uTorrent Bookmarklet, or "Add new torrents from your iPhone"

[danfozzy]

hey man, thanks for bringing to light this little script you made its spot on! ive got it working with the public tracker site but im having problems using the private tracker im a VIP at, torrentleech.org

when clicking on the torrent download link it sends me to the webUI, but there is no sign of the torrent at all, every site ive tried works except this. An example of the download link form torrentleech is:

http://www.torrentleech.org/download.php/91607/\"name_of_torrent_file\".torrent

is there anything that can be done to get this working for this torrent site?

once again thanks for your hard work mate

danfozzy

[Lord Alderaan]

I don't think it will work with private sites because those require cookie info.

You could try using the remote .torrent file handler instead. It downloads the torrent and then sends the .torrent file to µtorrent.

(This bookmarklet simply gives µtorrent the url and µtorrent then tries to download it. This works for public sites but for private sites µtorrent get redirected to the login page and thus fails.)

[kentyman]

You can actually easily extend this bookmarklet for any sites that require cookies. Basically, you need to conditionally add the :COOKIE: method to your URLs, as mentioned here.

Here's what that would look like:

javascript:(function() { var host = "http://<HOST>/gui/"; for (var i = 0; i < document.links.length; i++) { document.links[i].href = "javascript:(function() { var img = document.createElement('img'); img.setAttribute('src', '"+ host + "?action=add-url&s=" + encodeURIComponent(document.links[i].href) + (document.links[i].href.match(/<DOMAIN>/i) ? ":COOKIE:uid=<UID>;pass=<PASS>" : "") + "'); img.setAttribute('style', 'visibility:hidden'); document.body.appendChild(img); setTimeout('window.open(\"" + host + (navigator.userAgent.match(/iP(hone|od)/i) ? "iphone/i.html" : "") + "\", \"_self\");', 4000); })();"; } })();

All I did was add this code in:

+ (document.links[i].href.match(/<DOMAIN>/i) ? ":COOKIE:uid=<UID>;pass=<PASS>" : "")

You can add one of these for each site you frequent. Just fill in the right <DOMAIN>, <UID>, and <PASS>, and you're good to go.

[Lord Alderaan]

Doh! Yes. That should work

I was afraid of suggesting automated solutions because that would open the bookmarklet to accusations of being a XSS hack (which it technically could be but because the expected, intended and actual behavior matches it wouldn't be). And you don't want the people with the target painters running around on the internet to cook up yet another avalanche of FUD.

But having to create an individual bookmark for every private tracker you use and entering the login info manually into the link of each bookmarklet pretty much removes that large flashy 'accuse me' signal.

[jewelisheaven]

Excellent... one query related to the example... URLs don't generally understand "" in them correct?

[Ultima]

(URLs shouldn't have quotes in them at all) Why?

[kentyman]

@Lord Alderaan:

Actually, since each :COOKIE: part is only added if it matches the correct target domain, you don't need a separate bookmarklet for each private tracker. You can add as many conditional concatenations as you like to your one master bookmarklet. For example:

+ (/*matches domain1*/ ? /*cookie1*/ : "") + (/*matches domain2*/ ? /*cookie2*/ : "")

As long as each match condition is mutually exclusive (meaning no domain is a substring of another), then it should all work fine.

@jewelisheaven:

Is your concern that I have quotes in my javascript? I assure you it all works well on Firefox, Internet Explorer, and Mobile Safari. If it's the actual "" in the code that worries you, that just means the empty string.

[danfozzy]

Thanks 4 the help guys just now need to find out wat the domain is, is it just the URL to the private tracker site??

once again, thanks

[Lord Alderaan]

For www.google.com the domain would be google

In firefox you can find out the uid and pass strings by going to Tools -=> Options -=> Privacy -=> Show Cookies -=> search for the domain and look for the cookie with the Cookie Name uid and pass. For each of the two cookies: Select it and copy the stuff from the Content field into your bookmarklet. (no idea how-to in IE)

For example it might look something like this:

+ (document.links[i].href.match(/myprivatetracker/i) ? ":COOKIE:uid=312;pass=834e934b902034a87d9d2b3c87fe4837" : "")

[kentyman]

Exactly! Well actually, I would've used "google.com" instead of "google" just to ensure it's differentiated from "googlesucks.org" or whatnot. Then again, that doesn't differentiate it from "suckitgoogle.com", so maybe there's no point.

Perhaps I should make a little app/site/whatever that lets you fill in your host and port, along with a set of domain/uid/pass combinations and have it spit out a bookmarklet for you?

[Lord Alderaan]

Yeah. But I'm a regex geek and when I read google.com as a match pattern I read google[any character]com and using it would also match on for example www.googlescom.nu but indeed that is even less likely then the suckitgoogle.com.

In any case chances are very slim for either google or google.com to get false positives.

[danfozzy]

thanks guys its working like a charm, thanks for your time and effort!

[kentyman]

Yeah, "google\\.com" would be better, but you're right that at some point there are diminishing returns.

Glad it's working for you, danfozzy!

Edit:

The owner of this website contacted me through email:

http://www.davidraso.com/utorrent-iphone/

He mentioned the following to me:

They are changing the way the webui service works in the next version of utorrent to fix a possible exploit.

In a nut shell they are changing the service (/gui/) to not accept any commands unless it contains a token which you get from the ui before sending the action.

When is this happening. Can someone point me to more details?

[fallenturtle]

So does this not work with uTorrent 1.8?

[Lord Alderaan]

*snip*

[kentyman]

I honestly don't know. Has anyone tried it?

Does anyone have any details on the changes I mentioned in my post above?

[Beeblebear]

Hi. I registered just now, so that I could thank you for this great little Javascript!

It works brilliantly from within my LAN (I haven't tried the webUI from WAN side, yet), but I'm sure it will work fine after a little tweaking to my firewall and NAT.

It works fine on uTorrent 1.8rc6 (with webUI 0.315) and my iPod Touch (2.0 Firmware). I'll go to someware with WiFi access and try it out.

kentyman - The only clue I could find about the changes you mentioned above was in this post: http://forum.utorrent.com/viewtopic.php?id=42218. A couple of the guys from this post were on that thread, but it seems to me that Firon seemed to know a little bit about it, so you might want to consider PM-ing (or emailing).

Thanks.

[Ultima]

The token auth system will indeed break this script, as each URL would require a (periodically changing) token to be included as a GET variable in order for µTorrent to accept the request. The token can't be determined via Javascript, so there wouldn't be any workaround for this script (other than to disable the token auth system entirely).

[Beeblebear]

I was checking my options and saw the setting for it at the very bottom of the advanced settings list. It is set to false (disabled) as default, at the moment: "webui.token_auth" = "false".

This will, no doubt be set to active in the final release.

[Ultima]

No, not necessarily.

[Lord Alderaan]

If the token can't be determined via javascript how can the original webui work

A future system will probably require two requests. One to login and get the token. The second to do the actual request. As such this bookmarklet system is either gona break or be very complicated. Other community efforts might be more easily converted.

If the token system is enabled by default in future builds we'll just have to add something along the lines of "For this gadget to work the webui token system has to be disabled. Warning this will reduce the general security of your webui. You can disable the token system by setting webui.token_auth to false in the µtorrent advanced preferences." to the first post.

[Ultima]

A bit of search/replace magic, as well as access to a particular file (can't remember what file in particular). It won't be made into a separate request (not a separate API request anyway). And yeah, the original webui (v0.310) doesn't work with the token auth -- that's what v0.315 was for.

[kentyman]

OK, so they can either disable webui.token_auth, or I can try to change the bookmarklet to work with it. Where can I read up on how to get it to work with token_auth?

[Firon]

http://trac.utorrent.com/trac/wiki/TokenSystem

[Ultima]

As I said, you can't get the token auth to work with the bookmarklet via Javascript. The point behind the token auth system is to prevent a potential CSRF issue. If a bookmarklet could work around it, then it would be completely useless a system -- any website would be able to continue using the CSRF "exploit" as well ;\

In this case, flexibility is an unfortunate tradeoff for security.