Commit Graph

414 Commits

Author SHA1 Message Date
mutantmonkey fcd18eceec use abstracted storage for flexibility
I moved the storage functionality into the StorageBackend interface,
which is currently only implemented by LocalfsBackend.
2016-06-08 20:18:31 -07:00
Andrei Marcu 61eb32a79b Merge pull request #83 from mutantmonkey/csp_frame_ancestors
Use Content-Security-Policy frame-ancestors
2016-06-05 00:29:13 -07:00
Andrei Marcu 2fb58e7da1 Merge pull request #82 from mutantmonkey/infer_siteurl
Infer site URL from host and headers
2016-06-05 00:28:46 -07:00
mutantmonkey 47670af185 Infer site URL from host and headers
We can use the Host property of the request and the X-Forwarded-Proto to
infer the site URL. To reduce complexity, the path is not inferred, and
it is assumed that linx-server is running at /. If this is not the case,
the site URL must be manually configured; this is no different than it
was before.
2016-06-04 18:34:22 -07:00
mutantmonkey 2b5cc07005 Use Content-Security-Policy frame-ancestors
X-Frame-Options has been deprecated by Content Security Policy Level 2.
We will need to provide the option for older browsers for the time
being, but frame-ancestors is preferred on newer ones.
2016-06-04 15:04:32 -07:00
andreimarcu afa65349cc Fix typos in API template 2016-06-04 00:36:51 -07:00
Andrei Marcu 14ba403145 Merge pull request #81 from mutantmonkey/addheaders
Add ability to set arbitrary headers
2016-06-03 22:59:29 -07:00
mutantmonkey 39bb999db6 Add ability to set arbitrary headers
This is useful if you want to add headers for things like HTTP Strict
Transport Security or HTTP Public Key Pinning.
2016-06-03 22:49:01 -07:00
Andrei Marcu 1f3bc4bfea Merge branch 'mutantmonkey-better_extension_handling' 2016-02-15 14:44:43 -08:00
mutantmonkey b0d2f2a142 support .tar.gz-style extensions
Some extensions actually consist of multiple parts, like .tar.gz, so we
should handle this properly instead of merging part of the extension
with the bare name. Right now only tar is allowed, but others can be
added easily.

Fixes #74.
2016-02-12 21:27:39 -08:00
Andrei Marcu bc66bcc069 Merge pull request #73 from mutantmonkey/workaround_chrome_nonsense
workaround chrome nonsense with CSP
2015-12-04 22:34:36 -05:00
mutantmonkey 817ac67632 workaround chrome nonsense with CSP
Apparently the Chromium developers have decided that it was a good idea
for them to use inline styles on the image/PDF viewers in their browser.
I have no idea why they would think this, as it is not, but since this
causes breakage we allow unsafe-inline for styles on files.
2015-12-04 19:28:30 -08:00
andreimarcu 5dcfca5f74 Order matters no. 2 2015-12-04 00:19:33 -05:00
andreimarcu 7c1a4640db Order matters! 2015-12-02 14:58:48 -05:00
andreimarcu 88c00027ea Add line numbers for pastebin. Fixes #70 2015-11-12 11:17:53 -05:00
andreimarcu 10d30df81f Fix out of bounds error 2015-11-12 01:04:05 -05:00
andreimarcu 9cf55ac687 Redirect hotlink instead of 403. Fixes #69 2015-11-12 00:56:22 -05:00
andreimarcu e6d79eb5cf Temporary fix for text detection 2015-10-30 23:13:43 -04:00
andreimarcu 4856ab0750 Allow for non-/ deployments. Fixes #61 2015-10-30 18:36:47 -04:00
andreimarcu 07aaad2cd8 Match more text mimetypes 2015-10-28 15:55:56 -04:00
andreimarcu 294e8d8be2 Better text detection 2015-10-28 15:21:54 -04:00
andreimarcu 9b1df43ef2 Trim "-" in filenames 2015-10-28 14:31:51 -04:00
andreimarcu 0b37309237 Allow configuration from ini-style file 2015-10-25 14:04:38 -04:00
andreimarcu c53c909165 Remove unnecessary margin on pastebins 2015-10-21 21:41:27 -04:00
andreimarcu be08b7f0fd Remove "sandbox" from files CSP to have pdfs work in chrome 2015-10-21 18:20:14 -04:00
andreimarcu ba9fcd3a7b Document allowing hotlinking 2015-10-18 11:08:47 -04:00
andreimarcu c8fc62398a Enable randomize in remote uploads 2015-10-18 11:07:39 -04:00
andreimarcu 20456b0b3c Updarte README.md 2015-10-15 20:16:02 -04:00
andreimarcu 39ae89107c Update README.md 2015-10-15 19:51:52 -04:00
andreimarcu 7df3b1328e Update README.md 2015-10-15 19:33:38 -04:00
andreimarcu 50a54bbcfc Add linx-client in API documentation 2015-10-15 17:26:35 -04:00
andreimarcu 0d365409d0 Allow /upload/ for PUT requests without filename 2015-10-15 16:02:46 -04:00
andreimarcu 120909ce46 Template file was missing 2015-10-15 12:26:43 -04:00
andreimarcu c77f8285d4 Fix/implement .story 2015-10-15 12:24:23 -04:00
andreimarcu 9847beeff5 Cleanup 2015-10-14 22:47:36 -04:00
andreimarcu 3c659601e2 Make it an option for post uploads 2015-10-14 20:40:25 -04:00
andreimarcu 9b724725b3 Blank referrers are allowed 2015-10-14 20:35:43 -04:00
andreimarcu 256ca43d69 Update API documentation with API keys 2015-10-14 16:47:13 -04:00
andreimarcu b1e82f8d7f Update build.sh to build linx-genkey 2015-10-14 16:31:52 -04:00
andreimarcu 68653372ff Rename auth header to Linx-Api-Key and remove
b64encoding requirement for uploading with keys
2015-10-14 16:18:29 -04:00
andreimarcu 6987edc0d8 Remove non-API navigation links when using auth 2015-10-14 15:20:41 -04:00
andreimarcu be15ba076d Removed unnecessary duplicate static caching 2015-10-14 14:58:27 -04:00
Andrei Marcu e1b2896c64 Merge pull request #60 from mutantmonkey/proper_referrer_check
do a proper same-origin check
2015-10-13 23:04:39 -04:00
mutantmonkey d138755806 do a proper same-origin check
String prefix matching is hacky and provides insufficient checking if it
does not end with a /.
2015-10-13 19:55:32 -07:00
Andrei Marcu ff1d9f56a1 Merge pull request #59 from mutantmonkey/csp_referrer_fix
fix CSP referrer policy
2015-10-12 10:01:50 -04:00
mutantmonkey a3723d3665 short-circuit on origin header
If the Origin header is present, we can check it and skip the other
checks.
2015-10-12 01:23:06 -07:00
mutantmonkey 0a1aa869e4 nicer 400 error page 2015-10-12 01:03:02 -07:00
mutantmonkey a7ae455ac1 strict referrer check improvements
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
2015-10-12 00:28:04 -07:00
mutantmonkey 61147554a9 update CSP flags in readme 2015-10-12 00:02:22 -07:00
mutantmonkey cd83f9f0eb fix CSP referrer policy
The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will causes only the origin to be sent for requests made from the main
site.

A fix was also needed for referrer checks in two places.
2015-10-11 23:49:15 -07:00