[Core] Respect listen_reuse_port to randomize port on startup

The `listen_reuse_port` config is never respected in deluge.
Practically, this means that users cannot randomize the listen port on
startup. Before this change, this is what happens in `_set_listen_on`:

1. On run 1, `listen_random_port` is empty.
2. A random port is chosen, and its value is written into
   `listen_random_port` in `core.conf`.
3. On all subsequent runs, `deluged` reads `core.conf` and picks up
   `listen_random_port` from the previous run, so `listen_random_port`
   will never be randomized again.

To fix this, we should read `listen_reuse_port` and if it's `false`,
always disregard the current `listen_random_port` and randomly
pick a new value for it.

Deluge-console broke on Windows after commit d559f67; before that it was working because its source files were getting included with the rest of the UI/plugin data copied into place. This workaround copies its source files back into place.

The underlying issue being worked around here is two-fold. It's not that anything is missing from the freezing. Rather, first, subparsers for the commands are generated at runtime using `__path__[0]` (the UI_PATH var in `__init__.py`, joined in console.py with the rest of the path), so it looks for files/paths that are no longer there once frozen. Second, the use of the 'overrides' decorator breaks in a frozen env, since decorators.py tries to use inspect.stack()[2][4][0], and in a frozen env inspect.stack()[2][4] is None, hence any mention of the former breaks with 'NoneType object is not subscriptable'. In a non-frozen env, it returns the call context correctly, as the source code is readily available there.

GitHub Security Lab (GHSL) Vulnerability Report identified a potential
SSRF information leak and limited unauthenticated file write.

The report identified that the unsecured tracker endpoint was able to
be exploited to place an image file outside of the tracker icons
directory.

* Use `basename` to get only tracker domain name to prevent path
  traversal.
* Require auth for tracker endpoint which also required modifying the
  cookie path to base path not just `/json`. Note for not auth'd must
  call server.NOT_DONE_YET after request.finish.
* Removed Deluge version from user-agent header to prevent attacker
  identifying compromised versions. A future task would be to determine
  if this should be a generic browser user-agent or configurable.
* Only auth when downloading tracker icon
* addCookie accepts str/bytes so use str, getCookie requires bytes only.
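
The `basename` mitigation from the first bullet above, shown as an added example that is not Deluge's code: a request-supplied tracker name joined directly onto the icons directory, next to a form that keeps only the final path component and then checks containment. `ICONS_DIR`, the function names and the `.png` suffix are assumptions made for the illustration, and the sample names are constructed.

```python
import posixpath  # POSIX path rules, so results are the same on every platform

ICONS_DIR = "/var/lib/app/icons"  # hypothetical icons directory


def icon_path_unsafe(icons_dir, tracker):
    """'Before' form: the request-supplied name is joined as-is."""
    return posixpath.normpath(posixpath.join(icons_dir, tracker + ".png"))


def icon_path_safe(icons_dir, tracker):
    """Keep only the last path component, then confirm containment."""
    # Treat backslashes as separators too, so Windows-style input is covered.
    name = posixpath.basename(tracker.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid tracker name: %r" % (tracker,))
    root = posixpath.normpath(icons_dir)
    candidate = posixpath.normpath(posixpath.join(root, name + ".png"))
    # Defence in depth: the result must still sit inside the icons directory.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes icons directory: %r" % (tracker,))
    return candidate


def resolve_all(names, icons_dir=ICONS_DIR):
    """Map each requested name to its safe path, or None when rejected."""
    resolved = {}
    for name in names:
        try:
            resolved[name] = icon_path_safe(icons_dir, name)
        except ValueError:
            resolved[name] = None
    return resolved


if __name__ == "__main__":
    # Constructed request values, not taken from the report.
    samples = ["tracker.example.org", "../../../../tmp/evil", "..", "a/"]
    for name, path in resolve_all(samples).items():
        print("%-24r unsafe=%-36s safe=%s"
              % (name, icon_path_unsafe(ICONS_DIR, name), path))
```
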