danfozzy Posted May 25, 2008 Report Share Posted May 25, 2008 hey man, thanks for bringing to light this little script you made its spot on! ive got it working with the public tracker site but im having problems using the private tracker im a VIP at, torrentleech.orgwhen clicking on the torrent download link it sends me to the webUI, but there is no sign of the torrent at all, every site ive tried works except this. An example of the download link form torrentleech is:http://www.torrentleech.org/download.php/91607/\"name_of_torrent_file\".torrentis there anything that can be done to get this working for this torrent site?once again thanks for your hard work matedanfozzy Link to comment Share on other sites More sharing options...
Lord Alderaan Posted May 25, 2008 Report Share Posted May 25, 2008 I don't think it will work with private sites because those require cookie info.You could try using the remote .torrent file handler instead. It downloads the torrent and then sends the .torrent file to µtorrent.(This bookmarklet simply gives µtorrent the url and µtorrent then tries to download it. This works for public sites but for private sites µtorrent get redirected to the login page and thus fails.) Link to comment Share on other sites More sharing options...
kentyman Posted May 27, 2008 Author Report Share Posted May 27, 2008 You can actually easily extend this bookmarklet for any sites that require cookies. Basically, you need to conditionally add the :COOKIE: method to your URLs, as mentioned here.Here's what that would look like:javascript:(function() { var host = "http://<HOST>/gui/"; for (var i = 0; i < document.links.length; i++) { document.links[i].href = "javascript:(function() { var img = document.createElement('img'); img.setAttribute('src', '"+ host + "?action=add-url&s=" + encodeURIComponent(document.links[i].href) + (document.links[i].href.match(/<DOMAIN>/i) ? ":COOKIE:uid=<UID>;pass=<PASS>" : "") + "'); img.setAttribute('style', 'visibility:hidden'); document.body.appendChild(img); setTimeout('window.open(\"" + host + (navigator.userAgent.match(/iP(hone|od)/i) ? "iphone/i.html" : "") + "\", \"_self\");', 4000); })();"; } })();All I did was add this code in:+ (document.links[i].href.match(/<DOMAIN>/i) ? ":COOKIE:uid=<UID>;pass=<PASS>" : "")You can add one of these for each site you frequent. Just fill in the right <DOMAIN>, <UID>, and <PASS>, and you're good to go. Link to comment Share on other sites More sharing options...
Lord Alderaan Posted May 27, 2008 Report Share Posted May 27, 2008 Doh! Yes. That should work I was afraid of suggesting automated solutions because that would open the bookmarklet to accusations of being a XSS hack (which it technically could be but because the expected, intended and actual behavior matches it wouldn't be). And you don't want the people with the target painters running around on the internet to cook up yet another avalanche of FUD. But having to create an individual bookmark for every private tracker you use and entering the login info manually into the link of each bookmarklet pretty much removes that large flashy 'accuse me' signal. Link to comment Share on other sites More sharing options...
jewelisheaven Posted May 27, 2008 Report Share Posted May 27, 2008 Excellent... one query related to the example... URLs don't generally understand "" in them correct? Link to comment Share on other sites More sharing options...
Ultima Posted May 27, 2008 Report Share Posted May 27, 2008 (URLs shouldn't have quotes in them at all) Why? Link to comment Share on other sites More sharing options...
kentyman Posted May 27, 2008 Author Report Share Posted May 27, 2008 @Lord Alderaan:Actually, since each :COOKIE: part is only added if it matches the correct target domain, you don't need a separate bookmarklet for each private tracker. You can add as many conditional concatenations as you like to your one master bookmarklet. For example:+ (/*matches domain1*/ ? /*cookie1*/ : "") + (/*matches domain2*/ ? /*cookie2*/ : "")As long as each match condition is mutually exclusive (meaning no domain is a substring of another), then it should all work fine.@jewelisheaven:Is your concern that I have quotes in my javascript? I assure you it all works well on Firefox, Internet Explorer, and Mobile Safari. If it's the actual "" in the code that worries you, that just means the empty string. Link to comment Share on other sites More sharing options...
danfozzy Posted May 28, 2008 Report Share Posted May 28, 2008 Thanks 4 the help guys just now need to find out wat the domain is, is it just the URL to the private tracker site??once again, thanks Link to comment Share on other sites More sharing options...
Lord Alderaan Posted May 28, 2008 Report Share Posted May 28, 2008 For www.google.com the domain would be googleIn firefox you can find out the uid and pass strings by going to Tools -=> Options -=> Privacy -=> Show Cookies -=> search for the domain and look for the cookie with the Cookie Name uid and pass. For each of the two cookies: Select it and copy the stuff from the Content field into your bookmarklet. (no idea how-to in IE)For example it might look something like this:+ (document.links[i].href.match(/myprivatetracker/i) ? ":COOKIE:uid=312;pass=834e934b902034a87d9d2b3c87fe4837" : "") Link to comment Share on other sites More sharing options...
kentyman Posted May 28, 2008 Author Report Share Posted May 28, 2008 Exactly! Well actually, I would've used "google.com" instead of "google" just to ensure it's differentiated from "googlesucks.org" or whatnot. Then again, that doesn't differentiate it from "suckitgoogle.com", so maybe there's no point. Perhaps I should make a little app/site/whatever that lets you fill in your host and port, along with a set of domain/uid/pass combinations and have it spit out a bookmarklet for you? Link to comment Share on other sites More sharing options...
Lord Alderaan Posted May 29, 2008 Report Share Posted May 29, 2008 Yeah. But I'm a regex geek and when I read google.com as a match pattern I read google[any character]com and using it would also match on for example www.googlescom.nu but indeed that is even less likely then the suckitgoogle.com.In any case chances are very slim for either google or google.com to get false positives. Link to comment Share on other sites More sharing options...
danfozzy Posted May 29, 2008 Report Share Posted May 29, 2008 thanks guys its working like a charm, thanks for your time and effort! Link to comment Share on other sites More sharing options...
kentyman Posted May 29, 2008 Author Report Share Posted May 29, 2008 Yeah, "google\\.com" would be better, but you're right that at some point there are diminishing returns.Glad it's working for you, danfozzy!Edit:The owner of this website contacted me through email:http://www.davidraso.com/utorrent-iphone/He mentioned the following to me:They are changing the way the webui service works in the next version of utorrent to fix a possible exploit.In a nut shell they are changing the service (/gui/) to not accept any commands unless it contains a token which you get from the ui before sending the action.When is this happening. Can someone point me to more details? Link to comment Share on other sites More sharing options...
fallenturtle Posted August 1, 2008 Report Share Posted August 1, 2008 So does this not work with uTorrent 1.8? Link to comment Share on other sites More sharing options...
Lord Alderaan Posted August 1, 2008 Report Share Posted August 1, 2008 *snip* Link to comment Share on other sites More sharing options...
kentyman Posted August 1, 2008 Author Report Share Posted August 1, 2008 I honestly don't know. Has anyone tried it?Does anyone have any details on the changes I mentioned in my post above? Link to comment Share on other sites More sharing options...
Beeblebear Posted August 5, 2008 Report Share Posted August 5, 2008 Hi. I registered just now, so that I could thank you for this great little Javascript!It works brilliantly from within my LAN (I haven't tried the webUI from WAN side, yet), but I'm sure it will work fine after a little tweaking to my firewall and NAT.It works fine on uTorrent 1.8rc6 (with webUI 0.315) and my iPod Touch (2.0 Firmware). I'll go to someware with WiFi access and try it out.kentyman - The only clue I could find about the changes you mentioned above was in this post: http://forum.utorrent.com/viewtopic.php?id=42218. A couple of the guys from this post were on that thread, but it seems to me that Firon seemed to know a little bit about it, so you might want to consider PM-ing (or emailing).Thanks. Link to comment Share on other sites More sharing options...
Ultima Posted August 5, 2008 Report Share Posted August 5, 2008 The token auth system will indeed break this script, as each URL would require a (periodically changing) token to be included as a GET variable in order for µTorrent to accept the request. The token can't be determined via Javascript, so there wouldn't be any workaround for this script (other than to disable the token auth system entirely). Link to comment Share on other sites More sharing options...
Beeblebear Posted August 5, 2008 Report Share Posted August 5, 2008 I was checking my options and saw the setting for it at the very bottom of the advanced settings list. It is set to false (disabled) as default, at the moment: "webui.token_auth" = "false".This will, no doubt be set to active in the final release. Link to comment Share on other sites More sharing options...
Ultima Posted August 5, 2008 Report Share Posted August 5, 2008 No, not necessarily. Link to comment Share on other sites More sharing options...
Lord Alderaan Posted August 5, 2008 Report Share Posted August 5, 2008 If the token can't be determined via javascript how can the original webui work A future system will probably require two requests. One to login and get the token. The second to do the actual request. As such this bookmarklet system is either gona break or be very complicated. Other community efforts might be more easily converted.If the token system is enabled by default in future builds we'll just have to add something along the lines of "For this gadget to work the webui token system has to be disabled. Warning this will reduce the general security of your webui. You can disable the token system by setting webui.token_auth to false in the µtorrent advanced preferences." to the first post. Link to comment Share on other sites More sharing options...
Ultima Posted August 5, 2008 Report Share Posted August 5, 2008 A bit of search/replace magic, as well as access to a particular file (can't remember what file in particular). It won't be made into a separate request (not a separate API request anyway). And yeah, the original webui (v0.310) doesn't work with the token auth -- that's what v0.315 was for. Link to comment Share on other sites More sharing options...
kentyman Posted August 7, 2008 Author Report Share Posted August 7, 2008 OK, so they can either disable webui.token_auth, or I can try to change the bookmarklet to work with it. Where can I read up on how to get it to work with token_auth? Link to comment Share on other sites More sharing options...
Firon Posted August 7, 2008 Report Share Posted August 7, 2008 http://trac.utorrent.com/trac/wiki/TokenSystem Link to comment Share on other sites More sharing options...
Ultima Posted August 7, 2008 Report Share Posted August 7, 2008 As I said, you can't get the token auth to work with the bookmarklet via Javascript. The point behind the token auth system is to prevent a potential CSRF issue. If a bookmarklet could work around it, then it would be completely useless a system -- any website would be able to continue using the CSRF "exploit" as well ;\In this case, flexibility is an unfortunate tradeoff for security. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.