Changed the storage of the web setup password to use base64 encoded sha1

as suggested by Doug Haber on the mailing list.

mythtv/libs/libmythupnp/htmlserver.cpp

@@ -69,25 +69,7 @@ bool HtmlServerExtension::ProcessRequest( HttpWorkerThread *, HTTPRequest *pRequ
     {
         if ( pRequest->m_sBaseUrl.startsWith("/") == false)
             return( false );
-/*
-        // Temporary until we get authentication enabled
-        if ((pRequest->m_sResourceUrl.startsWith("/setup")) &&
-            (!getenv("MYTHHTMLSETUP")))
-        {
-            QTextStream os(&pRequest->m_response);
-            os << "<html><body><h3>Web-based Setup is currently disabled.</h3>"
-                  "</body></html>";
-
-            pRequest->m_eResponseType = ResponseTypeHTML;
-            pRequest->m_mapRespHeaders[ "Cache-Control" ] =
-                "no-cache=\"Ext\", max-age = 0";
-
-            VERBOSE(VB_IMPORTANT, QString("WARNING: Attempt to access "
-                    "Web-based Setup which is currently disabled. URL: %1")
-                    .arg(pRequest->m_sResourceUrl));
-            return true;
-        }
-*/
+
         QFileInfo oInfo( m_sAbsoluteSharePath + pRequest->m_sResourceUrl );
 
         if (oInfo.isDir())
@@ -123,7 +105,6 @@ bool HtmlServerExtension::ProcessRequest( HttpWorkerThread *, HTTPRequest *pRequ
 
                     if (oInfo.suffix().compare( "qsp", Qt::CaseInsensitive ) == 0)
                     {
-
                         pRequest->m_eResponseType = ResponseTypeHTML;
 
                         QTextStream stream( &pRequest->m_response );

mythtv/libs/libmythupnp/httprequest.cpp

@@ -27,6 +27,7 @@
 #include <QFileInfo>
 #include <QTextCodec>
 #include <QStringList>
+#include <QCryptographicHash>
 
 #include "mythconfig.h"
 #if !( CONFIG_DARWIN || CONFIG_CYGWIN || defined(__FreeBSD__) || defined(USING_MINGW))
@@ -1484,9 +1485,16 @@ bool HTTPRequest::Authenticated()
     if (oList[0].compare( sUserName, Qt::CaseInsensitive ) != 0)
         return false;
 
-    QString sPassword = UPnp::g_pConfig->GetValue( "HTTP/Protected/Password", "mythtv" );
+    QString sPassword = UPnp::g_pConfig->GetValue( "HTTP/Protected/Password", 
+                                 /* mythtv */ "8hDRxR1+E/n3/s3YUOhF+lUw7n4=" );
 
-    if (oList[1] != sPassword )
+    QCryptographicHash crypto( QCryptographicHash::Sha1 );
+
+    crypto.addData( oList[1].toUtf8() );
+
+    QString sPasswordHash( crypto.result().toBase64() );
+
+    if (sPasswordHash != sPassword )
         return false;
 
     return true;

mythtv/programs/mythbackend/services/myth.cpp

@@ -22,6 +22,7 @@
 #include "myth.h"
 
 #include <QDir>
+#include <QCryptographicHash>
 
 #include "mythcorecontext.h"
 #include "storagegroup.h"
@@ -497,14 +498,22 @@ bool Myth::ChangePassword( const QString   &sUserName,
                          "password for '%1'." ).arg(sUserName) );
     }
 
-    if (sOldPassword !=
-        gCoreContext->GetSetting( "HTTP/Protected/Password", ""))
+    QCryptographicHash crypto( QCryptographicHash::Sha1 );
+
+    crypto.addData( sOldPassword.toUtf8() );
+
+    QString sPasswordHash( crypto.result().toBase64() );
+
+    if ( sPasswordHash != gCoreContext->GetSetting( "HTTP/Protected/Password", ""))
     {
         throw ( QString( "Incorrect Old Password supplied when trying to "
                          "change password for '%1'." ).arg(sUserName) );
     }
 
-    if (gCoreContext->SaveSettingOnHost( "HTTP/Protected/Password", sNewPassword,
+    crypto.reset();
+    crypto.addData( sNewPassword.toUtf8() );
+
+    if (gCoreContext->SaveSettingOnHost( "HTTP/Protected/Password", crypto.result().toBase64(),
                                     QString() ) )
     {
         gCoreContext->ClearSettingsCache();