From 41be429b91f8b323644fe200f696df1890ac3de7 Mon Sep 17 00:00:00 2001
From: Micah Lee
Date: Wed, 22 May 2019 20:07:35 -0700
Subject: [PATCH] Make static folder URL have a high-entropy random path, to avoid filename collisions with files getting shared

---
 onionshare/web/receive_mode.py | 9 ++++++---
 onionshare/web/share_mode.py | 9 ++++++---
 onionshare/web/web.py | 14 ++++++++++----
 onionshare/web/website_mode.py | 3 ++-
 share/templates/401.html | 6 +++---
 share/templates/403.html | 6 +++---
 share/templates/404.html | 6 +++---
 share/templates/denied.html | 2 +-
 share/templates/listing.html | 10 +++++-----
 share/templates/receive.html | 16 ++++++++--------
 share/templates/receive_noscript_xss.html | 6 +++---
 share/templates/send.html | 12 ++++++------
 share/templates/thankyou.html | 8 ++++----
 13 files changed, 60 insertions(+), 47 deletions(-)

diff --git a/onionshare/web/receive_mode.py b/onionshare/web/receive_mode.py
index 60f421fa..3f848d2f 100644
--- a/onionshare/web/receive_mode.py
+++ b/onionshare/web/receive_mode.py
@@ -34,7 +34,8 @@ class ReceiveModeWeb(object):
 @self.web.app.route("/")
 def index():
 self.web.add_request(self.web.REQUEST_LOAD, request.path)
- r = make_response(render_template('receive.html'))
+ r = make_response(render_template('receive.html',
+ static_url_path=self.web.static_url_path))
 return self.web.add_security_headers(r)
 
 @self.web.app.route("/upload", methods=['POST'])
@@ -105,10 +106,12 @@ class ReceiveModeWeb(object):
 return redirect('/')
 else:
 if ajax:
- return json.dumps({"new_body": render_template('thankyou.html')})
+ return json.dumps({
+ "new_body": render_template('thankyou.html', static_url_path=self.web.static_url_path)
+ })
 else:
 # It was the last upload and the timer ran out
- r = make_response(render_template('thankyou.html'))
+ r = make_response(render_template('thankyou.html'), static_url_path=self.web.static_url_path)
 return self.web.add_security_headers(r)
 
 @self.web.app.route("/upload-ajax", methods=['POST'])
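Review bot: In the `else` branch of the second hunk (the non-AJAX "last upload" path) the new keyword argument lands on `make_response` instead of `render_template` because the closing parenthesis moved: `make_response` accepts only positional arguments, so this line raises `TypeError` the first time that branch runs, and the template would not receive the value even if it did not. It should read `r = make_response(render_template('thankyou.html', static_url_path=self.web.static_url_path))`, matching the `index()` hunk above it. The same misplaced argument appears in the first hunk of `onionshare/web/share_mode.py` (the `denied.html` response in the index route), whereas that file's `/download` hunk places it correctly. The function enclosing the second hunk starts and ends outside it.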
diff --git a/onionshare/web/share_mode.py b/onionshare/web/share_mode.py
index 22c58559..0dfa7e0a 100644
--- a/onionshare/web/share_mode.py
+++ b/onionshare/web/share_mode.py
@@ -55,7 +55,8 @@ class ShareModeWeb(object):
 # currently a download
 deny_download = not self.web.stay_open and self.download_in_progress
 if deny_download:
- r = make_response(render_template('denied.html'))
+ r = make_response(render_template('denied.html'),
+ static_url_path=self.web.static_url_path)
 return self.web.add_security_headers(r)
 
 # If download is allowed to continue, serve download page
@@ -70,7 +71,8 @@ class ShareModeWeb(object):
 filename=os.path.basename(self.download_filename),
 filesize=self.filesize,
 filesize_human=self.common.human_readable_filesize(self.download_filesize),
- is_zipped=self.is_zipped))
+ is_zipped=self.is_zipped,
+ static_url_path=self.web.static_url_path))
 return self.web.add_security_headers(r)
 
 @self.web.app.route("/download")
@@ -82,7 +84,8 @@ class ShareModeWeb(object):
 # currently a download
 deny_download = not self.web.stay_open and self.download_in_progress
 if deny_download:
- r = make_response(render_template('denied.html'))
+ r = make_response(render_template('denied.html',
+ static_url_path=self.web.static_url_path))
 return self.web.add_security_headers(r)
 
 # Each download has a unique id
diff --git a/onionshare/web/web.py b/onionshare/web/web.py
index eb4c34a9..1500a23c 100644
--- a/onionshare/web/web.py
+++ b/onionshare/web/web.py
@@ -51,8 +51,13 @@ class Web(object):
 self.common = common
 self.common.log('Web', '__init__', 'is_gui={}, mode={}'.format(is_gui, mode))
 
+ # The static URL path has a 128-bit random number in it to avoid having name
+ # collisions with files that might be getting shared
+ self.static_url_path = '/static_{}'.format(self.common.random_string(16))
+
 # The flask app
 self.app = Flask(__name__,
+ static_url_path=self.static_url_path,
 static_folder=self.common.get_resource_path('static'),
 template_folder=self.common.get_resource_path('templates'))
 self.app.secret_key = self.common.random_string(8)
@@ -163,7 +168,8 @@ class Web(object):
 """
 Display instructions for disabling Tor Browser's NoScript XSS setting
 """
- r = make_response(render_template('receive_noscript_xss.html'))
+ r = make_response(render_template('receive_noscript_xss.html',
+ static_url_path=self.static_url_path))
 return self.add_security_headers(r)
 
 def error401(self):
@@ -181,18 +187,18 @@ class Web(object):
 self.force_shutdown()
 print("Someone has made too many wrong attempts to guess your password, so OnionShare has stopped the server. Start sharing again and send the recipient a new address to share.")
 
- r = make_response(render_template('401.html'), 401)
+ r = make_response(render_template('401.html', static_url_path=self.static_url_path), 401)
 return self.add_security_headers(r)
 
 def error404(self):
 self.add_request(Web.REQUEST_OTHER, request.path)
- r = make_response(render_template('404.html'), 404)
+ r = make_response(render_template('404.html', static_url_path=self.static_url_path), 404)
 return self.add_security_headers(r)
 
 def error403(self):
 self.add_request(Web.REQUEST_OTHER, request.path)
- r = make_response(render_template('403.html'), 403)
+ r = make_response(render_template('403.html', static_url_path=self.static_url_path), 403)
 return self.add_security_headers(r)
 
 def add_security_headers(self, r):
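Review bot: Passing `static_url_path` by hand to every `render_template` call, as the second and third hunks here and the sibling files do, is fragile: it is how the two misplaced keyword arguments in `receive_mode.py` and `share_mode.py` crept in, and any template rendered without it presumably degrades to a bare `/`-rooted asset link that now 404s against the randomized prefix. Since the first hunk already hands the prefix to `Flask(..., static_url_path=self.static_url_path)`, templates can resolve it with `url_for('static', filename=...)` and no per-call plumbing; alternatively register it once right after the app is created, `self.app.jinja_env.globals['static_url_path'] = self.static_url_path`, and drop the keyword arguments everywhere. The comment's "128-bit random number" only holds if `random_string(16)` draws 16 random bytes; that is worth confirming against `common.random_string` or rewording as `# random suffix from common.random_string()`. `__init__` continues outside the first hunk.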
diff --git a/onionshare/web/website_mode.py b/onionshare/web/website_mode.py
index 354c5aa7..d2cd6db9 100644
--- a/onionshare/web/website_mode.py
+++ b/onionshare/web/website_mode.py
@@ -131,7 +131,8 @@ class WebsiteModeWeb(object):
 r = make_response(render_template('listing.html',
 path=path,
 files=files,
- dirs=dirs))
+ dirs=dirs,
+ static_url_path=self.web.static_url_path))
 return self.web.add_security_headers(r)
 
 def set_file_info(self, filenames):
diff --git a/share/templates/401.html b/share/templates/401.html
index 9d3989a3..dc50f534 100644
--- a/share/templates/401.html
+++ b/share/templates/401.html
@@ -3,14 +3,14 @@ OnionShare: 401 Unauthorized Access - - + +
-

+

401 Unauthorized Access

diff --git a/share/templates/403.html b/share/templates/403.html index f3ea4e0e..2ebab09a 100644 --- a/share/templates/403.html +++ b/share/templates/403.html @@ -3,14 +3,14 @@ OnionShare: 403 Forbidden - - + +
-

+

You are not allowed to perform that action at this time.

diff --git a/share/templates/404.html b/share/templates/404.html index 1c5d7d2d..375c125d 100644 --- a/share/templates/404.html +++ b/share/templates/404.html @@ -3,14 +3,14 @@ OnionShare: 404 Not Found - - + +
-

+

404 Not Found

diff --git a/share/templates/denied.html b/share/templates/denied.html index 94fb379b..ad4d0b21 100644 --- a/share/templates/denied.html +++ b/share/templates/denied.html @@ -3,7 +3,7 @@ OnionShare - + diff --git a/share/templates/listing.html b/share/templates/listing.html index 8883eea9..e394f842 100644 --- a/share/templates/listing.html +++ b/share/templates/listing.html @@ -2,13 +2,13 @@ OnionShare - - + +
- +

OnionShare

@@ -22,7 +22,7 @@ {% for info in dirs %} - + {{ info.basename }} @@ -34,7 +34,7 @@ {% for info in files %} - + {{ info.basename }} diff --git a/share/templates/receive.html b/share/templates/receive.html index dd36ac72..23242501 100644 --- a/share/templates/receive.html +++ b/share/templates/receive.html @@ -2,13 +2,13 @@ OnionShare - - + +
- +

OnionShare

@@ -19,14 +19,14 @@ -->

- Warning: Due to a bug in Tor Browser and Firefox, uploads + Warning: Due to a bug in Tor Browser and Firefox, uploads sometimes never finish. To upload reliably, either set your Tor Browser security slider to Standard or turn off your Tor Browser's NoScript XSS setting.

-

+

Send Files

Select the files you want to send, then click "Send Files"...

@@ -51,8 +51,8 @@ - - - + + + diff --git a/share/templates/receive_noscript_xss.html b/share/templates/receive_noscript_xss.html index bce78524..84d35ba1 100644 --- a/share/templates/receive_noscript_xss.html +++ b/share/templates/receive_noscript_xss.html @@ -2,13 +2,13 @@ OnionShare - - + +
- +

OnionShare

diff --git a/share/templates/send.html b/share/templates/send.html index 7be9e100..e0076c0f 100644 --- a/share/templates/send.html +++ b/share/templates/send.html @@ -3,8 +3,8 @@ OnionShare - - + + @@ -18,7 +18,7 @@
  • Download Files
  • - +

    OnionShare

    @@ -31,7 +31,7 @@ {% for info in file_info.dirs %} - + {{ info.basename }} {{ info.size_human }} @@ -41,7 +41,7 @@ {% for info in file_info.files %} - + {{ info.basename }} {{ info.size_human }} @@ -49,7 +49,7 @@ {% endfor %} - + diff --git a/share/templates/thankyou.html b/share/templates/thankyou.html index c4b39cde..b7e2b97c 100644 --- a/share/templates/thankyou.html +++ b/share/templates/thankyou.html @@ -3,19 +3,19 @@ OnionShare is closed - - + +
    - +

    OnionShare

    -

    +

    Thank you for using OnionShare

    You may now close this window.