Added authCookie in server file upload

This commit is contained in:
Ylian Saint-Hilaire 2019-09-30 14:08:51 -07:00
parent fbbf46e0e5
commit 2f7f0a95e5
4 changed files with 44 additions and 10 deletions


@ -1,6 +1,6 @@
{
"name": "meshcentral",
"version": "0.4.1-l",
"version": "0.4.1-m",
"keywords": [
"Remote Management",
"Intel AMT",



@ -944,7 +944,7 @@
</div>
</div>
<iframe name="fileUploadFrame" style="display:none"></iframe>
<form style="display:none" method=post action=uploadfile.ashx enctype=multipart/form-data target=fileUploadFrame><input id=p5fileDragName name="name"><input id=p5fileDragSize name="size"><input id=p5fileDragType name="type"><input id=p5fileDragData name="data"><input id=p5fileDragLink name="link"><input type=submit id=p5loginSubmit2 style="display:none" /></form>
<form style="display:none" method=post action=uploadfile.ashx enctype=multipart/form-data target=fileUploadFrame><input id=p5fileDragName name="name"><input id=p5fileDragAuthCookie name="auth"><input id=p5fileDragSize name="size"><input id=p5fileDragType name="type"><input id=p5fileDragData name="data"><input id=p5fileDragLink name="link"><input type=submit id=p5loginSubmit2 style="display:none" /></form>
<form style="display:none" method=post action=uploadnodefile.ashx enctype=multipart/form-data target=fileUploadFrame><input id=p13fileDragName name="name"><input id=p13fileDragSize name="size"><input id=p13fileDragType name="type"><input id=p13fileDragData name="data"><input id=p13fileDragLink name="link"><input type=submit id=p13loginSubmit2 style="display:none" /></form>
<audio id="chimes"><source src="sounds/chimes.mp3" type="audio/mp3"></audio>
</div>
@ -7548,7 +7548,7 @@
function p5renamefileEx(b, t) { t.newname = Q('p5renameinput').value; meshserver.send(t); }
function p5fileNameCheck(e) { var x = isFilenameValid(Q('p5renameinput').value); QE('idx_dlgOkButton', x); if ((x == true) && (e && e.keyCode == 13)) { dialogclose(1); } }
var isFilenameValid = (function(){ var x1=/^[^\\/:\*\?"<>\|]+$/, x2=/^\./, x3=/^(nul|prn|con|lpt[0-9]|com[0-9])(\.|$)/i; return function isFilenameValid(fname){ return x1.test(fname)&&!x2.test(fname)&&!x3.test(fname)&&(fname[0] != '.'); } })();
function p5uploadFile() { setDialogMode(2, "Upload File", 3, p5uploadFileEx, '<form method=post enctype=multipart/form-data action=uploadfile.ashx target=fileUploadFrame><input type=text name=link style=display:none id=p5uploadpath value=\"' + encodeURIComponent(filetreelinkpath) + '\" /><input type=file name=files id=p5uploadinput style=width:100% multiple=multiple onchange="updateUploadDialogOk(\'p5uploadinput\')" /><input type=submit id=p5loginSubmit style=display:none /></form>'); updateUploadDialogOk('p5uploadinput'); }
function p5uploadFile() { setDialogMode(2, "Upload File", 3, p5uploadFileEx, '<form method=post enctype=multipart/form-data action=uploadfile.ashx target=fileUploadFrame><input type=text name=link style=display:none id=p5uploadpath value=\"' + encodeURIComponent(filetreelinkpath) + '\" /><input type=file name=files id=p5uploadinput style=width:100% multiple=multiple onchange="updateUploadDialogOk(\'p5uploadinput\')" /><input type=hidden name=authCookie value=' + authCookie + ' /><input type=submit id=p5loginSubmit style=display:none /></form>'); updateUploadDialogOk('p5uploadinput'); }
function p5uploadFileEx() { Q('p5loginSubmit').click(); }
function updateUploadDialogOk(x) { QE('idx_dlgOkButton', Q(x).value != ''); }
/*
@ -7583,10 +7583,32 @@
for (var i in e.dataTransfer.files) { if ((e.dataTransfer.files[i].size != null) && (e.dataTransfer.files[i].size != 0)) { files.push(e.dataTransfer.files[i]); } }
if (files.length == 0) return;
// Check if these files are duplicates of existing files.
var filetreex = filetree, allfiles = [], overWriteCount = 0;
for (var i in filetreelocation) {
if ((filetreex.f != null) && (filetreex.f[filetreelocation[i]] != null)) { filetreex = filetreex.f[filetreelocation[i]]; }
}
if (filetreex.f != null) {
for (var i in filetreex.f) { allfiles.push(i); }
for (var i = 0; i < e.dataTransfer.files.length; i++) {
if (allfiles.indexOf(e.dataTransfer.files[i].name) >= 0) { overWriteCount++; } // TODO: If the server is Windows, we need to lowercase both names.
}
}
if (overWriteCount == 0) {
// If no overwrite, go ahead with upload
p5PerformUpload(1, files);
} else {
// Otherwise, prompt for confirmation
setDialogMode(2, "Upload File", 3, p5PerformUpload, 'Upload will overwrite ' + overWriteCount + ' file' + addLetterS(overWriteCount) + '. Continue?', files);
}
}
function p5PerformUpload(b, files) {
// For Chrome & Firefox
var error = 0;
p5uploadFile(); // Display the the dialog box
try { Q('p5uploadinput').files = e.dataTransfer.files; } catch (ex) { error = 1; } // Set the files in the dialog box
try { Q('p5uploadinput').files = files; } catch (ex) { error = 1; } // Set the files in the dialog box
if (error == 0) { p5uploadFileEx(); } // Press the submit button
setDialogMode(0); // Close the dialog box
@ -7609,6 +7631,7 @@
Q('p5fileDragType').value = types.join('*');
Q('p5fileDragData').value = datas.join('*'); // This will not work for large files, there is a limit on the data size in a field.
Q('p5fileDragLink').value = encodeURIComponent(filetreelinkpath);
Q('p5fileDragAuthCookie').value = authCookie;
Q('p5loginSubmit2').click();
}
}
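Review bot: The hidden input added to the upload dialog in p5uploadFile posts the cookie under `name=authCookie`, whereas the drag-and-drop form in this same file names the field `auth` and handleUploadFile in webserver.js reads `fields.auth`, so the dialog path sends a field the server never examines and still relies on the session cookie alone. The value is also concatenated into the markup unquoted, unlike the `link` input right beside it, so any character outside the attribute-safe set (and a null or undefined `authCookie`, which would be rendered as the literal text) ends up in an attribute that can truncate or break the form; the token is presumably a URL-safe encoded blob, but quoting costs nothing. I would change the new input to `<input type=hidden name=auth value=\"' + authCookie + '\" />` so both client forms and the server agree on one field name. Because this string is injected as HTML by setDialogMode, it is worth a short comment noting that `authCookie` must stay a server-issued token and never user-controlled text.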


@ -1999,14 +1999,25 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
function handleUploadFile(req, res) {
const domain = checkUserIpAddress(req, res);
if (domain == null) { res.sendStatus(404); return; }
if ((!req.session) || (req.session == null) || (!req.session.userid) || (domain.userQuota == -1)) { res.sendStatus(401); return; }
const user = obj.users[req.session.userid];
if ((user.siteadmin & 8) == 0) { res.sendStatus(401); return; } // Check if we have file rights
if (domain.userQuota == -1) { res.sendStatus(401); return; }
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
const multiparty = require('multiparty');
const form = new multiparty.Form();
form.parse(req, function (err, fields, files) {
if ((fields == null) || (fields.link == null) || (fields.link.length != 1)) { /*console.log('UploadFile, Invalid Fields:', fields, files);*/ res.sendStatus(404); return; }
// If an authentication cookie is embedded in the form, use that.
if ((fields != null) && (fields.auth != null) && (fields.auth.length == 1) && (typeof fields.auth[0] == 'string')) {
var loginCookie = obj.parent.decodeCookie(fields.auth[0], obj.parent.loginCookieEncryptionKey, 60); // 60 minute timeout
if ((loginCookie != null) && (loginCookie.ip != null) && (loginCookie.ip != cleanRemoteAddr(req.ip))) { loginCookie = null; } // Check cookie IP binding.
if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
}
if (authUserid == null) { res.sendStatus(401); return; }
// Get the user
const user = obj.users[authUserid];
if ((user == null) || (user.siteadmin & 8) == 0) { res.sendStatus(401); return; } // Check if we have file rights
if ((fields == null) || (fields.link == null) || (fields.link.length != 1)) { /*console.log('UploadFile, Invalid Fields:', fields, files);*/ console.log('err4'); res.sendStatus(404); return; }
var xfile = obj.getServerFilePath(user, domain, decodeURIComponent(fields.link[0]));
if (xfile == null) { res.sendStatus(404); return; }
// Get total bytes in the path