github
/
filebrowser
mirror of https://github.com/filebrowser/filebrowser
1
0
Fork 0
Code Issues Releases Wiki Activity

download improvements; CSRF token commented

pull/144/head
Henrique Dias 2016-10-22 15:45:45 +01:00
parent d96bbff550
commit 4e7c730faf
2 changed files with 58 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
filemanager.go
View File

@ -43,6 +43,10 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
return f.Next.ServeHTTP(w, r)
}
w.Header().Set("x-frame-options", "SAMEORIGIN")
w.Header().Set("x-content-type", "nosniff")
w.Header().Set("x-xss-protection", "1; mode=block")
c = &f.Configs[i]
// Checks if the URL matches the Assets URL. Returns the asset if the
@ -65,6 +69,10 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
// Checks if the request URL is for the WebDav server
if strings.HasPrefix(r.URL.Path, c.WebDavURL) {
// if !c.CheckToken(r) {
// return http.StatusForbidden, nil
// }
// Checks for user permissions relatively to this PATH
if !user.Allowed(strings.TrimPrefix(r.URL.Path, c.WebDavURL)) {
return http.StatusForbidden, nil
@ -105,6 +113,36 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
}
if r.Method == http.MethodGet {
// Generate anti security token.
/* c.GenerateToken()
http.SetCookie(w, &http.Cookie{
Name: "token",
Value: c.Token,
Path: "/",
HttpOnly: true,
})
co, err := r.Cookie("token")
fmt.Println(co.Value) */
/* Name string
Value string
Path string // optional
Domain string // optional
Expires time.Time // optional
RawExpires string // for reading cookies only
// MaxAge=0 means no 'Max-Age' attribute specified.
// MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'
// MaxAge>0 means Max-Age attribute present and given in seconds
MaxAge int
Secure bool
HttpOnly bool
Raw string
Unparsed []string // Raw text of unparsed attribute-value pairs*/
// Gets the information of the directory/file
fi, code, err = file.GetInfo(r.URL, c, user)
if err != nil {
@ -121,9 +159,6 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
return 0, nil
}
// Generate anti security token.
c.GenerateToken()
switch {
case r.URL.Query().Get("download") != "":
code, err = handlers.Download(w, r, c, fi)
@ -146,9 +181,9 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
if r.Method == http.MethodPost {
// TODO: This anti CSCF measure is not being applied to requests
// to the WebDav URL namespace. Anyone has ideas?
if !c.CheckToken(r) {
return http.StatusForbidden, nil
}
// if !c.CheckToken(r) {
// return http.StatusForbidden, nil
// }
// VCS commands.
if r.Header.Get("Command") != "" {

21
handlers/download.go
View File

@ -6,6 +6,7 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"github.com/hacdias/caddy-filemanager/config"
"github.com/hacdias/caddy-filemanager/file"
@ -23,6 +24,18 @@ func Download(w http.ResponseWriter, r *http.Request, c *config.Config, i *file.
return 0, nil
}
files := []string{}
names := strings.Split(r.URL.Query().Get("files"), ",")
if len(names) != 0 {
for _, name := range names {
files = append(files, filepath.Join(i.Path, name))
}
} else {
files = append(files, i.Path)
}
if query == "true" {
query = "zip"
}
@ -44,13 +57,13 @@ func Download(w http.ResponseWriter, r *http.Request, c *config.Config, i *file.
switch query {
case "zip":
extension, err = ".zip", archiver.Zip.Make(tempfile, []string{i.Path})
extension, err = ".zip", archiver.Zip.Make(tempfile, files)
case "tar":
extension, err = ".tar", archiver.Tar.Make(tempfile, []string{i.Path})
extension, err = ".tar", archiver.Tar.Make(tempfile, files)
case "targz":
extension, err = ".tar.gz", archiver.TarGz.Make(tempfile, []string{i.Path})
extension, err = ".tar.gz", archiver.TarGz.Make(tempfile, files)
case "tarbz2":
extension, err = ".tar.bz2", archiver.TarBz2.Make(tempfile, []string{i.Path})
extension, err = ".tar.bz2", archiver.TarBz2.Make(tempfile, files)
default:
return http.StatusNotImplemented, nil
}