song_print: hide HTTP password in playlist

Added the uri_remove_auth() library function which strips username and password from a HTTP URI, and use it in song_print_url(). This allows you to add HTTP URIs to the playlist including secret username and password, without disclosing it to all MPD clients.
2009-02-27 19:20:11 +01:00 · 2009-02-27 19:20:11 +01:00 · eae0287466
parent 9dd00dfab7
commit eae0287466
4 changed files with 53 additions and 1 deletions
--- a/1
+++ b/1
@ -2,6 +2,7 @@ ver 0.15 - (200?/??/??)
 * input:
  - parse Icy-Metadata
  - added support for the MMS protocol
+  - hide HTTP password in playlist
 * tags:
  - support the "album artist" tag
  - support MusicBrainz tags
--- a/src/song_print.c
+++ b/src/song_print.c
@ -22,6 +22,7 @@
 #include "directory.h"
 #include "tag_print.h"
 #include "client.h"
+#include "uri.h"

 void
 song_print_url(struct client *client, struct song *song)
@ -30,7 +31,16 @@ song_print_url(struct client *client, struct song *song)
 		client_printf(client, "%s%s/%s\n", SONG_FILE,
 			      directory_get_path(song->parent), song->url);
 	} else {
-		client_printf(client, "%s%s\n", SONG_FILE, song->url);
+		char *allocated;
+		const char *uri;
+
+		uri = allocated = uri_remove_auth(song->url);
+		if (uri == NULL)
+			uri = song->url;
+
+		client_printf(client, "%s%s\n", SONG_FILE, uri);
+
+		g_free(allocated);
 	}
 }

--- a/src/uri.c
+++ b/src/uri.c
@ -35,3 +35,35 @@ uri_get_suffix(const char *uri)

 	return dot != NULL ? dot + 1 : NULL;
 }
+
+char *
+uri_remove_auth(const char *uri)
+{
+	const char *auth, *slash, *at;
+	char *p;
+
+	if (strncmp(uri, "http://", 7) == 0)
+		auth = uri + 7;
+	else if (strncmp(uri, "https://", 8) == 0)
+		auth = uri + 8;
+	else
+		/* unrecognized URI */
+		return NULL;
+
+	slash = strchr(auth, '/');
+	if (slash == NULL)
+		slash = auth + strlen(auth);
+
+	at = memchr(auth, '@', slash - auth);
+	if (at == NULL)
+		/* no auth info present, do nothing */
+		return NULL;
+
+	/* duplicate the full URI and then delete the auth
+	   information */
+	p = g_strdup(uri);
+	memmove(p + (auth - uri), p + (at + 1 - uri),
+		strlen(at));
+
+	return p;
+}
--- a/src/uri.h
+++ b/src/uri.h
@ -30,4 +30,13 @@ bool uri_has_scheme(const char *uri);
 const char *
 uri_get_suffix(const char *uri);

+/**
+ * Removes HTTP username and password from the URI.  This may be
+ * useful for displaying an URI without disclosing secrets.  Returns
+ * NULL if nothing needs to be removed, or if the URI is not
+ * recognized.
+ */
+char *
+uri_remove_auth(const char *uri);
+
 #endif