From 2a4c51389c23ab1da47d52be9f2e76cd90f2df01 Mon Sep 17 00:00:00 2001 From: kondou Date: Sun, 3 Aug 2014 11:31:28 +0200 Subject: [PATCH] Use a route instead of s.php and convert tokens asap --- apps/files_sharing/public.php | 4 ++++ config/config.sample.php | 12 ++++++++++ core/ajax/share.php | 2 -- core/js/js.js | 1 + core/js/share.js | 4 +--- core/js/tests/specs/shareSpec.js | 6 ++--- core/routes.php | 5 ++++ core/share/controller.php | 23 ++++++++++++++++++ lib/private/share/constants.php | 2 -- lib/private/share/share.php | 21 +++++++++++++++- public.php | 2 -- s.php | 41 -------------------------------- 12 files changed, 69 insertions(+), 54 deletions(-) create mode 100644 core/share/controller.php delete mode 100644 s.php diff --git a/apps/files_sharing/public.php b/apps/files_sharing/public.php index 63938201eb2..bf90c0b5dfc 100644 --- a/apps/files_sharing/public.php +++ b/apps/files_sharing/public.php @@ -13,8 +13,12 @@ if ($appConfig->getValue('core', 'shareapi_allow_links', 'yes') !== 'yes') { exit(); } +// Legacy sharing links via public.php have the token in $GET['t'] if (isset($_GET['t'])) { $token = $_GET['t']; +} + +if (isset($token)) { $linkItem = OCP\Share::getShareByToken($token, false); if (is_array($linkItem) && isset($linkItem['uid_owner'])) { // seems to be a valid share diff --git a/config/config.sample.php b/config/config.sample.php index 71105a8b10d..1e876e688ff 100755 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -201,6 +201,18 @@ $CONFIG = array( /* Whether ownCloud should log the last successfull cron exec */ "cron_log" => true, +/* + * Length of sharing tokens and the resulting links. + * This value defines how many possible sharing links there are, choosing a low value like 1 will make it easy to guess + * sharing links and will also limit the maximum number of shares. Behaviour after all tokens are used is undefined and + * may result in breakage. + * 1: Length of 4. Maximum of 65536 tokens. Links may look like this: example.com/s/1ekf + * 2: Length of 8. Maximum of 2^32 tokens. Links may look like this: example.com/s/1z141z3 + * 3: (Default) Length of 16. Maximum of 2^64 tokens. Links may look like this: example.com/s/3w5e11264sgsf + * 4: (Old default, but base36) Length of 32. Maximum of 2^128 tokens. Links may look like this: example.com/s/f5lxx1zz5pnorynqglhzmsp33 + */ +"sharing_token_length" => 3, + /* * Configure the size in bytes log rotation should happen, 0 or false disables the rotation. * This rotates the current owncloud logfile to a new name, this way the total log usage diff --git a/core/ajax/share.php b/core/ajax/share.php index 536f0e2ebd8..c6da79a8a42 100644 --- a/core/ajax/share.php +++ b/core/ajax/share.php @@ -46,8 +46,6 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo (!empty($_POST['expirationDate']) ? new \DateTime($_POST['expirationDate']) : null) ); - $token = base_convert($token, 16, 36); - if (is_string($token)) { OC_JSON::success(array('data' => array('token' => $token))); } else { diff --git a/core/js/js.js b/core/js/js.js index 9a60b0aad69..bf33e3f2e48 100644 --- a/core/js/js.js +++ b/core/js/js.js @@ -246,6 +246,7 @@ var OC={ url = '/' + url; } + // TODO save somewhere whether the webserver is able to skip the index.php to have shorter links (e.g. for sharing) return OC.webroot + '/index.php' + _build(url, params); }, diff --git a/core/js/share.js b/core/js/share.js index d00b5f1ccf9..67ddd9c4870 100644 --- a/core/js/share.js +++ b/core/js/share.js @@ -663,8 +663,6 @@ OC.Share={ // TODO: use oc webroot ? var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 'public.php')+'?service=files&'+type+'='+encodeURIComponent(file); } else { - // convert the token to base36 - //token = parseInt(token, 16).toString(36); //TODO add path param when showing a link to file in a subfolder of a public link share var service=''; if(linkSharetype === 'folder' || linkSharetype === 'file'){ @@ -677,7 +675,7 @@ OC.Share={ if (service !== 'files') { var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 'public.php')+'?service='+service+'&t='+token; } else { - var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 's.php')+'?t='+token; + var link = parent.location.protocol+'//'+location.host+OC.generateUrl('/s/')+token; } } $('#linkText').val(link); diff --git a/core/js/tests/specs/shareSpec.js b/core/js/tests/specs/shareSpec.js index 06c4b98df2a..e712ea58bc2 100644 --- a/core/js/tests/specs/shareSpec.js +++ b/core/js/tests/specs/shareSpec.js @@ -151,7 +151,7 @@ describe('OC.Share tests', function() { expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true); // this is how the OC.Share class does it... var link = parent.location.protocol + '//' + location.host + - OC.linkTo('', 'public.php')+'?service=files&t=tehtoken'; + OC.generateUrl('/s/') + 'tehtoken'; expect($('#dropdown #linkText').val()).toEqual(link); }); it('does not show populated link share when a link share exists for a different file', function() { @@ -243,7 +243,7 @@ describe('OC.Share tests', function() { expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true); // this is how the OC.Share class does it... var link = parent.location.protocol + '//' + location.host + - OC.linkTo('', 'public.php')+'?service=files&t=tehtoken'; + OC.generateUrl('/s/') + 'tehtoken'; expect($('#dropdown #linkText').val()).toEqual(link); // nested one @@ -258,7 +258,7 @@ describe('OC.Share tests', function() { expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true); // this is how the OC.Share class does it... link = parent.location.protocol + '//' + location.host + - OC.linkTo('', 'public.php')+'?service=files&t=anothertoken'; + OC.generateUrl('/s/') + 'anothertoken'; expect($('#dropdown #linkText').val()).toEqual(link); }); describe('expiration date', function() { diff --git a/core/routes.php b/core/routes.php index 28a3680dd91..fac67f23175 100644 --- a/core/routes.php +++ b/core/routes.php @@ -100,6 +100,11 @@ $this->create('core_avatar_post_cropped', '/avatar/cropped') ->post() ->action('OC\Core\Avatar\Controller', 'postCroppedAvatar'); +// Sharing routes +$this->create('core_share_show_share', '/s/{token}') + ->get() + ->action('OC\Core\Share\Controller', 'showShare'); + // used for heartbeat $this->create('heartbeat', '/heartbeat')->action(function(){ // do nothing diff --git a/core/share/controller.php b/core/share/controller.php new file mode 100644 index 00000000000..c1741af0d98 --- /dev/null +++ b/core/share/controller.php @@ -0,0 +1,23 @@ + + * This file is licensed under the Affero General Public License version 3 or + * later. + * See the COPYING-README file. + */ + +namespace OC\Core\Share; + +class Controller { + public static function showShare($args) { + \OC_Util::checkAppEnabled('files_sharing'); + + $token = $args['token']; + + \OC_App::loadApp('files_sharing'); + \OC_User::setIncognitoMode(true); + + require_once \OC_App::getAppPath('files_sharing') .'/public.php'; + } +} +?> diff --git a/lib/private/share/constants.php b/lib/private/share/constants.php index cf935bd4c0e..1ba4929899a 100644 --- a/lib/private/share/constants.php +++ b/lib/private/share/constants.php @@ -34,8 +34,6 @@ class Constants { const FORMAT_STATUSES = -2; const FORMAT_SOURCES = -3; // ToDo Check if it is still in use otherwise remove it - const TOKEN_LENGTH = 16; // old length is 32, thus 32 in db_structure.xml - protected static $shareTypeUserAndGroups = -1; protected static $shareTypeGroupUserUnique = 2; protected static $backends = array(); diff --git a/lib/private/share/share.php b/lib/private/share/share.php index e2e9b94125e..dfe0f65340b 100644 --- a/lib/private/share/share.php +++ b/lib/private/share/share.php @@ -640,7 +640,26 @@ class Share extends \OC\Share\Constants { if (isset($oldToken)) { $token = $oldToken; } else { - $token = \OC_Util::generateRandomBytes(self::TOKEN_LENGTH); + // Determine how long the token should be + switch (\OC_Config::getValue("sharing_token_length", 3)) { + case 1: + $tokenLength = 4; + break; + case 2: + $tokenLength = 8; + break; + // Default is 3, so skip the 3 block + case 4: + $tokenLength = 32; + break; + // Anything other than 1-4 should be default 3 + default: + $tokenLength = 16; + break; + } + $token = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate($tokenLength, + \OCP\Security\ISecureRandom::CHAR_LOWER.\OCP\Security\ISecureRandom::CHAR_DIGITS + ); } $result = self::put($itemType, $itemSource, $shareType, $shareWith, $uidOwner, $permissions, null, $token, $itemSourceName, $expirationDate); diff --git a/public.php b/public.php index b4578d991c8..0e04db66da7 100644 --- a/public.php +++ b/public.php @@ -36,8 +36,6 @@ try { \OC::$REQUESTEDAPP = $app; OC_App::loadApps(array('authentication')); OC_App::loadApps(array('filesystem', 'logging')); - print_r($_GET); - print_r($parts); OC_Util::checkAppEnabled($app); OC_App::loadApp($app); diff --git a/s.php b/s.php deleted file mode 100644 index 9223fd784ad..00000000000 --- a/s.php +++ /dev/null @@ -1,41 +0,0 @@ -getMessage(), \OCP\Util::FATAL); - OC_Template::printExceptionErrorPage($ex); -} -- 2.39.5