblogin=False, cacheloadcontrol=None):
 if mblogin and host=='musicbrainz.org' and port==80:
- # mblogin implies call to musicbrainz which supports SSL so switch port to 443 for actual call
- ssl = "s"
- port = 443
+ urlstring = "https://%s%s" % (host, path)
 else:
- ssl = ""
- log.debug("%s http%s://%s:%d%s", method, ssl, host, port, path)
- url = QUrl.fromEncoded("http%s://%s:%d%s" % (ssl, host, port, path))
+ urlstring = "http://%s:%d%s" % (host, port, path)
+ log.debug("%s %s", method, urlstring)
+ url = QUrl.fromEncoded(urlstring)
 if mblogin:
 url.setUserName(config.setting["username"])
 url.setPassword(config.setting["password"])
From a5d8317101fdae9d186ac59dcfce6555141503ee Mon Sep 17 00:00:00 2001
From: Sophist
Date: Tue, 24 Sep 2013 10:07:07 +0100
Subject: [PATCH 3/3] Address bitmap comments

Add MUSICBRAINZ_SERVERS constant and use this in options/general and to decide SSL for mblogin webservice.
---
 picard/const.py | 6 ++++++
 picard/ui/options/general.py | 8 +++-----
 picard/webservice.py | 5 +++--
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/picard/const.py b/picard/const.py
index bcf9527da..63bdb2ae2 100644
--- a/picard/const.py
+++ b/picard/const.py
@@ -861,3 +861,9 @@ ALIAS_LOCALES = {
 u'zu': 'Zulu',
 u'zu_ZA': 'Zulu (South Africa)',
 }
+
+# List of official musicbrainz servers - must support SSL for mblogin requests (such as collections).
+MUSICBRAINZ_SERVERS = [
+ 'musicbrainz.org',
+ 'beta.musicbrainz.org',
+]
diff --git a/picard/ui/options/general.py b/picard/ui/options/general.py
index 0f8d82797..18ba43557 100644
--- a/picard/ui/options/general.py
+++ b/picard/ui/options/general.py
@@ -21,6 +21,7 @@ from picard import config
 from picard.ui.options import OptionsPage, register_options_page
 from picard.ui.ui_options_general import Ui_GeneralOptionsPage
 from picard.util import rot13
+from picard.const import MUSICBRAINZ_SERVERS
 class GeneralOptionsPage(OptionsPage):
@@ -32,7 +33,7 @@ class GeneralOptionsPage(OptionsPage):
 ACTIVE = True
 options = [
- config.TextOption("setting", "server_host", "musicbrainz.org"),
+ config.TextOption("setting", "server_host", MUSICBRAINZ_SERVERS[0]),
 config.IntOption("setting", "server_port", 80),
 config.TextOption("setting", "username", ""),
 config.PasswordOption("setting", "password", ""),
@@ -44,10 +45,7 @@ class GeneralOptionsPage(OptionsPage):
 super(GeneralOptionsPage, self).__init__(parent)
 self.ui = Ui_GeneralOptionsPage()
 self.ui.setupUi(self)
- mirror_servers = [
- "musicbrainz.org",
- ]
- self.ui.server_host.addItems(sorted(mirror_servers))
+ self.ui.server_host.addItems(MUSICBRAINZ_SERVERS)
 def load(self):
 self.ui.server_host.setEditText(config.setting["server_host"])
diff --git a/picard/webservice.py b/picard/webservice.py
index 1a20a9a01..64cf405b9 100644
--- a/picard/webservice.py
+++ b/picard/webservice.py
@@ -37,7 +37,8 @@ from picard.const import (ACOUSTID_KEY,
 ACOUSTID_HOST,
 ACOUSTID_PORT,
 CAA_HOST,
- CAA_PORT)
+ CAA_PORT,
+ MUSICBRAINZ_SERVERS)
 REQUEST_DELAY = defaultdict(lambda: 1000)
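Review bot: The comment added above `MUSICBRAINZ_SERVERS` in the `picard/const.py` hunk does not say that the list now doubles as the allowlist `_start_request` consults to decide which hosts get HTTPS for mblogin requests. That matters for maintenance: a host added here without working TLS would break authenticated requests, and a host left out stays on plain HTTP. I would extend the comment with `# Used by XmlWebService._start_request: only hosts listed here have mblogin requests upgraded to HTTPS.`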
@@ -169,7 +170,7 @@ class XmlWebService(QtCore.QObject):
 def _start_request(self, method, host, port, path, data, handler, xml, mblogin=False, cacheloadcontrol=None):
- if mblogin and host=='musicbrainz.org' and port==80:
+ if mblogin and host in MUSICBRAINZ_SERVERS and port==80:
 urlstring = "https://%s%s" % (host, path)
 else:
 urlstring = "http://%s:%d%s" % (host, port, path)
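Review bot: `host in MUSICBRAINZ_SERVERS` is an exact, case-sensitive string match, so a configured host written as `MusicBrainz.org` (constructed example) falls through to the `http://` branch without any indication. The options page appears to accept free text for the host (`setEditText` in the `general.py` hunk), so normalising before the lookup is worthwhile: `if mblogin and host.lower() in MUSICBRAINZ_SERVERS and port==80:`, assuming `host` is a plain Python string at this point. `_start_request` starts above and continues below the hunk.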