Skip to content
This repository has been archived by the owner on Oct 25, 2024. It is now read-only.

Commit

Permalink
Update main.rs, undo CSRF "upgrade"
Browse files Browse the repository at this point in the history
  • Loading branch information
dw5 authored May 9, 2024
1 parent 0d4e3f9 commit a9abcf2
Showing 1 changed file with 7 additions and 64 deletions.
71 changes: 7 additions & 64 deletions src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,6 @@ use multipart::server::{Multipart, SaveResult};
use path_dedot::ParseDot;
use percent_encoding::percent_decode;
use pretty_bytes::converter::convert;
use rand::distributions::Alphanumeric;
use rand::{thread_rng, Rng};
use termcolor::{Color, ColorSpec};

use color::{build_spec, Printer};
Expand Down Expand Up @@ -70,7 +68,7 @@ fn main() {
.arg(clap::Arg::with_name("upload")
.short("u")
.long("upload")
.help("Enable upload files. (multiple select) (CSRF token required)"))
.help("Enable upload files. (multiple select)"))
.arg(clap::Arg::with_name("redirect").long("redirect")
.takes_value(true)
.validator(|url_string| iron::Url::parse(url_string.as_str()).map(|_| ()))
Expand Down Expand Up @@ -222,7 +220,7 @@ fn main() {
.map(|s| PathBuf::from(s).canonicalize().unwrap())
.unwrap_or_else(|| env::current_dir().unwrap());
let index = matches.is_present("index");
let upload_arg = matches.is_present("upload");
let upload = matches.is_present("upload");
let redirect_to = matches
.value_of("redirect")
.map(iron::Url::parse)
Expand Down Expand Up @@ -281,22 +279,10 @@ fn main() {
let silent = matches.is_present("silent");
let base_url: &str = matches.value_of("base-url").unwrap();

let upload: Option<Upload> = if upload_arg {
let token: String = thread_rng()
.sample_iter(&Alphanumeric)
.take(10)
.map(char::from)
.collect();
Some(Upload { csrf_token: token })
} else {
None
};

if !silent {
printer
.println_out(
r#" Index: {}, Cache: {}, Cors: {}, Coop: {}, Coep: {}, Range: {}, Sort: {}, Threads: {}
Upload: {}, CSRF Token: {}
r#" Index: {}, Upload: {}, Cache: {}, Cors: {}, Coop: {}, Coep: {}, Range: {}, Sort: {}, Threads: {}
Auth: {}, Compression: {}
https: {}, Cert: {}, Cert-Password: {}
Root: {},
Expand All @@ -305,20 +291,14 @@ fn main() {
======== [{}] ========"#,
&vec![
enable_string(index),
enable_string(upload),
enable_string(cache),
enable_string(cors),
enable_string(coop),
enable_string(coep),
enable_string(range),
enable_string(sort),
threads.to_string(),
enable_string(upload_arg),
(if upload.is_some() {
upload.as_ref().unwrap().csrf_token.as_str()
} else {
""
})
.to_string(),
auth.unwrap_or("disabled").to_string(),
compression_string,
(if cert.is_some() {
Expand Down Expand Up @@ -425,14 +405,11 @@ fn main() {
std::process::exit(1);
};
}
struct Upload {
csrf_token: String,
}

struct MainHandler {
root: PathBuf,
index: bool,
upload: Option<Upload>,
upload: bool,
cache: bool,
range: bool,
coop: bool,
Expand Down Expand Up @@ -483,7 +460,7 @@ impl Handler for MainHandler {
));
}

if self.upload.is_some() && req.method == method::Post {
if self.upload && req.method == method::Post {
if let Err((s, msg)) = self.save_files(req, &fs_path) {
return Ok(error_resp(s, &msg, &self.base_url));
} else if self.base_url == "/" {
Expand Down Expand Up @@ -541,38 +518,6 @@ impl MainHandler {
// in a new temporary directory under the OS temporary directory.
match multipart.save().size_limit(self.upload_size_limit).temp() {
SaveResult::Full(entries) => {
// Pull out csrf field to check if token matches one generated
let csrf_field = match entries
.fields
.get("csrf")
.map(|fields| fields.first())
.unwrap_or(None)
{
Some(field) => field,
None => {
return Err((
status::BadRequest,
String::from("csrf parameter not provided"),
))
}
};

// Read token value from field
let mut token = String::new();
csrf_field
.data
.readable()
.unwrap()
.read_to_string(&mut token)
.unwrap();

// Check if they match
if self.upload.as_ref().unwrap().csrf_token != token {
return Err((
status::BadRequest,
String::from("csrf token does not match"),
));
}

// Grab all the fields named files
let files_fields = match entries.fields.get("files") {
Expand Down Expand Up @@ -828,17 +773,15 @@ impl MainHandler {
}

// Optional upload form
let upload_form = if self.upload.is_some() {
let upload_form = if self.upload {
format!(
r#"
<form style="margin-top:1em; margin-bottom:1em;" action="{base_url}{path}" method="POST" enctype="multipart/form-data">
<input type="file" name="files" accept="*" multiple />
<input type="hidden" name="csrf" value="{csrf}"/>
<input type="submit" value="Upload" />
</form>
"#,
path = encode_link_path(path_prefix),
csrf = self.upload.as_ref().unwrap().csrf_token,
base_url = base_url,
)
} else {
Expand Down

0 comments on commit a9abcf2

Please sign in to comment.