flounder

A simple gemini site builder

commit f8d68c8141b6f949e42d900e1def34d1d8198e10
parent 3c74fa01c07854b8337b39f4b7f32af5c27ec3d7
Author: alex wennerberg <alex@alexwennerberg.com>
Date:   Sat, 27 Feb 2021 08:47:59 -0800

Fix serious bug with login

Diffstat:
Mhttp.go | 3++-
Mlimit.go | 2+-
Msftp.go | 44++++++++++++++++----------------------------
3 files changed, 19 insertions(+), 30 deletions(-)

diff --git a/http.go b/http.go
@@ -361,13 +361,14 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 name := strings.ToLower(r.Form.Get("username"))
 password := r.Form.Get("password")
 username, isAdmin, err := checkLogin(name, password)
- if err != nil {
+ if err == nil {
 log.Println("logged in")
 session, _ := SessionStore.Get(r, "cookie-session")
 session.Values["auth_user"] = username
 session.Values["admin"] = isAdmin
 session.Save(r, w)
 http.Redirect(w, r, "/my_site", http.StatusSeeOther)
+ return
 } else {
 data := struct {
 Error string
diff --git a/limit.go b/limit.go
@@ -22,7 +22,7 @@ func getVisitor(ip string) *rate.Limiter {
 limiter, exists := visitors[ip]
 if !exists {
- limiter = rate.NewLimiter(.5, 1)
+ limiter = rate.NewLimiter(.5, 2)
 visitors[ip] = limiter
 }
diff --git a/sftp.go b/sftp.go
@@ -16,7 +16,6 @@ import (
 "path"
 "path/filepath"
 "runtime/debug"
- "strings"
 "time"
 "github.com/pkg/sftp"
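Review bot: In http.go's loginHandler, the success branch still discards the errors from `SessionStore.Get` and `session.Save(r, w)` and redirects to /my_site regardless, so a failed save sends the user on without a usable session and nothing records why. Checking it, e.g. `if err := session.Save(r, w); err != nil { http.Error(w, "could not save session", http.StatusInternalServerError); return }`, keeps that failure visible. `log.Println("logged in")` would serve auditing better if it named the account, for instance `log.Printf("login ok user=%q", username)`. Since the previous condition created a session exactly when checkLogin returned an error, a handler test that posts a wrong password and asserts that no `auth_user` value is set would guard against the inversion coming back. The handler's else branch continues outside the hunk.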
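Review bot: In limit.go's getVisitor, the burst passed to `rate.NewLimiter(.5, 2)` is doubled without a comment, and the commit message only mentions the login fix. If this per-IP limiter also fronts the login form (not visible here), it is the throttle on password guessing, so the two numbers deserve a line such as `// 1 request per 2s sustained, burst of 2 per IP`, or named constants. getVisitor's body continues outside the hunk.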
@@ -39,24 +38,18 @@ func (con *Connection) Fileread(request *sftp.Request) (io.ReaderAt, error) {
 func (con *Connection) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 // check user perms -- cant write others files
- fullpath := path.Join(c.FilesDirectory, filepath.Clean(request.Filepath))
 userDir := getUserDirectory(con.User) // NOTE -- not cross platform
- if strings.HasPrefix(fullpath, userDir) {
- f, err := os.OpenFile(fullpath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
- if err != nil {
- return nil, err
- }
- return f, nil
- } else {
- return nil, fmt.Errorf("Invalid permissions")
+ fullpath := path.Join(userDir, filepath.Clean(request.Filepath))
+ f, err := os.OpenFile(fullpath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
+ if err != nil {
+ return nil, err
 }
+ return f, nil
 }
 func (conn *Connection) Filelist(request *sftp.Request) (sftp.ListerAt, error) {
- fullpath := path.Join(c.FilesDirectory, filepath.Clean(request.Filepath))
- if strings.Contains(request.Filepath, ".hidden") {
- return nil, fmt.Errorf("Invalid permissions") // TODO fix better
- }
+ userDir := getUserDirectory(conn.User) // NOTE -- not cross platform
+ fullpath := path.Join(userDir, filepath.Clean(request.Filepath))
 switch request.Method {
 case "List":
 f, err := os.Open(fullpath)
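Review bot: In sftp.go's Filewrite and Filelist (and Filecmd in the following hunk), dropping the `strings.HasPrefix(fullpath, userDir)` guard means confinement to the user's directory now rests entirely on `request.Filepath` arriving as an absolute path, because `filepath.Clean` keeps leading `..` segments on a relative path and `path.Join` would then resolve above userDir. Rooting the path before joining makes the handlers independent of what the SFTP library delivers: `fullpath := path.Join(userDir, path.Clean("/"+request.Filepath))`. A small shared helper that does this for all three handlers would keep them from drifting apart. Separately, the `0666` mode on `os.OpenFile` leaves new files group- and world-writable subject to the umask; `0644` is the safer default. Filelist's body continues outside the hunk.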
@@ -80,22 +73,17 @@ func (conn *Connection) Filelist(request *sftp.Request) (sftp.ListerAt, error) {
 func (conn *Connection) Filecmd(request *sftp.Request) error {
 // remove, rename, setstat? find out
- fullpath := path.Join(c.FilesDirectory, filepath.Clean(request.Filepath))
 userDir := getUserDirectory(conn.User) // NOTE -- not cross platform
- writePerms := strings.HasPrefix(fullpath, userDir)
+ fullpath := path.Join(userDir, filepath.Clean(request.Filepath))
 var err error
- if writePerms {
- switch request.Method {
- case "Remove":
- err = os.Remove(fullpath)
- case "Mkdir":
- err = os.Mkdir(fullpath, 0755)
- }
- if err != nil {
- return err
- }
- } else {
- return fmt.Errorf("Unauthorized")
+ switch request.Method {
+ case "Remove":
+ err = os.Remove(fullpath)
+ case "Mkdir":
+ err = os.Mkdir(fullpath, 0755)
+ }
+ if err != nil {
+ return err
 }
 // Rename, Mkdir
 return nil
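Review bot: In Filecmd, any method other than "Remove" or "Mkdir" falls through the switch with `err` still nil and the function returns nil, so the client is told that a Rename or Setstat succeeded when nothing was done. Adding `default: return sftp.ErrSSHFxOpUnsupported` to the switch makes the unsupported operations explicit to the client and in any error logging. The trailing comment `// Rename, Mkdir` above `return nil` looks stale now that Mkdir is handled in the switch.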