Mirror/filebrowser
1
0
Fork 0
mirror of https://github.com/filebrowser/filebrowser.git synced 2024-06-07 23:00:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Henrique Dias 2016-11-01 12:30:59 +00:00
parent 53927dab00
commit a2a078d06e
5 changed files with 10 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
_embed/public/js/application.js
View File

@ -1,10 +1,7 @@
'use strict'; 'use strict';
// TODO: way to get the webdav url
var tempID = "_fm_internal_temporary_id" var tempID = "_fm_internal_temporary_id"
var selectedItems = []; var selectedItems = [];
var token = "";
/* * * * * * * * * * * * * * * * /* * * * * * * * * * * * * * * *
* * * *
@ -123,7 +120,7 @@ var deleteEvent = function(event) {
let request = new XMLHttpRequest(); let request = new XMLHttpRequest();
request.open('DELETE', toWebDavURL(link)); request.open('DELETE', toWebDavURL(link));
request.setRequestHeader('Token', token);
request.send(); request.send();
request.onreadystatechange = function() { request.onreadystatechange = function() {
if (request.readyState == 4) { if (request.readyState == 4) {
@ -158,11 +155,6 @@ var RemoveLastDirectoryPartOf = function(url) {
return (arr.join('/')); return (arr.join('/'));
} }
// Get the current token
var updateToken = function() {
token = document.getElementById("token").innerHTML;
}
/* * * * * * * * * * * * * * * * /* * * * * * * * * * * * * * * *
* * * *
* LISTING SPECIFIC FUNCTIONS * * LISTING SPECIFIC FUNCTIONS *
@ -173,7 +165,6 @@ var reloadListing = function(callback) {
let request = new XMLHttpRequest(); let request = new XMLHttpRequest();
request.open('GET', window.location); request.open('GET', window.location);
request.setRequestHeader('Minimal', 'true'); request.setRequestHeader('Minimal', 'true');
request.setRequestHeader('Token', token);
request.send(); request.send();
request.onreadystatechange = function() { request.onreadystatechange = function() {
if (request.readyState == 4) { if (request.readyState == 4) {
@ -189,8 +180,6 @@ var reloadListing = function(callback) {
link.addEventListener('click', itemClickEvent); link.addEventListener('click', itemClickEvent);
}); });
updateToken();
if (typeof callback == 'function') { if (typeof callback == 'function') {
callback(); callback();
} }
@ -229,7 +218,7 @@ var renameEvent = function(event) {
let request = new XMLHttpRequest(); let request = new XMLHttpRequest();
request.open('MOVE', toWebDavURL(link)); request.open('MOVE', toWebDavURL(link));
request.setRequestHeader('Destination', newLink); request.setRequestHeader('Destination', newLink);
request.setRequestHeader('Token', token);
request.send(); request.send();
request.onreadystatechange = function() { request.onreadystatechange = function() {
// TODO: redirect if it's moved to another folder // TODO: redirect if it's moved to another folder
@ -289,7 +278,7 @@ var handleFiles = function(files) {
for (let i = 0; i < files.length; i++) { for (let i = 0; i < files.length; i++) {
let request = new XMLHttpRequest(); let request = new XMLHttpRequest();
request.open('PUT', toWebDavURL(window.location.pathname + files[i].name)); request.open('PUT', toWebDavURL(window.location.pathname + files[i].name));
request.setRequestHeader('Token', token);
request.send(files[i]); request.send(files[i]);
request.onreadystatechange = function() { request.onreadystatechange = function() {
if (request.readyState == 4) { if (request.readyState == 4) {
@ -416,7 +405,7 @@ var newDirEvent = function(event) {
let name = document.getElementById('newdir').value; let name = document.getElementById('newdir').value;
request.open((name.endsWith("/") ? "MKCOL" : "PUT"), toWebDavURL(window.location.pathname + name)); request.open((name.endsWith("/") ? "MKCOL" : "PUT"), toWebDavURL(window.location.pathname + name));
request.setRequestHeader('Token', token);
request.send(); request.send();
request.onreadystatechange = function() { request.onreadystatechange = function() {
if (request.readyState == 4) { if (request.readyState == 4) {
@ -543,7 +532,8 @@ document.addEventListener('listing', event => {
}); });
if (user.AllowCommands) { if (user.AllowCommands) {
let hover = false, focus = false; let hover = false,
focus = false;
document.querySelector('#search input').addEventListener('focus', event => { document.querySelector('#search input').addEventListener('focus', event => {
focus = true; focus = true;
@ -840,7 +830,7 @@ document.addEventListener("editor", (event) => {
let request = new XMLHttpRequest(); let request = new XMLHttpRequest();
request.open("PUT", toWebDavURL(window.location.pathname)); request.open("PUT", toWebDavURL(window.location.pathname));
request.setRequestHeader('Kind', kind); request.setRequestHeader('Kind', kind);
request.setRequestHeader('Token', token);
request.send(JSON.stringify(data)); request.send(JSON.stringify(data));
request.onreadystatechange = function() { request.onreadystatechange = function() {
if (request.readyState == 4) { if (request.readyState == 4) {
@ -887,9 +877,6 @@ document.addEventListener("DOMContentLoaded", function(event) {
} }
}); });
// Updates the token
updateToken();
// Enables open, delete and download buttons // Enables open, delete and download buttons
document.getElementById("open").addEventListener("click", openEvent); document.getElementById("open").addEventListener("click", openEvent);

3
_embed/templates/base.tmpl
View File

@ -4,6 +4,7 @@
<head> <head>
<title>{{.Name}}</title> <title>{{.Name}}</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="token" content="{{ .Token }}">
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet"> <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
<link href='https://fonts.googleapis.com/css?family=Roboto:400,500' rel='stylesheet' type='text/css'> <link href='https://fonts.googleapis.com/css?family=Roboto:400,500' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="{{ .Config.AbsoluteURL }}/_filemanagerinternal/css/styles.css"> <link rel="stylesheet" href="{{ .Config.AbsoluteURL }}/_filemanagerinternal/css/styles.css">
@ -104,8 +105,8 @@
{{ end }} {{ end }}
<main> <main>
{{ template "content" . }} {{ template "content" . }}
<span id="token">{{ .Config.Token }}</span>
</main> </main>
<footer> <footer>

42
config/secure.go
View File

@ -1,42 +0,0 @@
package config
import (
"math/rand"
"net/http"
"time"
)
const (
tokenSize = 80
letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
letterIdxBits = 6 // 6 bits to represent a letter index
letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
letterIdxMax = 63 / letterIdxBits // # of letter indices fitting in 63 bits
)
// CheckToken checs if current token is the same as the one used in the request
func (c Config) CheckToken(r *http.Request) bool {
token := r.Header.Get("Token")
return c.Token == token
}
// GenerateToken geneerates a new token
func (c *Config) GenerateToken() {
src := rand.NewSource(time.Now().UnixNano())
b := make([]byte, tokenSize)
// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!
// future reference: http://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-golang
for i, cache, remain := tokenSize-1, src.Int63(), letterIdxMax; i >= 0; {
if remain == 0 {
cache, remain = src.Int63(), letterIdxMax
}
if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
b[i] = letterBytes[idx]
i--
}
cache >>= letterIdxBits
remain--
}
c.Token = string(b)
}

23
filemanager.go
View File

@ -71,18 +71,8 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
return handlers.Command(w, r, c, user) return handlers.Command(w, r, c, user)
} }
// TODO: This anti CSCF measure is not being applied to requests
// to the WebDav URL namespace. Anyone has ideas?
// if !c.CheckToken(r) {
// return http.StatusForbidden, nil
// }
// Checks if the request URL is for the WebDav server // Checks if the request URL is for the WebDav server
if strings.HasPrefix(r.URL.Path, c.WebDavURL) { if strings.HasPrefix(r.URL.Path, c.WebDavURL) {
// if !c.CheckToken(r) {
// return http.StatusForbidden, nil
// }
// Checks for user permissions relatively to this PATH // Checks for user permissions relatively to this PATH
if !user.Allowed(strings.TrimPrefix(r.URL.Path, c.WebDavURL)) { if !user.Allowed(strings.TrimPrefix(r.URL.Path, c.WebDavURL)) {
return http.StatusForbidden, nil return http.StatusForbidden, nil
@ -123,19 +113,6 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err
} }
if r.Method == http.MethodGet { if r.Method == http.MethodGet {
// Generate anti security token.
/* c.GenerateToken()
http.SetCookie(w, &http.Cookie{
Name: "token",
Value: c.Token,
Path: "/",
HttpOnly: true,
})
co, err := r.Cookie("token")
fmt.Println(co.Value) */
// Gets the information of the directory/file // Gets the information of the directory/file
fi, code, err = file.GetInfo(r.URL, c, user) fi, code, err = file.GetInfo(r.URL, c, user)
if err != nil { if err != nil {

1
page/page.go
View File

@ -28,6 +28,7 @@ type Info struct {
User *config.User User *config.User
Config *config.Config Config *config.Config
Data interface{} Data interface{}
Token string
} }
// BreadcrumbMap returns p.Path where every element is a map // BreadcrumbMap returns p.Path where every element is a map