Merge branch 'develop' into 1470_tempfiles

2025-05-02 06:26:10 -04:00 · 2021-12-01 20:37:45 -08:00 · 2021-12-01 20:37:45 -08:00 · 5322d4f037
commit 5322d4f037
parent 2ff5f53c69 01aa8a36f3
127 changed files with 4456 additions and 1626 deletions
--- a/cli/onionshare_cli/init.py
+++ b/cli/onionshare_cli/init.py
@ -150,7 +150,13 @@ def main(cwd=None):
        action="store_true",
        dest="disable_csp",
        default=False,
-        help="Publish website: Disable Content Security Policy header (allows your website to use third-party resources)",
+        help="Publish website: Disable the default Content Security Policy header (allows your website to use third-party resources)",
+    )
+    parser.add_argument(
+        "--custom_csp",
+        metavar="custom_csp",
+        default=None,
+        help="Publish website: Set a custom Content Security Policy header",
    )
    # Other
    parser.add_argument(
@ -189,6 +195,7 @@ def main(cwd=None):
    disable_text = args.disable_text
    disable_files = args.disable_files
    disable_csp = bool(args.disable_csp)
+    custom_csp = args.custom_csp
    verbose = bool(args.verbose)

    # Verbose mode?
@ -234,7 +241,15 @@ def main(cwd=None):
            mode_settings.set("receive", "disable_text", disable_text)
            mode_settings.set("receive", "disable_files", disable_files)
        if mode == "website":
-            mode_settings.set("website", "disable_csp", disable_csp)
+            if disable_csp and custom_csp:
+                print("You cannot disable the CSP and set a custom one. Either set --disable-csp or --custom-csp but not both.")
+                sys.exit()
+            if disable_csp:
+                mode_settings.set("website", "disable_csp", True)
+                mode_settings.set("website", "custom_csp", None)
+            if custom_csp:
+                mode_settings.set("website", "custom_csp", custom_csp)
+                mode_settings.set("website", "disable_csp", False)
    else:
        # See what the persistent mode was
        mode = mode_settings.get("persistent", "mode")
--- a/cli/onionshare_cli/mode_settings.py
+++ b/cli/onionshare_cli/mode_settings.py
@ -55,7 +55,11 @@ class ModeSettings:
                "disable_text": False,
                "disable_files": False,
            },
-            "website": {"disable_csp": False, "filenames": []},
+            "website": {
+                "disable_csp": False,
+                "custom_csp": None,
+                "filenames": []
+            },
            "chat": {"room": "default"},
        }
        self._settings = {}
--- a/cli/onionshare_cli/resources/static/js/send.js
+++ b/cli/onionshare_cli/resources/static/js/send.js
@ -11,7 +11,7 @@ function unhumanize(text) {
  }
 }
 function sortTable(n) {
-  var table, rows, switching, i, x, y, shouldSwitch, dir, switchcount = 0;
+  var table, rows, switching, i, x, y, valX, valY, shouldSwitch, dir, switchcount = 0;
  table = document.getElementById("file-list");
  switching = true;
  // Set the sorting direction to ascending:
@ -21,7 +21,7 @@ function sortTable(n) {
  while (switching) {
    // Start by saying: no switching is done:
    switching = false;
-    rows = table.getElementsByTagName("TR");
+    rows = table.getElementsByClassName("row");
    /* Loop through all table rows (except the
      first, which contains table headers): */
    for (i = 1; i < (rows.length - 1); i++) {
@ -29,18 +29,22 @@ function sortTable(n) {
      shouldSwitch = false;
      /* Get the two elements you want to compare,
        one from current row and one from the next: */
-      x = rows[i].getElementsByTagName("TD")[n];
-      y = rows[i + 1].getElementsByTagName("TD")[n];
+      x = rows[i].getElementsByClassName("cell-data")[n];
+      y = rows[i + 1].getElementsByClassName("cell-data")[n];
+
+      valX = x.classList.contains("size") ? unhumanize(x.innerHTML.toLowerCase()) : x.innerHTML;
+      valY = y.classList.contains("size") ? unhumanize(y.innerHTML.toLowerCase()) : y.innerHTML;
+
      /* Check if the two rows should switch place,
      based on the direction, asc or desc: */
      if (dir == "asc") {
-          if (unhumanize(x.innerHTML.toLowerCase()) > unhumanize(y.innerHTML.toLowerCase())) {
-            // If so, mark as a switch and break the loop:
-            shouldSwitch= true;
-            break;
-          }
+        if (valX > valY) {
+          // If so, mark as a switch and break the loop:
+          shouldSwitch= true;
+          break;
+        }
      } else if (dir == "desc") {
-        if (unhumanize(x.innerHTML.toLowerCase()) < unhumanize(y.innerHTML.toLowerCase())) {
+        if (valX < valY) {
          // If so, mark as a switch and break the loop:
          shouldSwitch= true;
          break;
--- a/cli/onionshare_cli/resources/templates/send.html
+++ b/cli/onionshare_cli/resources/templates/send.html
@ -32,7 +32,7 @@
  {% endif %}

  <div class="file-list" id="file-list">
-    <div class="d-flex">
+    <div class="d-flex row">
      <div id="filename-header" class="heading">Filename</div>
      <div id="size-header" class="heading">Size</div>
    </div>
@ -41,26 +41,26 @@
      <div>
        <img width="30" height="30" title="" alt="" src="{{ static_url_path }}/img/web_folder.png" />
        <a href="{{ info.link }}">
-          <span>{{ info.basename }}</span>
+          <span class="cell-data">{{ info.basename }}</span>
        </a>
      </div>
-      <div>&mdash;</div>
+      <div class="cell-data">&mdash;</div>
    </div>
    {% endfor %}

    {% for info in files %}
-    <div class="d-flex">
+    <div class="d-flex row">
      <div>
        <img width="30" height="30" title="" alt="" src="{{ static_url_path }}/img/web_file.png" />
        {% if download_individual_files %}
        <a href="{{ info.link }}">
-          <span>{{ info.basename }}</span>
+          <span class="cell-data">{{ info.basename }}</span>
        </a>
        {% else %}
-        <span>{{ info.basename }}</span>
+        <span class="cell-data">{{ info.basename }}</span>
        {% endif %}
      </div>
-      <div>{{ info.size_human }}</div>
+      <div class="cell-data size">{{ info.size_human }}</div>
    </div>
    {% endfor %}
  </div>
--- a/cli/onionshare_cli/web/web.py
+++ b/cli/onionshare_cli/web/web.py
@ -199,15 +199,20 @@ class Web:
            """
            for header, value in self.security_headers:
                r.headers.set(header, value)
+
            # Set a CSP header unless in website mode and the user has disabled it
-            if (
+            default_csp = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;"
+            if self.mode != "website" or (
                not self.settings.get("website", "disable_csp")
-                or self.mode != "website"
+                and not self.settings.get("website", "custom_csp")
            ):
-                r.headers.set(
-                    "Content-Security-Policy",
-                    "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
-                )
+                r.headers.set("Content-Security-Policy", default_csp)
+            else:
+                if self.settings.get("website", "custom_csp"):
+                    r.headers.set(
+                        "Content-Security-Policy",
+                        self.settings.get("website", "custom_csp"),
+                    )
            return r

        @self.app.errorhandler(404)