From a34dfa54a947eb69c31b3196a8be8a8705a9f4b3 Mon Sep 17 00:00:00 2001
From: cel
Date: Tue, 12 Dec 2017 12:47:24 -0800
Subject: Serve querystring-style secret blobs
e.g. %+WP4++A4PSy5riB4SfVhEQknfFueFhZOYBPiIUbW8PE=.sha256
---
 lib/serve.js | 48 ++++++++++++++++++++++++++++--------------------
 1 file changed, 28 insertions(+), 20 deletions(-)
(limited to 'lib/serve.js')
diff --git a/lib/serve.js b/lib/serve.js
index c858a1b..56b981b 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -1098,24 +1098,28 @@ Serve.prototype.highlight = function (dirs) {
 
 Serve.prototype.blob = function (id, path) {
   var self = this
-  var etag = id + (path || '')
+  var unbox = typeof this.query.unbox === 'string' && this.query.unbox.replace(/\s/g, '+')
+  var etag = id + (path || '') + (unbox || '')
   if (self.req.headers['if-none-match'] === etag) return self.respond(304)
   var key
   if (path) {
-    path = decodeURIComponent(path)
+    try { path = decodeURIComponent(path) } catch(e) {}
     if (path[0] === '#') {
-      try {
-        key = new Buffer(path.substr(1), 'base64')
-      } catch(err) {
-        return self.respond(400, err.message)
-      }
-      if (key.length !== 32) {
-        return self.respond(400, 'Bad blob key')
-      }
+      unbox = path.substr(1)
     } else {
       return self.respond(400, 'Bad blob request')
     }
   }
+  if (unbox) {
+    try {
+      key = new Buffer(unbox, 'base64')
+    } catch(err) {
+      return self.respond(400, err.message)
+    }
+    if (key.length !== 32) {
+      return self.respond(400, 'Bad blob key')
+    }
+  }
   self.app.wantSizeBlob(id, function (err, size) {
     if (err) {
       if (/^invalid/.test(err.message)) return self.respond(400, err.message)
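Review bot: The secret blob key is written verbatim into the tag on the new `var etag = id + (path || '') + (unbox || '')` line (the `image` hunk below has the same line), so if `etag` is later sent as the `ETag` header — that part of both functions lies outside the hunks — the key material is echoed to the client and to any proxy or cache that records response headers, and it comes back in `If-None-Match` as the comparison on the following line shows. A digest keeps the 304 logic intact without exposing the key: `var etag = crypto.createHash('sha256').update(id + (path || '') + (unbox || '')).digest('hex')`, which needs `require('crypto')` in the file's require block, outside these hunks. In Node, `new Buffer(unbox, 'base64')` does not throw on malformed base64 (invalid characters are skipped), so the `catch(err)` branch in the new `if (unbox)` block is effectively unreachable and the `key.length !== 32` check is what actually rejects bad keys; `Buffer.from(unbox, 'base64')` also avoids the deprecated constructor. The empty `catch(e) {}` around `decodeURIComponent(path)` carries on with the undecoded path, so a malformed percent-encoding surfaces later as a confusing key error; `catch(e) { return self.respond(400, 'Bad blob path') }` says what went wrong at the point it is known. Both `blob` and `image` continue past the end of their hunks.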
@@ -1148,23 +1152,27 @@ Serve.prototype.image = function (path) {
   var id, key
   var m = urlIdRegex.exec(path)
   if (m && m[2] === '&') id = m[1], path = m[3]
-  var etag = 'image-' + id + (path || '')
+  var unbox = typeof this.query.unbox === 'string' && this.query.unbox.replace(/\s/g, '+')
+  var etag = 'image-' + id + (path || '') + (unbox || '')
   if (self.req.headers['if-none-match'] === etag) return self.respond(304)
   if (path) {
-    path = decodeURIComponent(path)
+    try { path = decodeURIComponent(path) } catch(e) {}
     if (path[0] === '#') {
-      try {
-        key = new Buffer(path.substr(1), 'base64')
-      } catch(err) {
-        return self.respond(400, err.message)
-      }
-      if (key.length !== 32) {
-        return self.respond(400, 'Bad blob key')
-      }
+      unbox = path.substr(1)
     } else {
       return self.respond(400, 'Bad blob request')
     }
   }
+  if (unbox) {
+    try {
+      key = new Buffer(unbox, 'base64')
+    } catch(err) {
+      return self.respond(400, err.message)
+    }
+    if (key.length !== 32) {
+      return self.respond(400, 'Bad blob key')
+    }
+  }
   self.app.wantSizeBlob(id, function (err, size) {
     if (err) {
       if (/^invalid/.test(err.message)) return self.respond(400, err.message)
-- cgit v1.2.3