diff options
Diffstat (limited to 'src/http')
-rw-r--r-- | src/http/http.go | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/src/http/http.go b/src/http/http.go index 85fff5d..64a2387 100644 --- a/src/http/http.go +++ b/src/http/http.go @@ -48,20 +48,38 @@ func Server() { // downloadHandler handles requests to /download?file=<filename>&hash=<salted // hash of the file> func downloadHandler(w http.ResponseWriter, r *http.Request) { + // get the URL queries (?file and ?hash) query := r.URL.Query() - file := query["file"][0] + // decode the base64 encoded file path + queryFile := query["file"][0] + decodedFilePath, err := base64.StdEncoding.DecodeString(queryFile) + if err != nil { + logrus.Warn("Could not decode the base64 encoded filepath") + return + } + file := string(decodedFilePath) + fmt.Printf("Download file name: %s\n", file) + + // get the hash provided by the user + providedhash := query["hash"][0] + + // hash the provided file by first salting it and then hashing it using the + // sha256 alg + salted := fmt.Sprintf("%s%s", file, viper.GetString("hash.salt")) + hash := fmt.Sprintf("%x", sha256.Sum256([]byte(salted))) + if hash != providedhash { + logrus.Warn("hashes don't match") + return + } root := viper.GetString("server.root") - logrus.Info(root) strippedFile := strings.Replace(file, root, "", -1) strippedFile = strings.Replace(strippedFile, "..", "", -1) - w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", strippedFile)) w.Header().Set("Content-Type", r.Header.Get("Content-Type")) actualFile := fmt.Sprintf("%s%s", root, strippedFile) - logrus.Infof("serving: %s", actualFile) http.ServeFile(w, r, actualFile) } |