author | cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519> | 2017-12-12 12:47:24 -0800 |
---|---|---|
committer | cel <cel@f/6sQ6d2CMxRUhLpspgGIulDxDCwYD7DzFzPNr7u5AU=.ed25519> | 2017-12-12 13:06:46 -0800 |
commit | a34dfa54a947eb69c31b3196a8be8a8705a9f4b3 (patch) | |
tree | f497fa9909e6d5b6c1332b3fe41ac2e907ccd775 | |
parent | 7c57c1321fc73354ed03fe8fae1263bf5acfe329 (diff) | |
Serve querystring-style secret blobs
e.g. %+WP4++A4PSy5riB4SfVhEQknfFueFhZOYBPiIUbW8PE=.sha256
-rw-r--r-- | lib/serve.js | 48 |
1 files changed, 28 insertions, 20 deletions
diff --git a/lib/serve.js b/lib/serve.js
index c858a1b..56b981b 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -1098,24 +1098,28 @@ Serve.prototype.highlight = function (dirs) {
 Serve.prototype.blob = function (id, path) {
 var self = this
- var etag = id + (path || '')
+ var unbox = typeof this.query.unbox === 'string' && this.query.unbox.replace(/\s/g, '+')
+ var etag = id + (path || '') + (unbox || '')
 if (self.req.headers['if-none-match'] === etag) return self.respond(304)
 var key
 if (path) {
- path = decodeURIComponent(path)
+ try { path = decodeURIComponent(path) } catch(e) {}
 if (path[0] === '#') {
- try {
- key = new Buffer(path.substr(1), 'base64')
- } catch(err) {
- return self.respond(400, err.message)
- }
- if (key.length !== 32) {
- return self.respond(400, 'Bad blob key')
- }
+ unbox = path.substr(1)
 } else {
 return self.respond(400, 'Bad blob request')
 }
 }
+ if (unbox) {
+ try {
+ key = new Buffer(unbox, 'base64')
+ } catch(err) {
+ return self.respond(400, err.message)
+ }
+ if (key.length !== 32) {
+ return self.respond(400, 'Bad blob key')
+ }
+ }
 self.app.wantSizeBlob(id, function (err, size) {
 if (err) {
 if (/^invalid/.test(err.message)) return self.respond(400, err.message)
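Review bot: The `try`/`catch` around `new Buffer(unbox, 'base64')` in the new `if (unbox)` block does not reject a malformed key, because Node's base64 decoder skips characters it does not recognise instead of throwing; the only effective validation is the `key.length !== 32` check. The `typeof this.query.unbox === 'string'` guard is what keeps the deprecated `new Buffer(...)` constructor from being reached with a non-string query value, so it deserves a short comment, and the call is better written as `key = Buffer.from(unbox, 'base64')`. The identical block is added to `Serve.prototype.image` in the second hunk, so the key parsing would be easier to audit as one shared helper. `Serve.prototype.blob` continues past the end of this hunk.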
@@ -1148,23 +1152,27 @@ Serve.prototype.image = function (path) {
 var id, key
 var m = urlIdRegex.exec(path)
 if (m && m[2] === '&') id = m[1], path = m[3]
- var etag = 'image-' + id + (path || '')
+ var unbox = typeof this.query.unbox === 'string' && this.query.unbox.replace(/\s/g, '+')
+ var etag = 'image-' + id + (path || '') + (unbox || '')
 if (self.req.headers['if-none-match'] === etag) return self.respond(304)
 if (path) {
- path = decodeURIComponent(path)
+ try { path = decodeURIComponent(path) } catch(e) {}
 if (path[0] === '#') {
- try {
- key = new Buffer(path.substr(1), 'base64')
- } catch(err) {
- return self.respond(400, err.message)
- }
- if (key.length !== 32) {
- return self.respond(400, 'Bad blob key')
- }
+ unbox = path.substr(1)
 } else {
 return self.respond(400, 'Bad blob request')
 }
 }
+ if (unbox) {
+ try {
+ key = new Buffer(unbox, 'base64')
+ } catch(err) {
+ return self.respond(400, err.message)
+ }
+ if (key.length !== 32) {
+ return self.respond(400, 'Bad blob key')
+ }
+ }
 self.app.wantSizeBlob(id, function (err, size) {
 if (err) {
 if (/^invalid/.test(err.message)) return self.respond(400, err.message) |
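Review bot: The secret key is copied verbatim into the validator by `(unbox || '')` on the new `etag` line, and the same is done in `Serve.prototype.blob` in the first hunk. If `etag` is later written to the `ETag` response header (that code is outside this hunk), the decryption key is repeated in response headers and in whatever stores them. HTTP caches already key entries on the full URL, so a fixed marker is enough to tell the boxed and unboxed representations apart: `var etag = 'image-' + id + (path || '') + (unbox ? '-unboxed' : '')`. Because the key now also travels in the query string, a comment next to `var unbox` such as `// unbox is a secret key: keep it out of logs and shared caches` would document the handling expectation.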