Diffstat (limited to 'genesungswuensche.go')
-rw-r--r-- | genesungswuensche.go | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/genesungswuensche.go b/genesungswuensche.go
index 8347d43..d0a928b 100644
--- a/genesungswuensche.go
+++ b/genesungswuensche.go
@@ -529,6 +529,9 @@ func escapeHTML(s string) string {
 
 // indexHandler serves the main HTML page
 func (s *Server) indexHandler(w http.ResponseWriter, r *http.Request) {
+	fmt.Println(r.Header.Get("X-Forwarded-For"),
+		"authorized access from")
+
 	emails, err := s.parseMaildir()
 	if err != nil {
 		http.Error(w, "Error reading emails", http.StatusInternalServerError)
@@ -887,6 +890,11 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if strings.ContainsAny(req.Filename, "/") {
+		http.Error(w, "Invalid request", http.StatusBadRequest)
+		return
+	}
+
 	sourcePath := filepath.Join(s.maildirPath, "new", req.Filename)
 
 	if _, err := os.Stat(sourcePath); os.IsNotExist(err) {
@@ -907,7 +915,7 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
 	destPath := filepath.Join(s.maildirPath, "cur", destFilename)
 
 	if err := os.Rename(sourcePath, destPath); err != nil {
-		log.Println("mark read error: ", err)
+		fmt.Println("mark read error: ", err)
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(map[string]interface{}{
 			"success": false,
@@ -916,7 +924,10 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	log.Println("mark read success: ", sourcePath, "to", destPath)
+	fmt.Println(r.Header.Get("X-Forwarded-For"),
+		"mark read success from",
+		sourcePath, "to", destPath)
+
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(map[string]interface{}{
 		"success": true,
@@ -940,6 +951,11 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if strings.ContainsAny(req.Filename, "/") {
+		http.Error(w, "Invalid request", http.StatusBadRequest)
+		return
+	}
+
 	sourcePath := filepath.Join(s.maildirPath, "cur", req.Filename)
 
 	if _, err := os.Stat(sourcePath); os.IsNotExist(err) {
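Review bot: The new fmt.Println in indexHandler writes the X-Forwarded-For value to stdout unquoted, so control characters or a newline in that client-supplied header land in the log verbatim and can break line-oriented parsing; unless a trusted reverse proxy overwrites the header, the value is also whatever the sender put there. Quote it and record the socket address as well, e.g. `log.Printf("authorized access from %q (remote %s)", r.Header.Get("X-Forwarded-For"), r.RemoteAddr)`, which also keeps the timestamp that fmt.Println drops; the success lines added in the @@ -916 and @@ -976 hunks have the same shape and want the same treatment. This line appears to replace the one removed from auth in the last hunk, so endpoints other than the index page presumably no longer record authorized access — worth confirming that is intended. indexHandler's body continues past the hunk.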
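Review bot: The new filename check in markReadHandler rejects only `/`, so `.`, `..` and the empty string still pass, and filepath.Join then resolves sourcePath to the `new` directory or the maildir root rather than a file inside it; the os.Stat guard only tests os.IsNotExist, so an existing directory is not rejected and the os.Rename further down would operate on it. Reject those values and the backslash separator too, e.g. `if req.Filename == "" || req.Filename == "." || req.Filename == ".." || strings.ContainsAny(req.Filename, "/\\") {`. The identical block added in the @@ -940 hunk for markUnreadHandler needs the same change, and a shared helper such as `func validMaildirName(name string) bool` would keep both handlers in step. How destFilename is derived from req.Filename is outside the hunk, so the destination side may need the same guard.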
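Review bot: Switching the rename-error line from log.Println to fmt.Println drops the timestamp and moves the message from stderr to stdout, which makes the failure harder to place in time during an incident review; the @@ -916, @@ -968 and @@ -976 hunks make the same swap. If a different format is wanted, keep the message on the log package, e.g. `log.Printf("mark read error: %v", err)`, and adjust log.SetFlags or log.SetOutput once at startup instead. markReadHandler continues on both sides of the hunk.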
@@ -968,7 +984,7 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := os.Rename(sourcePath, destPath); err != nil {
-		log.Println("unread error: ", err)
+		fmt.Println("unread error: ", err)
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(map[string]interface{}{
 			"success": false,
@@ -976,7 +992,9 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	log.Println("unread success: ", sourcePath, "to", destPath)
+	fmt.Println(r.Header.Get("X-Forwarded-For"),
+		"unread success from",
+		sourcePath, "to", destPath)
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(map[string]interface{}{
@@ -995,7 +1013,6 @@ func auth(handler http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		log.Println("authorized access from", r.Header.Get("X-Forwarded-For"))
 		handler(w, r)
 	}
 }