phantom/onionshare
1
0
Fork 0
mirror of https://github.com/onionshare/onionshare.git synced 2025-01-25 02:32:58 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

remove http basic auth and use a random URL instead. fixes #2

Browse source
This commit is contained in:
Micah Lee 2014-05-21 21:17:14 -04:00
parent a12dd0c4a9
commit bd1feac404
1 changed files with 11 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
onionshare.py
View file

@ -13,44 +13,18 @@ from stem import SocketError
from flask import Flask, Markup, Response, request, make_response, send_from_directory
app = Flask(__name__)
auth_username = auth_password = filename = filehash = filesize = ''
# generate an unguessable string
slug = os.urandom(16).encode('hex')
def check_auth(username, password):
global auth_username, auth_password
# file information
filename = filehash = filesize = ''
if len(username) != 16 or len(password) != 16:
return False
# constant time string comparison, to prevent timing attacks
valid = True
for i in range(16):
if username[i] != auth_username[i] or password[i] != auth_password[i]:
valid = False
return valid
def authenticate():
return Response(
'Could not verify your access level for that URL.\n'
'You have to login with proper credentials', 401,
{'WWW-Authenticate': 'Basic realm="Login Required"'})
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
auth = request.authorization
if not auth or not check_auth(auth.username, auth.password):
return authenticate()
return f(*args, **kwargs)
return decorated
@app.route("/")
@requires_auth
@app.route("/{0}".format(slug))
def index():
global filename, filesize, filehash
return "<html><head><title>OnionShare</title><style>body {{ background-color: #222222; color: #ffffff; text-align: center; font-family: arial; padding: 5em; }} a {{ color: #ffee00; text-decoration: none; }} a:hover{{ text-decoration: underline; }}</style></head><body><h1><a href='/download'>{0}</a></h1><p>SHA1 checksum: <strong>{1}</strong><br/>File size: <strong>{2} bytes</strong></p></body></html>".format(os.path.basename(filename), filehash, filesize)
global filename, filesize, filehash, slug
return "<html><head><title>OnionShare</title><style>body {{ background-color: #222222; color: #ffffff; text-align: center; font-family: arial; padding: 5em; }} a {{ color: #ffee00; text-decoration: none; }} a:hover{{ text-decoration: underline; }}</style></head><body><h1><a href='/{0}/download'>{1}</a></h1><p>SHA1 checksum: <strong>{2}</strong><br/>File size: <strong>{3} bytes</strong></p></body></html>".format(slug, os.path.basename(filename), filehash, filesize)
@app.route("/download")
@requires_auth
@app.route("/{0}/download".format(slug))
def download():
global filename
dirname = os.path.dirname(filename)
@ -91,10 +65,8 @@ if __name__ == '__main__':
filehash = sha1.hexdigest()
filesize = os.path.getsize(filename)
# choose a port, username, and password
# choose a port
port = randint(1025, 65535)
auth_username = os.urandom(8).encode('hex')
auth_password = os.urandom(8).encode('hex')
# connect to the tor controlport
print 'Connecting to Tor ControlPort to set up hidden service on port {0}'.format(port)
@ -120,10 +92,8 @@ if __name__ == '__main__':
tails_open_port(port)
# instructions
print '\nGive this information to the person you\'re sending the file to:'
print 'URL: http://{0}/'.format(onion_host)
print 'Username: {0}'.format(auth_username)
print 'Password: {0}'.format(auth_password)
print '\nGive this URL to the person you\'re sending the file to:'
print 'http://{0}/{1}'.format(onion_host, slug)
print ''
print 'Press Ctrl-C to stop server\n'