Diffstat (limited to 'src/http')
-rw-r--r--src/http/http.go26
1 files changed, 22 insertions, 4 deletions
diff --git a/src/http/http.go b/src/http/http.go
index 85fff5d..64a2387 100644
--- a/src/http/http.go
+++ b/src/http/http.go
@@ -48,20 +48,38 @@ func Server() {
 // downloadHandler handles requests to /download?file=<filename>&hash=<salted
 // hash of the file>
 func downloadHandler(w http.ResponseWriter, r *http.Request) {
+	// get the URL queries (?file and ?hash)
 	query := r.URL.Query()
 
-	file := query["file"][0]
+	// decode the base64 encoded file path
+	queryFile := query["file"][0]
+	decodedFilePath, err := base64.StdEncoding.DecodeString(queryFile)
+	if err != nil {
+		logrus.Warn("Could not decode the base64 encoded filepath")
+		return
+	}
+	file := string(decodedFilePath)
+	fmt.Printf("Download file name: %s\n", file)
+
+	// get the hash provided by the user
+	providedhash := query["hash"][0]
+
+	// hash the provided file by first salting it and then hashing it using the
+	// sha256 alg
+	salted := fmt.Sprintf("%s%s", file, viper.GetString("hash.salt"))
+	hash := fmt.Sprintf("%x", sha256.Sum256([]byte(salted)))
+	if hash != providedhash {
+		logrus.Warn("hashes don't match")
+		return
+	}
 
 	root := viper.GetString("server.root")
-	logrus.Info(root)
 	strippedFile := strings.Replace(file, root, "", -1)
 	strippedFile = strings.Replace(strippedFile, "..", "", -1)
 
-	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", strippedFile))
 	w.Header().Set("Content-Type", r.Header.Get("Content-Type"))
 
 	actualFile := fmt.Sprintf("%s%s", root, strippedFile)
-	logrus.Infof("serving: %s", actualFile)
 	http.ServeFile(w, r, actualFile)
 }
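Review bot: The token check in downloadHandler reads `query["file"][0]` and `query["hash"][0]` without confirming the parameter is present, so a request missing either one panics with an index-out-of-range, and `hash != providedhash` is an ordinary, non-constant-time string comparison. Both rejection branches also `return` without writing a status, so the client receives an empty 200; `http.Error` with 400 or 403 would make rejections visible to clients and to monitoring. The `fmt.Printf` of the decoded name runs before verification and prints unauthenticated bytes with `%s`; logging it through logrus with `%q` after the check keeps control characters out of the log. The sketch below replaces `sha256(file+salt)` with HMAC-SHA256 keyed by `hash.salt`, which needs `crypto/hmac` and `encoding/hex` imported and the link generator (not visible in this hunk) changed to match; if that is not feasible, keep the existing hash and only swap the comparison for `hmac.Equal`.

```go
func downloadHandler(w http.ResponseWriter, r *http.Request) {
	query := r.URL.Query()

	// Get returns "" for a missing parameter instead of panicking on [0]
	queryFile := query.Get("file")
	providedhash := query.Get("hash")
	if queryFile == "" || providedhash == "" {
		http.Error(w, "missing file or hash", http.StatusBadRequest)
		return
	}

	decodedFilePath, err := base64.StdEncoding.DecodeString(queryFile)
	if err != nil {
		logrus.Warn("Could not decode the base64 encoded filepath")
		http.Error(w, "invalid file parameter", http.StatusBadRequest)
		return
	}
	file := string(decodedFilePath)

	// keyed MAC over the path; compared in constant time
	mac := hmac.New(sha256.New, []byte(viper.GetString("hash.salt")))
	mac.Write([]byte(file))
	expected := hex.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(expected), []byte(providedhash)) {
		logrus.Warn("hashes don't match")
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// only log the name once it has been authenticated; %q escapes control characters
	logrus.Infof("download file name: %q", file)

	// … unchanged: root stripping, Content-Type header, http.ServeFile …
```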