Diffstat (limited to 'fshare.py')
-rwxr-xr-xfshare.py18
1 files changed, 10 insertions, 8 deletions
diff --git a/fshare.py b/fshare.py
index d5092b3..56f554b 100755
--- a/fshare.py
+++ b/fshare.py
@@ -135,11 +135,12 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
# normalize the path
path = os.path.normpath(path)
- # make sure the path doesn't point outside of our root
- if path.startswith('..'):
+ # make sure the path is absolute
+ if not path.startswith('/'):
raise PermissionError('Invalid path')
- return path
+ # drop the leading '/'
+ return path[1:]
def _log_request(self):
self._logger.info('%s: %s', str(self.client_address), self.requestline)
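Review bot: `return path[1:]` still leaves a leading '/' when the request path begins with exactly two slashes, because `os.path.normpath` preserves a leading `//` on POSIX; a request for `/` likewise returns an empty string. In do_GET (next hunk) both cases make `.partition('/')[0]` empty, so `fname` is '' and the joined path is the data directory itself. I would return `path.lstrip('/')` and raise `PermissionError('Invalid path')` when the result is empty. The start of `_process_path` is outside the hunk, so any earlier handling of the path is not visible here.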
@@ -148,8 +149,9 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
def do_GET(self):
self._log_request()
- # discard any extension
- fname = os.path.splitext(self._process_path(self.path))[0]
+ # take the first path component, discard any extension
+ fname = self._process_path(self.path).partition('/')[0]
+ fname = os.path.splitext(fname)[0]
path = '/'.join((self.server.data_dir, fname))
self._logger.info('serve file: %s', fname)
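Review bot: `self._logger.info('serve file: %s', fname)` writes the first path component to the log, and the comment in the last hunk describes that component as the secret HMAC, so read access to the log is enough to retrieve any stored file; `_log_request` records the same value via the full request line. Consider logging a short one-way digest instead, e.g. `hashlib.sha256(fname.encode()).hexdigest()[:12]`, with a comment above the call saying why the name itself is withheld. The rest of do_GET is outside the hunk.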
@@ -172,8 +174,7 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
def do_POST(self):
self._log_request()
- src_fname = self._process_path(self.path)
- ext = os.path.splitext(src_fname)[1]
+ src_fname = os.path.basename(self._process_path(self.path))
if 'Transfer-Encoding' in self.headers:
if self.headers['Transfer-Encoding'] != 'chunked':
@@ -225,7 +226,8 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
except KeyError:
host = 'host.missing'
- path = urlparse.quote(dst_fname + ext)
+ # the resulting URL is the secret HMAC + original basename
+ path = urlparse.quote(dst_fname + '/' + src_fname)
reply = ('https://%s/%s' % (host, path)).encode('ascii')
self.send_response(retcode)
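Review bot: `.encode('ascii')` on the reply can raise `UnicodeEncodeError`: `path` is percent-quoted, but `host` is interpolated as-is and, judging by the `except KeyError` fallback, presumably comes from the request's Host header, which the client controls. The exception would be raised before `send_response`, presumably after the upload has already been handled. Check `host` first, for instance fall back to 'host.missing' when `not host.isascii()`, or take the public hostname from server configuration rather than from the request. The `try` body is outside the hunk, so the origin of `host` should be confirmed.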