andreimarcu
294e8d8be2
Better text detection
2015-10-28 15:21:54 -04:00
andreimarcu
9b1df43ef2
Trim "-" in filenames
2015-10-28 14:31:51 -04:00
andreimarcu
0b37309237
Allow configuration from ini-style file
2015-10-25 14:04:38 -04:00
andreimarcu
c53c909165
Remove unnecessary margin on pastebins
2015-10-21 21:41:27 -04:00
andreimarcu
be08b7f0fd
Remove "sandbox" from files CSP to have pdfs work in chrome
2015-10-21 18:20:14 -04:00
andreimarcu
ba9fcd3a7b
Document allowing hotlinking
2015-10-18 11:08:47 -04:00
andreimarcu
c8fc62398a
Enable randomize in remote uploads
2015-10-18 11:07:39 -04:00
andreimarcu
20456b0b3c
Update README.md
2015-10-15 20:16:02 -04:00
andreimarcu
39ae89107c
Update README.md
2015-10-15 19:51:52 -04:00
andreimarcu
7df3b1328e
Update README.md
2015-10-15 19:33:38 -04:00
andreimarcu
50a54bbcfc
Add linx-client in API documentation
2015-10-15 17:26:35 -04:00
andreimarcu
0d365409d0
Allow /upload/ for PUT requests without filename
2015-10-15 16:02:46 -04:00
andreimarcu
120909ce46
Template file was missing
2015-10-15 12:26:43 -04:00
andreimarcu
c77f8285d4
Fix/implement .story
2015-10-15 12:24:23 -04:00
andreimarcu
9847beeff5
Cleanup
2015-10-14 22:47:36 -04:00
andreimarcu
3c659601e2
Make it an option for post uploads
2015-10-14 20:40:25 -04:00
andreimarcu
9b724725b3
Blank referrers are allowed
2015-10-14 20:35:43 -04:00
andreimarcu
256ca43d69
Update API documentation with API keys
2015-10-14 16:47:13 -04:00
andreimarcu
b1e82f8d7f
Update build.sh to build linx-genkey
2015-10-14 16:31:52 -04:00
andreimarcu
68653372ff
Rename auth header to Linx-Api-Key and remove
b64encoding requirement for uploading with keys
2015-10-14 16:18:29 -04:00
andreimarcu
6987edc0d8
Remove non-API navigation links when using auth
2015-10-14 15:20:41 -04:00
andreimarcu
be15ba076d
Removed unnecessary duplicate static caching
2015-10-14 14:58:27 -04:00
Andrei Marcu
e1b2896c64
Merge pull request #60 from mutantmonkey/proper_referrer_check
do a proper same-origin check
2015-10-13 23:04:39 -04:00
mutantmonkey
d138755806
do a proper same-origin check
String prefix matching is hacky and provides insufficient checking if it
does not end with a /.
2015-10-13 19:55:32 -07:00
Andrei Marcu
ff1d9f56a1
Merge pull request #59 from mutantmonkey/csp_referrer_fix
fix CSP referrer policy
2015-10-12 10:01:50 -04:00
mutantmonkey
a3723d3665
short-circuit on origin header
If the Origin header is present, we can check it and skip the other
checks.
2015-10-12 01:23:06 -07:00
mutantmonkey
0a1aa869e4
nicer 400 error page
2015-10-12 01:03:02 -07:00
mutantmonkey
a7ae455ac1
strict referrer check improvements
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
2015-10-12 00:28:04 -07:00
mutantmonkey
61147554a9
update CSP flags in readme
2015-10-12 00:02:22 -07:00
mutantmonkey
cd83f9f0eb
fix CSP referrer policy
The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will cause only the origin to be sent for requests made from the main
site.
A fix was also needed for referrer checks in two places.
2015-10-11 23:49:15 -07:00
Andrei Marcu
4fee922543
Merge pull request #58 from mutantmonkey/referrer_fixup2
trim trailing / for origin checking
2015-10-11 23:07:45 -04:00
mutantmonkey
39d874374d
trim trailing / for origin checking
2015-10-11 20:06:14 -07:00
Andrei Marcu
60239467fd
Merge pull request #56 from mutantmonkey/auth
Add support for auth keys (and remote auth keys)
2015-10-11 22:44:30 -04:00
mutantmonkey
613ab24721
show usage for -authfile and -remoteauthfile
2015-10-11 19:38:04 -07:00
mutantmonkey
2cd432b5d3
update readme
2015-10-11 19:33:48 -07:00
mutantmonkey
dd4ac3a7ed
add support for remote auth keys
These are taken as a parameter to the remote upload page. Note that all
keys will be logged since this is a GET request.
2015-10-11 19:31:13 -07:00
mutantmonkey
3dc4753b7a
move reading auth keys into readAuthKeys
2015-10-11 19:30:01 -07:00
andreimarcu
104f648c0f
Remove artifact
2015-10-11 21:42:00 -04:00
andreimarcu
ae02f537f7
Add linx-genkey
2015-10-11 21:39:42 -04:00
mutantmonkey
adbc1604dc
add some more auth tests
It's going to be difficult to get 100% code coverage, but we can at
least ensure that checkAuth works properly.
2015-10-11 18:37:36 -07:00
mutantmonkey
cc4e2ca0d9
read authfile once only
Read the authfile upon initial server start and store the auth keys in
the auth struct, rather than reading the file for each page load.
2015-10-11 18:36:27 -07:00
mutantmonkey
3c9e260926
improve auth tests and rename auth struct
2015-10-11 17:43:31 -07:00
mutantmonkey
aa7dad3a03
add support for auth keys
Add a middleware that requires authorization for all POST, PUT, and
DELETE requests. This is done using the Authorization header and the
provided auth key is then checked against a file containing scrypted
auth keys. These keys are salted with the constant string `linx-server`.
2015-10-11 17:34:53 -07:00
andreimarcu
2b0135697b
Add option for using Real-IP
2015-10-11 20:32:28 -04:00
andreimarcu
9ac016c3b5
Document overwriting a file
2015-10-11 20:28:46 -04:00
Andrei Marcu
6c9d517c80
Merge pull request #55 from mutantmonkey/redirect_fix
use 303 redirects instead of 301s
2015-10-10 23:25:57 -04:00
mutantmonkey
52ec9f8e2d
use 303 redirects instead of 301s
HTTP status code 301 is for a permanent redirect, which these are not.
Although 302 would work here in most browsers, it would not follow the
HTTP spec, so instead we use 303 which has a clearly and consistently
defined behavior in response to a POST or PUT request.
2015-10-10 20:22:10 -07:00
andreimarcu
354278d488
Real-IP middleware for fastcgi + nginx doc update
2015-10-10 11:22:24 -04:00
andreimarcu
ef13181a23
Adjust the csp_test to use the new mux
2015-10-10 11:17:38 -04:00
Andrei Marcu
d42b2d28ac
Merge pull request #53 from mutantmonkey/fixbind
Replace -b and -bind with a single -bind
2015-10-10 11:14:54 -04:00