author | Antoni Sawicki <tenox@google.com> | 2022-08-30 02:09:23 -0700 |
committer | Antoni Sawicki <tenox@google.com> | 2022-08-30 02:09:23 -0700 |
commit | 0b1d22b92410e5c8d81af0543c71fc1b24ff86cb (patch) | |
tree | f7eba5b2a257066885ddbb6484819bceca75f013 | |
parent | d62e7206bc090409386bd684fef6f3043bbc55a8 (diff) | |
download | wfm-0b1d22b92410e5c8d81af0543c71fc1b24ff86cb.tar.gz |
use pathescape/joinpath instead of equeryescape
-rw-r--r-- | TODO.md | 1 | ||||
-rw-r--r-- | dir.go | 14 | ||||
-rw-r--r-- | fileio.go | 20 | ||||
-rw-r--r-- | handlers.go | 17 |
4 files changed, 33 insertions, 19 deletions
@@ -10,6 +10,7 @@ https://github.com/crazcalm/go/commit/8b0b644cd02c59fe2461908304c44d64e8be431e * use direct url path instead of ?dir=xxx&file=yyyy use /prefix/dir/file * perhaps default action should check if target is file or dir and run disp or list files? +* use url.Parse to get correct url/path ## Security * seperate prefix for admin/rw users eg /admin with readonly on / @@ -3,6 +3,7 @@ package main import ( "html" "io/ioutil" + "log" "net/http" "net/url" "os" @@ -25,7 +26,7 @@ func (r *wfmRequest) listFiles(hi string) { header(r.w, r.uDir, r.eSort, "") toolbars(r.w, r.uDir, r.userName, sl, i) - qeDir := url.QueryEscape(r.uDir) + qeDir := url.PathEscape(r.uDir) z := 0 var total uint64 @@ -56,9 +57,12 @@ func (r *wfmRequest) listFiles(hi string) { r.w.Write([]byte(`<TR BGCOLOR="#F0F0F0">`)) } z++ - qeFile := url.QueryEscape(f.Name()) + qeFile := url.PathEscape(f.Name()) heFile := html.EscapeString(f.Name()) - nUrl := *wfmPfx + qeDir + `/` + qeFile + nUrl, err := url.JoinPath(*wfmPfx, qeDir, qeFile) + if err != nil { + log.Printf("Unable to parse url: %v", err) + } if r.eSort != "" { nUrl += `?sort=` + r.eSort } @@ -104,7 +108,7 @@ func (r *wfmRequest) listFiles(hi string) { r.w.Write([]byte(`<TR BGCOLOR="#F0F0F0">`)) } z++ - qeFile := url.QueryEscape(f.Name()) + qeFile := url.PathEscape(f.Name()) heFile := html.EscapeString(f.Name()) r.w.Write([]byte(` <TD NOWRAP ALIGN="LEFT"> @@ -133,7 +137,7 @@ func (r *wfmRequest) listFiles(hi string) { func toolbars(w http.ResponseWriter, uDir, user string, sl []string, i map[string]string) { eDir := html.EscapeString(uDir) - qeDir := url.QueryEscape(uDir) + qeDir := url.PathEscape(uDir) // Topbar w.Write([]byte(` <TABLE WIDTH="100%" BGCOLOR="#FFFFFF" CELLPADDING="0" CELLSPACING="0" BORDER="0" STYLE="height:28px;"><TR> 
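Review bot: In the listFiles hunk at `@@ -56`, a failing `url.JoinPath` is only logged and the iteration carries on with `nUrl` empty, so the row is still written with a link that is just `?sort=...` (or nothing at all). As far as I can tell from net/url, the only thing that can fail here is parsing `*wfmPfx`, which is the same for every row, so either hoist that check out of the loop or skip the row after the log: `log.Printf("Unable to parse url: %v", err)` followed by `continue`. Note also that JoinPath joins its elements onto the already-escaped path, which is why passing the PathEscape'd `qeDir`/`qeFile` works here; handlers.go passes the raw `wfm.uDir` to the same function, so the two call sites disagree on whether elements are pre-escaped. listFiles starts before this hunk and continues past it.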
@@ -61,7 +61,7 @@ func (r *wfmRequest) downFile() { return } r.w.Header().Set("Content-Type", "application/octet-stream") - r.w.Header().Set("Content-Disposition", "attachment; filename=\""+url.QueryEscape(r.uFbn)+"\";") + r.w.Header().Set("Content-Disposition", "attachment; filename=\""+url.PathEscape(r.uFbn)+"\";") r.w.Header().Set("Content-Length", fmt.Sprint(f.Size())) r.w.Header().Set("Cache-Control", *cacheCtl) streamFile(r.w, fp) @@ -87,7 +87,7 @@ func dispInline(w http.ResponseWriter, uFilePath string) { fi.Close() w.Header().Set("Content-Type", mt.String()) - w.Header().Set("Content-Disposition", "inline; filename=\""+url.QueryEscape(filepath.Base(uFilePath))+"\";") + w.Header().Set("Content-Disposition", "inline; filename=\""+url.PathEscape(filepath.Base(uFilePath))+"\";") w.Header().Set("Content-Length", fmt.Sprint(f.Size())) w.Header().Set("Cache-Control", *cacheCtl) streamFile(w, uFilePath) @@ -140,7 +140,7 @@ func (r *wfmRequest) uploadFile(h *multipart.FileHeader, f multipart.File) { htErr(r.w, "uploading file", fmt.Errorf("expected size=%v actual size=%v", h.Size, oSize)) } log.Printf("Uploaded Dir=%v File=%v Size=%v", r.uDir, h.Filename, h.Size) - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(h.Filename)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.PathEscape(h.Filename)) } func (r *wfmRequest) saveText(uData string) { @@ -174,7 +174,7 @@ func (r *wfmRequest) saveText(uData string) { return } log.Printf("Saved Text Dir=%v File=%v Size=%v", r.uDir, fp, len(uData)) - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(r.uFbn)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.PathEscape(r.uFbn)) } func (r *wfmRequest) mkdir() { 
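Review bot: The Content-Disposition value in downFile now percent-encodes the filename inside a quoted-string, which is not the header's grammar: a name with a space or a non-ASCII character reaches the browser as a literal `%20` or `%C3%A9` (PathEscape does encode `"` and CR/LF, so the quoting itself is not broken, it is just wrong on the wire). `mime.FormatMediaType` does the quoting and emits the RFC 2231 `filename*` form for non-ASCII names: `r.w.Header().Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": r.uFbn}))`, with `"mime"` added to the import block. The same change applies to dispInline in the `@@ -87` hunk with `"inline"` in place of `"attachment"`. downFile begins before this hunk.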
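Review bot: The redirect in uploadFile at `@@ -140` now builds a query string with `url.PathEscape`, which is the wrong escaper for that position: PathEscape leaves `&`, `=` and `+` untouched (it only percent-encodes `/`, `;`, `,` and `?` among the reserved characters), so a directory or file name containing `&` or `=` adds extra query parameters to the redirect target, and a `+` is read back by `r.FormValue` as a space. The old `url.QueryEscape` was correct for `?dir=` and `&hi=`; restore it, e.g. `redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(h.Filename))`, or build the query with `url.Values{...}.Encode()`. The same swap is made in the `@@ -174` hunk here, in all five hunks of the next line (mkdir, mkfile, mkurl, renFile, moveFiles) and in the `@@ -298` deleteFiles hunk after that; only the Content-Disposition and dir.go path changes are genuine PathEscape uses.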
@@ -193,7 +193,7 @@ func (r *wfmRequest) mkdir() { log.Printf("mkdir error: %v", err) return } - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(r.uFbn)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.PathEscape(r.uFbn)) } func (r *wfmRequest) mkfile() { @@ -212,7 +212,7 @@ func (r *wfmRequest) mkfile() { return } f.Close() - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(r.uFbn)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.PathEscape(r.uFbn)) } func (r *wfmRequest) mkurl(eUrl string) { @@ -235,7 +235,7 @@ func (r *wfmRequest) mkurl(eUrl string) { // TODO(tenox): add upport for creating webloc, desktop and other formats fmt.Fprintf(f, "[InternetShortcut]\r\nURL=%s\r\n", eUrl) f.Close() - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(r.uFbn)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.PathEscape(r.uFbn)) } func (r *wfmRequest) renFile(uNewf string) { @@ -257,7 +257,7 @@ func (r *wfmRequest) renFile(uNewf string) { htErr(r.w, "rename", err) return } - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.QueryEscape(newB)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort+"&hi="+url.PathEscape(newB)) } func (r *wfmRequest) moveFiles(uFilePaths []string, uDst string) { @@ -281,7 +281,7 @@ func (r *wfmRequest) moveFiles(uFilePaths []string, uDst string) { } lF = fb } - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(uDst)+"&sort="+r.eSort+"&hi="+url.QueryEscape(lF)) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(uDst)+"&sort="+r.eSort+"&hi="+url.PathEscape(lF)) } func (r *wfmRequest) deleteFiles(uFilePaths []string) { 
@@ -298,5 +298,5 @@ func (r *wfmRequest) deleteFiles(uFilePaths []string) { return } } - redirect(r.w, *wfmPfx+"?dir="+url.QueryEscape(r.uDir)+"&sort="+r.eSort) + redirect(r.w, *wfmPfx+"?dir="+url.PathEscape(r.uDir)+"&sort="+r.eSort) } diff --git a/handlers.go b/handlers.go index bc191a0..7ce4e02 100644 --- a/handlers.go +++ b/handlers.go @@ -31,7 +31,7 @@ func wfmMain(w http.ResponseWriter, r *http.Request) { wfm.w = w wfm.remAddr = r.RemoteAddr - wfm.eSort = url.QueryEscape(r.FormValue("sort")) + wfm.eSort = r.FormValue("sort") if strings.HasPrefix(r.UserAgent(), "Mozilla/5") { wfm.modern = true } @@ -39,7 +39,8 @@ func wfmMain(w http.ResponseWriter, r *http.Request) { wfm.uDir = filepath.Clean(r.FormValue("dir")) // directory can come from form value or URI Path if wfm.uDir == "" || wfm.uDir == "." { - u, _ := url.QueryUnescape(r.URL.Path) + // TODO(tenox): use url.Parse() instead + u, _ := url.PathUnescape(r.URL.Path) wfm.uDir = filepath.Clean("/" + strings.TrimPrefix(u, *wfmPfx)) } if wfm.uDir == "" || wfm.uDir == "." { @@ -75,14 +76,22 @@ func wfmMain(w http.ResponseWriter, r *http.Request) { wfm.saveText(r.FormValue("text")) return case r.FormValue("up") != "": - up := *wfmPfx + url.QueryEscape(filepath.Dir(wfm.uDir)) + up, err := url.JoinPath(*wfmPfx, filepath.Dir(wfm.uDir)) + if err != nil { + htErr(w, "up path build", err) + return + } if wfm.eSort != "" { up += "?sort=" + wfm.eSort } redirect(w, up) return case r.FormValue("refresh") != "": - re := *wfmPfx + url.QueryEscape(wfm.uDir) + re, err := url.JoinPath(*wfmPfx, wfm.uDir) + if err != nil { + htErr(w, "up path build", err) + return + } if wfm.eSort != "" { re += "?sort=" + wfm.eSort } |
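Review bot: In the `@@ -31` hunk, `wfm.eSort = r.FormValue("sort")` stores raw request input in a field whose `e` prefix the rest of the code reads as "already escaped": fileio.go concatenates it into redirect query strings as `"&sort="+r.eSort` and listFiles appends it to the generated links with `nUrl += "?sort=" + r.eSort`. A `sort` value containing `&` or `=` therefore smuggles extra parameters into those URLs, and, depending on how `nUrl` is written into the page (not visible in this diff), possibly markup into the listing. Keep the escaping, `wfm.eSort = url.QueryEscape(r.FormValue("sort"))`, or, better, reject anything but the sort keys listFiles actually understands so the value never needs escaping at all.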
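Review bot: In the `@@ -39` hunk, `url.PathUnescape(r.URL.Path)` decodes a path that net/http has already percent-decoded (the encoded form lives in `r.URL.RawPath`/`r.URL.EscapedPath()`), so a directory element that legitimately contains `%` is mis-read, and because the error is discarded with `_` a malformed sequence silently yields `u == ""` and the handler falls through to listing `/`. The decoded path can be used directly, `u := r.URL.Path`, which also makes the new `TODO(tenox): use url.Parse() instead` unnecessary since `r.URL` is already parsed. wfmMain begins before this hunk.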
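Review bot: In the `@@ -75` hunk the refresh branch reports its error under the up branch's label: `htErr(w, "up path build", err)` should read `htErr(w, "refresh path build", err)` so the log and the page tell the two cases apart. Separately, both branches pass the raw `wfm.uDir` to `url.JoinPath`, which (as far as I can tell from net/url) joins its elements onto the base's escaped path, while dir.go passes `url.PathEscape`'d elements to the same function; a directory name containing `%` is handled differently by the two paths, so pick one convention (escaping first, as dir.go does, seems the safer one). wfmMain continues past the end of this hunk.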