diff --git a/server.go b/server.go
index b6e74da..4cb88e4 100644
--- a/server.go
+++ b/server.go
@@ -36,6 +36,7 @@ var Config struct {
 	fastcgi bool
 	remoteUploads bool
 	authFile string
+	remoteAuthFile string
 }
 
 var Templates = make(map[string]*pongo2.Template)
@@ -43,6 +44,7 @@ var TemplateSet *pongo2.TemplateSet
 var staticBox *rice.Box
 var timeStarted time.Time
 var timeStartedStr string
+var remoteAuthKeys []string
 
 func setup() *web.Mux {
 	mux := web.New()
@@ -126,6 +128,10 @@ func setup() *web.Mux {
 	if Config.remoteUploads {
 		mux.Get("/upload", uploadRemote)
 		mux.Get("/upload/", uploadRemote)
+
+		if Config.remoteAuthFile != "" {
+			remoteAuthKeys = readAuthKeys(Config.remoteAuthFile)
+		}
 	}
 
 	mux.Post("/upload", uploadPostHandler)
@@ -175,6 +181,8 @@ func main() {
 		"enable remote uploads")
 	flag.StringVar(&Config.authFile, "authfile", "",
 		"path to a file containing newline-separated scrypted auth keys")
+	flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
+		"path to a file containing newline-separated scrypted auth keys for remote uploads")
 	flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
 		"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer none;",
 		"value of default Content-Security-Policy header")
diff --git a/upload.go b/upload.go
index b24a8ce..63582d9 100644
--- a/upload.go
+++ b/upload.go
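Review bot: The new "remoteauthfile" flag help in the main() hunk does not say that the file is only read when remote uploads are enabled, yet the setup() hunk loads remoteAuthKeys only inside `if Config.remoteUploads {`, so a `-remoteauthfile` given without `-remoteuploads` is silently ignored. Suggest extending the help string to `"path to a file containing newline-separated scrypted auth keys for remote uploads (only used with -remoteuploads)"`. It may also be worth noting in the same place, or in a comment above `var remoteAuthKeys []string`, that the key list is populated once by setup() and never reloaded; whether readAuthKeys reports a missing or unreadable file is not visible in this diff, so that behaviour should be confirmed. Both setup() and main() extend beyond the hunks shown.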
@@ -138,6 +138,19 @@ func uploadPutHandler(c web.C, w http.ResponseWriter, r *http.Request) {
 }
 
 func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
+	if Config.remoteAuthFile != "" {
+		result, err := checkAuth(remoteAuthKeys, []byte(r.FormValue("key")))
+		if err != nil || !result {
+			unauthorizedHandler(c, w, r)
+		}
+	} else {
+		// strict referrer checking is mandatory without remote auth keys
+		if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
+			badRequestHandler(c, w, r)
+			return
+		}
+	}
+
 	if r.FormValue("url") == "" {
 		http.Redirect(w, r, "/", 303)
 		return
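Review bot: The failed-authentication branch in uploadRemote calls `unauthorizedHandler(c, w, r)` but does not return, so when checkAuth errors or rejects the key the handler writes the unauthorized response and then falls through into the `url` check and the rest of the remote-upload path, which means the auth file does not actually gate the upload. The sibling referrer branch gets this right with `badRequestHandler(c, w, r)` followed by `return`; the same `return` belongs directly after `unauthorizedHandler(c, w, r)`. Also worth a short comment on the outer `if`: when a remote auth file is configured the strict referrer check is skipped entirely, which looks intentional but should be stated (`// with remote auth keys the key replaces the referrer check`) so a later reader does not treat it as an oversight. The body of uploadRemote continues past the end of the hunk.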