Merge branch 'master' into fix-mail-sentbox

README.md

@@ -17,7 +17,7 @@
 |                                      |                            |                            |
 | -----------                          | -----------                | -----------                |
 | [Install](#install-and-run-on-linux) | [Features](#main-features) | [Screenshots](#screenshots)|
-| [Docs](#documentation)/[web copy](https://beardog108.github.io/onionr/)               | [Get involved](#help-out)  | [Onionr.net](https://onionr.net/)/[.onion](http://onionr.onionkvc5ibm37bmxwr56bdxcdnb6w3wm4bdghh5qo6f6za7gn7styid.onion/)                  |
+| [Docs](#documentation)/[web copy](https://beardog108.github.io/onionr/)               | [Get involved](#help-out)  | [Onionr.net](https://onionr.net/)/[.onion](http://onionrbak72t5zhbzuey2fdkpczlvhowgcpqc6uoyrd3uxztzxwz5cyd.onion/)                  |
 
 
 <hr>

docs/usage/pages.md

@@ -0,0 +1,59 @@
+Onionr sites come in two forms:
+
+* Single-page sites, identified by the hash of a single page contained within a single Onionr block.
+
+* Multi-page sites, identified by a user ID. Contains directory archives of a full site.
+
+
+# Metadata Awareness
+
+Before creating an Onionr site, one should be cautious of the metadata one could be leaking. For example, some HTML generators may insert author meta tags. Onionr does not filter out any web page data.
+
+# No JavaScript, no third-party resources
+
+Currently, in order to protect Onionr users, JavaScript is disabled within Onionr sites. JS will remain present in the HTML file, but be non functional. Additionally, third party resources outside of Onionr cannot be loaded.
+
+
+# Creating multi page sites
+
+Multi page sites are the most useful, as they can contain an arbitrary amount of static files.
+
+To create a single page site, create a directory for your site and write standard HTML file(s) within them. CSS, images and other files can be placed in the directory as well. The home page should be name index.html and in the parent level directory.
+
+Then, create a strong passphrase for the site. If the site will be updated, be sure to write it down or remember it. A strong passphrase can be generated by running:
+
+`$ scripts/passphrase-generator.py`
+
+Sample output: lovesick blubberer haemoglobin... and so on.
+
+## Generating or updating the site:
+
+`$ ./onionr.sh addsite`
+
+All files in the current working directory will be added to the site.
+
+The command will prompt for a passphrase.
+
+After the site is generated, a user ID that identifies the site will be outputted.
+
+# Creating single page sites
+
+Single page sites are incredibly straight forward.
+
+Single page sites cannot be modified or updated, but are somewhat more secure due to having lower complexity.
+
+To create a single page site, write a standard HTML file. Inline or data-uri CSS can be included, as well as data-uri images. Data-URI generators can be found online.
+
+After creating the HTML file, run this command:
+
+`$ ./onionr.sh addhtml filename.html`
+
+![single page screenshot](single-page.png)
+
+# Viewing sites
+
+To view a site, open the Onionr web interface and paste the site hash or ID into the site opener box that looks like this:
+
+![site opener box screenshot](site-opener.png)
+
+Then, press open.

scripts/README.md

@@ -0,0 +1,3 @@
+This directory contains useful scripts and utilities that don't make sense to include as official Onionr features.
+
+passphrase-generator.py: very simple utility to generate and print a strong passphrase to stdout. 256 bits of entropy by default.

scripts/passphrase-generator.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+"""Generate a 16 word passphase with 256 bits of entropy.
+
+Specify true to reduce to 128 bits"""
+
+
+import sys
+
+import niceware
+
+byte_count = 32  # 256 bits of entropy with niceware
+
+arg = False
+try:
+    arg = sys.argv[1].lower()
+    if arg == 'true':
+        byte_count = 16
+except IndexError: pass
+
+print(' '.join(niceware.generate_passphrase(byte_count)))

src/bigbrother/ministry/ofexec.py

@@ -45,9 +45,11 @@ def block_exec(event, info):
     """Prevent arbitrary code execution in eval/exec and log it."""
     # because libraries have stupid amounts of compile/exec/eval,
     # We have to use a whitelist where it can be tolerated
+    # Generally better than nothing, not a silver bullet
     whitelisted_code = [
                         'netrc.py',
                         'shlex.py',
+                        'gzip.py',
                         '<werkzeug routing>',
                         'werkzeug/test.py',
                         'multiprocessing/popen_fork.py',

src/httpapi/security/client.py

@@ -51,13 +51,13 @@ class ClientAPISecurity:
                 return
             if request.path.startswith('/site/'): return
 
-            # try:
-            #     if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
-            #         if not hmac.compare_digest(request.form['token'], client_api.clientToken):
-            #             abort(403)
-            # except KeyError:
-            #     if not hmac.compare_digest(request.form['token'], client_api.clientToken):
-            #         abort(403)
+            try:
+                if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
+                    if not hmac.compare_digest(request.form['token'], client_api.clientToken):
+                        abort(403)
+            except KeyError:
+                if not hmac.compare_digest(request.form['token'], client_api.clientToken):
+                    abort(403)
 
         @client_api_security_bp.after_app_request
         def after_req(resp):

src/onionrcommands/sitecreator.py

@@ -40,7 +40,7 @@ If you want to update your site later you must remember the passphrase.''',
 
         passphrase = getpass.getpass(
             'Please enter a site passphrase of at least ' +
-            onionrvalues.PASSWORD_LENGTH + ' characters.')
+            str(onionrvalues.PASSWORD_LENGTH) + ' characters.')
 
         confirm = getpass.getpass('Confirm passphrase:')
         if passphrase != confirm:

static-data/www/shared/main/torstats.js

@@ -1,4 +1,8 @@
-var torSource = new EventSourcePolyfill("/torcircuits")
+var torSource = new EventSourcePolyfill('/torcircuits', {
+    headers: {
+        "token": webpass
+    }
+  })
 var displays = document.getElementsByClassName('torInfo')
 
 for (x = 0; x < displays.length; x++){