Update security measures by File Manager

This commit is contained in:
Henrique Dias 2016-07-05 17:54:54 +01:00
parent acfda6b4b7
commit 32158d6ecb
3 changed files with 10 additions and 2 deletions


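--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -37,6 +37,7 @@ document.addEventListener('listing', event => {
 let request = new XMLHttpRequest();
 request.open("POST", window.location);
 request.setRequestHeader('Filename', name);
+request.setRequestHeader('Token', token);
 request.setRequestHeader('Archetype', archetype);
 request.send();
 request.onreadystatechange = function() {
@@ -87,6 +88,7 @@ document.addEventListener('editor', event => {
 let request = new XMLHttpRequest();
 request.open("PUT", window.location);
 request.setRequestHeader('Kind', kind);
+request.setRequestHeader('Token', token);
 request.setRequestHeader('Schedule', date);
 request.send(JSON.stringify(data));
 request.onreadystatechange = function() {
@@ -112,6 +114,7 @@ document.addEventListener('editor', event => {
 let request = new XMLHttpRequest();
 request.open("PUT", window.location);
 request.setRequestHeader('Kind', kind);
+request.setRequestHeader('Token', token);
 request.setRequestHeader('Regenerate', "true");
 request.send(JSON.stringify(data));
 request.onreadystatechange = function() {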
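Review bot: The `token` that each of the three new `request.setRequestHeader('Token', token)` lines sends is defined outside these hunks, and if it is ever undefined at that point `setRequestHeader` sends the literal string "undefined" instead of omitting the header, so the server will reject the request with no indication on the client of why. A guard before each `request.open(...)`, such as `if (!token) { console.error('missing security token'); return; }`, would surface that failure early; alternatively a small helper that opens the request and sets the Token header once for the listing POST, the editor PUT and the regenerate PUT would keep the three copies of this sequence from drifting, which is the same point for all three hunks. The enclosing event handlers start and end outside the hunks, so where `token` is assigned cannot be confirmed here.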



@ -74,6 +74,10 @@ func (h Hugo) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
} }
if r.Method == http.MethodPost && r.Header.Get("archetype") != "" { if r.Method == http.MethodPost && r.Header.Get("archetype") != "" {
if !h.FileManager.Configs[0].CheckToken(r) {
return http.StatusForbidden, nil
}
filename := r.Header.Get("Filename") filename := r.Header.Get("Filename")
archetype := r.Header.Get("archetype") archetype := r.Header.Get("archetype")
@ -94,6 +98,7 @@ func (h Hugo) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
} }
if directory.CanBeEdited(r.URL.Path) && r.Method == http.MethodPut { if directory.CanBeEdited(r.URL.Path) && r.Method == http.MethodPut {
// NOTE: File Manager already checks the security token
code, err := h.FileManager.ServeHTTP(w, r) code, err := h.FileManager.ServeHTTP(w, r)
if err != nil { if err != nil {