diff options
author | Christopher Speller <crspeller@gmail.com> | 2017-07-18 15:45:23 -0700 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2017-07-18 15:45:23 -0700 |
commit | 97f34e483b0fa8b2a8cfe75b72168cfa38cc9d80 (patch) | |
tree | ec2d68077dd2b12de3173871622f3ec2a2b61d35 /api4 | |
parent | 21a3219b9b1df033635631afa751742bd4c56ea0 (diff) | |
parent | a350f4dc0754e1aeabb64bd712ce05f7c59cfa60 (diff) | |
download | chat-97f34e483b0fa8b2a8cfe75b72168cfa38cc9d80.tar.gz chat-97f34e483b0fa8b2a8cfe75b72168cfa38cc9d80.tar.bz2 chat-97f34e483b0fa8b2a8cfe75b72168cfa38cc9d80.zip |
Merge branch 'release-4.0'
Diffstat (limited to 'api4')
-rw-r--r-- | api4/context.go | 2 | ||||
-rw-r--r-- | api4/file.go | 93 | ||||
-rw-r--r-- | api4/oauth.go | 20 | ||||
-rw-r--r-- | api4/post.go | 6 | ||||
-rw-r--r-- | api4/team.go | 8 | ||||
-rw-r--r-- | api4/team_test.go | 19 | ||||
-rw-r--r-- | api4/user.go | 2 |
7 files changed, 101 insertions, 49 deletions
diff --git a/api4/context.go b/api4/context.go index 06eee6715..61c318266 100644 --- a/api4/context.go +++ b/api4/context.go @@ -355,7 +355,7 @@ func (c *Context) RequireInviteId() *Context { return c } - if len(c.Params.InviteId) != 26 { + if len(c.Params.InviteId) == 0 { c.SetInvalidUrlParam("invite_id") } return c diff --git a/api4/file.go b/api4/file.go index a395fff65..4b39a1812 100644 --- a/api4/file.go +++ b/api4/file.go @@ -7,6 +7,7 @@ import ( "net/http" "net/url" "strconv" + "strings" l4g "github.com/alecthomas/log4go" "github.com/mattermost/platform/app" @@ -18,6 +19,27 @@ const ( FILE_TEAM_ID = "noteam" ) +var UNSAFE_CONTENT_TYPES = [...]string{ + "application/javascript", + "application/ecmascript", + "text/javascript", + "text/ecmascript", + "application/x-javascript", + "text/html", +} + +var MEDIA_CONTENT_TYPES = [...]string{ + "image/jpeg", + "image/png", + "image/bmp", + "image/gif", + "video/avi", + "video/mpeg", + "video/mp4", + "audio/mpeg", + "audio/wav", +} + func InitFile() { l4g.Debug(utils.T("api.file.init.debug")) @@ -82,9 +104,9 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -105,22 +127,7 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - contentTypeToCheck := []string{"image/jpeg", "image/png", "image/bmp", "image/gif", - "video/avi", "video/mpeg", "audio/mpeg3", "audio/wav"} - - contentType := http.DetectContentType(data) - foundContentType := false - for _, contentTypeFromList := range contentTypeToCheck { - if contentType == contentTypeFromList && toDownload == false { - foundContentType = true - break - } - } - if !foundContentType { - toDownload = true - } - - err = writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r) + err = writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r) if err != nil { c.Err = err return @@ -133,9 +140,9 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -158,7 +165,7 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) { if data, err := app.ReadFile(info.ThumbnailPath); err != nil { c.Err = err c.Err.StatusCode = http.StatusNotFound - } else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil { + } else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil { c.Err = err return } @@ -205,9 +212,9 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -230,7 +237,7 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) { if data, err := app.ReadFile(info.PreviewPath); err != nil { c.Err = err c.Err.StatusCode = http.StatusNotFound - } else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil { + } else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil { c.Err = err return } @@ -298,14 +305,38 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) { } } -func writeFileResponse(filename string, contentType string, bytes []byte, toDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError { +func writeFileResponse(filename string, contentType string, bytes []byte, forceDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError { w.Header().Set("Cache-Control", "max-age=2592000, private") w.Header().Set("Content-Length", strconv.Itoa(len(bytes))) + w.Header().Set("X-Content-Type-Options", "nosniff") - if contentType != "" { - w.Header().Set("Content-Type", contentType) + if contentType == "" { + contentType = "application/octet-stream" } else { - w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer + for _, unsafeContentType := range UNSAFE_CONTENT_TYPES { + if strings.HasPrefix(contentType, unsafeContentType) { + contentType = "text/plain" + break + } + } + } + + w.Header().Set("Content-Type", contentType) + + var toDownload bool + if forceDownload { + toDownload = true + } else { + isMediaType := false + + for _, mediaContentType := range MEDIA_CONTENT_TYPES { + if strings.HasPrefix(contentType, mediaContentType) { + isMediaType = true + break + } + } + + toDownload = !isMediaType } if toDownload { diff --git a/api4/oauth.go b/api4/oauth.go index 402651b92..05a38d206 100644 --- a/api4/oauth.go +++ b/api4/oauth.go @@ -392,7 +392,9 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { code := r.URL.Query().Get("code") if len(code) == 0 { - c.Err = model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest) + err := model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest) + err.Translate(c.T) + http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) return } @@ -400,15 +402,19 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete" - body, teamId, props, err := app.AuthorizeOAuthUser(service, code, state, uri) + body, teamId, props, err := app.AuthorizeOAuthUser(w, r, service, code, state, uri) if err != nil { - c.Err = err + err.Translate(c.T) + l4g.Error(err.Error()) + http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) return } user, err := app.CompleteOAuth(service, body, teamId, props) if err != nil { - c.Err = err + err.Translate(c.T) + l4g.Error(err.Error()) + http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) return } @@ -455,7 +461,7 @@ func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { return } - if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil { + if authUrl, err := app.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil { c.Err = err return } else { @@ -475,7 +481,7 @@ func mobileLoginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { return } - if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil { + if authUrl, err := app.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil { c.Err = err return } else { @@ -500,7 +506,7 @@ func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { return } - if authUrl, err := app.GetOAuthSignupEndpoint(c.Params.Service, teamId); err != nil { + if authUrl, err := app.GetOAuthSignupEndpoint(w, r, c.Params.Service, teamId); err != nil { c.Err = err return } else { diff --git a/api4/post.go b/api4/post.go index 3d1077358..3d0c681d1 100644 --- a/api4/post.go +++ b/api4/post.go @@ -55,6 +55,8 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) { return } + app.SetStatusOnline(c.Session.UserId, c.Session.Id, false) + w.WriteHeader(http.StatusCreated) w.Write([]byte(rp.ToJson())) } @@ -139,8 +141,8 @@ func getFlaggedPostsForUser(c *Context, w http.ResponseWriter, r *http.Request) return } - channelId := r.URL.Query().Get("in_channel") - teamId := r.URL.Query().Get("in_team") + channelId := r.URL.Query().Get("channel_id") + teamId := r.URL.Query().Get("team_id") var posts *model.PostList var err *model.AppError diff --git a/api4/team.go b/api4/team.go index 1cbd89481..98a672d93 100644 --- a/api4/team.go +++ b/api4/team.go @@ -5,7 +5,7 @@ package api4 import ( "bytes" - "io" + "encoding/base64" "net/http" "strconv" @@ -657,12 +657,12 @@ func importTeam(c *Context, w http.ResponseWriter, r *http.Request) { } } - w.Header().Set("Content-Disposition", "attachment; filename=MattermostImportLog.txt") - w.Header().Set("Content-Type", "application/octet-stream") + data := map[string]string{} + data["results"] = base64.StdEncoding.EncodeToString([]byte(log.Bytes())) if c.Err != nil { w.WriteHeader(c.Err.StatusCode) } - io.Copy(w, bytes.NewReader(log.Bytes())) + w.Write([]byte(model.MapToJson(data))) } func inviteUsersToTeam(c *Context, w http.ResponseWriter, r *http.Request) { diff --git a/api4/team_test.go b/api4/team_test.go index b517f67fe..421428afa 100644 --- a/api4/team_test.go +++ b/api4/team_test.go @@ -12,6 +12,7 @@ import ( "strings" "testing" + "encoding/base64" "github.com/mattermost/platform/app" "github.com/mattermost/platform/model" "github.com/mattermost/platform/utils" @@ -1345,7 +1346,12 @@ func TestImportTeam(t *testing.T) { fileResp, resp := th.SystemAdminClient.ImportTeam(data, binary.Size(data), "slack", "Fake_Team_Import.zip", th.BasicTeam.Id) CheckNoError(t, resp) - fileReturned := fmt.Sprintf("%s", fileResp) + fileData, err := base64.StdEncoding.DecodeString(fileResp["results"]) + if err != nil { + t.Fatal("failed to decode base64 results data") + } + + fileReturned := fmt.Sprintf("%s", fileData) if !strings.Contains(fileReturned, "darth.vader@stardeath.com") { t.Log(fileReturned) t.Fatal("failed to report the user was imported") @@ -1469,7 +1475,7 @@ func TestInviteUsersToTeam(t *testing.T) { } func TestGetTeamInviteInfo(t *testing.T) { - th := Setup().InitBasic() + th := Setup().InitBasic().InitSystemAdmin() defer TearDown() Client := th.Client team := th.BasicTeam @@ -1485,6 +1491,13 @@ func TestGetTeamInviteInfo(t *testing.T) { t.Fatal("should be empty") } + team.InviteId = "12345678901234567890123456789012" + team, resp = th.SystemAdminClient.UpdateTeam(team) + CheckNoError(t, resp) + + team, resp = Client.GetTeamInviteInfo(team.InviteId) + CheckNoError(t, resp) + _, resp = Client.GetTeamInviteInfo("junk") - CheckBadRequestStatus(t, resp) + CheckNotFoundStatus(t, resp) } diff --git a/api4/user.go b/api4/user.go index 04faf13c4..f13c33f0b 100644 --- a/api4/user.go +++ b/api4/user.go @@ -1056,7 +1056,7 @@ func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) { var err *model.AppError if switchRequest.EmailToOAuth() { - link, err = app.SwitchEmailToOAuth(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) + link, err = app.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) } else if switchRequest.OAuthToEmail() { c.SessionRequired() if c.Err != nil { |