diff options
Diffstat (limited to 'src/http')
-rw-r--r-- | src/http/http.go | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/src/http/http.go b/src/http/http.go index 64a2387..aeb3fbd 100644 --- a/src/http/http.go +++ b/src/http/http.go @@ -83,6 +83,45 @@ func downloadHandler(w http.ResponseWriter, r *http.Request) { http.ServeFile(w, r, actualFile) } +func viewHandler(w http.ResponseWriter, r *http.Request) { + query := r.URL.Query() + + // get the provided filepath and decode it + queryFile := query["file"][0] + decodedFilePath, err := base64.StdEncoding.DecodeString(queryFile) + if err != nil { + logrus.Warn("Could not decode the base64 encoded filepath") + return + } + file := string(decodedFilePath) + + // get the provided hash + providedhash := query["hash"][0] + + // hash the provided file by first salting it and then hashing it using the + // sha256 alg + salted := fmt.Sprintf("%s%s", file, viper.GetString("hash.salt")) + hash := fmt.Sprintf("%x", sha256.Sum256([]byte(salted))) + if hash != providedhash { + logrus.Warn("hashes don't match") + return + } + + // mitigate path traversal + strippedFile := strings.Replace(file, "..", "", -1) + + // define the path where the file is located + root := viper.GetString("server.root") + readfile := fmt.Sprintf("%s/%s", root, strippedFile) + + // read the file writing it to the response writer + dat, err := ioutil.ReadFile(readfile) + if err != nil { + logrus.Warnf("Could not read file: %s", err) + } + fmt.Fprintf(w, "%s", string(dat)) +} + func pathHandler(w http.ResponseWriter, r *http.Request) { var content map[string]interface{} content = make(map[string]interface{}) |