author | Anton Khirnov <anton@khirnov.net> | 2022-06-26 12:03:19 +0200 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2022-06-26 12:03:19 +0200 |
commit | 343eeaa39f29df311b5c4cdc14f83cedbe2c21ca (patch) | |
tree | 0e7d54ebe360b5461dc396734410d58e1acd406f | |
parent | 1a7e5ef560e7347cb057b9a30864edaec2c61480 (diff) |
Drop the ability to store remote URLs.
I do not use it and it adds complexity, with potential for security
issues.
-rwxr-xr-x | fhost.py | 33 | ||||
-rw-r--r-- | requirements.txt | 2 |
2 files changed, 0 insertions, 35 deletions
@@ -23,7 +23,6 @@ from flask import Flask, abort, escape, make_response, redirect, request, send_f
 from flask_sqlalchemy import SQLAlchemy
 from flask_script import Manager
 from hashlib import sha256
-from humanize import naturalsize
 from magic import Magic
 from mimetypes import guess_extension
 import os, sys
@@ -229,36 +228,6 @@ def store_file(f, addr):
 return sf.geturl()
-def store_url(url, addr):
- if is_fhost_url(url):
- return segfault(508)
-
- h = { "Accept-Encoding" : "identity" }
- r = requests.get(url, stream=True, verify=False, headers=h)
-
- try:
- r.raise_for_status()
- except requests.exceptions.HTTPError as e:
- return str(e) + "\n"
-
- if "content-length" in r.headers:
- l = int(r.headers["content-length"])
-
- if l < app.config["MAX_CONTENT_LENGTH"]:
- def urlfile(**kwargs):
- return type('',(),kwargs)()
-
- f = urlfile(stream=r.raw, content_type=r.headers["content-type"], filename="")
-
- return store_file(f, addr)
- else:
- hl = naturalsize(l, binary = True)
- hml = naturalsize(app.config["MAX_CONTENT_LENGTH"], binary=True)
-
- return "Remote file too large ({0} > {1}).\n".format(hl, hml), 413
- else:
- return "Could not determine remote file size (no Content-Length in response header; shoot admin).\n", 411
-
 @app.route("/<path:path>")
 def get(path):
 p = os.path.splitext(path)
@@ -322,8 +291,6 @@ def fhost():
 if "file" in request.files:
 return store_file(request.files["file"], request.remote_addr)
- elif "url" in request.form:
- return store_url(request.form["url"], request.remote_addr)
 abort(400)
 else:
diff --git a/requirements.txt b/requirements.txt
index f22a8c5..b5c2720 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,9 +4,7 @@ SQLAlchemy
 tqdm
 Flask_SQLAlchemy
 Flask
-humanize
 requests
-flask_migrate
 flask_script
 python_magic
 short_url |