remove http basic auth and use a random URL instead. fixes #2

2025-01-26 11:13:00 -03:00 · 2014-05-21 21:17:14 -04:00 · 2014-05-21 21:17:14 -04:00 · bd1feac404
commit bd1feac404
parent a12dd0c4a9
1 changed files with 11 additions and 41 deletions
--- a/onionshare.py
+++ b/onionshare.py
@ -13,44 +13,18 @@ from stem import SocketError
 from flask import Flask, Markup, Response, request, make_response, send_from_directory
 app = Flask(__name__)
-auth_username = auth_password = filename = filehash = filesize = ''
+# generate an unguessable string
 slug = os.urandom(16).encode('hex')
-def check_auth(username, password):
+# file information
-    global auth_username, auth_password
+filename = filehash = filesize = ''
-    if len(username) != 16 or len(password) != 16:
+@app.route("/{0}".format(slug))
        return False
    # constant time string comparison, to prevent timing attacks
    valid = True
    for i in range(16):
        if username[i] != auth_username[i] or password[i] != auth_password[i]:
            valid = False
    return valid
 def authenticate():
    return Response(
        'Could not verify your access level for that URL.\n'
        'You have to login with proper credentials', 401,
        {'WWW-Authenticate': 'Basic realm="Login Required"'})
 def requires_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        auth = request.authorization
        if not auth or not check_auth(auth.username, auth.password):
            return authenticate()
        return f(*args, **kwargs)
    return decorated
@app.route("/")
@requires_auth
 def index():
-    global filename, filesize, filehash
+    global filename, filesize, filehash, slug
-    return "<html><head><title>OnionShare</title><style>body {{ background-color: #222222; color: #ffffff; text-align: center; font-family: arial; padding: 5em; }} a {{ color: #ffee00; text-decoration: none; }} a:hover{{ text-decoration: underline; }}</style></head><body><h1><a href='/download'>{0}</a></h1><p>SHA1 checksum: <strong>{1}</strong><br/>File size: <strong>{2} bytes</strong></p></body></html>".format(os.path.basename(filename), filehash, filesize)
+    return "<html><head><title>OnionShare</title><style>body {{ background-color: #222222; color: #ffffff; text-align: center; font-family: arial; padding: 5em; }} a {{ color: #ffee00; text-decoration: none; }} a:hover{{ text-decoration: underline; }}</style></head><body><h1><a href='/{0}/download'>{1}</a></h1><p>SHA1 checksum: <strong>{2}</strong><br/>File size: <strong>{3} bytes</strong></p></body></html>".format(slug, os.path.basename(filename), filehash, filesize)
-@app.route("/download")
+@app.route("/{0}/download".format(slug))
@requires_auth
 def download():
    global filename
    dirname = os.path.dirname(filename)
@ -91,10 +65,8 @@ if __name__ == '__main__':
    filehash = sha1.hexdigest()
    filesize = os.path.getsize(filename)
-    # choose a port, username, and password
+    # choose a port
    port = randint(1025, 65535)
    auth_username = os.urandom(8).encode('hex')
    auth_password = os.urandom(8).encode('hex')
    # connect to the tor controlport
    print 'Connecting to Tor ControlPort to set up hidden service on port {0}'.format(port)
@ -120,10 +92,8 @@ if __name__ == '__main__':
    tails_open_port(port)
    # instructions
-    print '\nGive this information to the person you\'re sending the file to:'
+    print '\nGive this URL to the person you\'re sending the file to:'
-    print 'URL: http://{0}/'.format(onion_host)
+    print 'http://{0}/{1}'.format(onion_host, slug)
    print 'Username: {0}'.format(auth_username)
    print 'Password: {0}'.format(auth_password)
    print ''
    print 'Press Ctrl-C to stop server\n'