ProfouzorsLinx/upload.go

416 lines
11 KiB
Go
Raw Normal View History

2015-09-24 07:44:49 +02:00
package main
import (
2015-09-30 02:59:59 +02:00
"bytes"
"encoding/json"
2015-09-28 22:02:03 +02:00
"errors"
2015-09-24 07:44:49 +02:00
"fmt"
"io"
"net/http"
2015-10-02 02:58:08 +02:00
"net/url"
2015-09-24 07:44:49 +02:00
"path"
2015-10-02 02:58:08 +02:00
"path/filepath"
2015-09-24 07:44:49 +02:00
"regexp"
"strconv"
2015-09-24 07:44:49 +02:00
"strings"
"time"
2021-02-22 04:30:30 +01:00
"log"
2015-09-24 07:44:49 +02:00
"github.com/andreimarcu/linx-server/auth/apikeys"
"github.com/andreimarcu/linx-server/backends"
"github.com/andreimarcu/linx-server/expiry"
"github.com/dchest/uniuri"
"github.com/gabriel-vasile/mimetype"
2015-09-24 07:44:49 +02:00
"github.com/zenazn/goji/web"
)
2019-01-25 08:33:11 +01:00
var FileTooLargeError = errors.New("File too large.")
var fileBlacklist = map[string]bool{
2015-10-09 09:06:23 +02:00
"favicon.ico": true,
"index.htm": true,
"index.html": true,
"index.php": true,
"robots.txt": true,
"crossdomain.xml": true,
}
2015-09-28 04:17:12 +02:00
// Describes metadata directly from the user request
2015-09-24 07:44:49 +02:00
type UploadRequest struct {
src io.Reader
2019-01-25 08:33:11 +01:00
size int64
2015-09-24 07:44:49 +02:00
filename string
expiry time.Duration // Seconds until expiry, 0 = never
2019-01-25 08:33:11 +01:00
deleteKey string // Empty string if not defined
2015-09-24 07:44:49 +02:00
randomBarename bool
accessKey string // Empty string if not defined
2021-02-10 04:36:14 +01:00
srcIp string // Empty string if not defined
2015-09-24 07:44:49 +02:00
}
2015-09-28 04:17:12 +02:00
// Metadata associated with a file as it would actually be stored
2015-09-24 07:44:49 +02:00
type Upload struct {
Filename string // Final filename on disk
Metadata backends.Metadata
2015-09-24 07:44:49 +02:00
}
func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
2021-02-22 04:43:02 +01:00
if !strictReferrerCheck(r, getSiteURL(r), []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
badRequestHandler(c, w, r, RespAUTO, "")
return
}
upReq := UploadRequest{}
2015-09-28 04:17:12 +02:00
uploadHeaderProcess(r, &upReq)
2015-09-24 07:44:49 +02:00
2021-02-10 04:59:23 +01:00
contentType := r.Header.Get("Content-Type")
2015-10-01 05:37:00 +02:00
if strings.HasPrefix(contentType, "multipart/form-data") {
file, headers, err := r.FormFile("file")
if err != nil {
2015-10-04 18:47:20 +02:00
oopsHandler(c, w, r, RespHTML, "Could not upload file.")
return
}
defer file.Close()
upReq.src = file
2019-01-25 08:33:11 +01:00
upReq.size = headers.Size
upReq.filename = headers.Filename
2015-09-30 06:56:51 +02:00
} else {
2019-01-25 08:33:11 +01:00
if r.PostFormValue("content") == "" {
badRequestHandler(c, w, r, RespAUTO, "Empty file")
2015-09-30 06:56:51 +02:00
return
}
2019-01-25 08:33:11 +01:00
extension := r.PostFormValue("extension")
2015-09-30 06:56:51 +02:00
if extension == "" {
extension = "txt"
}
2019-01-25 08:33:11 +01:00
content := r.PostFormValue("content")
upReq.src = strings.NewReader(content)
upReq.size = int64(len(content))
upReq.filename = r.PostFormValue("filename") + "." + extension
}
upReq.expiry = parseExpiry(r.PostFormValue("expires"))
upReq.accessKey = r.PostFormValue(accessKeyParamName)
2019-01-25 08:33:11 +01:00
if r.PostFormValue("randomize") == "true" {
upReq.randomBarename = true
}
2021-02-10 05:07:18 +01:00
upReq.srcIp = r.Header.Get("X-Forwarded-For")
2021-02-22 04:09:56 +01:00
if upReq.contentSize > 0 {
upReq.size = upReq.contentSize
}
2015-09-24 07:44:49 +02:00
upload, err := processUpload(upReq)
if strings.EqualFold("application/json", r.Header.Get("Accept")) {
2019-01-25 08:33:11 +01:00
if err == FileTooLargeError || err == backends.FileEmptyError {
badRequestHandler(c, w, r, RespJSON, err.Error())
return
} else if err != nil {
2015-10-04 18:47:20 +02:00
oopsHandler(c, w, r, RespJSON, "Could not upload file: "+err.Error())
return
}
js := generateJSONresponse(upload, r)
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
w.Write(js)
} else {
2019-01-25 08:33:11 +01:00
if err == FileTooLargeError || err == backends.FileEmptyError {
badRequestHandler(c, w, r, RespHTML, err.Error())
return
} else if err != nil {
2015-10-04 18:47:20 +02:00
oopsHandler(c, w, r, RespHTML, "Could not upload file: "+err.Error())
return
}
2015-10-30 23:36:47 +01:00
http.Redirect(w, r, Config.sitePath+upload.Filename, 303)
}
2015-09-24 07:44:49 +02:00
}
func uploadPutHandler(c web.C, w http.ResponseWriter, r *http.Request) {
2021-02-22 04:43:02 +01:00
upReq := UploadRequest{}
2015-09-28 04:17:12 +02:00
uploadHeaderProcess(r, &upReq)
2021-02-22 04:43:02 +01:00
2021-02-22 03:14:31 +01:00
defer r.Body.Close()
upReq.filename = c.URLParams["name"]
upReq.src = http.MaxBytesReader(w, r.Body, Config.maxSize)
upReq.srcIp = r.Header.Get("X-Forwarded-For")
2021-02-22 04:09:56 +01:00
if upReq.contentSize > 0 {
upReq.size = upReq.contentSize
}
2015-09-24 07:44:49 +02:00
upload, err := processUpload(upReq)
if strings.EqualFold("application/json", r.Header.Get("Accept")) {
2019-01-25 08:33:11 +01:00
if err == FileTooLargeError || err == backends.FileEmptyError {
badRequestHandler(c, w, r, RespJSON, err.Error())
return
} else if err != nil {
2015-10-04 18:47:20 +02:00
oopsHandler(c, w, r, RespJSON, "Could not upload file: "+err.Error())
return
}
js := generateJSONresponse(upload, r)
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
w.Write(js)
} else {
2019-01-25 08:33:11 +01:00
if err == FileTooLargeError || err == backends.FileEmptyError {
badRequestHandler(c, w, r, RespPLAIN, err.Error())
return
} else if err != nil {
2015-10-04 18:47:20 +02:00
oopsHandler(c, w, r, RespPLAIN, "Could not upload file: "+err.Error())
return
}
2016-07-23 03:15:44 +02:00
fmt.Fprintf(w, "%s\n", getSiteURL(r)+upload.Filename)
}
}
2015-10-02 02:58:08 +02:00
func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
if Config.remoteAuthFile != "" {
key := r.FormValue("key")
if key == "" && Config.basicAuth {
_, password, ok := r.BasicAuth()
if ok {
key = password
}
}
result, err := apikeys.CheckAuth(remoteAuthKeys, key)
if err != nil || !result {
if Config.basicAuth {
rs := ""
if Config.siteName != "" {
rs = fmt.Sprintf(` realm="%s"`, Config.siteName)
}
w.Header().Set("WWW-Authenticate", `Basic`+rs)
}
unauthorizedHandler(c, w, r)
return
}
}
2015-10-02 02:58:08 +02:00
if r.FormValue("url") == "" {
2015-10-30 23:36:47 +01:00
http.Redirect(w, r, Config.sitePath, 303)
2015-10-02 02:58:08 +02:00
return
}
upReq := UploadRequest{}
grabUrl, _ := url.Parse(r.FormValue("url"))
directURL := r.FormValue("direct_url") == "yes"
2015-10-02 02:58:08 +02:00
resp, err := http.Get(grabUrl.String())
if err != nil {
2015-10-04 18:47:20 +02:00
oopsHandler(c, w, r, RespAUTO, "Could not retrieve URL")
2015-10-02 02:58:08 +02:00
return
}
2021-02-22 03:14:31 +01:00
upReq.filename = filepath.Base(grabUrl.Path)
upReq.src = http.MaxBytesReader(w, resp.Body, Config.maxSize)
upReq.deleteKey = r.FormValue("deletekey")
upReq.accessKey = r.FormValue(accessKeyParamName)
upReq.randomBarename = r.FormValue("randomize") == "yes"
upReq.expiry = parseExpiry(r.FormValue("expiry"))
upReq.srcIp = r.Header.Get("X-Forwarded-For")
2015-10-02 02:58:08 +02:00
upload, err := processUpload(upReq)
if strings.EqualFold("application/json", r.Header.Get("Accept")) {
2015-10-04 18:47:20 +02:00
if err != nil {
oopsHandler(c, w, r, RespJSON, "Could not upload file: "+err.Error())
return
}
js := generateJSONresponse(upload, r)
2015-10-02 02:58:08 +02:00
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
w.Write(js)
} else {
2015-10-04 18:47:20 +02:00
if err != nil {
oopsHandler(c, w, r, RespHTML, "Could not upload file: "+err.Error())
return
}
if directURL {
http.Redirect(w, r, Config.sitePath+Config.selifPath+upload.Filename, 303)
} else {
http.Redirect(w, r, Config.sitePath+upload.Filename, 303)
}
2015-10-02 02:58:08 +02:00
}
}
func uploadHeaderProcess(r *http.Request, upReq *UploadRequest) {
if r.Header.Get("Linx-Randomize") == "yes" {
upReq.randomBarename = true
}
2019-01-25 08:33:11 +01:00
upReq.deleteKey = r.Header.Get("Linx-Delete-Key")
upReq.accessKey = r.Header.Get(accessKeyHeaderName)
// Get seconds until expiry. Non-integer responses never expire.
expStr := r.Header.Get("Linx-Expiry")
upReq.expiry = parseExpiry(expStr)
2015-09-24 07:44:49 +02:00
}
func processUpload(upReq UploadRequest) (upload Upload, err error) {
2019-01-25 08:33:11 +01:00
if upReq.size > Config.maxSize {
return upload, FileTooLargeError
}
// Determine the appropriate filename
2015-09-24 07:44:49 +02:00
barename, extension := barePlusExt(upReq.filename)
randomize := false
2015-09-24 07:44:49 +02:00
// Randomize the "barename" (filename without extension) if needed
2015-09-24 07:44:49 +02:00
if upReq.randomBarename || len(barename) == 0 {
barename = generateBarename()
randomize = true
2015-09-24 07:44:49 +02:00
}
2015-10-01 17:03:41 +02:00
var header []byte
2015-09-24 07:44:49 +02:00
if len(extension) == 0 {
2015-10-01 17:03:41 +02:00
// Pull the first 512 bytes off for use in MIME detection
header = make([]byte, 512)
n, _ := upReq.src.Read(header)
if n == 0 {
2019-01-25 08:33:11 +01:00
return upload, backends.FileEmptyError
2015-10-01 17:03:41 +02:00
}
header = header[:n]
2015-09-30 02:59:59 +02:00
// Determine the type of file from header
kind := mimetype.Detect(header)
if len(kind.Extension()) < 2 {
extension = "file"
} else {
extension = kind.Extension()[1:] // remove leading "."
2015-09-30 02:59:59 +02:00
}
2015-09-24 07:44:49 +02:00
}
upload.Filename = strings.Join([]string{barename, extension}, ".")
upload.Filename = strings.Replace(upload.Filename, " ", "", -1)
2015-09-24 07:44:49 +02:00
2019-01-25 08:33:11 +01:00
fileexists, _ := storageBackend.Exists(upload.Filename)
2015-10-08 18:49:29 +02:00
// Check if the delete key matches, in which case overwrite
if fileexists {
2019-01-25 08:33:11 +01:00
metad, merr := storageBackend.Head(upload.Filename)
2015-10-08 18:49:29 +02:00
if merr == nil {
2019-01-25 08:33:11 +01:00
if upReq.deleteKey == metad.DeleteKey {
2015-10-08 18:49:29 +02:00
fileexists = false
} else if Config.forceRandomFilename == true {
// the file exists
// the delete key doesn't match
// force random filenames is enabled
randomize = true
2015-10-08 18:49:29 +02:00
}
}
} else if Config.forceRandomFilename == true {
// the file doesn't exist
// force random filenames is enabled
randomize = true
// set fileexists to true to generate a new barename
fileexists = true
2015-10-08 18:49:29 +02:00
}
for fileexists {
if randomize {
barename = generateBarename()
} else {
counter, err := strconv.Atoi(string(barename[len(barename)-1]))
if err != nil {
barename = barename + "1"
} else {
barename = barename[:len(barename)-1] + strconv.Itoa(counter+1)
}
}
upload.Filename = strings.Join([]string{barename, extension}, ".")
2019-01-25 08:33:11 +01:00
fileexists, err = storageBackend.Exists(upload.Filename)
}
if fileBlacklist[strings.ToLower(upload.Filename)] {
return upload, errors.New("Prohibited filename")
}
2015-09-28 04:17:12 +02:00
// Get the rest of the metadata needed for storage
var fileExpiry time.Time
if upReq.expiry == 0 {
fileExpiry = expiry.NeverExpire
} else {
fileExpiry = time.Now().Add(upReq.expiry)
}
2015-09-28 04:17:12 +02:00
2019-01-25 08:33:11 +01:00
if upReq.deleteKey == "" {
upReq.deleteKey = uniuri.NewLen(30)
2015-09-24 07:44:49 +02:00
}
2021-02-10 04:44:04 +01:00
upload.Metadata, err = storageBackend.Put(upload.Filename, io.MultiReader(bytes.NewReader(header), upReq.src), fileExpiry, upReq.deleteKey, upReq.accessKey, upReq.srcIp)
if err != nil {
2019-01-25 08:33:11 +01:00
return upload, err
}
2019-01-25 08:33:11 +01:00
2015-09-24 07:44:49 +02:00
return
}
func generateBarename() string {
return uniuri.NewLenChars(8, []byte("abcdefghijklmnopqrstuvwxyz0123456789"))
2015-09-24 07:44:49 +02:00
}
func generateJSONresponse(upload Upload, r *http.Request) []byte {
js, _ := json.Marshal(map[string]string{
"url": getSiteURL(r) + upload.Filename,
2019-01-15 00:23:56 +01:00
"direct_url": getSiteURL(r) + Config.selifPath + upload.Filename,
"filename": upload.Filename,
"delete_key": upload.Metadata.DeleteKey,
"access_key": upload.Metadata.AccessKey,
"expiry": strconv.FormatInt(upload.Metadata.Expiry.Unix(), 10),
"size": strconv.FormatInt(upload.Metadata.Size, 10),
"mimetype": upload.Metadata.Mimetype,
"sha256sum": upload.Metadata.Sha256sum,
})
return js
}
var bareRe = regexp.MustCompile(`[^A-Za-z0-9\-]`)
var extRe = regexp.MustCompile(`[^A-Za-z0-9\-\.]`)
var compressedExts = map[string]bool{
".bz2": true,
".gz": true,
".xz": true,
}
var archiveExts = map[string]bool{
".tar": true,
}
2015-09-25 15:04:06 +02:00
2015-09-24 07:44:49 +02:00
func barePlusExt(filename string) (barename, extension string) {
filename = strings.TrimSpace(filename)
filename = strings.ToLower(filename)
extension = path.Ext(filename)
barename = filename[:len(filename)-len(extension)]
if compressedExts[extension] {
ext2 := path.Ext(barename)
if archiveExts[ext2] {
barename = barename[:len(barename)-len(ext2)]
extension = ext2 + extension
}
}
2015-09-24 07:44:49 +02:00
extension = extRe.ReplaceAllString(extension, "")
barename = bareRe.ReplaceAllString(barename, "")
2015-09-24 07:44:49 +02:00
extension = strings.Trim(extension, "-.")
2015-10-28 19:31:51 +01:00
barename = strings.Trim(barename, "-")
2015-09-24 07:44:49 +02:00
return
}
func parseExpiry(expStr string) time.Duration {
if expStr == "" {
return time.Duration(Config.maxExpiry) * time.Second
} else {
fileExpiry, err := strconv.ParseUint(expStr, 10, 64)
if err != nil {
return time.Duration(Config.maxExpiry) * time.Second
} else {
if Config.maxExpiry > 0 && (fileExpiry > Config.maxExpiry || fileExpiry == 0) {
fileExpiry = Config.maxExpiry
}
return time.Duration(fileExpiry) * time.Second
}
}
}