all repos — flounder @ f8d68c8141b6f949e42d900e1def34d1d8198e10

A small site builder for the Gemini protocol

Fix serious bug with login
alex wennerberg alex@alexwennerberg.com
Sat, 27 Feb 2021 08:47:59 -0800
commit

f8d68c8141b6f949e42d900e1def34d1d8198e10

parent

3c74fa01c07854b8337b39f4b7f32af5c27ec3d7

3 files changed, 19 insertions(+), 30 deletions(-)

M http.gohttp.go

@@ -361,13 +361,14 @@ r.ParseForm()

 name := strings.ToLower(r.Form.Get("username"))
 password := r.Form.Get("password")
 username, isAdmin, err := checkLogin(name, password)
- if err != nil {
+ if err == nil {
 log.Println("logged in")
 session, _ := SessionStore.Get(r, "cookie-session")
 session.Values["auth_user"] = username
 session.Values["admin"] = isAdmin
 session.Save(r, w)
 http.Redirect(w, r, "/my_site", http.StatusSeeOther)
+ return
 } else {
 data := struct {
 Error string
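Review bot: The success branch still discards both session errors, in `session, _ := SessionStore.Get(r, "cookie-session")` and the bare `session.Save(r, w)`, so a failed save redirects to /my_site without an authenticated session and leaves nothing in the log. Checking the result keeps that visible: `if err := session.Save(r, w); err != nil { http.Error(w, "could not save session", http.StatusInternalServerError); return }`. For auditing, `log.Println("logged in")` would be more useful as `log.Printf("login ok user=%q", username)`, with a matching line on the failure branch if there is none below the hunk. The handler starts above and continues below this hunk; since the inverted condition was the whole bug, a handler test asserting that a wrong password leaves `auth_user` unset would pin the fix.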
M limit.golimit.go

@@ -22,7 +22,7 @@ defer mu.Unlock()

 limiter, exists := visitors[ip]
 if !exists {
- limiter = rate.NewLimiter(.5, 1)
+ limiter = rate.NewLimiter(.5, 2)
 visitors[ip] = limiter
 }
M sftp.gosftp.go

@@ -16,7 +16,6 @@ "os"

 "path"
 "path/filepath"
 "runtime/debug"
- "strings"
 "time"
 "github.com/pkg/sftp"

@@ -39,24 +38,18 @@ }

 func (con *Connection) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 // check user perms -- cant write others files
- fullpath := path.Join(c.FilesDirectory, filepath.Clean(request.Filepath))
 userDir := getUserDirectory(con.User) // NOTE -- not cross platform
- if strings.HasPrefix(fullpath, userDir) {
- f, err := os.OpenFile(fullpath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
- if err != nil {
- return nil, err
- }
- return f, nil
- } else {
- return nil, fmt.Errorf("Invalid permissions")
+ fullpath := path.Join(userDir, filepath.Clean(request.Filepath))
+ f, err := os.OpenFile(fullpath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
+ if err != nil {
+ return nil, err
 }
+ return f, nil
 }
 func (conn *Connection) Filelist(request *sftp.Request) (sftp.ListerAt, error) {
- fullpath := path.Join(c.FilesDirectory, filepath.Clean(request.Filepath))
- if strings.Contains(request.Filepath, ".hidden") {
- return nil, fmt.Errorf("Invalid permissions") // TODO fix better
- }
+ userDir := getUserDirectory(conn.User) // NOTE -- not cross platform
+ fullpath := path.Join(userDir, filepath.Clean(request.Filepath))
 switch request.Method {
 case "List":
 f, err := os.Open(fullpath)
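Review bot: Containment in Filewrite and Filelist now rests entirely on `path.Join(userDir, filepath.Clean(request.Filepath))`, and `filepath.Clean` keeps the leading `..` elements of a relative path, so the result stays under userDir only if request.Filepath is always rooted. The sftp library may already normalise it that way, but nothing in the hunk enforces it now that the `strings.HasPrefix` check is gone. Rooting the path before cleaning makes the guarantee local: `fullpath := path.Join(userDir, path.Clean("/"+request.Filepath))`. The same line appears in Filecmd in the next hunk. Symlinks inside the user directory are still followed by os.OpenFile and os.Open, which matters if users can ever create them; Filelist's body continues below the hunk.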

@@ -80,22 +73,17 @@ }

 func (conn *Connection) Filecmd(request *sftp.Request) error {
 // remove, rename, setstat? find out
- fullpath := path.Join(c.FilesDirectory, filepath.Clean(request.Filepath))
 userDir := getUserDirectory(conn.User) // NOTE -- not cross platform
- writePerms := strings.HasPrefix(fullpath, userDir)
+ fullpath := path.Join(userDir, filepath.Clean(request.Filepath))
 var err error
- if writePerms {
- switch request.Method {
- case "Remove":
- err = os.Remove(fullpath)
- case "Mkdir":
- err = os.Mkdir(fullpath, 0755)
- }
- if err != nil {
- return err
- }
- } else {
- return fmt.Errorf("Unauthorized")
+ switch request.Method {
+ case "Remove":
+ err = os.Remove(fullpath)
+ case "Mkdir":
+ err = os.Mkdir(fullpath, 0755)
+ }
+ if err != nil {
+ return err
 }
 // Rename, Mkdir
 return nil
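Review bot: The `switch request.Method` in Filecmd has no `default`, so any method other than Remove and Mkdir (the comments mention Rename and Setstat) falls through to `return nil` and is reported to the client as success although nothing happened. Returning an explicit error keeps clients from assuming a rename or permission change took effect: `default: return sftp.ErrSSHFxOpUnsupported`. The function's closing brace is outside the hunk.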