From 3c7213570f6044d27125b529cbfeaf62a5d9f54d Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Wed, 2 Jun 2021 16:58:26 +0200
Subject: Allow retrieving files through arbitrary filenames.

The URL returned from POST is now /<secret HMAC>/<original basename>
The file can be retrieved through /<secret HMAC>/<anything>.

This should be more convenient, as ups->wget will now produce the
original filename rather than a long string of gibberish.
---
 fshare.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/fshare.py b/fshare.py
index d5092b3..56f554b 100755
--- a/fshare.py
+++ b/fshare.py
@@ -135,11 +135,12 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
         # normalize the path
         path = os.path.normpath(path)
 
-        # make sure the path doesn't point outside of our root
-        if path.startswith('..'):
+        # make sure the path is absolute
+        if not path.startswith('/'):
             raise PermissionError('Invalid path')
 
-        return path
+        # drop the leading '/'
+        return path[1:]
 
     def _log_request(self):
         self._logger.info('%s: %s', str(self.client_address), self.requestline)
@@ -148,8 +149,9 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
     def do_GET(self):
         self._log_request()
 
-        # discard any extension
-        fname = os.path.splitext(self._process_path(self.path))[0]
+        # take the first path component, discard any extension
+        fname = self._process_path(self.path).partition('/')[0]
+        fname = os.path.splitext(fname)[0]
         path = '/'.join((self.server.data_dir, fname))
         self._logger.info('serve file: %s', fname)
 
@@ -172,8 +174,7 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
     def do_POST(self):
         self._log_request()
 
-        src_fname = self._process_path(self.path)
-        ext   = os.path.splitext(src_fname)[1]
+        src_fname = os.path.basename(self._process_path(self.path))
 
         if 'Transfer-Encoding' in self.headers:
             if self.headers['Transfer-Encoding'] != 'chunked':
@@ -225,7 +226,8 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
         except KeyError:
             host = 'host.missing'
 
-        path  = urlparse.quote(dst_fname + ext)
+        # the resulting URL is the secret HMAC + original basename
+        path  = urlparse.quote(dst_fname + '/' + src_fname)
         reply = ('https://%s/%s' % (host, path)).encode('ascii')
 
         self.send_response(retcode)
-- 
cgit v1.2.3