def post(self, lang):
"""
Upload a custom language file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
self.finish()
return
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSettings.static_path_l10n, path)
try:
dumped_file = yield threads.deferToThread(dump_static_file,
uploaded_file, path)
except OSError as excpd:
log.err("OSError while create a new custom lang file [%s]: %s" %
(path, excpd))
raise errors.InternalServerError(excpd.strerror)
except Exception as excpd:
log.err("Unexpected exception: %s" % excpd)
raise errors.InternalServerError(excpd)
log.debug("Admin uploaded new lang file: %s" % dumped_file['filename'])
self.set_status(201) # Created
self.finish()
def post(self, lang):
"""
Upload a custom language file
"""
start_time = time.time()
uploaded_file = self.get_uploaded_file()
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSetting.static_path_l10n, path)
try:
dumped_file = yield threads.deferToThread(dump_static_file, uploaded_file, path)
except OSError as excpd:
log.err("OSError while create a new custom lang file [%s]: %s" % (path, excpd))
raise errors.InternalServerError(excpd.strerror)
except Exception as excpd:
log.err("Unexpected exception: %s" % excpd)
raise errors.InternalServerError(excpd)
dumped_file["elapsed_time"] = time.time() - start_time
log.debug("Admin uploaded new lang file: %s" % dumped_file["filename"])
self.set_status(201) # Created
self.finish(dumped_file)
def post(self):
"""
Request: Unknown
Response: Unknown
Errors: ModelNotFound
"""
itip_id = yield get_itip_id_by_wbtip_id(self.current_user.user_id)
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
uploaded_file['body'].avoid_delete()
uploaded_file['body'].close()
# First: dump the file in the filesystem
dst = os.path.join(GLSettings.submission_path,
os.path.basename(uploaded_file['path']))
directory_traversal_check(GLSettings.submission_path, dst)
uploaded_file = yield threads.deferToThread(write_upload_encrypted_to_disk, uploaded_file, dst)
uploaded_file['date'] = datetime_now()
uploaded_file['submission'] = False
# Second: register the file in the database
yield register_ifile_on_db(uploaded_file, itip_id)
def post(self, token_id):
"""
Parameter: internaltip_id
Request: Unknown
Response: Unknown
Errors: TokenFailure
"""
token = TokenList.get(token_id)
log.debug("file upload with token associated: %s" % token)
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
uploaded_file['body'].avoid_delete()
uploaded_file['body'].close()
try:
dst = os.path.join(GLSettings.submission_path,
os.path.basename(uploaded_file['path']))
directory_traversal_check(GLSettings.submission_path, dst)
uploaded_file = yield threads.deferToThread(write_upload_encrypted_to_disk, uploaded_file, dst)
uploaded_file['date'] = datetime_now()
uploaded_file['submission'] = True
token.associate_file(uploaded_file)
except Exception as excep:
log.err("Unable to save file in filesystem: %s" % excep)
raise errors.InternalServerError("Unable to accept files")
self.set_status(201) # Created
def post(self, lang):
"""
Upload a custom language file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
self.finish()
return
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSettings.static_path_l10n, path)
try:
dumped_file = yield threads.deferToThread(dump_static_file, uploaded_file, path)
except OSError as excpd:
log.err("OSError while create a new custom lang file [%s]: %s" % (path, excpd))
raise errors.InternalServerError(excpd.strerror)
except Exception as excpd:
log.err("Unexpected exception: %s" % excpd)
raise errors.InternalServerError(excpd)
log.debug("Admin uploaded new lang file: %s" % dumped_file['filename'])
self.set_status(201) # Created
self.finish(dumped_file)
def post(self, token_id):
"""
Parameter: internaltip_id
Request: Unknown
Response: Unknown
Errors: TokenFailure
"""
token = TokenList.get(token_id)
log.debug("file upload with token associated: %s" % token)
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
uploaded_file['body'].avoid_delete()
uploaded_file['body'].close()
dst = os.path.join(GLSettings.submission_path,
os.path.basename(uploaded_file['path']))
directory_traversal_check(GLSettings.submission_path, dst)
uploaded_file = yield threads.deferToThread(write_upload_encrypted_to_disk, uploaded_file, dst)
uploaded_file['date'] = datetime_now()
uploaded_file['submission'] = True
token.associate_file(uploaded_file)
def get(self, path):
if not path:
path = 'index.html'
abspath = os.path.abspath(os.path.join(self.root, path))
directory_traversal_check(self.root, abspath)
return self.write_file(abspath)
def get(self, path):
if path == '':
path = 'index.html'
abspath = os.path.abspath(os.path.join(self.root, path))
directory_traversal_check(self.root, abspath)
self.write_file(abspath)
def get(self):
self.set_header("Content-Type", 'text/css')
original_css = os.path.join(GLSettings.glclient_path, self.original_css_filename)
custom_css = os.path.join(GLSettings.static_path, 'custom_stylesheet.css')
directory_traversal_check(GLSettings.glclient_path, original_css)
directory_traversal_check(GLSettings.static_path, custom_css)
self.write_file(original_css)
self.write_file(custom_css)
def get(self):
self.set_header("Content-Type", 'text/css')
original_css = os.path.join(GLSettings.client_path, self.original_css_filename)
custom_css = os.path.join(GLSettings.static_path, 'custom_stylesheet.css')
directory_traversal_check(GLSettings.client_path, original_css)
directory_traversal_check(GLSettings.static_path, custom_css)
self.write_file(original_css)
self.write_file(custom_css)
def delete(self, filename):
"""
Parameter: filename
Errors: StaticFileNotFound
"""
path = os.path.join(GLSettings.static_path, filename)
directory_traversal_check(GLSettings.static_path, path)
if not os.path.exists(path):
raise errors.StaticFileNotFound
os.remove(path)
def delete(self, filename):
"""
Parameter: filename
Errors: StaticFileNotFound
"""
path = os.path.join(Settings.static_path, filename)
directory_traversal_check(Settings.static_path, path)
if not os.path.exists(path):
raise errors.StaticFileNotFound
os.remove(path)
def get_l10n(store, lang):
path = langfile_path(lang)
directory_traversal_check(Settings.client_path, path)
texts = read_json_file(path)
custom_texts = store.find(models.CustomTexts, models.CustomTexts.lang == lang).one()
custom_texts = custom_texts.texts if custom_texts is not None else {}
texts.update(custom_texts)
return texts
def delete(self, lang):
"""
Parameter: filename
Errors: LangFileNotFound
"""
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSettings.static_path_l10n, path)
if not os.path.exists(path):
raise errors.LangFileNotFound
os.remove(path)
def get(self, lang):
self.set_header('Content-Type', 'application/json')
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSettings.static_path_l10n, path)
self.root = GLSettings.static_path_l10n
if not os.path.exists(path):
path = self.langfile_path(lang)
directory_traversal_check(GLSettings.glclient_path, path)
self.root = os.path.abspath(os.path.join(GLSettings.glclient_path, 'l10n'))
BaseStaticFileHandler.get(self, path)
def get_l10n(store, lang):
path = langfile_path(lang)
directory_traversal_check(GLSettings.client_path, path)
with open(path, 'rb') as f:
texts = json.loads(f.read())
custom_texts = store.find(models.CustomTexts, models.CustomTexts.lang == unicode(lang)).one()
custom_texts = custom_texts.texts if custom_texts is not None else {}
texts.update(custom_texts)
return texts
def get(self, lang):
self.set_header('Content-Type', 'application/json')
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSettings.static_path_l10n, path)
self.root = GLSettings.static_path_l10n
if not os.path.exists(path):
path = self.langfile_path(lang)
directory_traversal_check(GLSettings.glclient_path, path)
self.root = os.path.abspath(
os.path.join(GLSettings.glclient_path, 'l10n'))
BaseStaticFileHandler.get(self, path)
def delete(self, lang):
"""
Parameter: filename
Errors: LangFileNotFound
"""
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSettings.static_path_l10n, path)
if not os.path.exists(path):
raise errors.LangFileNotFound
os.remove(path)
self.set_status(200)
self.finish()
def get(self, lang):
self.set_header("Content-Type", "application/json")
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSetting.static_path_l10n, path)
if os.path.exists(path):
StaticFileHandler.get(self, path, True)
else:
path = self.langfile_path(lang)
directory_traversal_check(GLSetting.glclient_path, path)
# to reuse use the StaticFile handler we need to change the root path
self.root = os.path.abspath(os.path.join(GLSetting.glclient_path, "l10n"))
StaticFileHandler.get(self, path, True)
def get(self, path):
if path == '':
path = 'index.html'
abspath = os.path.abspath(os.path.join(self.root, path))
directory_traversal_check(self.root, abspath)
if not os.path.exists(abspath) or not os.path.isfile(abspath):
raise HTTPError(404)
mime_type, encoding = mimetypes.guess_type(abspath)
if mime_type:
self.set_header("Content-Type", mime_type)
self.write_file(abspath)
def get(self, path):
if path == '':
path = 'index.html'
abspath = os.path.abspath(os.path.join(self.root, path))
directory_traversal_check(self.root, abspath)
if not os.path.exists(abspath) or not os.path.isfile(abspath):
raise HTTPError(404)
mime_type, encoding = mimetypes.guess_type(abspath)
if mime_type:
self.set_header("Content-Type", mime_type)
yield self.write_file(abspath)
def get(self, lang):
self.set_header('Content-Type', 'application/json')
path = self.custom_langfile_path(lang)
directory_traversal_check(GLSetting.static_path_l10n, path)
if os.path.exists(path):
StaticFileHandler.get(self, path, True)
else:
path = self.langfile_path(lang)
directory_traversal_check(GLSetting.glclient_path, path)
# to reuse use the StaticFile handler we need to change the root path
self.root = os.path.abspath(os.path.join(GLSetting.glclient_path, 'l10n'))
StaticFileHandler.get(self, path, True)
def delete(self, filename):
"""
Parameter: filename
Errors: StaticFileNotFound
"""
path = os.path.join(GLSetting.static_path, filename)
directory_traversal_check(GLSetting.static_path, path)
if not os.path.exists(path):
raise errors.StaticFileNotFound
# XXX if a reserved filename is requested, need to be handled in
# a safe way: eg, if is a receiver, restore the default image.
os.remove(path)
self.set_status(200)
self.finish()
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
if filename == 'upload':
filename = uploaded_file['name']
path = os.path.join(Settings.static_path, filename)
directory_traversal_check(Settings.static_path, path)
d = threads.deferToThread(write_upload_plaintext_to_disk, uploaded_file, path)
d.addBoth(lambda ignore: uploaded_file['body'].close)
return d
def delete(self, filename):
"""
Parameter: filename
Errors: StaticFileNotFound
"""
path = os.path.join(GLSetting.static_path, filename)
directory_traversal_check(GLSetting.static_path, path)
if not os.path.exists(path):
raise errors.StaticFileNotFound
# XXX if a reserved filename is requested, need to be handled in
# a safe way: eg, if is a receiver, restore the default image.
os.remove(path)
self.set_status(200)
self.finish()
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
return
if filename == 'upload':
filename = uploaded_file['name']
path = os.path.join(GLSettings.static_path, filename)
directory_traversal_check(GLSettings.static_path, path)
try:
yield threads.deferToThread(write_upload_plaintext_to_disk, uploaded_file, path)
finally:
uploaded_file['body'].close()
self.set_status(201)
def post(self):
"""
Request: Unknown
Response: Unknown
Errors: TipIdNotFound
"""
itip_id = yield get_itip_id_by_wbtip_id(self.current_user.user_id)
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
uploaded_file['body'].avoid_delete()
uploaded_file['body'].close()
try:
# First: dump the file in the filesystem
dst = os.path.join(GLSettings.submission_path,
os.path.basename(uploaded_file['path']))
directory_traversal_check(GLSettings.submission_path, dst)
uploaded_file = yield threads.deferToThread(
write_upload_encrypted_to_disk, uploaded_file, dst)
except Exception as excep:
log.err("Unable to save a file in filesystem: %s" % excep)
raise errors.InternalServerError("Unable to accept new files")
uploaded_file['date'] = datetime_now()
uploaded_file['submission'] = False
try:
# Second: register the file in the database
yield register_ifile_on_db(uploaded_file, itip_id)
except Exception as excep:
log.err("Unable to register (append) file in DB: %s" % excep)
raise errors.InternalServerError("Unable to accept new files")
self.set_status(201) # Created
def post(self, tip_id, rfile_id):
rfile = yield download_file(self.current_user.user_id, tip_id,
rfile_id)
# keys: 'file_path' 'size' : 'content_type' 'file_name'
self.set_status(200)
self.set_header('X-Download-Options', 'noopen')
self.set_header('Content-Type', 'application/octet-stream')
self.set_header('Content-Length', rfile['size'])
self.set_header('Content-Disposition',
'attachment; filename=\"%s\"' % rfile['name'])
filelocation = os.path.join(GLSetting.submission_path, rfile['path'])
directory_traversal_check(GLSetting.submission_path, filelocation)
self.write_file(filelocation)
self.finish()
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
return
if filename == 'upload':
filename = uploaded_file['name']
path = os.path.join(GLSettings.static_path, filename)
directory_traversal_check(GLSettings.static_path, path)
try:
yield threads.deferToThread(write_upload_plaintext_to_disk,
uploaded_file, path)
finally:
uploaded_file['body'].close()
self.set_status(201)
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
return
if filename == 'upload':
filename = uploaded_file['filename']
path = os.path.join(GLSettings.static_path, filename)
directory_traversal_check(GLSettings.static_path, path)
try:
dumped_file = yield threads.deferToThread(dump_static_file, uploaded_file, path)
finally:
uploaded_file['body'].close()
log.debug('Admin uploaded new static file: %s' % dumped_file['filename'])
self.set_status(201)
def post(self):
"""
Request: Unknown
Response: Unknown
Errors: TipIdNotFound
"""
itip_id = yield get_itip_id_by_wbtip_id(self.current_user.user_id)
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
uploaded_file['body'].avoid_delete()
uploaded_file['body'].close()
try:
# First: dump the file in the filesystem
dst = os.path.join(GLSettings.submission_path,
os.path.basename(uploaded_file['path']))
directory_traversal_check(GLSettings.submission_path, dst)
uploaded_file = yield threads.deferToThread(write_upload_encrypted_to_disk, uploaded_file, dst)
except Exception as excep:
log.err("Unable to save a file in filesystem: %s" % excep)
raise errors.InternalServerError("Unable to accept new files")
uploaded_file['date'] = datetime_now()
uploaded_file['submission'] = False
try:
# Second: register the file in the database
yield register_ifile_on_db(uploaded_file, itip_id)
except Exception as excep:
log.err("Unable to register (append) file in DB: %s" % excep)
raise errors.InternalServerError("Unable to accept new files")
self.set_status(201) # Created
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
return
if filename == 'upload':
filename = uploaded_file['filename']
path = os.path.join(GLSettings.static_path, filename)
directory_traversal_check(GLSettings.static_path, path)
try:
dumped_file = yield threads.deferToThread(dump_static_file, uploaded_file, path)
except Exception as excpd:
log.err('Error while creating static file %s: %s' % (path, excpd))
raise errors.InternalServerError(excpd.message)
log.debug('Admin uploaded new static file: %s' % dumped_file['filename'])
self.set_status(201)
def post(self, token_id):
"""
Parameter: internaltip_id
Request: Unknown
Response: Unknown
Errors: TokenFailure
"""
token = TokenList.get(token_id)
log.debug("file upload with token associated: %s" % token)
uploaded_file = self.get_file_upload()
if uploaded_file is None:
return
uploaded_file['body'].avoid_delete()
uploaded_file['body'].close()
try:
dst = os.path.join(GLSettings.submission_path,
os.path.basename(uploaded_file['path']))
directory_traversal_check(GLSettings.submission_path, dst)
uploaded_file = yield threads.deferToThread(
write_upload_encrypted_to_disk, uploaded_file, dst)
uploaded_file['date'] = datetime_now()
uploaded_file['submission'] = True
token.associate_file(uploaded_file)
except Exception as excep:
log.err("Unable to save file in filesystem: %s" % excep)
raise errors.InternalServerError("Unable to accept files")
self.set_status(201) # Created
def test_directory_traversal_check_allowed(self):
valid_access = os.path.join(GLSettings.static_path, "valid.txt")
directory_traversal_check(GLSettings.static_path, valid_access)
def test_directory_traversal_check_allowed(self):
valid_access = os.path.join(GLSettings.static_path, "valid.txt")
directory_traversal_check(GLSettings.static_path, valid_access)
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
self.finish()
return
# This handler allow to upload files inside globaleaks static directory
#
# There 4 possibilities allowed are:
#
# 1) the destination is == GLSettings.reserved_names.logo
# 2) the destination is == GLSettings.reserved_names.cc
# 3) the "destination+".png" does not match receiver_img_regexp
# 4) the provided filename is a receiver uuid
if filename == GLSettings.reserved_names.logo:
try:
path = os.path.join(GLSettings.static_path,
"%s.png" % GLSettings.reserved_names.logo)
log.debug("Received request to update Node logo with %s" %
uploaded_file['filename'])
except Exception as excpd:
log.err("Exception raise saving Node logo: %s" % excpd)
raise errors.InternalServerError(excpd.__repr__())
elif filename == GLSettings.reserved_names.css:
try:
path = os.path.join(GLSettings.static_path,
"%s.css" % GLSettings.reserved_names.css)
log.debug("Received request to update custom CSS with %s" %
uploaded_file['filename'])
except Exception as excpd:
log.err("Exception raise saving custom CSS: %s" % excpd)
raise errors.InternalServerError(excpd.__repr__())
elif filename == GLSettings.reserved_names.html:
try:
path = os.path.join(GLSettings.static_path,
"%s.html" % GLSettings.reserved_names.html)
log.debug(
"Received request to update custom Homepage with %s" %
uploaded_file['filename'])
except Exception as excpd:
log.err("Exception raise saving custom Homepage: %s" % excpd)
raise errors.InternalServerError(excpd.__repr__())
elif filename == 'customization' and \
not re.match(receiver_img_regexp, uploaded_file['filename'] + ".png"):
path = os.path.join(GLSettings.static_path,
uploaded_file['filename'])
log.debug("Received request to save %s in path %s" %
(uploaded_file['filename'], path))
else:
try:
path = yield receiver_pic_path(filename)
log.debug(
"Received request to update Receiver portrait with %s" %
filename)
except errors.ReceiverIdNotFound as excpd:
log.err("Invalid Receiver ID specified: %s" % filename)
raise excpd
except Exception as excpd:
log.err(
"Exception raised while saving Receive portrait with %s: %s"
% (filename, excpd))
raise errors.InternalServerError(excpd.__repr__())
directory_traversal_check(GLSettings.static_path, path)
try:
# the dump of the file is done here in the latest stage to
# avoid writing non tracked files on the file system in case of exceptions
dumped_file = yield threads.deferToThread(dump_static_file,
uploaded_file, path)
except OSError as excpd:
log.err("OSError while create a new static file [%s]: %s" %
(path, excpd))
raise errors.InternalServerError(excpd.strerror)
except Exception as excpd:
log.err("Unexpected exception: %s" % excpd.message)
raise errors.InternalServerError(excpd.message)
log.debug("Admin uploaded new static file: %s" %
dumped_file['filename'])
self.set_status(201) # Created
self.finish()
def post(self, filename):
"""
Upload a new file
"""
uploaded_file = self.get_file_upload()
if uploaded_file is None:
self.set_status(201)
self.finish()
return
# This handler allow to upload files inside globaleaks static directory
#
# There 4 possibilities allowed are:
#
# 1) the destination is == GLSetting.reserved_names.logo
# 2) the destination is == GLSetting.reserved_names.cc
# 3) the "destination+".png" does not match receiver_img_regexp
# 4) the provided filename is a receiver uuid
if filename == GLSetting.reserved_names.logo:
try:
path = os.path.join(GLSetting.static_path, "%s.png" % GLSetting.reserved_names.logo)
log.debug("Received request to update Node logo with %s" % uploaded_file['filename'])
except Exception as excpd:
log.err("Exception raise saving Node logo: %s" % excpd)
raise errors.InternalServerError(excpd.__repr__())
elif filename == GLSetting.reserved_names.css:
try:
path = os.path.join(GLSetting.static_path, "%s.css" % GLSetting.reserved_names.css)
log.debug("Received request to update custom CSS with %s" % uploaded_file['filename'])
except Exception as excpd:
log.err("Exception raise saving custom CSS: %s" % excpd)
raise errors.InternalServerError(excpd.__repr__())
elif filename == GLSetting.reserved_names.html:
try:
path = os.path.join(GLSetting.static_path, "%s.html" % GLSetting.reserved_names.html)
log.debug("Received request to update custom Homepage with %s" % uploaded_file['filename'])
except Exception as excpd:
log.err("Exception raise saving custom Homepage: %s" % excpd)
raise errors.InternalServerError(excpd.__repr__())
elif filename == 'customization' and \
not re.match(receiver_img_regexp, uploaded_file['filename'] + ".png"):
path = os.path.join(GLSetting.static_path, uploaded_file['filename'])
log.debug("Received request to save %s in path %s" %
(uploaded_file['filename'], path))
else:
try:
path = yield receiver_pic_path(filename)
log.debug("Received request to update Receiver portrait with %s" % filename)
except errors.ReceiverIdNotFound as excpd:
log.err("Invalid Receiver ID specified: %s" % filename)
raise excpd
except Exception as excpd:
log.err("Exception raised while saving Receive portrait with %s: %s" %
(filename, excpd))
raise errors.InternalServerError(excpd.__repr__())
directory_traversal_check(GLSetting.static_path, path)
try:
# the dump of the file is done here in the latest stage to
# avoid writing non tracked files on the file system in case of exceptions
dumped_file = yield threads.deferToThread(dump_static_file, uploaded_file, path)
except OSError as excpd:
log.err("OSError while create a new static file [%s]: %s" % (path, excpd))
raise errors.InternalServerError(excpd.strerror)
except Exception as excpd:
log.err("Unexpected exception: %s" % excpd.message)
raise errors.InternalServerError(excpd.message)
log.debug("Admin uploaded new static file: %s" % dumped_file['filename'])
self.set_status(201) # Created
self.finish()