Use a route instead of s.php and convert tokens asap

11 years ago · 2a4c51389c
parent 0f2ad9862e
commit 2a4c51389c
12 changed files with 69 additions and 54 deletions
--- a/apps/files_sharing/public.php
+++ b/apps/files_sharing/public.php
@ -13,8 +13,12 @@ if ($appConfig->getValue('core', 'shareapi_allow_links', 'yes') !== 'yes') {
 	exit();
 }

+// Legacy sharing links via public.php have the token in $GET['t']
 if (isset($_GET['t'])) {
 	$token = $_GET['t'];
+}
+
+if (isset($token)) {
 	$linkItem = OCP\Share::getShareByToken($token, false);
 	if (is_array($linkItem) && isset($linkItem['uid_owner'])) {
 		// seems to be a valid share
--- a/config/config.sample.php
+++ b/config/config.sample.php
@ -201,6 +201,18 @@ $CONFIG = array(
 /* Whether ownCloud should log the last successfull cron exec */
 "cron_log" => true,

+/*
+ * Length of sharing tokens and the resulting links.
+ * This value defines how many possible sharing links there are, choosing a low value like 1 will make it easy to guess
+ * sharing links and will also limit the maximum number of shares. Behaviour after all tokens are used is undefined and
+ * may result in breakage.
+ * 1: Length of 4. Maximum of 65536 tokens. Links may look like this: example.com/s/1ekf
+ * 2: Length of 8. Maximum of 2^32 tokens. Links may look like this: example.com/s/1z141z3
+ * 3: (Default) Length of 16. Maximum of 2^64 tokens. Links may look like this: example.com/s/3w5e11264sgsf
+ * 4: (Old default, but base36) Length of 32. Maximum of 2^128 tokens. Links may look like this: example.com/s/f5lxx1zz5pnorynqglhzmsp33
+ */
+"sharing_token_length" => 3,
+
 /*
 * Configure the size in bytes log rotation should happen, 0 or false disables the rotation.
 * This rotates the current owncloud logfile to a new name, this way the total log usage
--- a/core/ajax/share.php
+++ b/core/ajax/share.php
@ -46,8 +46,6 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 						(!empty($_POST['expirationDate']) ? new \DateTime($_POST['expirationDate']) : null)
 					);

-					$token = base_convert($token, 16, 36);
-
 					if (is_string($token)) {
 						OC_JSON::success(array('data' => array('token' => $token)));
 					} else {
--- a/core/js/js.js
+++ b/core/js/js.js
@ -246,6 +246,7 @@ var OC={
 			url = '/' + url;

 		}
+		// TODO save somewhere whether the webserver is able to skip the index.php to have shorter links (e.g. for sharing)
 		return OC.webroot + '/index.php' + _build(url, params);
 	},

--- a/core/js/share.js
+++ b/core/js/share.js
@ -663,8 +663,6 @@ OC.Share={
 			// TODO: use oc webroot ?
 			var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 'public.php')+'?service=files&'+type+'='+encodeURIComponent(file);
 		} else {
-			// convert the token to base36
-			//token = parseInt(token, 16).toString(36);
 			//TODO add path param when showing a link to file in a subfolder of a public link share
 			var service='';
 			if(linkSharetype === 'folder' || linkSharetype === 'file'){
@ -677,7 +675,7 @@ OC.Share={
 			if (service !== 'files') {
 				var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 'public.php')+'?service='+service+'&t='+token;
 			} else {
-				var link = parent.location.protocol+'//'+location.host+OC.linkTo('', 's.php')+'?t='+token;
+				var link = parent.location.protocol+'//'+location.host+OC.generateUrl('/s/')+token;
 			}
 		}
 		$('#linkText').val(link);
--- a/core/js/tests/specs/shareSpec.js
+++ b/core/js/tests/specs/shareSpec.js
@ -151,7 +151,7 @@ describe('OC.Share tests', function() {
 				expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true);
 				// this is how the OC.Share class does it...
 				var link = parent.location.protocol + '//' + location.host +
-					OC.linkTo('', 'public.php')+'?service=files&t=tehtoken';
+					OC.generateUrl('/s/') + 'tehtoken';
 				expect($('#dropdown #linkText').val()).toEqual(link);
 			});
 			it('does not show populated link share when a link share exists for a different file', function() {
@ -243,7 +243,7 @@ describe('OC.Share tests', function() {
 				expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true);
 				// this is how the OC.Share class does it...
 				var link = parent.location.protocol + '//' + location.host +
-					OC.linkTo('', 'public.php')+'?service=files&t=tehtoken';
+					OC.generateUrl('/s/') + 'tehtoken';
 				expect($('#dropdown #linkText').val()).toEqual(link);

 				// nested one
@ -258,7 +258,7 @@ describe('OC.Share tests', function() {
 				expect($('#dropdown #linkCheckbox').prop('checked')).toEqual(true);
 				// this is how the OC.Share class does it...
 				link = parent.location.protocol + '//' + location.host +
-					OC.linkTo('', 'public.php')+'?service=files&t=anothertoken';
+					OC.generateUrl('/s/') + 'anothertoken';
 				expect($('#dropdown #linkText').val()).toEqual(link);
 			});
 			describe('expiration date', function() {
--- a/core/routes.php
+++ b/core/routes.php
@ -100,6 +100,11 @@ $this->create('core_avatar_post_cropped', '/avatar/cropped')
 	->post()
 	->action('OC\Core\Avatar\Controller', 'postCroppedAvatar');

+// Sharing routes
+$this->create('core_share_show_share', '/s/{token}')
+	->get()
+	->action('OC\Core\Share\Controller', 'showShare');
+
 // used for heartbeat
 $this->create('heartbeat', '/heartbeat')->action(function(){
 	// do nothing
--- a/core/share/controller.php
+++ b/core/share/controller.php
@ -0,0 +1,23 @@
+<?php
+/**
+ * Copyright (c) 2014 Christopher Schäpers <christopher@schaepers.it>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace OC\Core\Share;
+
+class Controller {
+	public static function showShare($args) {
+		\OC_Util::checkAppEnabled('files_sharing');
+
+		$token = $args['token'];
+
+		\OC_App::loadApp('files_sharing');
+		\OC_User::setIncognitoMode(true);
+
+		require_once \OC_App::getAppPath('files_sharing') .'/public.php';
+	}
+}
+?>
--- a/lib/private/share/constants.php
+++ b/lib/private/share/constants.php
@ -34,8 +34,6 @@ class Constants {
 	const FORMAT_STATUSES = -2;
 	const FORMAT_SOURCES = -3;  // ToDo Check if it is still in use otherwise remove it

-	const TOKEN_LENGTH = 16; // old length is 32, thus 32 in db_structure.xml
-
 	protected static $shareTypeUserAndGroups = -1;
 	protected static $shareTypeGroupUserUnique = 2;
 	protected static $backends = array();
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@ -640,7 +640,26 @@ class Share extends \OC\Share\Constants {
 				if (isset($oldToken)) {
 					$token = $oldToken;
 				} else {
-					$token = \OC_Util::generateRandomBytes(self::TOKEN_LENGTH);
+					// Determine how long the token should be
+					switch (\OC_Config::getValue("sharing_token_length", 3)) {
+						case 1:
+							$tokenLength = 4;
+							break;
+						case 2:
+							$tokenLength = 8;
+							break;
+						// Default is 3, so skip the 3 block
+						case 4:
+							$tokenLength = 32;
+							break;
+						// Anything other than 1-4 should be default 3
+						default:
+							$tokenLength = 16;
+							break;
+					}
+					$token = \OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate($tokenLength,
+						\OCP\Security\ISecureRandom::CHAR_LOWER.\OCP\Security\ISecureRandom::CHAR_DIGITS
+					);
 				}
 				$result = self::put($itemType, $itemSource, $shareType, $shareWith, $uidOwner, $permissions,
 					null, $token, $itemSourceName, $expirationDate);
--- a/public.php
+++ b/public.php
@ -36,8 +36,6 @@ try {
 	\OC::$REQUESTEDAPP = $app;
 	OC_App::loadApps(array('authentication'));
 	OC_App::loadApps(array('filesystem', 'logging'));
-	print_r($_GET);
-	print_r($parts);

 	OC_Util::checkAppEnabled($app);
 	OC_App::loadApp($app);
--- a/s.php
+++ b/s.php
@ -1,41 +0,0 @@
-<?php
-
-try {
-
-	require_once 'lib/base.php';
-	OC::checkMaintenanceMode();
-	OC::checkSingleUserMode();
-	$file = OCP\CONFIG::getAppValue('core', 'public_files');
-	if(is_null($file)) {
-		header('HTTP/1.0 404 Not Found');
-		exit;
-	}
-
-	// convert the token to hex, if it's base36
-	if (strlen((string)$_GET['t']) != 16 && strlen((string)$_GET['t']) != 32) {
-		$_GET['t'] = base_convert($_GET['t'], 36, 16);
-
-		// the token should have leading zeroes and needs to be padded
-		if (strlen((string)$_GET['t']) != 16) {
-			$padding = '';
-			for ($i = 0; $i < (16 - strlen((string)$_GET['t'])); $i++) {
-				$padding .= '0';
-			}
-			$_GET['t'] = $padding . $_GET['t'];
-		}
-	}
-
-	print($_GET['t']);
-
-	OC_Util::checkAppEnabled('files_sharing');
-	OC_App::loadApp('files_sharing');
-	OC_User::setIncognitoMode(true);
-
-	require_once OC_App::getAppPath('files_sharing') .'/public.php';
-
-} catch (Exception $ex) {
-	//show the user a detailed error page
-	OC_Response::setStatus(OC_Response::STATUS_INTERNAL_SERVER_ERROR);
-	\OCP\Util::writeLog('remote', $ex->getMessage(), \OCP\Util::FATAL);
-	OC_Template::printExceptionErrorPage($ex);
-}