fix!: bug where it was possible to send text unauthenticated

docs: update on what SHOULD_AUTH actually does
style: br on a newline
2024-11-02 01:34:52 -03:00 · 2024-10-31 10:17:23 -03:00 · 2024-10-31 10:13:58 -03:00 · 2024-10-31 10:08:56 -03:00 · 2024-10-29 19:28:30 -03:00 · 2024-10-29 19:21:23 -03:00
8 changed files with 43 additions and 30 deletions
--- a/README.md
+++ b/README.md
@ -78,6 +78,8 @@ abyss is a basic and mostly single user http server written in go made for uploa
  curl -F "file=@/path/to/file" -H "X-Auth: "$(cat /path/to/.key) http://localhost:3235/
  ```
 - it is also possible to add a `-Fsecret=` to your POST to make filenames bigger and harder to guess.
 - you should probably create an `alias` or a `function` to do this automatically for you.
  <details>
  <summary>click for an example for bash/zsh:</summary>
@ -166,7 +168,7 @@ abyss is a basic and mostly single user http server written in go made for uploa
 - `UPLOAD_KEY`: this is key checked when uploading files. if the key doesn't match with server's one, then it refuses uploading.
 - `ABYSS_FILEDIR`: this points to the directory where abyss will save the uploads to. defaults to `./files`
 - `ABYSS_PORT`: this is the port the server will run on. safe to leave empty. defaults to 3235
- `SHOULD_AUTH`: if it is `yes`, then to upload text through the browser you will need authentication (same auth as `/tree`), any value other than that and upload is auth-less
+- `SHOULD_AUTH`: if it is `yes`, then to upload text you will need authentication (same auth as `/tree`), any value other than that and upload is authless
 ## todo:
--- a/abyss.go
+++ b/abyss.go
@ -100,12 +100,4 @@ func setupHandlers(mux *http.ServeMux, app *Application) {
 	mux.HandleFunc("/token", BasicAuth(app.createTokenHandler, app))
 	mux.HandleFunc("/files/", app.fileHandler)
 	if app.authUpload == "yes" {
 		mux.HandleFunc("/upload", BasicAuth(app.uploadHandler, app))
 		slog.Warn("text uploading through the browser will be restricted")
 	} else {
 		mux.HandleFunc("/upload", app.uploadHandler)
 		slog.Warn("text uploading through the browser will NOT be restricted")
 	}
 }
--- a/file_display.go
+++ b/file_display.go
@ -17,6 +17,8 @@ var extensions = map[string]string{
 	".png": "image", ".jpg": "image", ".jpeg": "image", ".webp": "image",
 	".mp3": "audio", ".aac": "audio", ".wav": "audio", ".flac": "audio", ".ogg": "audio",
 	".sh": "text", ".bash": "text", ".zsh": "text",
 	".bat": "text", ".cmd": "text", ".ps1": "text",
 	".ini": "text", ".cfg": "text", ".conf": "text",
--- a/generate_config.sh
+++ b/generate_config.sh
@ -43,7 +43,7 @@ AUTH_USERNAME=$AUTH_USERNAME
 # This is the password of the user for accessing /tree
 AUTH_PASSWORD=$AUTH_PASSWORD
-# This is whether you need a password to upload text through the browser
+# This is whether you need a password to upload text (through browser or curl)
 SHOULD_AUTH=$SHOULD_AUTH
 # This is the key needed to make uploads. Include it as X-Auth in curl.
--- a/handlers.go
+++ b/handlers.go
@ -137,7 +137,11 @@ func (app *Application) lastUploadedHandler(w http.ResponseWriter, r *http.Reque
 func (app *Application) uploadHandler(w http.ResponseWriter, r *http.Request) {
 	if contentType := r.Header.Get("Content-Type"); contentType == "application/x-www-form-urlencoded" {
-		app.formHandler(w, r)
+		if app.authUpload == "yes" {
 			BasicAuth(app.formHandler, app)(w, r)
 		} else {
 			app.formHandler(w, r)
 		}
 	} else if strings.Split(contentType, ";")[0] == "multipart/form-data" {
 		app.curlHandler(w, r)
 	} else {
@ -158,7 +162,11 @@ func (app *Application) formHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
-	filename := app.publicURL(file, ".txt")
+	full := true
 	if len(r.Form["secret"]) == 0 {
 		full = false
 	}
 	filename := app.publicURL(file, ".txt", full)
 	// reopening file because hash consumes it
 	file, err = os.Open("/tmp/file.txt")
@ -194,7 +202,11 @@ func (app *Application) curlHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
-	filename := app.publicURL(file, filepath.Ext(handler.Filename))
+	full := true
 	if len(r.Form["secret"]) == 0 {
 		full = false
 	}
 	filename := app.publicURL(file, filepath.Ext(handler.Filename), full)
 	// reopen the file for copying, as the hash process consumed the file reader
 	file, _, err = r.FormFile("file")
@ -204,16 +216,15 @@ func (app *Application) curlHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
-	err = SaveFile(app.lastUploadedFile, file)
+	if err = SaveFile(app.lastUploadedFile, file); err != nil {
 	if err != nil {
 		fmt.Fprintf(w, "Error parsing file: %s", err.Error())
 	}
 	ResponseURLHandler(w, app.url, filename)
 }
-func (app *Application) publicURL(file io.Reader, extension string) string {
+func (app *Application) publicURL(file io.Reader, extension string, full bool) string {
-	filename, _ := HashFile(file, extension)
+	filename, _ := HashFile(file, extension, full)
 	filepath := filepath.Join(app.filesDir, filename)
--- a/helpers.go
+++ b/helpers.go
@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"os"
 	"strings"
 	"github.com/golang-jwt/jwt/v5"
 )
@ -67,17 +68,19 @@ func FormatFileSize(size int64) string {
 	return fmt.Sprintf("%.2f GB", float64(size)/(1024*1024*1024))
 }
-func HashFile(file io.Reader, extension string) (string, error) {
+func HashFile(file io.Reader, extension string, full bool) (string, error) {
 	hasher := md5.New()
 	if _, err := io.Copy(hasher, file); err != nil {
 		return "", err
 	}
-	sha1Hash := hex.EncodeToString(hasher.Sum(nil))[:8]
+	sha1Hash := strings.ToUpper(hex.EncodeToString(hasher.Sum(nil)))
 	filename := fmt.Sprintf("%s%s", sha1Hash, extension)
-
+	if full {
-	return filename, nil
+		return filename, nil
 	} else {
 		return fmt.Sprintf("%s%s", sha1Hash[:5], extension), nil
 	}
 }
 func SaveFile(name string, file io.Reader) error {
--- a/static/index.html
+++ b/static/index.html
@ -20,8 +20,9 @@
        </a>
    </div>
-    <form action="/upload" method="POST">
+    <form action="/" method="POST">
-        <textarea name="content" placeholder="Enter your content here..."></textarea><br />
+        <textarea name="content" placeholder="Enter your content here..."></textarea>
        <br />
        <button type="submit">upload</button>
    </form>
--- a/templates/files.html
+++ b/templates/files.html
@ -213,12 +213,14 @@
            <source src="{{.Name}}" type="video/mp4" />
            Your browser does not support the video tag.
        </video>
-        {{else}}
+        {{else if eq .Type "audio"}}
-        <p>
+        <audio controls src="{{.Name}}"><audio />
-            Couldn't detect file from extension, visit
+            {{else}}
-            <a href="http://{{.Path}}">this link</a> to see/download your file.
+            <p>
-        </p>
+                Couldn't detect file from extension, visit
-        {{end}}
+                <a href="http://{{.Path}}">this link</a> to see/download your file.
            </p>
            {{end}}
    </div>
    <footer>file uploaded in {{.TimeUploaded}}</footer>
 </body>
Author	SHA1	Message	Date
jabuxas	6c301cff0c	fix!: bug where it was possible to send text unauthenticated	2024-11-02 01:34:52 -03:00
jabuxas	b73c06f1ab	docs: update on what SHOULD_AUTH actually does	2024-10-31 10:17:23 -03:00
jabuxas	0668e42ea8	style: br on a newline	2024-10-31 10:13:58 -03:00
jabuxas	f2e38fda23	feat: change uploaded filename to uppercase	2024-10-31 10:08:56 -03:00
jabuxas	ae81ead712	feat: add audio displaying	2024-10-29 19:28:30 -03:00
jabuxas	9262f436b6	fix: logic on naming url with secret	2024-10-29 19:21:23 -03:00
jabuxas	343af57742	docs: document -Fsecret	2024-10-29 17:52:38 -03:00
jabuxas	e216e2a1b5	feat: add longer url if "secret" field is present	2024-10-29 17:51:27 -03:00