86 Commits

Author SHA1 Message Date
ZizzyDizzyMC 0156fdb15b Update upload.go 2021-02-21 21:14:31 -05:00
ZizzyDizzyMC 17441020c2 Update upload.go 2021-02-21 21:01:07 -05:00
ZizzyDizzyMC 7635abf2dc Update upload.go 2021-02-21 20:56:38 -05:00
ZizzyDizzyMC 357f1b1883 Update upload.go 2021-02-21 20:56:12 -05:00
ZizzyDizzyMC b61c08ac13 Update upload.go 2021-02-21 20:54:31 -05:00
ZizzyDizzyMC ddb89bdc66 Update upload.go 2021-02-21 20:52:18 -05:00
ZizzyDizzyMC 5c3ace8829 Update upload.go 2021-02-21 20:51:32 -05:00
ZizzyDizzyMC c4f40d2747 Update upload.go 2021-02-21 20:49:22 -05:00
ZizzyDizzyMC 486e4ed836 Update upload.go 2021-02-21 20:45:13 -05:00
ZizzyDizzyMC fb1ec8a64c Update upload.go 2021-02-21 20:43:38 -05:00
ZizzyDizzyMC 49161feb7a Update upload.go 2021-02-21 20:40:53 -05:00
ZizzyDizzyMC b8f4b55f05 Content-Length rejection if specified larger than allowed size. 2021-02-21 20:40:10 -05:00
ZizzyDizzyMC 2624427b6c Update upload.go 2021-02-09 23:07:18 -05:00
ZizzyDizzyMC cb69d98032 Update upload.go 2021-02-09 22:59:23 -05:00
ZizzyDizzyMC 654a1f0a84 Update upload.go 2021-02-09 22:53:27 -05:00
ZizzyDizzyMC d6ebc29483 Update upload.go 2021-02-09 22:52:18 -05:00
ZizzyDizzyMC 5effb947e3 Update upload.go 2021-02-09 22:47:08 -05:00
ZizzyDizzyMC f87914a2a2 Update upload.go 2021-02-09 22:44:04 -05:00
ZizzyDizzyMC de6b3bc23f Improved Security Logging 2021-02-09 22:36:14 -05:00
mutantmonkey 456274c1b9 Split and move auth into a separate package (#224)
* Split and move auth into a separate package

This change will make it easier to implement additional authentication
methods, such as OpenID Connect. For now, only the existing "apikeys"
authentication method is supported.

* Use absolute site prefix to prevent redirect loop
2020-08-14 00:42:45 -07:00
Infinoid 5eb6f32ff0 Switch to a more comprehensive mimetype detection library (#231) 2020-08-02 22:16:47 -07:00
Andrei Marcu 7543c82473 Remote upload: Add direct_url param for redirect 2020-03-12 14:18:12 -07:00
Andrei Marcu a4240680c8 Merge branch 'accesskey' of git://github.com/stek29/linx-server into stek29-accesskey 2020-03-06 15:29:41 -08:00
Paweł Płazieński 597bec430c Allow Basic authentication in browser (#195) 2020-03-06 15:21:49 -08:00
Viktor Oreshkin b63274ad01 allow limiting access by passwords (fix #194) 2020-02-17 18:02:47 +03:00
mutantmonkey 8f3108148b Add option to force random filenames (fixes #86) (#159) 2019-01-26 02:04:32 -08:00
mutantmonkey 5d9a93b1e2 Add S3 backend (#156) 2019-01-24 23:33:11 -08:00
Andrei Marcu e506304b84 Return direct URL in json responses 2019-01-14 15:28:32 -08:00
mutantmonkey b7fadd9676 Add linx-cleanup tool
This doesn't completely fix #116, but it makes setting up a cron job to
do cleanup much more pleasant.
2017-05-01 21:27:28 -07:00
andreimarcu 37f9a0cbbc Change unknown extension from .ext to .file 2017-03-25 08:44:18 -07:00
mutantmonkey e6ac89d6dc Switch to https://github.com/h2non/filetype
This library is much better at detecting MIME types properly than the
existing one. Fixes #117.
2017-03-25 01:08:56 -07:00
mutantmonkey 647aa2c0f6 Fix max expiry when provided expiry is 0
Previously, we did not properly handle the case where the provided
expiry was zero and the max expiry was configured to be nonzero; add an
additional check to cover this case.

Fixes #111.
2016-11-02 19:31:32 -07:00
mutantmonkey fef43d856e Add option for maximum expiration time (fixes #99) 2016-09-18 22:05:26 -07:00
andreimarcu 81a1513809 Add newline for PUT response 2016-07-22 18:15:44 -07:00
andreimarcu 1e1f28658d Remove spaces in mime mapping and ensure no spaces in filenames 2016-07-22 18:08:59 -07:00
mutantmonkey fcd18eceec use abstracted storage for flexibility
I moved the storage functionality into the StorageBackend interface,
which is currently only implemented by LocalfsBackend.
2016-06-08 20:18:31 -07:00
mutantmonkey 47670af185 Infer site URL from host and headers
We can use the Host property of the request and the X-Forwarded-Proto to
infer the site URL. To reduce complexity, the path is not inferred, and
it is assumed that linx-server is running at /. If this is not the case,
the site URL must be manually configured; this is no different than it
was before.
2016-06-04 18:34:22 -07:00
mutantmonkey b0d2f2a142 support .tar.gz-style extensions
Some extensions actually consist of multiple parts, like .tar.gz, so we
should handle this properly instead of merging part of the extension
with the bare name. Right now only tar is allowed, but others can be
added easily.

Fixes #74.
2016-02-12 21:27:39 -08:00
andreimarcu 4856ab0750 Allow for non-/ deployments. Fixes #61 2015-10-30 18:36:47 -04:00
andreimarcu 9b1df43ef2 Trim "-" in filenames 2015-10-28 14:31:51 -04:00
andreimarcu c8fc62398a Enable randomize in remote uploads 2015-10-18 11:07:39 -04:00
andreimarcu 9847beeff5 Cleanup 2015-10-14 22:47:36 -04:00
andreimarcu 3c659601e2 Make it an option for post uploads 2015-10-14 20:40:25 -04:00
andreimarcu 68653372ff Rename auth header to Linx-Api-Key and remove
b64encoding requirement for uploading with keys
2015-10-14 16:18:29 -04:00
mutantmonkey a7ae455ac1 strict referrer check improvements
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
2015-10-12 00:28:04 -07:00
mutantmonkey dd4ac3a7ed add support for remote auth keys
These are taken as a parameter to the remote upload page. Note that all
keys will be logged since this is a GET request.
2015-10-11 19:31:13 -07:00
mutantmonkey 52ec9f8e2d use 303 redirects instead of 301s
HTTP status code 301 is for a permanent redirect, which these are not.
Although 302 would work here in most browsers, it would not follow the
HTTP spec, so instead we use 303 which has a clearly and consistently
defined behavior in response to a POST or PUT request.
2015-10-10 20:22:10 -07:00
mutantmonkey 874c23087d add crossdomain.xml to file blacklist 2015-10-09 00:06:23 -07:00
Andrei Marcu d9723b8350 Merge pull request #49 from mutantmonkey/referrer_check
add strict referrer check for POST uploads
2015-10-08 23:35:19 -04:00
mutantmonkey 6ff181facb add strict referrer check for POST uploads
This should protect against cross-site request forgery without the need
for cookies. It continues to allow requests with Linx-Delete-Key,
Linx-Expiry, or Linx-Randomize headers as these will not be set in the
case of cross-site requests.
2015-10-08 20:27:04 -07:00