package http import ( "errors" "net/http" "path" "path/filepath" "strings" "github.com/spf13/afero" "golang.org/x/crypto/bcrypt" "github.com/filebrowser/filebrowser/v2/files" "github.com/filebrowser/filebrowser/v2/share" ) var withHashFile = func(fn handleFunc) handleFunc { return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) { id, ifPath := ifPathWithName(r) link, err := d.store.Share.GetByHash(id) if err != nil { return errToStatus(err), err } status, err := authenticateShareRequest(r, link) if status != 0 || err != nil { return status, err } user, err := d.store.Users.Get(d.server.Root, link.UserID) if err != nil { return errToStatus(err), err } d.user = user file, err := files.NewFileInfo(files.FileOptions{ Fs: d.user.Fs, Path: link.Path, Modify: d.user.Perm.Modify, Expand: false, ReadHeader: d.server.TypeDetectionByHeader, Checker: d, Token: link.Token, }) if err != nil { return errToStatus(err), err } // share base path basePath := link.Path // file relative path filePath := "" if file.IsDir { basePath = filepath.Dir(basePath) filePath = ifPath } // set fs root to the shared file/folder d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath) file, err = files.NewFileInfo(files.FileOptions{ Fs: d.user.Fs, Path: filePath, Modify: d.user.Perm.Modify, Expand: true, Checker: d, Token: link.Token, }) if err != nil { return errToStatus(err), err } d.raw = file return fn(w, r, d) } } // ref to https://github.com/filebrowser/filebrowser/pull/727 // `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name func ifPathWithName(r *http.Request) (id, filePath string) { pathElements := strings.Split(r.URL.Path, "/") // prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` // len(pathElements) will be 1, and golang will panic `runtime error: index out of range` switch len(pathElements) { case 1: return r.URL.Path, "/" default: return pathElements[0], path.Join("/", path.Join(pathElements[1:]...)) } } var publicShareHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) { file := d.raw.(*files.FileInfo) if file.IsDir { file.Listing.Sorting = files.Sorting{By: "name", Asc: false} file.Listing.ApplySort() return renderJSON(w, r, file) } return renderJSON(w, r, file) }) var publicDlHandler = withHashFile(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) { file := d.raw.(*files.FileInfo) if !file.IsDir { return rawFileHandler(w, r, file) } return rawDirHandler(w, r, d, file) }) func authenticateShareRequest(r *http.Request, l *share.Link) (int, error) { if l.PasswordHash == "" { return 0, nil } if r.URL.Query().Get("token") == l.Token { return 0, nil } password := r.Header.Get("X-SHARE-PASSWORD") if password == "" { return http.StatusUnauthorized, nil } if err := bcrypt.CompareHashAndPassword([]byte(l.PasswordHash), []byte(password)); err != nil { if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) { return http.StatusUnauthorized, nil } return 0, err } return 0, nil } func healthHandler(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) _, _ = w.Write([]byte(`{"status":"OK"}`)) }