2018-12-23 21:04:54 +01:00
|
|
|
# Pleroma: A lightweight social networking server
|
2021-01-13 07:49:20 +01:00
|
|
|
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
|
2018-12-23 21:04:54 +01:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
|
2020-06-24 08:03:48 +02:00
|
|
|
defmodule Pleroma.Web.Plugs.UploadedMedia do
|
2018-11-23 17:40:45 +01:00
|
|
|
@moduledoc """
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
import Plug.Conn
|
2019-07-10 11:25:58 +02:00
|
|
|
import Pleroma.Web.Gettext
|
2018-11-23 17:40:45 +01:00
|
|
|
require Logger
|
|
|
|
|
|
2020-06-14 20:02:57 +02:00
|
|
|
alias Pleroma.Web.MediaProxy
|
|
|
|
|
|
2018-11-23 17:40:45 +01:00
|
|
|
@behaviour Plug
|
|
|
|
|
# no slashes
|
|
|
|
|
@path "media"
|
|
|
|
|
|
2020-03-13 18:27:50 +01:00
|
|
|
@default_cache_control_header "public, max-age=1209600"
|
2020-03-13 18:02:58 +01:00
|
|
|
|
2018-11-23 17:40:45 +01:00
|
|
|
def init(_opts) do
|
|
|
|
|
static_plug_opts =
|
2020-03-13 20:12:33 +01:00
|
|
|
[
|
|
|
|
|
headers: %{"cache-control" => @default_cache_control_header},
|
|
|
|
|
cache_control_for_etags: @default_cache_control_header
|
|
|
|
|
]
|
2018-11-23 17:40:45 +01:00
|
|
|
|> Keyword.put(:from, "__unconfigured_media_plug")
|
|
|
|
|
|> Keyword.put(:at, "/__unconfigured_media_plug")
|
|
|
|
|
|> Plug.Static.init()
|
|
|
|
|
|
2024-04-01 21:33:45 +02:00
|
|
|
allowed_mime_types = Pleroma.Config.get([Pleroma.Upload, :allowed_mime_types])
|
|
|
|
|
|
|
|
|
|
%{static_plug_opts: static_plug_opts, allowed_mime_types: allowed_mime_types}
|
2018-11-23 17:40:45 +01:00
|
|
|
end
|
|
|
|
|
|
2019-02-06 20:19:39 +01:00
|
|
|
def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do
|
2019-03-12 07:10:19 +01:00
|
|
|
conn =
|
|
|
|
|
case fetch_query_params(conn) do
|
|
|
|
|
%{query_params: %{"name" => name}} = conn ->
|
2022-11-10 12:54:12 +01:00
|
|
|
name = escape_header_value(name)
|
2019-03-12 07:21:13 +01:00
|
|
|
|
2020-06-14 20:02:57 +02:00
|
|
|
put_resp_header(conn, "content-disposition", "filename=\"#{name}\"")
|
2019-03-12 07:10:19 +01:00
|
|
|
|
|
|
|
|
conn ->
|
|
|
|
|
conn
|
|
|
|
|
end
|
2023-05-26 20:30:45 +02:00
|
|
|
|> merge_resp_headers([{"content-security-policy", "script-src none"}])
|
2019-03-12 07:10:19 +01:00
|
|
|
|
2019-06-14 17:45:05 +02:00
|
|
|
config = Pleroma.Config.get(Pleroma.Upload)
|
2018-11-23 17:40:45 +01:00
|
|
|
|
|
|
|
|
with uploader <- Keyword.fetch!(config, :uploader),
|
2020-06-14 20:02:57 +02:00
|
|
|
{:ok, get_method} <- uploader.get_file(file),
|
2020-06-17 20:13:55 +02:00
|
|
|
false <- media_is_banned(conn, get_method) do
|
2022-07-04 18:30:38 +02:00
|
|
|
get_media(conn, get_method, opts)
|
2018-11-23 17:40:45 +01:00
|
|
|
else
|
|
|
|
|
_ ->
|
|
|
|
|
conn
|
2019-07-10 11:25:58 +02:00
|
|
|
|> send_resp(:internal_server_error, dgettext("errors", "Failed"))
|
2018-11-23 17:40:45 +01:00
|
|
|
|> halt()
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def call(conn, _opts), do: conn
|
|
|
|
|
|
2020-06-17 20:13:55 +02:00
|
|
|
defp media_is_banned(%{request_path: path} = _conn, {:static_dir, _}) do
|
2021-01-09 00:05:55 +01:00
|
|
|
MediaProxy.in_banned_urls(Pleroma.Upload.base_url() <> path)
|
2020-06-14 20:02:57 +02:00
|
|
|
end
|
|
|
|
|
|
2020-06-17 20:13:55 +02:00
|
|
|
defp media_is_banned(_, {:url, url}), do: MediaProxy.in_banned_urls(url)
|
2020-06-14 20:02:57 +02:00
|
|
|
|
2020-06-17 20:13:55 +02:00
|
|
|
defp media_is_banned(_, _), do: false
|
2020-06-14 20:02:57 +02:00
|
|
|
|
2024-04-01 21:33:45 +02:00
|
|
|
defp get_safe_mime_type(%{allowed_mime_types: allowed_mime_types} = _opts, mime) do
|
|
|
|
|
[maintype | _] = String.split(mime, "/", parts: 2)
|
|
|
|
|
if maintype in allowed_mime_types, do: mime, else: "application/octet-stream"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
defp set_content_type(conn, opts, filepath) do
|
|
|
|
|
real_mime = MIME.from_path(filepath)
|
|
|
|
|
clean_mime = get_safe_mime_type(opts, real_mime)
|
|
|
|
|
put_resp_header(conn, "content-type", clean_mime)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
2022-07-04 18:30:38 +02:00
|
|
|
defp get_media(conn, {:static_dir, directory}, opts) do
|
2018-11-23 17:40:45 +01:00
|
|
|
static_opts =
|
|
|
|
|
Map.get(opts, :static_plug_opts)
|
|
|
|
|
|> Map.put(:at, [@path])
|
|
|
|
|
|> Map.put(:from, directory)
|
2024-04-01 21:33:45 +02:00
|
|
|
|> Map.put(:set_content_type, false)
|
2018-11-23 17:40:45 +01:00
|
|
|
|
2024-04-01 21:33:45 +02:00
|
|
|
conn =
|
|
|
|
|
conn
|
|
|
|
|
|> set_content_type(opts, conn.request_path)
|
|
|
|
|
|> Pleroma.Web.Plugs.StaticNoCT.call(static_opts)
|
2018-11-23 17:40:45 +01:00
|
|
|
|
|
|
|
|
if conn.halted do
|
|
|
|
|
conn
|
|
|
|
|
else
|
|
|
|
|
conn
|
2019-07-10 12:40:34 +02:00
|
|
|
|> send_resp(:not_found, dgettext("errors", "Not found"))
|
2018-11-23 17:40:45 +01:00
|
|
|
|> halt()
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2022-07-04 18:30:38 +02:00
|
|
|
defp get_media(conn, {:url, url}, _) do
|
2018-11-23 17:40:45 +01:00
|
|
|
conn
|
|
|
|
|
|> Phoenix.Controller.redirect(external: url)
|
|
|
|
|
|> halt()
|
|
|
|
|
end
|
|
|
|
|
|
2022-07-04 18:30:38 +02:00
|
|
|
defp get_media(conn, unknown, _) do
|
2018-11-23 17:40:45 +01:00
|
|
|
Logger.error("#{__MODULE__}: Unknown get startegy: #{inspect(unknown)}")
|
|
|
|
|
|
|
|
|
|
conn
|
2019-07-10 12:40:34 +02:00
|
|
|
|> send_resp(:internal_server_error, dgettext("errors", "Internal Error"))
|
2018-11-23 17:40:45 +01:00
|
|
|
|> halt()
|
|
|
|
|
end
|
2022-11-10 12:54:12 +01:00
|
|
|
|
|
|
|
|
defp escape_header_value(value) do
|
|
|
|
|
value
|
|
|
|
|
|> String.replace("\"", "\\\"")
|
|
|
|
|
|> String.replace("\\r", "")
|
|
|
|
|
|> String.replace("\\n", "")
|
|
|
|
|
end
|
2018-11-23 17:40:45 +01:00
|
|
|
end
|
