gaspersic/transfer.sh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fixes-20210521 (#373)

Browse Source
This commit is contained in:
Andrea Spacca
2021-05-21 15:49:48 +02:00
committed by GitHub
parent 49c6d7ee4f
commit 9df18fdc69
2 changed files with 26 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/cmd.go
View File

@ -12,7 +12,7 @@ import (
"google.golang.org/api/googleapi" "google.golang.org/api/googleapi"
) )
var Version = "1.2.2" var Version = "1.2.4"
var helpTemplate = `NAME: var helpTemplate = `NAME:
{{.Name}} - {{.Usage}} {{.Name}} - {{.Usage}}

37
server/handlers.go
View File

@ -94,6 +94,27 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Approaching Neutral Zone, all systems normal and functioning.") fmt.Fprintf(w, "Approaching Neutral Zone, all systems normal and functioning.")
} }
func canContainsXSS(contentType string) bool {
switch {
case strings.Contains(contentType, "cache-manifest"):
fallthrough
case strings.Contains(contentType, "html"):
fallthrough
case strings.Contains(contentType, "rdf"):
fallthrough
case strings.Contains(contentType, "vtt"):
fallthrough
case strings.Contains(contentType, "xml"):
fallthrough
case strings.Contains(contentType, "xsl"):
return true
case strings.Contains(contentType, "x-mixed-replace"):
return true
}
return false
}
/* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */ /* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */
func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) { func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r) vars := mux.Vars(r)
@ -263,11 +284,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
for _, fheaders := range r.MultipartForm.File { for _, fheaders := range r.MultipartForm.File {
for _, fheader := range fheaders { for _, fheader := range fheaders {
filename := sanitize(fheader.Filename) filename := sanitize(fheader.Filename)
contentType := fheader.Header.Get("Content-Type") contentType := mime.TypeByExtension(filepath.Ext(fheader.Filename))
if contentType == "" {
contentType = mime.TypeByExtension(filepath.Ext(fheader.Filename))
}
var f io.Reader var f io.Reader
var err error var err error
@ -474,11 +491,7 @@ func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
contentType := r.Header.Get("Content-Type") contentType := mime.TypeByExtension(filepath.Ext(vars["filename"]))
if contentType == "" {
contentType = mime.TypeByExtension(filepath.Ext(vars["filename"]))
}
token := Encode(INIT_SEED, s.randomTokenLength) token := Encode(INIT_SEED, s.randomTokenLength)
@ -687,7 +700,7 @@ func (s *Server) CheckDeletionToken(deletionToken, token, filename string) error
r, _, err := s.storage.Get(token, fmt.Sprintf("%s.metadata", filename)) r, _, err := s.storage.Get(token, fmt.Sprintf("%s.metadata", filename))
if s.storage.IsNotExist(err) { if s.storage.IsNotExist(err) {
return nil return errors.New("Metadata doesn't exist")
} else if err != nil { } else if err != nil {
return err return err
} }
@ -1008,7 +1021,7 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Remaining-Downloads", remainingDownloads) w.Header().Set("X-Remaining-Downloads", remainingDownloads)
w.Header().Set("X-Remaining-Days", remainingDays) w.Header().Set("X-Remaining-Days", remainingDays)
if disposition == "inline" && strings.Contains(contentType, "html") { if disposition == "inline" && canContainsXSS(contentType) {
reader = ioutil.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader)) reader = ioutil.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
} }