From 1166c9155a58f25cd3c0327155742e0d3d10894d Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Wed, 13 Nov 2019 21:06:04 -0600 Subject: [PATCH] fixed site loader and subdirs --- onionr/httpapi/onionrsitesapi/__init__.py | 6 +++--- onionr/httpapi/security/client.py | 7 ++++--- static-data/www/shared/sites.js | 4 ++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/onionr/httpapi/onionrsitesapi/__init__.py b/onionr/httpapi/onionrsitesapi/__init__.py index 3db799fb..f369c475 100644 --- a/onionr/httpapi/onionrsitesapi/__init__.py +++ b/onionr/httpapi/onionrsitesapi/__init__.py @@ -64,11 +64,11 @@ def site(name: str)->Response: abort(404) return Response(resp) -@site_api.route('/site//', endpoint='siteFile') +@site_api.route('/site//', endpoint='siteFile') def site_file(name: str, file: str)->Response: """Accept a site 'name', if pubkey then show multi-page site, if hash show single page site""" resp: str = 'Not Found' - mime_type = 'text/html' + mime_type = mimetypes.MimeTypes().guess_type(file)[0] # If necessary convert the name to base32 from mnemonic if mnemonickeys.DELIMITER in name: @@ -92,4 +92,4 @@ def site_file(name: str, file: str)->Response: pass if resp == 'Not Found' or not resp: abort(404) - return Response(resp) + return Response(resp, mimetype=mime_type) diff --git a/onionr/httpapi/security/client.py b/onionr/httpapi/security/client.py index bf4fdd5b..fbc2e6e0 100644 --- a/onionr/httpapi/security/client.py +++ b/onionr/httpapi/security/client.py @@ -49,6 +49,7 @@ class ClientAPISecurity: if request.endpoint in whitelist_endpoints: return + if request.path.startswith('/site/'): return try: if not hmac.compare_digest(request.headers['token'], client_api.clientToken): if not hmac.compare_digest(request.form['token'], client_api.clientToken): @@ -61,8 +62,8 @@ class ClientAPISecurity: def after_req(resp): # Security headers resp = httpheaders.set_default_onionr_http_headers(resp) - if request.endpoint == 'siteapi.site': - resp.headers['Content-Security-Policy'] = "default-src 'none'; style-src data: 'unsafe-inline'; img-src data:" + if request.endpoint in ('siteapi.site', 'siteapi.siteFile'): + resp.headers['Content-Security-Policy'] = "default-src 'none'; style-src 'self' data: 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:" else: resp.headers['Content-Security-Policy'] = "default-src 'none'; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'" - return resp \ No newline at end of file + return resp diff --git a/static-data/www/shared/sites.js b/static-data/www/shared/sites.js index 6aedcf87..1ea9be0a 100755 --- a/static-data/www/shared/sites.js +++ b/static-data/www/shared/sites.js @@ -9,12 +9,12 @@ function checkHex(str) { document.getElementById('openSite').onclick = function(){ var hash = document.getElementById('siteViewer').value if (hash.length == 0){ return } - if (checkHex(hash) && hash.length >= 50){ + if (checkHex(hash) && hash.length >= 50 || hash.length == 52 || hash.length == 56){ window.location.href = '/site/' + hash } else{ PNotify.notice({ - text: 'Invalid site hash' + text: 'Invalid site hash/ID' }) } } \ No newline at end of file