author | kondou <kondou@ts.unde.re> | 2014-08-03 11:31:28 +0200 |
committer | kondou <kondou@ts.unde.re> | 2014-09-04 15:23:55 +0200 |
commit | 2a4c51389c23ab1da47d52be9f2e76cd90f2df01 (patch) | |
tree | b50145fa66fe889045a0dbac963dd4b9865bf827 | |
parent | 0f2ad9862e98e00fdc250bf8405bf6404d40b1ed (diff) | |
Use a route instead of s.php and convert tokens asap
-rw-r--r-- | apps/files_sharing/public.php | 4 | ||||
-rwxr-xr-x | config/config.sample.php | 12 | ||||
-rw-r--r-- | core/ajax/share.php | 2 | ||||
-rw-r--r-- | core/js/js.js | 1 | ||||
-rw-r--r-- | core/js/share.js | 4 | ||||
-rw-r--r-- | core/js/tests/specs/shareSpec.js | 6 | ||||
-rw-r--r-- | core/routes.php | 5 | ||||
-rw-r--r-- | core/share/controller.php | 23 | ||||
-rw-r--r-- | lib/private/share/constants.php | 2 | ||||
-rw-r--r-- | lib/private/share/share.php | 21 | ||||
-rw-r--r-- | public.php | 2 | ||||
-rw-r--r-- | s.php | 41 |
12 files changed, 69 insertions, 54 deletions
diff --git a/apps/files_sharing/public.php b/apps/files_sharing/public.php
index 63938201eb2..bf90c0b5dfc 100644
--- a/apps/files_sharing/public.php
+++ b/apps/files_sharing/public.php
@@ -13,8 +13,12 @@ if ($appConfig->getValue('core', 'shareapi_allow_links', 'yes') !== 'yes') { exit(); } +// Legacy sharing links via public.php have the token in $GET['t'] if (isset($_GET['t'])) { $token = $_GET['t']; +} + +if (isset($token)) { $linkItem = OCP\Share::getShareByToken($token, false); if (is_array($linkItem) && isset($linkItem['uid_owner'])) { // seems to be a valid share
diff --git a/config/config.sample.php b/config/config.sample.php
index 71105a8b10d..1e876e688ff 100755
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -202,6 +202,18 @@ $CONFIG = array( "cron_log" => true, /* + * Length of sharing tokens and the resulting links. + * This value defines how many possible sharing links there are, choosing a low value like 1 will make it easy to guess + * sharing links and will also limit the maximum number of shares. Behaviour after all tokens are used is undefined and + * may result in breakage. + * 1: Length of 4. Maximum of 65536 tokens. Links may look like this: example.com/s/1ekf + * 2: Length of 8. Maximum of 2^32 tokens. Links may look like this: example.com/s/1z141z3 + * 3: (Default) Length of 16. Maximum of 2^64 tokens. Links may look like this: example.com/s/3w5e11264sgsf + * 4: (Old default, but base36) Length of 32. Maximum of 2^128 tokens. Links may look like this: example.com/s/f5lxx1zz5pnorynqglhzmsp33 + */ +"sharing_token_length" => 3, + +/* * Configure the size in bytes log rotation should happen, 0 or false disables the rotation. * This rotates the current owncloud logfile to a new name, this way the total log usage * will stay limited and older entries are available for a while longer. The
diff --git a/core/ajax/share.php b/core/ajax/share.php
index 536f0e2ebd8..c6da79a8a42 100644
--- a/core/ajax/share.php
+++ b/core/ajax/share.php
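Review bot: The new comment spells the query parameter `$GET['t']` while the code right below reads `$_GET['t']`; it should read `// Legacy sharing links via public.php have the token in $_GET['t']`. The added `if (isset($token))` also depends silently on the including scope: in this same commit `OC\Core\Share\Controller::showShare` assigns `$token = $args['token']` before it `require_once`s this file, so a line such as `// $token may also be pre-set by the route controller in core/share/controller.php before this file is included` would save the next reader a search. Neither path checks the token's shape before `OCP\Share::getShareByToken`; since new tokens are lowercase letters and digits and legacy ones are hex, a cheap character-class check here would reject malformed values before the lookup. The enclosing if/else block continues outside the hunk.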
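Review bot: The figures in the new `sharing_token_length` comment do not match the generator this commit wires up in lib/private/share/share.php. The example links are shorter than the stated lengths (`1z141z3` has 7 characters for "Length of 8", `3w5e11264sgsf` 13 for 16, `f5lxx1zz5pnorynqglhzmsp33` 25 for 32), and the maxima 65536, 2^32, 2^64 and 2^128 are 16^length, i.e. a hex alphabet, whereas the generator draws from `CHAR_LOWER.CHAR_DIGITS`, 36 symbols (36^4 alone is about 1.7 million). Either recompute the counts for base 36 or drop them and keep only the length and the guessability warning, which is the part an administrator needs. It would also help to say that the setting is presumably read only when a share is created, so existing tokens keep their length when it changes — only the generation branch is touched by this commit, but that should be confirmed.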
@@ -46,8 +46,6 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo (!empty($_POST['expirationDate']) ? new \DateTime($_POST['expirationDate']) : null) ); - $token = base_convert($token, 16, 36); - if (is_string($token)) { OC_JSON::success(array('data' => array('token' => $token))); } else {
diff --git a/core/js/js.js b/core/js/js.js
index 9a60b0aad69..bf33e3f2e48 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -246,6 +246,7 @@ var OC={ url = '/' + url; } + // TODO save somewhere whether the webserver is able to skip the index.php to have shorter links (e.g. for sharing) return OC.webroot + '/index.php' + _build(url, params); },
diff --git a/core/js/share.js b/core/js/share.js
index d00b5f1ccf9..67ddd9c4870 100644
--- a/core/js/share.js
+++ b/core/js/share.js
@@ -663,8 +663,6 @@ OC.Share={ // TODO: use oc webroot ? var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 'public.php')+'?service=files&'+type+'='+encodeURIComponent(file); } else { - // convert the token to base36 - //token = parseInt(token, 16).toString(36); //TODO add path param when showing a link to file in a subfolder of a public link share var service=''; if(linkSharetype === 'folder' || linkSharetype === 'file'){
@@ -677,7 +675,7 @@ OC.Share={ if (service !== 'files') { var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 'public.php')+'?service='+service+'&t='+token; } else { - var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 's.php')+'?t='+token; + var link = parent.location.protocol+'//'+location.host+OC.generateUrl('/s/')+token; } } $('#linkText').val(link);
diff --git a/core/js/tests/specs/shareSpec.js b/core/js/tests/specs/shareSpec.js
index 06c4b98df2a..e712ea58bc2 100644
--- a/core/js/tests/specs/shareSpec.js
+++ b/core/js/tests/specs/shareSpec.js
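Review bot: In the new `else` branch of the second share.js hunk the token is concatenated onto `OC.generateUrl('/s/')` raw, whereas the `file` branch a few lines earlier in the same function passes its value through `encodeURIComponent`. Server-generated tokens are lowercase letters and digits, so this works today, but a value containing `/`, `?` or `#` would silently change the resulting route; `OC.generateUrl('/s/')+encodeURIComponent(token)` keeps the two branches consistent at no cost. The enclosing function starts and ends outside the hunk.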
@@ -151,7 +151,7 @@ describe('OC.Share tests', function() { expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true); // this is how the OC.Share class does it... var link = parent.location.protocol + '//' + location.host + - OC.linkTo('', 'public.php')+'?service=files&t=tehtoken'; + OC.generateUrl('/s/') + 'tehtoken'; expect($('#dropdown #linkText').val()).toEqual(link); }); it('does not show populated link share when a link share exists for a different file', function() {
@@ -243,7 +243,7 @@ describe('OC.Share tests', function() { expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true); // this is how the OC.Share class does it... var link = parent.location.protocol + '//' + location.host + - OC.linkTo('', 'public.php')+'?service=files&t=tehtoken'; + OC.generateUrl('/s/') + 'tehtoken'; expect($('#dropdown #linkText').val()).toEqual(link); // nested one
@@ -258,7 +258,7 @@ describe('OC.Share tests', function() { expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true); // this is how the OC.Share class does it... link = parent.location.protocol + '//' + location.host + - OC.linkTo('', 'public.php')+'?service=files&t=anothertoken'; + OC.generateUrl('/s/') + 'anothertoken'; expect($('#dropdown #linkText').val()).toEqual(link); }); describe('expiration date', function() {
diff --git a/core/routes.php b/core/routes.php
index 28a3680dd91..fac67f23175 100644
--- a/core/routes.php
+++ b/core/routes.php
@@ -100,6 +100,11 @@ $this->create('core_avatar_post_cropped', '/avatar/cropped') ->post() ->action('OC\Core\Avatar\Controller', 'postCroppedAvatar'); +// Sharing routes +$this->create('core_share_show_share', '/s/{token}') + ->get() + ->action('OC\Core\Share\Controller', 'showShare'); + // used for heartbeat $this->create('heartbeat', '/heartbeat')->action(function(){ // do nothing
diff --git a/core/share/controller.php b/core/share/controller.php
new file mode 100644
index 00000000000..c1741af0d98
--- /dev/null
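Review bot: The new `/s/{token}` route in core/routes.php accepts any path segment and hands it unvalidated to `showShare`, which passes it on to the share lookup. If the router supports a per-parameter regex (this codebase's route objects have a `requirements()` method as far as I recall — please confirm), constraining the token to the alphabet the generator uses plus legacy hex, e.g. `->requirements(array('token' => '[a-zA-Z0-9]+'))`, rejects malformed links before any app code runs and gives the route a self-documenting contract. Check that the 32-character tokens from older installations fall inside the same class before enabling it.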
+++ b/core/share/controller.php
@@ -0,0 +1,23 @@
+<?php
+/**
+ * Copyright (c) 2014 Christopher Schäpers <christopher@schaepers.it>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace OC\Core\Share;
+
+class Controller {
+ public static function showShare($args) {
+ \OC_Util::checkAppEnabled('files_sharing');
+
+ $token = $args['token'];
+
+ \OC_App::loadApp('files_sharing');
+ \OC_User::setIncognitoMode(true);
+
+ require_once \OC_App::getAppPath('files_sharing') .'/public.php';
+ }
+}
+?>
diff --git a/lib/private/share/constants.php b/lib/private/share/constants.php
index cf935bd4c0e..1ba4929899a 100644
--- a/lib/private/share/constants.php
+++ b/lib/private/share/constants.php
@@ -34,8 +34,6 @@ class Constants { const FORMAT_STATUSES = -2; const FORMAT_SOURCES = -3; // ToDo Check if it is still in use otherwise remove it - const TOKEN_LENGTH = 16; // old length is 32, thus 32 in db_structure.xml - protected static $shareTypeUserAndGroups = -1; protected static $shareTypeGroupUserUnique = 2; protected static $backends = array();
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index e2e9b94125e..dfe0f65340b 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
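Review bot: `showShare` drops two checks the deleted s.php ran before loading the share: the 404 when `OCP\CONFIG::getAppValue('core', 'public_files')` is null, and `OC::checkMaintenanceMode()` / `OC::checkSingleUserMode()`. If the index.php front controller already covers maintenance and single-user mode for routed requests, the `public_files` check is still lost and should either be re-added here or confirmed to live in apps/files_sharing/public.php, which I cannot see on this page. The file also ends with `?>`, which PSR-2 asks to omit in PHP-only files because any whitespace after it is emitted as output before headers are sent. A short docblock would help, e.g. `/** Route handler for /s/{token}: loads files_sharing and includes its public.php with $token in local scope. */`, since the include relies on `$token` being a local variable here.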
@@ -640,7 +640,26 @@ class Share extends \OC\Share\Constants { if (isset($oldToken)) { $token = $oldToken; } else { - $token = \OC_Util::generateRandomBytes(self::TOKEN_LENGTH); + // Determine how long the token should be + switch (\OC_Config::getValue("sharing_token_length", 3)) { + case 1: + $tokenLength = 4; + break; + case 2: + $tokenLength = 8; + break; + // Default is 3, so skip the 3 block + case 4: + $tokenLength = 32; + break; + // Anything other than 1-4 should be default 3 + default: + $tokenLength = 16; + break; + } + $token = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate($tokenLength, + \OCP\Security\ISecureRandom::CHAR_LOWER.\OCP\Security\ISecureRandom::CHAR_DIGITS + ); } $result = self::put($itemType, $itemSource, $shareType, $shareWith, $uidOwner, $permissions, null, $token, $itemSourceName, $expirationDate);
diff --git a/public.php b/public.php
index b4578d991c8..0e04db66da7 100644
--- a/public.php
+++ b/public.php
@@ -36,8 +36,6 @@ try { \OC::$REQUESTEDAPP = $app; OC_App::loadApps(array('authentication')); OC_App::loadApps(array('filesystem', 'logging')); - print_r($_GET); - print_r($parts); OC_Util::checkAppEnabled($app); OC_App::loadApp($app);
diff --git a/s.php b/s.php
deleted file mode 100644
index 9223fd784ad..00000000000
--- a/s.php
+++ /dev/null
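Review bot: The share token is a bearer credential for the public link, yet the new code draws it from `getLowStrengthGenerator()`; the same `ISecureRandom` service exposes `getMediumStrengthGenerator()`, which is the appropriate source for anything that gates access, so the line should read `$token = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate($tokenLength,`. The `switch` on `sharing_token_length` can collapse to a lookup, `$lengths = array(1 => 4, 2 => 8, 3 => 16, 4 => 32);` followed by `$tokenLength = isset($lengths[$setting]) ? $lengths[$setting] : 16;`, which makes the "anything else is 16" fallback explicit instead of relying on the comment-only `case 3`. Since the block already goes through `\OC::$server` for the RNG, reading the setting via `\OC::$server->getConfig()->getSystemValue('sharing_token_length', 3)` would keep it off the static `\OC_Config` facade. Removing `TOKEN_LENGTH` from `OC\Share\Constants` (and therefore from `OCP\Share`, which extends it if I remember correctly) is a public-API change worth a changelog line, since third-party apps referencing it will fatal. The surrounding method starts and ends outside the hunk.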
@@ -1,41 +0,0 @@ -<?php - -try { - - require_once 'lib/base.php'; - OC::checkMaintenanceMode(); - OC::checkSingleUserMode(); - $file = OCP\CONFIG::getAppValue('core', 'public_files'); - if(is_null($file)) { - header('HTTP/1.0 404 Not Found'); - exit; - } - - // convert the token to hex, if it's base36 - if (strlen((string)$_GET['t']) != 16 && strlen((string)$_GET['t']) != 32) { - $_GET['t'] = base_convert($_GET['t'], 36, 16); - - // the token should have leading zeroes and needs to be padded - if (strlen((string)$_GET['t']) != 16) { - $padding = ''; - for ($i = 0; $i < (16 - strlen((string)$_GET['t'])); $i++) { - $padding .= '0'; - } - $_GET['t'] = $padding . $_GET['t']; - } - } - - print($_GET['t']); - - OC_Util::checkAppEnabled('files_sharing'); - OC_App::loadApp('files_sharing'); - OC_User::setIncognitoMode(true); - - require_once OC_App::getAppPath('files_sharing') .'/public.php'; - -} catch (Exception $ex) { - //show the user a detailed error page - OC_Response::setStatus(OC_Response::STATUS_INTERNAL_SERVER_ERROR); - \OCP\Util::writeLog('remote', $ex->getMessage(), \OCP\Util::FATAL); - OC_Template::printExceptionErrorPage($ex); -} |