Register the 405 error handler properly. Enforce the appropriate methods for each route (GET or POST only, with OPTIONS disabled). Add tests for invalid methods. Add a friendlier 500 internal server error handler

2025-12-15 16:29:35 -05:00 · 2021-05-10 11:23:44 +10:00 · 2021-05-10 11:23:44 +10:00 · 2618e89eda
commit 2618e89eda
parent e067fc2963
11 changed files with 120 additions and 13 deletions
--- a/cli/onionshare_cli/web/chat_mode.py
+++ b/cli/onionshare_cli/web/chat_mode.py
@ -46,7 +46,7 @@ class ChatModeWeb:
        The web app routes for chatting
        """

-        @self.web.app.route("/")
+        @self.web.app.route("/", methods=["GET"], provide_automatic_options=False)
        def index():
            history_id = self.cur_history_id
            self.cur_history_id += 1
--- a/cli/onionshare_cli/web/receive_mode.py
+++ b/cli/onionshare_cli/web/receive_mode.py
@ -71,7 +71,7 @@ class ReceiveModeWeb:
        The web app routes for receiving files
        """

-        @self.web.app.route("/")
+        @self.web.app.route("/", methods=["GET"], provide_automatic_options=False)
        def index():
            history_id = self.cur_history_id
            self.cur_history_id += 1
@ -93,7 +93,7 @@ class ReceiveModeWeb:
            )
            return self.web.add_security_headers(r)

-        @self.web.app.route("/upload", methods=["POST"])
+        @self.web.app.route("/upload", methods=["POST"], provide_automatic_options=False)
        def upload(ajax=False):
            """
            Handle the upload files POST request, though at this point, the files have
@ -225,7 +225,7 @@ class ReceiveModeWeb:
                    )
                    return self.web.add_security_headers(r)

-        @self.web.app.route("/upload-ajax", methods=["POST"])
+        @self.web.app.route("/upload-ajax", methods=["POST"], provide_automatic_options=False)
        def upload_ajax_public():
            if not self.can_upload:
                return self.web.error403()
--- a/cli/onionshare_cli/web/send_base_mode.py
+++ b/cli/onionshare_cli/web/send_base_mode.py
@ -208,10 +208,6 @@ class SendBaseModeWeb:
        history_id = self.cur_history_id
        self.cur_history_id += 1

-        # Only GET requests are allowed, any other method should fail
-        if request.method != "GET":
-            return self.web.error405(history_id)
-
        self.web.add_request(
            self.web.REQUEST_INDIVIDUAL_FILE_STARTED,
            path,
--- a/cli/onionshare_cli/web/share_mode.py
+++ b/cli/onionshare_cli/web/share_mode.py
@ -134,8 +134,8 @@ class ShareModeWeb(SendBaseModeWeb):
        The web app routes for sharing files
        """

-        @self.web.app.route("/", defaults={"path": ""})
-        @self.web.app.route("/<path:path>")
+        @self.web.app.route("/", defaults={"path": ""}, methods=["GET"], provide_automatic_options=False)
+        @self.web.app.route("/<path:path>", methods=["GET"], provide_automatic_options=False)
        def index(path):
            """
            Render the template for the onionshare landing page.
@ -160,7 +160,7 @@ class ShareModeWeb(SendBaseModeWeb):

            return self.render_logic(path)

-        @self.web.app.route("/download")
+        @self.web.app.route("/download", methods=["GET"], provide_automatic_options=False)
        def download():
            """
            Download the zip file.
--- a/cli/onionshare_cli/web/web.py
+++ b/cli/onionshare_cli/web/web.py
@ -229,6 +229,20 @@ class Web:
            mode.cur_history_id += 1
            return self.error404(history_id)

+        @self.app.errorhandler(405)
+        def method_not_allowed(e):
+            mode = self.get_mode()
+            history_id = mode.cur_history_id
+            mode.cur_history_id += 1
+            return self.error405(history_id)
+
+        @self.app.errorhandler(500)
+        def method_not_allowed(e):
+            mode = self.get_mode()
+            history_id = mode.cur_history_id
+            mode.cur_history_id += 1
+            return self.error500(history_id)
+
        @self.app.route("/<password_candidate>/shutdown")
        def shutdown(password_candidate):
            """
@ -305,6 +319,19 @@ class Web:
        )
        return self.add_security_headers(r)

+    def error500(self, history_id):
+        self.add_request(
+            self.REQUEST_INDIVIDUAL_FILE_STARTED,
+            request.path,
+            {"id": history_id, "status_code": 500},
+        )
+
+        self.add_request(Web.REQUEST_OTHER, request.path)
+        r = make_response(
+            render_template("500.html", static_url_path=self.static_url_path), 405
+        )
+        return self.add_security_headers(r)
+
    def add_security_headers(self, r):
        """
        Add security headers to a request
--- a/cli/onionshare_cli/web/website_mode.py
+++ b/cli/onionshare_cli/web/website_mode.py
@ -37,8 +37,8 @@ class WebsiteModeWeb(SendBaseModeWeb):
        The web app routes for sharing a website
        """

-        @self.web.app.route("/", defaults={"path": ""})
-        @self.web.app.route("/<path:path>")
+        @self.web.app.route("/", defaults={"path": ""}, methods=["GET", "POST"], provide_automatic_options=False)
+        @self.web.app.route("/<path:path>", methods=["GET", "POST"], provide_automatic_options=False)
        def path_public(path):
            return path_logic(path)