a7ae455ac1
* Always check Origin if it is present, regardless of headers sent * Whitelist X-Requested-With header
357 lines
8.8 KiB
Go
357 lines
8.8 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"path/filepath"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"bitbucket.org/taruti/mimemagic"
|
|
"github.com/dchest/uniuri"
|
|
"github.com/zenazn/goji/web"
|
|
)
|
|
|
|
var fileBlacklist = map[string]bool{
|
|
"favicon.ico": true,
|
|
"index.htm": true,
|
|
"index.html": true,
|
|
"index.php": true,
|
|
"robots.txt": true,
|
|
"crossdomain.xml": true,
|
|
}
|
|
|
|
// Describes metadata directly from the user request
|
|
type UploadRequest struct {
|
|
src io.Reader
|
|
filename string
|
|
expiry time.Duration // Seconds until expiry, 0 = never
|
|
randomBarename bool
|
|
deletionKey string // Empty string if not defined
|
|
}
|
|
|
|
// Metadata associated with a file as it would actually be stored
|
|
type Upload struct {
|
|
Filename string // Final filename on disk
|
|
Metadata Metadata
|
|
}
|
|
|
|
func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
|
|
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
|
|
badRequestHandler(c, w, r)
|
|
return
|
|
}
|
|
|
|
upReq := UploadRequest{}
|
|
uploadHeaderProcess(r, &upReq)
|
|
|
|
contentType := r.Header.Get("Content-Type")
|
|
|
|
if strings.HasPrefix(contentType, "multipart/form-data") {
|
|
file, headers, err := r.FormFile("file")
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespHTML, "Could not upload file.")
|
|
return
|
|
}
|
|
defer file.Close()
|
|
|
|
r.ParseForm()
|
|
if r.Form.Get("randomize") == "true" {
|
|
upReq.randomBarename = true
|
|
}
|
|
upReq.expiry = parseExpiry(r.Form.Get("expires"))
|
|
upReq.src = file
|
|
upReq.filename = headers.Filename
|
|
} else {
|
|
if r.FormValue("content") == "" {
|
|
oopsHandler(c, w, r, RespHTML, "Empty file")
|
|
return
|
|
}
|
|
extension := r.FormValue("extension")
|
|
if extension == "" {
|
|
extension = "txt"
|
|
}
|
|
|
|
upReq.src = strings.NewReader(r.FormValue("content"))
|
|
upReq.expiry = parseExpiry(r.FormValue("expires"))
|
|
upReq.filename = r.FormValue("filename") + "." + extension
|
|
}
|
|
|
|
upload, err := processUpload(upReq)
|
|
|
|
if strings.EqualFold("application/json", r.Header.Get("Accept")) {
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespJSON, "Could not upload file: "+err.Error())
|
|
return
|
|
}
|
|
|
|
js := generateJSONresponse(upload)
|
|
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
|
|
w.Write(js)
|
|
} else {
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespHTML, "Could not upload file: "+err.Error())
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/"+upload.Filename, 303)
|
|
}
|
|
|
|
}
|
|
|
|
func uploadPutHandler(c web.C, w http.ResponseWriter, r *http.Request) {
|
|
upReq := UploadRequest{}
|
|
uploadHeaderProcess(r, &upReq)
|
|
|
|
defer r.Body.Close()
|
|
upReq.filename = c.URLParams["name"]
|
|
upReq.src = r.Body
|
|
|
|
upload, err := processUpload(upReq)
|
|
|
|
if strings.EqualFold("application/json", r.Header.Get("Accept")) {
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespJSON, "Could not upload file: "+err.Error())
|
|
return
|
|
}
|
|
|
|
js := generateJSONresponse(upload)
|
|
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
|
|
w.Write(js)
|
|
} else {
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespPLAIN, "Could not upload file: "+err.Error())
|
|
return
|
|
}
|
|
|
|
fmt.Fprintf(w, Config.siteURL+upload.Filename)
|
|
}
|
|
}
|
|
|
|
func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
|
|
if Config.remoteAuthFile != "" {
|
|
result, err := checkAuth(remoteAuthKeys, []byte(r.FormValue("key")))
|
|
if err != nil || !result {
|
|
unauthorizedHandler(c, w, r)
|
|
}
|
|
} else {
|
|
// strict referrer checking is mandatory without remote auth keys
|
|
if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
|
|
badRequestHandler(c, w, r)
|
|
return
|
|
}
|
|
}
|
|
|
|
if r.FormValue("url") == "" {
|
|
http.Redirect(w, r, "/", 303)
|
|
return
|
|
}
|
|
|
|
upReq := UploadRequest{}
|
|
grabUrl, _ := url.Parse(r.FormValue("url"))
|
|
|
|
resp, err := http.Get(grabUrl.String())
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespAUTO, "Could not retrieve URL")
|
|
return
|
|
}
|
|
|
|
upReq.filename = filepath.Base(grabUrl.Path)
|
|
upReq.src = resp.Body
|
|
upReq.deletionKey = r.FormValue("deletekey")
|
|
upReq.expiry = parseExpiry(r.FormValue("expiry"))
|
|
|
|
upload, err := processUpload(upReq)
|
|
|
|
if strings.EqualFold("application/json", r.Header.Get("Accept")) {
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespJSON, "Could not upload file: "+err.Error())
|
|
return
|
|
}
|
|
|
|
js := generateJSONresponse(upload)
|
|
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
|
|
w.Write(js)
|
|
} else {
|
|
if err != nil {
|
|
oopsHandler(c, w, r, RespHTML, "Could not upload file: "+err.Error())
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/"+upload.Filename, 303)
|
|
}
|
|
}
|
|
|
|
func uploadHeaderProcess(r *http.Request, upReq *UploadRequest) {
|
|
if r.Header.Get("Linx-Randomize") == "yes" {
|
|
upReq.randomBarename = true
|
|
}
|
|
|
|
upReq.deletionKey = r.Header.Get("Linx-Delete-Key")
|
|
|
|
// Get seconds until expiry. Non-integer responses never expire.
|
|
expStr := r.Header.Get("Linx-Expiry")
|
|
upReq.expiry = parseExpiry(expStr)
|
|
|
|
}
|
|
|
|
func processUpload(upReq UploadRequest) (upload Upload, err error) {
|
|
// Determine the appropriate filename, then write to disk
|
|
barename, extension := barePlusExt(upReq.filename)
|
|
|
|
if upReq.randomBarename || len(barename) == 0 {
|
|
barename = generateBarename()
|
|
}
|
|
|
|
var header []byte
|
|
if len(extension) == 0 {
|
|
// Pull the first 512 bytes off for use in MIME detection
|
|
header = make([]byte, 512)
|
|
n, _ := upReq.src.Read(header)
|
|
if n == 0 {
|
|
return upload, errors.New("Empty file")
|
|
}
|
|
header = header[:n]
|
|
|
|
// Determine the type of file from header
|
|
mimetype := mimemagic.Match("", header)
|
|
|
|
// If the mime type is in our map, use that
|
|
// otherwise just use "ext"
|
|
if val, exists := mimeToExtension[mimetype]; exists {
|
|
extension = val
|
|
} else {
|
|
extension = "ext"
|
|
}
|
|
}
|
|
|
|
upload.Filename = strings.Join([]string{barename, extension}, ".")
|
|
|
|
_, err = os.Stat(path.Join(Config.filesDir, upload.Filename))
|
|
|
|
fileexists := err == nil
|
|
// Check if the delete key matches, in which case overwrite
|
|
if fileexists {
|
|
metad, merr := metadataRead(upload.Filename)
|
|
if merr == nil {
|
|
if upReq.deletionKey == metad.DeleteKey {
|
|
fileexists = false
|
|
}
|
|
}
|
|
}
|
|
|
|
for fileexists {
|
|
counter, err := strconv.Atoi(string(barename[len(barename)-1]))
|
|
if err != nil {
|
|
barename = barename + "1"
|
|
} else {
|
|
barename = barename[:len(barename)-1] + strconv.Itoa(counter+1)
|
|
}
|
|
upload.Filename = strings.Join([]string{barename, extension}, ".")
|
|
|
|
_, err = os.Stat(path.Join(Config.filesDir, upload.Filename))
|
|
fileexists = err == nil
|
|
}
|
|
|
|
if fileBlacklist[strings.ToLower(upload.Filename)] {
|
|
return upload, errors.New("Prohibited filename")
|
|
}
|
|
|
|
dst, err := os.Create(path.Join(Config.filesDir, upload.Filename))
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer dst.Close()
|
|
|
|
// Get the rest of the metadata needed for storage
|
|
var expiry time.Time
|
|
if upReq.expiry == 0 {
|
|
expiry = neverExpire
|
|
} else {
|
|
expiry = time.Now().Add(upReq.expiry)
|
|
}
|
|
|
|
bytes, err := io.Copy(dst, io.MultiReader(bytes.NewReader(header), upReq.src))
|
|
if bytes == 0 {
|
|
os.Remove(path.Join(Config.filesDir, upload.Filename))
|
|
return upload, errors.New("Empty file")
|
|
|
|
} else if err != nil {
|
|
os.Remove(path.Join(Config.filesDir, upload.Filename))
|
|
return
|
|
} else if bytes > Config.maxSize {
|
|
os.Remove(path.Join(Config.filesDir, upload.Filename))
|
|
return upload, errors.New("File too large")
|
|
}
|
|
|
|
upload.Metadata, err = generateMetadata(upload.Filename, expiry, upReq.deletionKey)
|
|
if err != nil {
|
|
os.Remove(path.Join(Config.filesDir, upload.Filename))
|
|
os.Remove(path.Join(Config.metaDir, upload.Filename))
|
|
return
|
|
}
|
|
err = metadataWrite(upload.Filename, &upload.Metadata)
|
|
if err != nil {
|
|
os.Remove(path.Join(Config.filesDir, upload.Filename))
|
|
os.Remove(path.Join(Config.metaDir, upload.Filename))
|
|
return
|
|
}
|
|
return
|
|
}
|
|
|
|
func generateBarename() string {
|
|
return uniuri.NewLenChars(8, []byte("abcdefghijklmnopqrstuvwxyz0123456789"))
|
|
}
|
|
|
|
func generateJSONresponse(upload Upload) []byte {
|
|
js, _ := json.Marshal(map[string]string{
|
|
"url": Config.siteURL + upload.Filename,
|
|
"filename": upload.Filename,
|
|
"delete_key": upload.Metadata.DeleteKey,
|
|
"expiry": strconv.FormatInt(upload.Metadata.Expiry.Unix(), 10),
|
|
"size": strconv.FormatInt(upload.Metadata.Size, 10),
|
|
"mimetype": upload.Metadata.Mimetype,
|
|
"sha256sum": upload.Metadata.Sha256sum,
|
|
})
|
|
|
|
return js
|
|
}
|
|
|
|
var barePlusRe = regexp.MustCompile(`[^A-Za-z0-9\-]`)
|
|
|
|
func barePlusExt(filename string) (barename, extension string) {
|
|
|
|
filename = strings.TrimSpace(filename)
|
|
filename = strings.ToLower(filename)
|
|
|
|
extension = path.Ext(filename)
|
|
barename = filename[:len(filename)-len(extension)]
|
|
|
|
extension = barePlusRe.ReplaceAllString(extension, "")
|
|
barename = barePlusRe.ReplaceAllString(barename, "")
|
|
|
|
return
|
|
}
|
|
|
|
func parseExpiry(expStr string) time.Duration {
|
|
if expStr == "" {
|
|
return 0
|
|
} else {
|
|
expiry, err := strconv.ParseInt(expStr, 10, 64)
|
|
if err != nil {
|
|
return 0
|
|
} else {
|
|
return time.Duration(expiry) * time.Second
|
|
}
|
|
}
|
|
}
|