filebrowser/http/public.go

package http

import (
	"net/http"
	"strings"

	"github.com/filebrowser/filebrowser/v2/files"
)

var withHashFile = func(fn handleFunc) handleFunc {
	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
		link, err := d.store.Share.GetByHash(r.URL.Path)
		if err != nil {
			link, err = d.store.Share.GetByHash(ifPathWithName(r))
			if err != nil {
				return errToStatus(err), err
			}
		}

		user, err := d.store.Users.Get(d.server.Root, link.UserID)
		if err != nil {
			return errToStatus(err), err
		}

		d.user = user

		file, err := files.NewFileInfo(files.FileOptions{
			Fs:      d.user.Fs,
			Path:    link.Path,
			Modify:  d.user.Perm.Modify,
			Expand:  false,
			Checker: d,
		})
		if err != nil {
			return errToStatus(err), err
		}

		d.raw = file
		return fn(w, r, d)
	}
}

// ref to https://github.com/filebrowser/filebrowser/pull/727
// `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name
func ifPathWithName(r *http.Request) string {
	pathElements := strings.Split(r.URL.Path, "/")
	// prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
	// len(pathElements) will be 1, and golang will panic `runtime error: index out of range`
	if len(pathElements) < 2 {
		return r.URL.Path
	}
	id := pathElements[len(pathElements)-2]
	return id
}

var publicShareHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
	return renderJSON(w, r, d.raw)
})

var publicDlHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
	file := d.raw.(*files.FileInfo)
	if !file.IsDir {
		return rawFileHandler(w, r, file)
	}

	return rawDirHandler(w, r, d, file)
})
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`package http`

			`import (`
			`"net/http"`
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`"strings"`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00
			`"github.com/filebrowser/filebrowser/v2/files"`
			`)`

			`var withHashFile = func(fn handleFunc) handleFunc {`
			`return func(w http.ResponseWriter, r http.Request, d data) (int, error) {`
			`link, err := d.store.Share.GetByHash(r.URL.Path)`
			`if err != nil {`
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`link, err = d.store.Share.GetByHash(ifPathWithName(r))`
			`if err != nil {`
			`return errToStatus(err), err`
			`}`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`}`

feat: make server options a struct (#615) Former-commit-id: a54bc7c8a0fb700d4f90f78c54d6cb028e8acea7 [formerly a0946a1d5b82ce5681684bc0f871bd892c4d6c3f] [formerly 6b23b0abbe5cde6a6348f982975d15a1161359de [formerly 0e7abaa7fb4b293e933d233750cf057c48b298bf]] Former-commit-id: cf9ea1110bcb8b5eb30ecd25db1928659ecea922 [formerly 38cebeff1f9e6b03760f7b277a3941f7bd733fb5] Former-commit-id: db44c1d5ff8fed361849b5bf1fe48e04c75d7ce7 2019-01-08 10:29:09 +00:00			`user, err := d.store.Users.Get(d.server.Root, link.UserID)`
feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`if err != nil {`
			`return errToStatus(err), err`
			`}`

			`d.user = user`

			`file, err := files.NewFileInfo(files.FileOptions{`
			`Fs: d.user.Fs,`
			`Path: link.Path,`
			`Modify: d.user.Perm.Modify,`
			`Expand: false,`
			`Checker: d,`
			`})`
			`if err != nil {`
			`return errToStatus(err), err`
			`}`

			`d.raw = file`
			`return fn(w, r, d)`
			`}`
			`}`

fix: prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic (#791) 2019-07-05 11:15:57 +00:00			`// ref to https://github.com/filebrowser/filebrowser/pull/727`
			// `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`func ifPathWithName(r *http.Request) string {`
			`pathElements := strings.Split(r.URL.Path, "/")`
fix: prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic (#791) 2019-07-05 11:15:57 +00:00			// prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
			// len(pathElements) will be 1, and golang will panic `runtime error: index out of range`
			`if len(pathElements) < 2 {`
			`return r.URL.Path`
			`}`
Update download names file for weak clients 2019-05-13 14:30:18 +00:00			`id := pathElements[len(pathElements)-2]`
			`return id`
			`}`

feat: v2 (#599) Read https://github.com/filebrowser/filebrowser/pull/575. Former-commit-id: 7aedcaaf72b863033e3f089d6df308d41a3fd00c [formerly bdbe4d49161b901c4adf9c245895a1be2d62e4a7] [formerly acfc1ec67c423e0b3e065a8c1f8897c5249af65b [formerly d309066def8319e9da89d00ca6463ec4aea62d34]] Former-commit-id: 0c7d925a38a68ccabdf2c4bbd8c302ee89b93509 [formerly a6173925a1382955d93b334ded93f70d6dddd694] Former-commit-id: e032e0804dd051df86f42962de2b39caec5318b7 2019-01-05 22:44:33 +00:00			`var publicShareHandler = withHashFile(func(w http.ResponseWriter, r http.Request, d data) (int, error) {`
			`return renderJSON(w, r, d.raw)`
			`})`

			`var publicDlHandler = withHashFile(func(w http.ResponseWriter, r http.Request, d data) (int, error) {`
			`file := d.raw.(*files.FileInfo)`
			`if !file.IsDir {`
			`return rawFileHandler(w, r, file)`
			`}`

			`return rawDirHandler(w, r, d, file)`
			`})`