From: Sergey Matveev
Date: Fri, 6 Dec 2019 13:24:13 +0000 (+0300)
Subject: Allow upload only of internal packages
X-Git-Tag: v2.1.0~12
X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=commitdiff_plain;h=8c1fd82f1cf767c7616e84ebe63b68d7cf033ba2

Allow upload only of internal packages
---

diff --git a/gocheese.go b/gocheese.go
index 25a1b56..8a4a6e5 100644
--- a/gocheese.go
+++ b/gocheese.go
@@ -328,6 +328,7 @@ func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) {
}

func serveUpload(w http.ResponseWriter, r *http.Request) {
+ // Authentication
username, password, ok := r.BasicAuth()
if !ok {
log.Println(r.RemoteAddr, "unauthenticated", username)
@@ -340,6 +341,8 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
http.Error(w, "unauthenticated", http.StatusUnauthorized)
return
}
+
+ // Form parsing
var err error
if err = r.ParseMultipartForm(1 << 20); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
@@ -347,7 +350,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
}
pkgNames, exists := r.MultipartForm.Value["name"]
if !exists || len(pkgNames) != 1 {
- http.Error(w, "name is expected in request", http.StatusBadRequest)
+ http.Error(w, "single name is expected in request", http.StatusBadRequest)
return
}
dir := normalizationRe.ReplaceAllString(pkgNames[0], "-")
@@ -361,6 +364,14 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
}
}
gpgSigsExpected := make(map[string]struct{})
+
+ // Checking is it internal package
+ if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
+ log.Println(r.RemoteAddr, "non-internal package", dir)
+ http.Error(w, "unknown internal package", http.StatusUnauthorized)
+ return
+ }
+
for _, file := range r.MultipartForm.File["content"] {
filename := file.Filename
gpgSigsExpected[filename+GPGSigExt] = struct{}{}
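Review bot: The added `os.Stat` guard in the `@@ -361` hunk discards the reason the flag file could not be read, so a permission or I/O error on the package directory is answered with "unknown internal package" and logged without the error; `log.Println(r.RemoteAddr, "non-internal package", dir, err)` keeps the operator informed, and the `os.IsNotExist(err)` test the commit removes further down could separate an absent flag (reject) from any other failure (`http.StatusInternalServerError`) while keeping the rejection as the fail-closed default. The client receives `http.StatusUnauthorized` even though it has already passed BasicAuth; `http.StatusForbidden` describes "authenticated but not permitted to upload here" more accurately, and the log text "non-internal package" and the response "unknown internal package" name the same condition differently. The new gocheese.texi paragraph in this commit says you are "not allowed to upload anything explicitly flagged as private", which reads as the inverse of what this check enforces (an upload is accepted only when the InternalFlag file already exists), so that sentence appears to be missing a "not". serveUpload starts and ends outside this hunk.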
@@ -368,28 +379,19 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
path := filepath.Join(dirPath, filename)
if _, err = os.Stat(path); err == nil {
log.Println(r.RemoteAddr, "already exists", filename)
- http.Error(w, "Already exists", http.StatusBadRequest)
+ http.Error(w, "already exists", http.StatusBadRequest)
return
}
if !mkdirForPkg(w, r, dir) {
return
}
- internalPath := filepath.Join(dirPath, InternalFlag)
- var dst *os.File
- if _, err = os.Stat(internalPath); os.IsNotExist(err) {
- if dst, err = os.Create(internalPath); err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
- dst.Close()
- }
src, err := file.Open()
defer src.Close()
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
- dst, err = TempFile(dirPath)
+ dst, err := TempFile(dirPath)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
@@ -440,7 +442,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
path := filepath.Join(dirPath, filename)
if _, err = os.Stat(path); err == nil {
log.Println(r.RemoteAddr, "already exists", filename)
- http.Error(w, "Already exists", http.StatusBadRequest)
+ http.Error(w, "already exists", http.StatusBadRequest)
return
}
src, err := file.Open()
diff --git a/gocheese.texi b/gocheese.texi
index 6cf12bc..26ab178 100644
--- a/gocheese.texi
+++ b/gocheese.texi
@@ -89,6 +89,10 @@ password: foo

If @command{twine} sends SHA256 checksum in the request, then uploaded file is checked against it.

+Pay attention that you have to manually create corresponding private
+package directory! You are not allowed to upload anything explicitly
+flagged as private.
+
@node Passwords
@unnumbered Password authentication
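Review bot: `defer src.Close()` in the `@@ -368` hunk still precedes the `if err != nil` check that follows `src, err := file.Open()`, so when the open fails src is nil and the deferred Close on it fires when serveUpload returns; the order should be `src, err := file.Open()` / `if err != nil { … }` / `defer src.Close()`. Because that defer sits inside the `for _, file := range …` loop, every source handle stays open until the whole request finishes rather than until its iteration ends, and moving the per-file body into a helper would release each one promptly. With the new flag check earlier in serveUpload, `if !mkdirForPkg(w, r, dir)` here can only run when dirPath already exists, so it looks redundant unless mkdirForPkg does more than create the directory, which the hunk does not show. serveUpload starts and ends outside this hunk.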