Skip to content

throttle: apply throttle server-side so raw commands need no whitelisting#3079

Merged
xirvik merged 1 commit into
Novik:masterfrom
adenwuts:fix/throttle-plugin-unsafe-commands
Jul 7, 2026
Merged

throttle: apply throttle server-side so raw commands need no whitelisting#3079
xirvik merged 1 commit into
Novik:masterfrom
adenwuts:fix/throttle-plugin-unsafe-commands

Conversation

@adenwuts

@adenwuts adenwuts commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Since raw XMLRPC from the client is now forwarded as untrusted (subject to rtorrent's command whitelist), the throttle plugin's per-torrent apply broke: it built d.stop / d.set_throttle_name / d.start commands in the browser and sent them as raw RPC. Making that work again would mean whitelisting stop/start/throttle-name for all untrusted callers.

Instead, route the action through the plugin's own action.php: the client posts only the throttle value and a hash list, and the new rThrottle::apply() validates each hash (40 hex chars) and issues the commands over the trusted connection

…ting

Since raw XMLRPC from the client is now forwarded as untrusted (subject
to rtorrent's command whitelist), the throttle plugin's per-torrent
apply broke: it built d.stop / d.set_throttle_name / d.start commands
in the browser and sent them as raw RPC. Making that work again would
mean whitelisting stop/start/throttle-name for all untrusted callers.

Instead, route the action through the plugin's own action.php: the
client posts only the throttle value and a hash list, and the new
rThrottle::apply() validates each hash (40 hex chars) and issues the
commands over the trusted connection
@xirvik xirvik merged commit f5cff13 into Novik:master Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants