Merge pull request #5 from SamWhited/file_handling

File handling tweaks
2024-11-21 16:35:04 -05:00 · 2015-07-04 23:36:27 +02:00 · 2015-07-04 23:36:27 +02:00 · 55ce3cd3f1
commit 55ce3cd3f1
parent 9cb7ff4e04 1f66775c81
1 changed files with 17 additions and 10 deletions
--- a/server.py
+++ b/server.py
@ -24,6 +24,13 @@ global files
 global files_lock
 global config

+def normalize_path(path):
+    """
+    Normalizes the URL to prevent users from grabbing arbitrary files via `../'
+    and the like.
+    """
+    return os.path.normcase(os.path.normpath(path))
+
 class MissingComponent(ComponentXMPP):
    def __init__(self, jid, secret):
        ComponentXMPP.__init__(self, jid, secret, "localhost", 5347)
@ -47,15 +54,15 @@ class MissingComponent(ComponentXMPP):
            filename = request['filename']
            folder = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(len(sender_hash)))
            sane_filename = "".join([c for c in filename if c.isalpha() or c.isdigit() or c=="."]).rstrip()
-            path = sender_hash+'/'+folder
+            path = os.path.join(sender_hash, folder)
            if sane_filename:
-                path += '/'+sane_filename
+                path = os.path.join(path, sane_filename)
            with files_lock:
                files.add(path)
            print(path)
            reply = iq.reply()
-            reply['slot']['get'] = config['get_url'] + '/' + path
-            reply['slot']['put'] = config['put_url'] + '/' + path
+            reply['slot']['get'] = os.path.join(config['get_url'], path)
+            reply['slot']['put'] = os.path.join(config['put_url'], path)
            reply.send()
        else:
           self. _sendError(iq,'cancel','not-allowed','not allowed to request upload slots')
@ -74,7 +81,7 @@ class HttpHandler(BaseHTTPRequestHandler):
        global files
        global files_lock
        global config
-        path = self.path[1:]
+        path = normalize_path(self.path[1:])
        length = int(self.headers['Content-Length'])
        maxfilesize = int(config['max_file_size'])
        if maxfilesize < length:
@ -86,7 +93,7 @@ class HttpHandler(BaseHTTPRequestHandler):
            if path in files:
                files.remove(path)
                files_lock.release()
-                filename = config['storage_path'] + path
+                filename = os.path.join(config['storage_path'], path)
                os.makedirs(os.path.dirname(filename))
                remaining = length
                f = open(filename,'wb')
@ -105,13 +112,13 @@ class HttpHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        global config
-        path = self.path[1:].replace('../','').replace('./','')
+        path = normalize_path(self.path[1:])
        slashcount = path.count('/')
        if slashcount < 1 or slashcount > 2:
            self.send_response(404,'file not found')
            self.end_headers()
        else:
-            filename = config['storage_path']+'/'+path
+            filename = os.path.join(config['storage_path'], path)
            print('requesting file: '+filename)
            try:
                with open(filename,'rb') as f:
@ -128,14 +135,14 @@ class HttpHandler(BaseHTTPRequestHandler):

    def do_HEAD(self):
        global config
-        path = self.path[1:].replace('../','').replace('./','')
+        path = normalize_path(self.path[1:])
        slashcount = path.count('/')
        if slashcount < 1 or slashcount > 2:
            self.send_response(404,'file not found')
            self.end_headers()
        else:
            try:
-                filename = config['storage_path']+'/'+path
+                filename = os.path.join(config['storage_path'], path)
                self.send_response(200,'OK')
                self.send_header("Content-Type", 'application/octet-stream')
                self.send_header("Content-Disposition", 'attachment; filename="{}"'.format(os.path.basename(filename)))