contented/upload.go

package contented

import (
	"context"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"io"
	"log"
	"mime"
	"mime/multipart"
	"net/http"
	"path"
	"strings"
	"time"
)

func (this *Server) handleUpload(w http.ResponseWriter, r *http.Request) {

	if !this.opts.EnableUpload {
		http.Error(w, "Server is read-only", 403)
		return
	}

	remoteIP := this.remoteIP(r)

	err := r.ParseMultipartForm(0) // buffer upload in temporary files on disk, not memory
	if err != nil {
		log.Printf("%s Invalid request: %s\n", remoteIP, err.Error())
		http.Error(w, "Invalid request", 400)
		return
	}

	if r.MultipartForm == nil || r.MultipartForm.File == nil || len(r.MultipartForm.File["f"]) < 1 {
		log.Printf("%s Invalid request: no multipart content\n", remoteIP)
		http.Error(w, "Invalid request", 400)
		return
	}

	ret := make([]string, 0, len(r.MultipartForm.File["f"]))

	for _, fhs := range r.MultipartForm.File["f"] {
		f, err := fhs.Open()
		if err != nil {
			log.Printf("%s Internal error: %s\n", remoteIP, err.Error())
			http.Error(w, "Internal error", 500)
			return
		}

		path, err := this.handleUploadFile(f, fhs, remoteIP)
		if err != nil {
			log.Printf("%s Upload failed: %s\n", remoteIP, err.Error())
			http.Error(w, "Upload failed", 500)
		}

		ret = append(ret, path)
	}

	jb, err := json.Marshal(ret)
	if err != nil {
		log.Printf("%s Internal error: %s\n", remoteIP, err.Error())
		http.Error(w, "Internal error", 500)
		return
	}

	w.Header().Set(`Content-Type`, `application/json`)
	w.WriteHeader(200)
	w.Write(jb)
}

func (this *Server) handleUploadFile(src multipart.File, hdr *multipart.FileHeader, UploadIP string) (string, error) {

	// Get file length
	srcLen, err := src.Seek(0, io.SeekEnd)
	if err != nil {
		return "", err
	}

	_, err = src.Seek(0, io.SeekStart)
	if err != nil {
		return "", err
	}

	// Get file hash
	hasher := sha512.New512_256()
	_, err = io.CopyN(hasher, src, int64(srcLen))
	if err != nil {
		return "", err
	}

	_, err = src.Seek(0, io.SeekStart)
	if err != nil {
		return "", err
	}

	fileHash := hex.EncodeToString(hasher.Sum(nil))

	// Save file to disk/s3
	err = this.SaveFile(context.Background(), fileHash, srcLen, src)
	if err != nil {
		return "", err
	}

	// Determine mime type
	ctype := hdr.Header.Get("Content-Type")
	if ctype == "" {
		ctype = mime.TypeByExtension(path.Ext(hdr.Filename))
	}
	if ctype == "" {
		ctype = `application/octet-stream`
	}

	// Blacklisted mime-types
	ctype = strings.ToLower(ctype)
	if strings.HasPrefix(ctype, `text/html`) ||
		strings.HasPrefix(ctype, `application/javascript`) {
		ctype = `application/octet-stream`
	}

	// Persist metadata to DB
	m := Metadata{
		FileHash:   fileHash,
		Filename:   hdr.Filename,
		UploadTime: time.Now(),
		UploadIP:   UploadIP,
		FileSize:   srcLen,
		MimeType:   ctype,
	}

	fileRef, err := this.AddMetadata(m)
	if err != nil {
		return "", err
	}

	// Done
	return fileRef, nil
}
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`package contented`

			`import (`
s3 backend support 2023-05-19 07:13:55 +00:00			`"context"`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`"crypto/sha512"`
			`"encoding/hex"`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`"encoding/json"`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`"io"`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`"log"`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`"mime"`
			`"mime/multipart"`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`"net/http"`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`"path"`
			`"strings"`
			`"time"`
			`)`

server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`func (this Server) handleUpload(w http.ResponseWriter, r http.Request) {`

server: add readonly mode to block uploads 2023-05-17 07:08:24 +00:00			`if !this.opts.EnableUpload {`
			`http.Error(w, "Server is read-only", 403)`
			`return`
			`}`

display xff IPs in log output 2017-10-15 06:11:13 +00:00			`remoteIP := this.remoteIP(r)`

upload: buffer MIME parsing on disk, not in memory 2020-07-25 00:25:44 +00:00			`err := r.ParseMultipartForm(0) // buffer upload in temporary files on disk, not memory`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`if err != nil {`
display xff IPs in log output 2017-10-15 06:11:13 +00:00			`log.Printf("%s Invalid request: %s\n", remoteIP, err.Error())`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`http.Error(w, "Invalid request", 400)`
			`return`
			`}`

			`if r.MultipartForm == nil \|\| r.MultipartForm.File == nil \|\| len(r.MultipartForm.File["f"]) < 1 {`
display xff IPs in log output 2017-10-15 06:11:13 +00:00			`log.Printf("%s Invalid request: no multipart content\n", remoteIP)`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`http.Error(w, "Invalid request", 400)`
			`return`
			`}`

			`ret := make([]string, 0, len(r.MultipartForm.File["f"]))`

			`for _, fhs := range r.MultipartForm.File["f"] {`
			`f, err := fhs.Open()`
			`if err != nil {`
display xff IPs in log output 2017-10-15 06:11:13 +00:00			`log.Printf("%s Internal error: %s\n", remoteIP, err.Error())`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`http.Error(w, "Internal error", 500)`
			`return`
			`}`

display xff IPs in log output 2017-10-15 06:11:13 +00:00			`path, err := this.handleUploadFile(f, fhs, remoteIP)`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`if err != nil {`
display xff IPs in log output 2017-10-15 06:11:13 +00:00			`log.Printf("%s Upload failed: %s\n", remoteIP, err.Error())`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`http.Error(w, "Upload failed", 500)`
			`}`

			`ret = append(ret, path)`
			`}`

			`jb, err := json.Marshal(ret)`
			`if err != nil {`
display xff IPs in log output 2017-10-15 06:11:13 +00:00			`log.Printf("%s Internal error: %s\n", remoteIP, err.Error())`
server: handle multiple uploads 2017-10-08 01:10:15 +00:00			`http.Error(w, "Internal error", 500)`
			`return`
			`}`

			w.Header().Set(`Content-Type`, `application/json`)
			`w.WriteHeader(200)`
			`w.Write(jb)`
			`}`

			`func (this Server) handleUploadFile(src multipart.File, hdr multipart.FileHeader, UploadIP string) (string, error) {`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00
			`// Get file length`
			`srcLen, err := src.Seek(0, io.SeekEnd)`
			`if err != nil {`
			`return "", err`
			`}`

			`_, err = src.Seek(0, io.SeekStart)`
			`if err != nil {`
			`return "", err`
			`}`

			`// Get file hash`
			`hasher := sha512.New512_256()`
			`_, err = io.CopyN(hasher, src, int64(srcLen))`
			`if err != nil {`
			`return "", err`
			`}`

			`_, err = src.Seek(0, io.SeekStart)`
			`if err != nil {`
			`return "", err`
			`}`

short URLs 2017-10-08 02:53:00 +00:00			`fileHash := hex.EncodeToString(hasher.Sum(nil))`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00
s3 backend support 2023-05-19 07:13:55 +00:00			`// Save file to disk/s3`
			`err = this.SaveFile(context.Background(), fileHash, srcLen, src)`
			`if err != nil {`
			`return "", err`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`}`

			`// Determine mime type`
			`ctype := hdr.Header.Get("Content-Type")`
			`if ctype == "" {`
			`ctype = mime.TypeByExtension(path.Ext(hdr.Filename))`
			`}`
			`if ctype == "" {`
			ctype = `application/octet-stream`
			`}`

			`// Blacklisted mime-types`
			`ctype = strings.ToLower(ctype)`
			if strings.HasPrefix(ctype, `text/html`) \|\|
			strings.HasPrefix(ctype, `application/javascript`) {
			ctype = `application/octet-stream`
			`}`

			`// Persist metadata to DB`
			`m := Metadata{`
short URLs 2017-10-08 02:53:00 +00:00			`FileHash: fileHash,`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`Filename: hdr.Filename,`
			`UploadTime: time.Now(),`
			`UploadIP: UploadIP,`
			`FileSize: srcLen,`
			`MimeType: ctype,`
			`}`
short URLs 2017-10-08 02:53:00 +00:00
			`fileRef, err := this.AddMetadata(m)`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`if err != nil {`
			`return "", err`
			`}`

			`// Done`
short URLs 2017-10-08 02:53:00 +00:00			`return fileRef, nil`
separate metadata/upload into separate files, handle mime types safely, preserve names on download (only) 2017-10-06 07:19:02 +00:00			`}`