diff options
author | Anton Khirnov <anton@khirnov.net> | 2021-06-02 16:58:26 +0200 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2021-06-02 16:58:26 +0200 |
commit | 3c7213570f6044d27125b529cbfeaf62a5d9f54d (patch) | |
tree | f36b1fbe0ccb82dbc61b9d17f4b8a5a8a1033eb2 /fshare.py | |
parent | 0474671ea11c0e78471dff1c830d8dd74d08f8cb (diff) |
Allow retrieving files through arbitrary filenames.
The URL returned from POST is now /<secret HMAC>/<original basename>
The file can be retrieved through /<secret HMAC>/<anything>.
This should be more convenient, as ups->wget will now produce the
original filename rather than a long string of gibberish.
Diffstat (limited to 'fshare.py')
-rwxr-xr-x | fshare.py | 18 |
1 files changed, 10 insertions, 8 deletions
@@ -135,11 +135,12 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler): # normalize the path path = os.path.normpath(path) - # make sure the path doesn't point outside of our root - if path.startswith('..'): + # make sure the path is absolute + if not path.startswith('/'): raise PermissionError('Invalid path') - return path + # drop the leading '/' + return path[1:] def _log_request(self): self._logger.info('%s: %s', str(self.client_address), self.requestline) @@ -148,8 +149,9 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler): def do_GET(self): self._log_request() - # discard any extension - fname = os.path.splitext(self._process_path(self.path))[0] + # take the first path component, discard any extension + fname = self._process_path(self.path).partition('/')[0] + fname = os.path.splitext(fname)[0] path = '/'.join((self.server.data_dir, fname)) self._logger.info('serve file: %s', fname) @@ -172,8 +174,7 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler): def do_POST(self): self._log_request() - src_fname = self._process_path(self.path) - ext = os.path.splitext(src_fname)[1] + src_fname = os.path.basename(self._process_path(self.path)) if 'Transfer-Encoding' in self.headers: if self.headers['Transfer-Encoding'] != 'chunked': @@ -225,7 +226,8 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler): except KeyError: host = 'host.missing' - path = urlparse.quote(dst_fname + ext) + # the resulting URL is the secret HMAC + original basename + path = urlparse.quote(dst_fname + '/' + src_fname) reply = ('https://%s/%s' % (host, path)).encode('ascii') self.send_response(retcode) |