From 1270c3fbd503a24b42bd815734dc76887504164f Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 30 Sep 2019 14:08:51 -0700
Subject: [PATCH] Added authCookie in server file upload
---
 package.json | 2 +-
 views/default-min.handlebars | 2 +-
 views/default.handlebars | 29 ++++++++++++++++++++++++++---
 webserver.js | 21 ++++++++++++++++-----
 4 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/package.json b/package.json
index 11904732..0fa8ad62 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.4.1-l",
+ "version": "0.4.1-m",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/views/default-min.handlebars b/views/default-min.handlebars
index 27dde843..84ee0735 100644
--- a/views/default-min.handlebars
+++ b/views/default-min.handlebars
@@ -1 +1 @@
- {{{title}}}
{{{title}}}
{{{title2}}}

{{{logoutControl}}}

 

\ No newline at end of file
+ {{{title}}}
{{{title}}}
{{{title2}}}

{{{logoutControl}}}

 

\ No newline at end of file
diff --git a/views/default.handlebars b/views/default.handlebars
index eabab023..cad8df32 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -944,7 +944,7 @@
-
+
@@ -7548,7 +7548,7 @@
 function p5renamefileEx(b, t) { t.newname = Q('p5renameinput').value; meshserver.send(t); }
 function p5fileNameCheck(e) { var x = isFilenameValid(Q('p5renameinput').value); QE('idx_dlgOkButton', x); if ((x == true) && (e && e.keyCode == 13)) { dialogclose(1); } }
 var isFilenameValid = (function(){ var x1=/^[^\\/:\*\?"<>\|]+$/, x2=/^\./, x3=/^(nul|prn|con|lpt[0-9]|com[0-9])(\.|$)/i; return function isFilenameValid(fname){ return x1.test(fname)&&!x2.test(fname)&&!x3.test(fname)&&(fname[0] != '.'); } })();
- function p5uploadFile() { setDialogMode(2, "Upload File", 3, p5uploadFileEx, '
'); updateUploadDialogOk('p5uploadinput'); } + function p5uploadFile() { setDialogMode(2, "Upload File", 3, p5uploadFileEx, '
'); updateUploadDialogOk('p5uploadinput'); }
 function p5uploadFileEx() { Q('p5loginSubmit').click(); }
 function updateUploadDialogOk(x) { QE('idx_dlgOkButton', Q(x).value != ''); }
 /*
@@ -7583,10 +7583,32 @@
 for (var i in e.dataTransfer.files) {
 if ((e.dataTransfer.files[i].size != null) && (e.dataTransfer.files[i].size != 0)) { files.push(e.dataTransfer.files[i]); }
 }
 if (files.length == 0) return;
+ // Check if these files are duplicates of existing files.
+ var filetreex = filetree, allfiles = [], overWriteCount = 0;
+ for (var i in filetreelocation) {
+ if ((filetreex.f != null) && (filetreex.f[filetreelocation[i]] != null)) { filetreex = filetreex.f[filetreelocation[i]]; }
+ }
+ if (filetreex.f != null) {
+ for (var i in filetreex.f) { allfiles.push(i); }
+ for (var i = 0; i < e.dataTransfer.files.length; i++) {
+ if (allfiles.indexOf(e.dataTransfer.files[i].name) >= 0) { overWriteCount++; } // TODO: If the server is Windows, we need to lowercase both names.
+ }
+ }
+ 
+ if (overWriteCount == 0) {
+ // If no overwrite, go ahead with upload
+ p5PerformUpload(1, files);
+ } else {
+ // Otherwise, prompt for confirmation
+ setDialogMode(2, "Upload File", 3, p5PerformUpload, 'Upload will overwrite ' + overWriteCount + ' file' + addLetterS(overWriteCount) + '. Continue?', files);
+ }
+ }
+ 
+ function p5PerformUpload(b, files) {
 // For Chrome & Firefox
 var error = 0;
 p5uploadFile(); // Display the the dialog box
- try { Q('p5uploadinput').files = e.dataTransfer.files; } catch (ex) { error = 1; } // Set the files in the dialog box
+ try { Q('p5uploadinput').files = files; } catch (ex) { error = 1; } // Set the files in the dialog box
 if (error == 0) { p5uploadFileEx(); } // Press the submit button
 setDialogMode(0); // Close the dialog box 
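Review bot: The overwrite count in the new duplicate check iterates `e.dataTransfer.files`, while the upload that follows sends the filtered `files` array, so a zero-byte dropped file whose name already exists is counted as an overwrite even though it is never uploaded, and the prompt can disagree with what is actually sent. Iterating the same array keeps them consistent: `for (var i = 0; i < files.length; i++) { if (allfiles.indexOf(files[i].name) >= 0) { overWriteCount++; } }`. As the TODO already notes, the comparison is case-sensitive, so on a case-insensitive server filesystem the prompt can under-count; the confirmation is a convenience for the user and the server remains the place where overwrite policy is enforced. The enclosing drop handler begins before the hunk, and the `var i` used by the new loops is shared with the earlier `for (var i in e.dataTransfer.files)` loop, which is harmless here but easy to trip over.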
@@ -7609,6 +7631,7 @@
 Q('p5fileDragType').value = types.join('*');
 Q('p5fileDragData').value = datas.join('*'); // This will not work for large files, there is a limit on the data size in a field.
 Q('p5fileDragLink').value = encodeURIComponent(filetreelinkpath);
+ Q('p5fileDragAuthCookie').value = authCookie;
 Q('p5loginSubmit2').click();
 }
 }
diff --git a/webserver.js b/webserver.js
index d89a7f02..a3db3708 100644
--- a/webserver.js
+++ b/webserver.js
@@ -1999,14 +1999,25 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 function handleUploadFile(req, res) {
 const domain = checkUserIpAddress(req, res);
 if (domain == null) { res.sendStatus(404); return; }
- if ((!req.session) || (req.session == null) || (!req.session.userid) || (domain.userQuota == -1)) { res.sendStatus(401); return; }
- const user = obj.users[req.session.userid];
- if ((user.siteadmin & 8) == 0) { res.sendStatus(401); return; } // Check if we have file rights
- 
+ if (domain.userQuota == -1) { res.sendStatus(401); return; }
+ var authUserid = null;
+ if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
 const multiparty = require('multiparty');
 const form = new multiparty.Form();
 form.parse(req, function (err, fields, files) {
- if ((fields == null) || (fields.link == null) || (fields.link.length != 1)) { /*console.log('UploadFile, Invalid Fields:', fields, files);*/ res.sendStatus(404); return; }
+ // If an authentication cookie is embedded in the form, use that.
+ if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
+ var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
+ if ((loginCookie != null) && (loginCookie.ip != null) && (loginCookie.ip != cleanRemoteAddr(req.ip))) { loginCookie = null; } // Check cookie IP binding.
+ if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
+ }
+ if (authUserid == null) { res.sendStatus(401); return; }
+ 
+ // Get the user
+ const user = obj.users[authUserid];
+ if ((user == null) || (user.siteadmin & 8) == 0) { res.sendStatus(401); return; } // Check if we have file rights
+ 
+ if ((fields == null) || (fields.link == null) || (fields.link.length != 1)) { /*console.log('UploadFile, Invalid Fields:', fields, files);*/ console.log('err4'); res.sendStatus(404); return; }
 var xfile = obj.getServerFilePath(user, domain, decodeURIComponent(fields.link[0]));
 if (xfile == null) { res.sendStatus(404); return; }
 // Get total bytes in the path
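Review bot: The IP-binding check in the new cookie branch is skipped whenever the decoded cookie carries no `ip` field, because of the `(loginCookie.ip != null) &&` short-circuit, so such a cookie would be accepted from any source address; if every login cookie is minted with `ip` set, a comment stating that would make the intent explicit, otherwise a missing field should fail the check: `if ((loginCookie != null) && ((loginCookie.ip == null) || (loginCookie.ip != cleanRemoteAddr(req.ip)))) { loginCookie = null; }`. A valid form-supplied cookie also takes precedence over an already established session (`authUserid = loginCookie.userid` overwrites the session value), which is worth a one-line comment if intended, since it lets the form body decide which user the upload is attributed to. The `console.log('err4');` added to the invalid-fields branch looks like leftover debugging and should be removed or turned into a proper log message. handleUploadFile and its form.parse callback continue past the end of the hunk.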