Commit Graph

179 Commits

Author SHA1 Message Date
andreimarcu 3c659601e2 Make it an option for post uploads 2015-10-14 20:40:25 -04:00
andreimarcu 9b724725b3 Blank referrers are allowed 2015-10-14 20:35:43 -04:00
andreimarcu 256ca43d69 Update API documentation with API keys 2015-10-14 16:47:13 -04:00
andreimarcu b1e82f8d7f Update build.sh to build linx-genkey 2015-10-14 16:31:52 -04:00
andreimarcu 68653372ff Rename auth header to Linx-Api-Key and remove
b64encoding requirement for uploading with keys
2015-10-14 16:18:29 -04:00
andreimarcu 6987edc0d8 Remove non-API navigation links when using auth 2015-10-14 15:20:41 -04:00
andreimarcu be15ba076d Removed unnecessary duplicate static caching 2015-10-14 14:58:27 -04:00
Andrei Marcu e1b2896c64 Merge pull request #60 from mutantmonkey/proper_referrer_check
do a proper same-origin check
2015-10-13 23:04:39 -04:00
mutantmonkey d138755806 do a proper same-origin check
String prefix matching is hacky and provides insufficient checking if it
does not end with a /.
2015-10-13 19:55:32 -07:00
Andrei Marcu ff1d9f56a1 Merge pull request #59 from mutantmonkey/csp_referrer_fix
fix CSP referrer policy
2015-10-12 10:01:50 -04:00
mutantmonkey a3723d3665 short-circuit on origin header
If the Origin header is present, we can check it and skip the other
checks.
2015-10-12 01:23:06 -07:00
mutantmonkey 0a1aa869e4 nicer 400 error page 2015-10-12 01:03:02 -07:00
mutantmonkey a7ae455ac1 strict referrer check improvements
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
2015-10-12 00:28:04 -07:00
mutantmonkey 61147554a9 update CSP flags in readme 2015-10-12 00:02:22 -07:00
mutantmonkey cd83f9f0eb fix CSP referrer policy
The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will causes only the origin to be sent for requests made from the main
site.

A fix was also needed for referrer checks in two places.
2015-10-11 23:49:15 -07:00
Andrei Marcu 4fee922543 Merge pull request #58 from mutantmonkey/referrer_fixup2
trim trailing / for origin checking
2015-10-11 23:07:45 -04:00
mutantmonkey 39d874374d trim trailing / for origin checking 2015-10-11 20:06:14 -07:00
Andrei Marcu 60239467fd Merge pull request #56 from mutantmonkey/auth
Add support for auth keys (and remote auth keys)
2015-10-11 22:44:30 -04:00
mutantmonkey 613ab24721 show usage for -authfile and -remoteauthfile 2015-10-11 19:38:04 -07:00
mutantmonkey 2cd432b5d3 update readme 2015-10-11 19:33:48 -07:00
mutantmonkey dd4ac3a7ed add support remote auth keys
These are taken as a parameter to the remote upload page. Note that all
keys will be logged since this is a GET request.
2015-10-11 19:31:13 -07:00
mutantmonkey 3dc4753b7a move reading auth keys into readAuthKeys 2015-10-11 19:30:01 -07:00
andreimarcu 104f648c0f Remove artifact 2015-10-11 21:42:00 -04:00
andreimarcu ae02f537f7 Add linx-genkey 2015-10-11 21:39:42 -04:00
mutantmonkey adbc1604dc add some more auth tests
It's going to be difficult to get 100% code coverage, but we can at
least ensure that checkAuth works properly.
2015-10-11 18:37:36 -07:00
mutantmonkey cc4e2ca0d9 read authfile once only
Read the authfile upon initial server start and store the auth keys in
the auth struct, rather than reading the file for each page load.
2015-10-11 18:36:27 -07:00
mutantmonkey 3c9e260926 improve auth tests and rename auth struct 2015-10-11 17:43:31 -07:00
mutantmonkey aa7dad3a03 add support for auth keys
Add a middleware that requires authorization for all POST, PUT, and
DELETE requests. This is done using the Authorization header and the
provided auth key is then checked against a file containing scrypted
auth keys. These keys are salted the constant string `linx-server`.
2015-10-11 17:34:53 -07:00
andreimarcu 2b0135697b Add option for using Real-IP 2015-10-11 20:32:28 -04:00
andreimarcu 9ac016c3b5 Document overwriting a file 2015-10-11 20:28:46 -04:00
Andrei Marcu 6c9d517c80 Merge pull request #55 from mutantmonkey/redirect_fix
use 303 redirects instead of 301s
2015-10-10 23:25:57 -04:00
mutantmonkey 52ec9f8e2d use 303 redirects instead of 301s
HTTP status code 301 is for a permanent redirect, which these are not.
Although 302 would work here in most browsers, it would not follow the
HTTP spec, so instead we use 303 which has a clearly and consistently
defined behavior in response to a POST or PUT request.
2015-10-10 20:22:10 -07:00
andreimarcu 354278d488 Real-IP middleware for fastcgi + nginx doc update 2015-10-10 11:22:24 -04:00
andreimarcu ef13181a23 Adjust the csp_test to use the new mux 2015-10-10 11:17:38 -04:00
Andrei Marcu d42b2d28ac Merge pull request #53 from mutantmonkey/fixbind
Replace -b and -bind with a single -bind
2015-10-10 11:14:54 -04:00
mutantmonkey 5600dd1ce3 update readme for new -bind flag 2015-10-09 23:16:30 -07:00
mutantmonkey 82edabd036 change -b flag to -bind
This is for consistency with Goji's default flag and is more clear.
2015-10-09 23:06:28 -07:00
mutantmonkey a09297389b create our own mux instead of using goji default
This is a better way to do things since we were customizing middleware
and everything anyway. It's also necessary in order to avoid pulling in
the default Goji -bind flag: https://github.com/zenazn/goji/issues/47
2015-10-09 23:04:08 -07:00
Andrei Marcu 95d3a62c0c Merge pull request #52 from mutantmonkey/textarea_tab
add tab functionality to pastebin (resolves #48)
2015-10-10 01:25:18 -04:00
mutantmonkey e0d0e40368 add tab functionality to pastebin (resolves #48)
The tab key now inserts a tab instead of changing the focus.
2015-10-09 22:21:23 -07:00
Andrei Marcu 883768f512 Merge pull request #51 from mutantmonkey/blacklist_fixup
add crossdomain.xml to file blacklist
2015-10-09 18:45:03 -04:00
mutantmonkey 874c23087d add crossdomain.xml to file blacklist 2015-10-09 00:06:23 -07:00
andreimarcu eeede281a7 Case insensitive fs again 2015-10-08 23:58:57 -04:00
Andrei Marcu d9723b8350 Merge pull request #49 from mutantmonkey/referrer_check
add strict referrer check for POST uploads
2015-10-08 23:35:19 -04:00
mutantmonkey 6ff181facb add strict referrer check for POST uploads
This should protect against cross-site request forgery without the need
for cookies. It continues to allow requests with Linx-Delete-Key,
Linx-Expiry, or Linx-Randomize headers as these will not be set in the
case of cross-site requests.
2015-10-08 20:27:04 -07:00
andreimarcu 5885ef0832 Case-insensitive filesystems... 2015-10-08 21:50:10 -04:00
andreimarcu 62443e984d API documentation. Fixes #30 2015-10-08 21:48:06 -04:00
andreimarcu e9132a1193 File overwriting support. Fixes #8 2015-10-08 12:49:29 -04:00
andreimarcu 8ad079ed0a Fix readme 2015-10-08 01:40:03 -04:00
andreimarcu 639d519712 Configurable maximum upload file size. Fixes #35 2015-10-08 01:38:50 -04:00