dutchcoders/transfer.sh
1
0
Fork 0
mirror of https://github.com/dutchcoders/transfer.sh.git synced 2026-02-06 23:42:17 +00:00
Code Issues 48 Actions Packages Projects Releases Wiki Activity

Compare commits

base: dutchcoders:ISSUE-371
Branches Tags
dutchcoders:main dutchcoders:dependabot/go_modules/golang.org/x/crypto-0.45.0 dutchcoders:dependabot/go_modules/golang.org/x/net-0.38.0 dutchcoders:revert-646-main dutchcoders:dependabot/go_modules/golang.org/x/oauth2-0.27.0 dutchcoders:check-ci-20241026 dutchcoders:aspacca-patch-1 dutchcoders:seed-rand dutchcoders:fix-basic-auth dutchcoders:fix-header-map-change-after-writeheader-call dutchcoders:issue-503 dutchcoders:issue-487 dutchcoders:gpg-encryption-support dutchcoders:lint-accept-range dutchcoders:bump-min-go-version-and-include-tip dutchcoders:accept-range dutchcoders:local-google-fonts dutchcoders:parallel-range-requests dutchcoders:issue-485 dutchcoders:sb/storj-bump dutchcoders:fix-perform-clamav-prescan dutchcoders:revert-389-clamav-prescan dutchcoders:clamav-prescan dutchcoders:changes-in-front-end dutchcoders:ISSUE-440 dutchcoders:revert-422-main dutchcoders:master dutchcoders:golint dutchcoders:ISSUE-398 dutchcoders:multiple-fixes dutchcoders:ISSUE-382-take2 dutchcoders:ISSUE-382 dutchcoders:fix-workflows dutchcoders:fixes-20210521 dutchcoders:ISSUE-371 dutchcoders:ISSUE-38-WEB dutchcoders:ISSUE-313 dutchcoders:ISSUE-296 dutchcoders:fuzz dutchcoders:BINARY-RELEASES dutchcoders:ISSUE-256
dutchcoders:v1.6.1 dutchcoders:v1.6.0 dutchcoders:v1.5.0 dutchcoders:v1.4.0 dutchcoders:v1.3.1 dutchcoders:v1.3.0 dutchcoders:v1.2.6 dutchcoders:v1.2.4 dutchcoders:v1.2.3 dutchcoders:v1.2.2 dutchcoders:v1.2.1 dutchcoders:v1.2.0 dutchcoders:v1.1.7 dutchcoders:v1.1.6 dutchcoders:v1.1.5 dutchcoders:v1.1.4 dutchcoders:v1.1.3 dutchcoders:v1.1.2 dutchcoders:v1.1.1 dutchcoders:v1.1.0 dutchcoders:v1.0.0
..
compare: dutchcoders:fix-workflows
Branches Tags
dutchcoders:dependabot/go_modules/golang.org/x/crypto-0.45.0 dutchcoders:main dutchcoders:dependabot/go_modules/golang.org/x/net-0.38.0 dutchcoders:revert-646-main dutchcoders:dependabot/go_modules/golang.org/x/oauth2-0.27.0 dutchcoders:check-ci-20241026 dutchcoders:aspacca-patch-1 dutchcoders:seed-rand dutchcoders:fix-basic-auth dutchcoders:fix-header-map-change-after-writeheader-call dutchcoders:issue-503 dutchcoders:issue-487 dutchcoders:gpg-encryption-support dutchcoders:lint-accept-range dutchcoders:bump-min-go-version-and-include-tip dutchcoders:accept-range dutchcoders:local-google-fonts dutchcoders:parallel-range-requests dutchcoders:issue-485 dutchcoders:sb/storj-bump dutchcoders:fix-perform-clamav-prescan dutchcoders:revert-389-clamav-prescan dutchcoders:clamav-prescan dutchcoders:changes-in-front-end dutchcoders:ISSUE-440 dutchcoders:revert-422-main dutchcoders:master dutchcoders:golint dutchcoders:ISSUE-398 dutchcoders:multiple-fixes dutchcoders:ISSUE-382-take2 dutchcoders:ISSUE-382 dutchcoders:fix-workflows dutchcoders:fixes-20210521 dutchcoders:ISSUE-371 dutchcoders:ISSUE-38-WEB dutchcoders:ISSUE-313 dutchcoders:ISSUE-296 dutchcoders:fuzz dutchcoders:BINARY-RELEASES dutchcoders:ISSUE-256
dutchcoders:v1.6.1 dutchcoders:v1.6.0 dutchcoders:v1.5.0 dutchcoders:v1.4.0 dutchcoders:v1.3.1 dutchcoders:v1.3.0 dutchcoders:v1.2.6 dutchcoders:v1.2.4 dutchcoders:v1.2.3 dutchcoders:v1.2.2 dutchcoders:v1.2.1 dutchcoders:v1.2.0 dutchcoders:v1.1.7 dutchcoders:v1.1.6 dutchcoders:v1.1.5 dutchcoders:v1.1.4 dutchcoders:v1.1.3 dutchcoders:v1.1.2 dutchcoders:v1.1.1 dutchcoders:v1.1.0 dutchcoders:v1.0.0

8 Commits
ISSUE-371 ... fix-workfl

Author SHA1 Message Date
Andrea Spacca
ffeba97f90 Merge branch 'master' into fix-workflows 2021-05-21 17:18:50 +02:00
Andrea Spacca
62349b51df tests on PR 2021-05-21 17:17:54 +02:00
Andrea Spacca
2e2c07c3a0 tests on PR (#375) 
* tests on PR
 2021-05-21 17:16:43 +02:00
Andrea Spacca
87b090af66 tests on PR 2021-05-21 17:14:14 +02:00
Andrea Spacca
e57b0314b3 tests on PR 2021-05-21 17:06:38 +02:00
Andrea Spacca
f25b3fb99d tests on PR 2021-05-21 17:05:49 +02:00
Andrea Spacca
9df18fdc69 fixes-20210521 (#373) 2021-05-21 15:49:48 +02:00
Stefan Benten
49c6d7ee4f Merge pull request #372 from dutchcoders/ISSUE-371 
Add random-token-length config
 2021-05-21 10:37:42 +02:00
3 changed files with 29 additions and 13 deletions
Expand all files Collapse all files

3
.github/workflows/test.yml vendored
View File

@@ -1,5 +1,8 @@
name: test
on:
pull_request:
branches:
- "*"
push:
branches:
- "*"

2
cmd/cmd.go
View File

@@ -12,7 +12,7 @@ import (
"google.golang.org/api/googleapi"
)
var Version = "1.2.2"
var Version = "1.2.4"
var helpTemplate = `NAME:
{{.Name}} - {{.Usage}}

37
server/handlers.go
View File

@@ -94,6 +94,27 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Approaching Neutral Zone, all systems normal and functioning.")
}
func canContainsXSS(contentType string) bool {
switch {
case strings.Contains(contentType, "cache-manifest"):
fallthrough
case strings.Contains(contentType, "html"):
fallthrough
case strings.Contains(contentType, "rdf"):
fallthrough
case strings.Contains(contentType, "vtt"):
fallthrough
case strings.Contains(contentType, "xml"):
fallthrough
case strings.Contains(contentType, "xsl"):
return true
case strings.Contains(contentType, "x-mixed-replace"):
return true
}
return false
}
/* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */
func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
@@ -263,11 +284,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
for _, fheaders := range r.MultipartForm.File {
for _, fheader := range fheaders {
filename := sanitize(fheader.Filename)
contentType := fheader.Header.Get("Content-Type")
if contentType == "" {
contentType = mime.TypeByExtension(filepath.Ext(fheader.Filename))
}
contentType := mime.TypeByExtension(filepath.Ext(fheader.Filename))
var f io.Reader
var err error
@@ -474,11 +491,7 @@ func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {
return
}
contentType := r.Header.Get("Content-Type")
if contentType == "" {
contentType = mime.TypeByExtension(filepath.Ext(vars["filename"]))
}
contentType := mime.TypeByExtension(filepath.Ext(vars["filename"]))
token := Encode(INIT_SEED, s.randomTokenLength)
@@ -687,7 +700,7 @@ func (s *Server) CheckDeletionToken(deletionToken, token, filename string) error
r, _, err := s.storage.Get(token, fmt.Sprintf("%s.metadata", filename))
if s.storage.IsNotExist(err) {
return nil
return errors.New("Metadata doesn't exist")
} else if err != nil {
return err
}
@@ -1008,7 +1021,7 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Remaining-Downloads", remainingDownloads)
w.Header().Set("X-Remaining-Days", remainingDays)
if disposition == "inline" && strings.Contains(contentType, "html") {
if disposition == "inline" && canContainsXSS(contentType) {
reader = ioutil.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
}