ProfouzorsLinx/fileserve.go

package main

import (
	"net/http"
	"net/url"
	"strings"

	"github.com/andreimarcu/linx-server/backends"
	"github.com/zenazn/goji/web"
)

func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {
	fileName := c.URLParams["name"]

	err := checkFile(fileName)
	if err == NotFoundErr {
		notFoundHandler(c, w, r)
		return
	} else if err == backends.BadMetadata {
		oopsHandler(c, w, r, RespAUTO, "Corrupt metadata.")
		return
	}

	if !Config.allowHotlink {
		referer := r.Header.Get("Referer")
		u, _ := url.Parse(referer)
		p, _ := url.Parse(getSiteURL(r))
		if referer != "" && !sameOrigin(u, p) {
			http.Redirect(w, r, Config.sitePath+fileName, 303)
			return
		}
	}

	w.Header().Set("Content-Security-Policy", Config.fileContentSecurityPolicy)
	w.Header().Set("Referrer-Policy", Config.fileReferrerPolicy)

	fileBackend.ServeFile(fileName, w, r)
}

func staticHandler(c web.C, w http.ResponseWriter, r *http.Request) {
	path := r.URL.Path
	if path[len(path)-1:] == "/" {
		notFoundHandler(c, w, r)
		return
	} else {
		if path == "/favicon.ico" {
			path = Config.sitePath + "/static/images/favicon.gif"
		}

		filePath := strings.TrimPrefix(path, Config.sitePath+"static/")
		file, err := staticBox.Open(filePath)
		if err != nil {
			notFoundHandler(c, w, r)
			return
		}

		w.Header().Set("Etag", timeStartedStr)
		w.Header().Set("Cache-Control", "max-age=86400")
		http.ServeContent(w, r, filePath, timeStarted, file)
		return
	}
}

func checkFile(filename string) error {
	_, err := fileBackend.Exists(filename)
	if err != nil {
		return NotFoundErr
	}

	expired, err := isFileExpired(filename)
	if err != nil {
		return err
	}

	if expired {
		fileBackend.Delete(filename)
		metaStorageBackend.Delete(filename)
		return NotFoundErr
	}

	return nil
}
this file might be useful to add here 2015-09-25 01:58:50 +02:00			`package main`

			`import (`
			`"net/http"`
do a proper same-origin check String prefix matching is hacky and provides insufficient checking if it does not end with a /. 2015-10-14 04:52:55 +02:00			`"net/url"`
Implement hotlink protection 2015-09-30 01:28:10 +02:00			`"strings"`
this file might be useful to add here 2015-09-25 01:58:50 +02:00
Add linx-cleanup tool This doesn't completely fix #116, but it makes setting up a cron job to do cleanup much more pleasant. 2017-05-02 06:25:56 +02:00			`"github.com/andreimarcu/linx-server/backends"`
this file might be useful to add here 2015-09-25 01:58:50 +02:00			`"github.com/zenazn/goji/web"`
			`)`

			`func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {`
Add basic video support Additionally use filePath instead of absPath, and fileName instead of filename. 2015-09-25 04:20:44 +02:00			`fileName := c.URLParams["name"]`
this file might be useful to add here 2015-09-25 01:58:50 +02:00
Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`err := checkFile(fileName)`
			`if err == NotFoundErr {`
Performance improvements, custom 404+500, -nologs, PUT uploads fix 2015-09-25 18:00:14 +02:00			`notFoundHandler(c, w, r)`
this file might be useful to add here 2015-09-25 01:58:50 +02:00			`return`
Add linx-cleanup tool This doesn't completely fix #116, but it makes setting up a cron job to do cleanup much more pleasant. 2017-05-02 06:25:56 +02:00			`} else if err == backends.BadMetadata {`
Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`oopsHandler(c, w, r, RespAUTO, "Corrupt metadata.")`
			`return`
this file might be useful to add here 2015-09-25 01:58:50 +02:00			`}`

Implement hotlink protection 2015-09-30 01:28:10 +02:00			`if !Config.allowHotlink {`
			`referer := r.Header.Get("Referer")`
do a proper same-origin check String prefix matching is hacky and provides insufficient checking if it does not end with a /. 2015-10-14 04:52:55 +02:00			`u, _ := url.Parse(referer)`
Infer site URL from host and headers We can use the Host property of the request and the X-Forwarded-Proto to infer the site URL. To reduce complexity, the path is not inferred, and it is assumed that linx-server is running at /. If this is not the case, the site URL must be manually configured; this is no different than it was before. 2016-06-04 10:22:01 +02:00			`p, _ := url.Parse(getSiteURL(r))`
do a proper same-origin check String prefix matching is hacky and provides insufficient checking if it does not end with a /. 2015-10-14 04:52:55 +02:00			`if referer != "" && !sameOrigin(u, p) {`
Redirect hotlink instead of 403. Fixes #69 2015-11-12 06:56:22 +01:00			`http.Redirect(w, r, Config.sitePath+fileName, 303)`
Implement hotlink protection 2015-09-30 01:28:10 +02:00			`return`
			`}`
			`}`

add support for some security headers This commit adds support for Content-Security-Policy and X-Frame-Options using the ContentSecurityPolicy middleware. 2015-10-04 23:58:00 +02:00			`w.Header().Set("Content-Security-Policy", Config.fileContentSecurityPolicy)`
Switch to Referrer-Policy header (#149) Use of the Content-Security-Policy header to specify a referrer policy was deprecated in favor of a [new header](https://github.com/w3c/webappsec-referrer-policy/commit/fc55d917bee0d5636f52a19a5aefa65f8995c766). This change changes the existing referrer policy directives to use this header and adds corresponding config options/command line flags. 2019-01-08 20:56:09 +01:00			`w.Header().Set("Referrer-Policy", Config.fileReferrerPolicy)`
add support for some security headers This commit adds support for Content-Security-Policy and X-Frame-Options using the ContentSecurityPolicy middleware. 2015-10-04 23:58:00 +02:00
use abstracted storage for flexibility I moved the storage functionality into the StorageBackend interface, which is currently only implemented by LocalfsBackend. 2016-06-07 08:37:42 +02:00			`fileBackend.ServeFile(fileName, w, r)`
upload expiry/barename respect, random fixes 2015-09-28 06:25:57 +02:00			`}`
Add preliminary metadata support 2015-09-28 04:17:12 +02:00
Fix static directory listing recursion 2015-09-30 21:54:30 +02:00			`func staticHandler(c web.C, w http.ResponseWriter, r *http.Request) {`
			`path := r.URL.Path`
			`if path[len(path)-1:] == "/" {`
			`notFoundHandler(c, w, r)`
			`return`
			`} else {`
Add /favicon.ico route 2015-10-04 18:58:30 +02:00			`if path == "/favicon.ico" {`
Allow for non-/ deployments. Fixes #61 2015-10-30 23:36:47 +01:00			`path = Config.sitePath + "/static/images/favicon.gif"`
Add /favicon.ico route 2015-10-04 18:58:30 +02:00			`}`

Allow for non-/ deployments. Fixes #61 2015-10-30 23:36:47 +01:00			`filePath := strings.TrimPrefix(path, Config.sitePath+"static/")`
Removed unnecessary duplicate static caching 2015-10-14 20:58:27 +02:00			`file, err := staticBox.Open(filePath)`
			`if err != nil {`
			`notFoundHandler(c, w, r)`
			`return`
Fix static directory listing recursion 2015-09-30 21:54:30 +02:00			`}`

Add fastcgi support and static cache headers 2015-10-01 16:32:59 +02:00			`w.Header().Set("Etag", timeStartedStr)`
			`w.Header().Set("Cache-Control", "max-age=86400")`
Removed unnecessary duplicate static caching 2015-10-14 20:58:27 +02:00			`http.ServeContent(w, r, filePath, timeStarted, file)`
Fix static directory listing recursion 2015-09-30 21:54:30 +02:00			`return`
			`}`
			`}`

Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`func checkFile(filename string) error {`
use abstracted storage for flexibility I moved the storage functionality into the StorageBackend interface, which is currently only implemented by LocalfsBackend. 2016-06-07 08:37:42 +02:00			`_, err := fileBackend.Exists(filename)`
upload expiry/barename respect, random fixes 2015-09-28 06:25:57 +02:00			`if err != nil {`
Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`return NotFoundErr`
			`}`

			`expired, err := isFileExpired(filename)`
			`if err != nil {`
			`return err`
Add preliminary metadata support 2015-09-28 04:17:12 +02:00			`}`
this file might be useful to add here 2015-09-25 01:58:50 +02:00
Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`if expired {`
use abstracted storage for flexibility I moved the storage functionality into the StorageBackend interface, which is currently only implemented by LocalfsBackend. 2016-06-07 08:37:42 +02:00			`fileBackend.Delete(filename)`
Add linx-cleanup tool This doesn't completely fix #116, but it makes setting up a cron job to do cleanup much more pleasant. 2017-05-02 06:25:56 +02:00			`metaStorageBackend.Delete(filename)`
Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`return NotFoundErr`
upload expiry/barename respect, random fixes 2015-09-28 06:25:57 +02:00			`}`

Metadata holds mimetype, sha256sum, archiveFiles 2015-10-08 04:45:34 +02:00			`return nil`
this file might be useful to add here 2015-09-25 01:58:50 +02:00			`}`