Age | Commit message | Author | Files | Lines |
|
If a user keeps the browser open until his session expires and then
tries to upload something we now add it to the database, add the ID to
the new session and when someone logs in with that session the ID is
assigned. Until then even if you guess it correctly, you won't be able
to download it.
If the user still manages to let the 2nd session expire because he can't
find his password, the upload will be lost. Shit happens.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
It won't work anyway.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
chromium rejects inline css with this.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Video files won't play without this.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
With this header we tell the browser to ignore javascript, frames and
objects which decreases the exploitability of simple html pastes if
viewed raw ("<domain>/<id>", without a trailing slash) quite a lot.
You can still upload arbitrary files containing javascript code, but the
browser will refuse to execute it.
References: https://wiki.mozilla.org/Security/CSP/Specification
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Everywhere else we already do it like that.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
mime2extension tells us if the file is text that can be highlighted.
filename2extension leads to unwanted behaviour if the filename is
for example "PKGBUILD", but the file is a binary.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
valid_id() cleans up the database if the file doesn't exist. This code
didn't.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
The interfaces shouldn't change anymore.
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Do not check the client version when downloading because this breaks
curl. Probably because we output and later set HTTP headers in
file_mod->download().
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|