Diffstat (limited to 'src')
-rw-r--r--src/http/http.go39
1 files changed, 39 insertions, 0 deletions
diff --git a/src/http/http.go b/src/http/http.go
index 64a2387..aeb3fbd 100644
--- a/src/http/http.go
+++ b/src/http/http.go
@@ -83,6 +83,45 @@ func downloadHandler(w http.ResponseWriter, r *http.Request) {
 	http.ServeFile(w, r, actualFile)
 }
 
+func viewHandler(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+
+	// get the provided filepath and decode it
+	queryFile := query["file"][0]
+	decodedFilePath, err := base64.StdEncoding.DecodeString(queryFile)
+	if err != nil {
+		logrus.Warn("Could not decode the base64 encoded filepath")
+		return
+	}
+	file := string(decodedFilePath)
+
+	// get the provided hash
+	providedhash := query["hash"][0]
+
+	// hash the provided file by first salting it and then hashing it using the
+	// sha256 alg
+	salted := fmt.Sprintf("%s%s", file, viper.GetString("hash.salt"))
+	hash := fmt.Sprintf("%x", sha256.Sum256([]byte(salted)))
+	if hash != providedhash {
+		logrus.Warn("hashes don't match")
+		return
+	}
+
+	// mitigate path traversal
+	strippedFile := strings.Replace(file, "..", "", -1)
+
+	// define the path where the file is located
+	root := viper.GetString("server.root")
+	readfile := fmt.Sprintf("%s/%s", root, strippedFile)
+
+	// read the file writing it to the response writer
+	dat, err := ioutil.ReadFile(readfile)
+	if err != nil {
+		logrus.Warnf("Could not read file: %s", err)
+	}
+	fmt.Fprintf(w, "%s", string(dat))
+}
+
 func pathHandler(w http.ResponseWriter, r *http.Request) {
 	var content map[string]interface{}
 	content = make(map[string]interface{})
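Review bot: The `strings.Replace(file, "..", "", -1)` step in viewHandler does not reliably confine reads to `server.root`: a single removal pass can leave a fresh `..` behind once the surrounding characters join, and the hash above covers `file` rather than the stripped path that is actually read. Resolving with `filepath.Join` and checking that the result is still under the root is sturdier (it needs `path/filepath`, whose import is outside this hunk). `query["file"][0]` and `query["hash"][0]` panic when a parameter is absent, which `query.Get` avoids. After a failed `ioutil.ReadFile` the handler falls through and writes an empty 200 response, and the earlier returns send no status either. Separately, comparing hex digests with `!=` is not constant-time; `subtle.ConstantTimeCompare`, or an HMAC over the path instead of a salted hash, is the usual construction.

```go
func viewHandler(w http.ResponseWriter, r *http.Request) {
	query := r.URL.Query()

	// Get returns "" for an absent parameter instead of panicking on [0]
	queryFile := query.Get("file")
	providedhash := query.Get("hash")
	if queryFile == "" || providedhash == "" {
		http.Error(w, "missing parameter", http.StatusBadRequest)
		return
	}

	// … unchanged: base64 decoding and salted sha256 comparison …

	// resolve the path and require that it stays below the configured root;
	// symlinks under the root are not resolved by this check
	root := filepath.Clean(viper.GetString("server.root"))
	readfile := filepath.Join(root, file)
	if !strings.HasPrefix(readfile, root+string(filepath.Separator)) {
		logrus.Warn("requested file is outside the server root")
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}

	dat, err := ioutil.ReadFile(readfile)
	if err != nil {
		logrus.Warnf("Could not read file: %s", err)
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Write(dat)
}
```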