authorAnton Khirnov <anton@khirnov.net>2022-06-26 12:03:19 +0200
committerAnton Khirnov <anton@khirnov.net>2022-06-26 12:03:19 +0200
commit343eeaa39f29df311b5c4cdc14f83cedbe2c21ca (patch)
tree0e7d54ebe360b5461dc396734410d58e1acd406f
parent1a7e5ef560e7347cb057b9a30864edaec2c61480 (diff)
Drop the ability to store remote URLs.
I do not use it and it adds complexity, with potential for security issues.
-rwxr-xr-xfhost.py33
-rw-r--r--requirements.txt2
2 files changed, 0 insertions, 35 deletions
diff --git a/fhost.py b/fhost.py
index f12b63f..9910773 100755
--- a/fhost.py
+++ b/fhost.py
@@ -23,7 +23,6 @@ from flask import Flask, abort, escape, make_response, redirect, request, send_f
from flask_sqlalchemy import SQLAlchemy
from flask_script import Manager
from hashlib import sha256
-from humanize import naturalsize
from magic import Magic
from mimetypes import guess_extension
import os, sys
@@ -229,36 +228,6 @@ def store_file(f, addr):
return sf.geturl()
-def store_url(url, addr):
- if is_fhost_url(url):
- return segfault(508)
-
- h = { "Accept-Encoding" : "identity" }
- r = requests.get(url, stream=True, verify=False, headers=h)
-
- try:
- r.raise_for_status()
- except requests.exceptions.HTTPError as e:
- return str(e) + "\n"
-
- if "content-length" in r.headers:
- l = int(r.headers["content-length"])
-
- if l < app.config["MAX_CONTENT_LENGTH"]:
- def urlfile(**kwargs):
- return type('',(),kwargs)()
-
- f = urlfile(stream=r.raw, content_type=r.headers["content-type"], filename="")
-
- return store_file(f, addr)
- else:
- hl = naturalsize(l, binary = True)
- hml = naturalsize(app.config["MAX_CONTENT_LENGTH"], binary=True)
-
- return "Remote file too large ({0} > {1}).\n".format(hl, hml), 413
- else:
- return "Could not determine remote file size (no Content-Length in response header; shoot admin).\n", 411
-
@app.route("/<path:path>")
def get(path):
p = os.path.splitext(path)
@@ -322,8 +291,6 @@ def fhost():
if "file" in request.files:
return store_file(request.files["file"], request.remote_addr)
- elif "url" in request.form:
- return store_url(request.form["url"], request.remote_addr)
abort(400)
else:
diff --git a/requirements.txt b/requirements.txt
index f22a8c5..b5c2720 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,9 +4,7 @@ SQLAlchemy
tqdm
Flask_SQLAlchemy
Flask
-humanize
requests
-flask_migrate
flask_script
python_magic
short_url