From 6e776d638330a588b938585172b6d6721e2e7e1a Mon Sep 17 00:00:00 2001
From: amcmanu3
Date: Sun, 28 Jan 2024 12:15:00 -0500
Subject: [PATCH 1/4] Allow http to be disabled by config.json

---
 app/classes/web/tornado_handler.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/classes/web/tornado_handler.py b/app/classes/web/tornado_handler.py
index f5501d31..82ae081c 100644
--- a/app/classes/web/tornado_handler.py
+++ b/app/classes/web/tornado_handler.py
@@ -112,7 +112,7 @@ class Webserver:
         cookie_secret = self.helper.random_string_generator(32)
         HelpersManagement.set_cookie_secret(cookie_secret)
 
-        if not http_port:
+        if not http_port and http_port != 0:
             http_port = 8000
 
         if not https_port:
@@ -190,9 +190,12 @@ class Webserver:
             login_url="/login",
             serve_traceback=debug_errors,
         )
-
-        self.http_server = tornado.httpserver.HTTPServer(http_app)
-        self.http_server.listen(http_port)
+        print(http_port)
+        if http_port != 0:
+            self.http_server = tornado.httpserver.HTTPServer(http_app)
+            self.http_server.listen(http_port)
+        else:
+            logger.info("http port disabled by config")
 
         self.https_server = tornado.httpserver.HTTPServer(app, ssl_options=cert_objects)
         self.https_server.listen(https_port)

From a26159f510d42308fd405f06c031bb1dfa32ca55 Mon Sep 17 00:00:00 2001
From: computergeek125
Date: Wed, 31 Jan 2024 01:33:39 -0600
Subject: [PATCH 2/4] Added timeout to http calls, switched get to head

---
 app/classes/web/http_handler.py | 4 ++--
 app/classes/web/http_handler_page.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/classes/web/http_handler.py b/app/classes/web/http_handler.py
index ca340c66..32676d59 100644
--- a/app/classes/web/http_handler.py
+++ b/app/classes/web/http_handler.py
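Review bot: `if not http_port and http_port != 0:` expresses "falsy but not zero" in a way that takes a moment to parse; since the intent is to apply the 8000 default only when the setting is absent, `if http_port is None:` says that directly, assuming the setting is read as an int or None (the read happens outside the hunk). If the value can arrive from config.json as a string, `"0"` is truthy and would be passed straight through to the listener instead of disabling it, so normalising with `int(...)` where the setting is read would make the zero check reliable. The enclosing method starts outside the hunk.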
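Review bot: In the new `else` branch `self.http_server` is never assigned, so any later code that stops or inspects the HTTP server would raise AttributeError when the port is disabled, unless the attribute is initialised in `__init__`, which is outside the hunk. Adding `self.http_server = None` beside the `logger.info("http port disabled by config")` call keeps the attribute present in both cases so callers can test for it before use. A short comment on the branch, such as `# http_port == 0 means the plaintext listener is intentionally off`, would also record why zero is special here. The enclosing method starts outside the hunk.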
@@ -17,7 +17,7 @@ class HTTPHandler(BaseHandler):
             url = "https://" + url
             db_port = self.helper.get_setting("https_port")
             try:
-                resp = requests.get(url + ":" + str(port))
+                resp = requests.head(url + ":" + str(port), timeout=(0.5, 5))
                 resp.raise_for_status()
             except Exception:
                 port = db_port
@@ -35,7 +35,7 @@ class HTTPHandlerPage(BaseHandler):
             url = "https://" + url
             db_port = self.helper.get_setting("https_port")
             try:
-                resp = requests.get(url + ":" + str(port))
+                resp = requests.head(url + ":" + str(port), timeout=(0.5, 5))
                 resp.raise_for_status()
             except Exception:
                 port = db_port
diff --git a/app/classes/web/http_handler_page.py b/app/classes/web/http_handler_page.py
index 30a8aaa1..77161577 100644
--- a/app/classes/web/http_handler_page.py
+++ b/app/classes/web/http_handler_page.py
@@ -25,7 +25,7 @@ class HTTPHandlerPage(BaseHandler):
         backup_url = url + str(self.helper.get_setting("https_port"))
 
         try:
-            resp = requests.get(primary_url)
+            resp = requests.head(primary_url, timeout=(0.5, 5))
             resp.raise_for_status()
             url = primary_url
         except Exception:

From ccf67002cd76bb95c1e4fede47a9d94b22ff243f Mon Sep 17 00:00:00 2001
From: Andrew
Date: Wed, 31 Jan 2024 19:17:13 -0500
Subject: [PATCH 3/4] Remove print statement

---
 app/classes/web/tornado_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/classes/web/tornado_handler.py b/app/classes/web/tornado_handler.py
index 82ae081c..fbcf970f 100644
--- a/app/classes/web/tornado_handler.py
+++ b/app/classes/web/tornado_handler.py
@@ -190,7 +190,7 @@ class Webserver:
             login_url="/login",
             serve_traceback=debug_errors,
         )
-        print(http_port)
+
         if http_port != 0:
             self.http_server = tornado.httpserver.HTTPServer(http_app)
             self.http_server.listen(http_port)

From 798a9524d7a8a08a17622e534de8948c8d7c1225 Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Fri, 2 Feb 2024 20:45:28 +0000
Subject: [PATCH 4/4] Update changelog !704

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
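Review bot: Switching the probe to HEAD can make the fallback fire on every request: a Tornado RequestHandler that implements only `get()` answers HEAD with 405, which `raise_for_status()` turns into an exception, so if the probed address is this application's own handler the code would always fall back to `db_port`; worth confirming against the target path, or keeping GET with `stream=True` so the body is never downloaded. The same probe is now duplicated in the `HTTPHandlerPage` hunk below and again in `http_handler_page.py`; a shared helper such as `_port_reachable(url, timeout=(0.5, 5)) -> bool` with the timeout as one module-level constant would keep the three copies from drifting. `except Exception:` still hides why the fallback happened, so a `logger.debug` of the exception in that branch would make a misconfigured port diagnosable without changing behaviour. The enclosing methods start outside these hunks.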
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6590c19..70eb4d89 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Refactor
 - Refactor subpage perm checks ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/695))
 ### Bug fixes
+- [`CVE-2024-1064`] Security-related fix to resolve an issue with the HTTP listener ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/704))
 - Fix bukkit and downstream fork MOTD crash ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/686))
 - Fix bug where invalid server Id leads to stack ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/690))
 - Fix indent on public status check box ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/691))