mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-26 16:22:45 -04:00 
			
		
		
		
	* Added optional subdirective to browse allowing to reveal symlink paths. * Update modules/caddyhttp/fileserver/browsetplcontext.go --------- Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
		
			
				
	
	
		
		
	
	
	
	
	
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
| 
 | |
| package fileserver
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"context"
 | |
| 	_ "embed"
 | |
| 	"encoding/json"
 | |
| 	"errors"
 | |
| 	"fmt"
 | |
| 	"io"
 | |
| 	"io/fs"
 | |
| 	"net/http"
 | |
| 	"os"
 | |
| 	"path"
 | |
| 	"strings"
 | |
| 	"sync"
 | |
| 	"text/template"
 | |
| 
 | |
| 	"go.uber.org/zap"
 | |
| 
 | |
| 	"github.com/caddyserver/caddy/v2"
 | |
| 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 | |
| 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/templates"
 | |
| )
 | |
| 
 | |
// BrowseTemplate is the default template document to use for
// file listings. Unless overridden, its value is the embedded
// browse.html document. You can override this value at program
// start, or if you are running Caddy via config, you can specify
// a custom template_file in the browse configuration.
//
// makeBrowseTemplate parses this document with text/template, which
// does not escape output automatically. A replacement document must
// therefore escape entry names and other listing data itself, since
// the rendered result is served as text/html.
//
//go:embed browse.html
var BrowseTemplate string
 | |
| 
 | |
// Browse configures directory browsing.
type Browse struct {
	// TemplateFile names a template to use instead of the embedded browse
	// template. makeBrowseTemplate hands the value to ParseFiles as given
	// and parses it as a text/template, so the file is trusted
	// configuration and must do its own output escaping.
	TemplateFile string `json:"template_file,omitempty"`

	// RevealSymlinks determines whether or not targets of symlinks should
	// be revealed. It is off by default (zero value). Revealed targets are
	// paths on the server, so enabling this can disclose filesystem layout
	// to anyone who can view a listing.
	// NOTE(review): the code that resolves and emits the targets is not in
	// this file; confirm there what exactly is shown for links that point
	// outside the served root.
	RevealSymlinks bool `json:"reveal_symlinks,omitempty"`
}
 | |
| 
 | |
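// serveBrowse responds with a listing of the directory dirPath, opened
// from fileSystem. The listing is written as JSON when the Accept header
// mentions application/json and as HTML rendered from the browse template
// otherwise.
//
// A request whose original path lacks a trailing slash is redirected
// before anything is read. A permission error while loading the listing
// becomes a 403, a not-exist error is passed to fsrv.notFound, and any
// other failure becomes a 500.
func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
	fsrv.logger.Debug("browse enabled; listing directory contents",
		zap.String("path", dirPath),
		zap.String("root", root))

	// Navigation on the client-side gets messed up if the
	// URL doesn't end in a trailing slash because hrefs to
	// "b/c" at path "/a" end up going to "/b/c" instead
	// of "/a/b/c" - so we have to redirect in this case
	// so that the path is "/a/" and the client constructs
	// relative hrefs "b/c" to be "/a/b/c".
	//
	// Only redirect if the last element of the path (the filename) was not
	// rewritten; if the admin wanted to rewrite to the canonical path, they
	// would have, and we have to be very careful not to introduce unwanted
	// redirects and especially redirect loops! (Redirecting using the
	// original URI is necessary because that's the URI the browser knows,
	// we don't want to redirect from internally-rewritten URIs.)
	// See https://github.com/caddyserver/caddy/issues/4205.
	// We also redirect if the path is empty, because this implies the path
	// prefix was fully stripped away by a `handle_path` handler for example.
	// See https://github.com/caddyserver/caddy/issues/4466.
	//
	// NOTE(review): the redirect target is the client-supplied original
	// path plus "/". redirect is defined outside this function; confirm
	// there that a path with repeated leading slashes cannot yield a
	// Location that a browser resolves against another host.
	origReq := r.Context().Value(caddyhttp.OriginalRequestCtxKey).(http.Request)
	if r.URL.Path == "" || path.Base(origReq.URL.Path) == path.Base(r.URL.Path) {
		if !strings.HasSuffix(origReq.URL.Path, "/") {
			fsrv.logger.Debug("redirecting to trailing slash to preserve hrefs", zap.String("request_path", r.URL.Path))
			return redirect(w, r, origReq.URL.Path+"/")
		}
	}

	dir, err := fsrv.openFile(fileSystem, dirPath, w)
	if err != nil {
		return err
	}
	defer dir.Close()

	// fs.FS does not require an opened directory to support ReadDir, so
	// check the assertion and fail the request instead of panicking when
	// a file system hands back a directory that cannot be listed.
	listable, ok := dir.(fs.ReadDirFile)
	if !ok {
		return caddyhttp.Error(http.StatusInternalServerError,
			errors.New("opened directory does not implement fs.ReadDirFile"))
	}

	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)

	// TODO: not entirely sure if path.Clean() is necessary here but seems like a safe plan (i.e. /%2e%2e%2f) - someone could verify this
	// Note that the value being cleaned is the escaped form of the URL
	// path, so percent-encoded dot segments are not collapsed by it.
	listing, err := fsrv.loadDirectoryContents(r.Context(), fileSystem, listable, root, path.Clean(r.URL.EscapedPath()), repl)
	switch {
	case errors.Is(err, fs.ErrPermission):
		return caddyhttp.Error(http.StatusForbidden, err)
	case errors.Is(err, fs.ErrNotExist):
		return fsrv.notFound(w, r, next)
	case err != nil:
		return caddyhttp.Error(http.StatusInternalServerError, err)
	}

	fsrv.browseApplyQueryParams(w, r, listing)

	// Pooled buffers may still hold an earlier response; Reset before use
	// so nothing from another request can end up in this one.
	buf := bufPool.Get().(*bytes.Buffer)
	buf.Reset()
	defer bufPool.Put(buf)

	acceptHeader := strings.ToLower(strings.Join(r.Header["Accept"], ","))

	// write response as either JSON or HTML
	if strings.Contains(acceptHeader, "application/json") {
		if err := json.NewEncoder(buf).Encode(listing.Items); err != nil {
			return caddyhttp.Error(http.StatusInternalServerError, err)
		}
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
	} else {
		// Named tplRoot rather than fs so the io/fs package is not
		// shadowed inside this branch. It stays nil when no root is set.
		var tplRoot http.FileSystem
		if fsrv.Root != "" {
			tplRoot = http.Dir(repl.ReplaceAll(fsrv.Root, "."))
		}

		tplCtx := &templateContext{
			TemplateContext: templates.TemplateContext{
				Root:       tplRoot,
				Req:        r,
				RespHeader: templates.WrappedHeader{Header: w.Header()},
			},
			browseTemplateContext: listing,
		}

		tpl, err := fsrv.makeBrowseTemplate(tplCtx)
		if err != nil {
			return fmt.Errorf("parsing browse template: %v", err)
		}
		// The template is a text/template: nothing is escaped for HTML
		// automatically even though the output is served as text/html,
		// so escaping entry names is the template's responsibility.
		if err := tpl.Execute(buf, tplCtx); err != nil {
			return caddyhttp.Error(http.StatusInternalServerError, err)
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
	}

	// The body was rendered completely before this point; an error while
	// writing it out is deliberately ignored.
	_, _ = buf.WriteTo(w)

	return nil
}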
 | |
| 
 | |
// loadDirectoryContents reads the entries of dir and turns them into the
// browse listing for urlPath. A read error other than io.EOF is returned
// unchanged together with a nil listing.
func (fsrv *FileServer) loadDirectoryContents(ctx context.Context, fileSystem fs.FS, dir fs.ReadDirFile, root, urlPath string, repl *caddy.Replacer) (*browseTemplateContext, error) {
	// A single ReadDir call with a fixed count bounds how many entries one
	// request can make the server load; entries past the cap are simply
	// absent from the listing.
	// TODO: this limit should probably be configurable
	entries, readErr := dir.ReadDir(10000)
	if readErr != nil && readErr != io.EOF {
		return nil, readErr
	}

	// user can presumably browse "up" to parent folder if path is longer than "/"
	listing := fsrv.directoryListing(ctx, fileSystem, entries, len(urlPath) > 1, root, urlPath, repl)
	return listing, nil
}
 | |
| 
 | |
// browseApplyQueryParams applies the layout, sort, order, limit and offset
// query parameters to the listing. It mutates the listing and may set the
// "sort" and "order" cookies on the response.
//
// A cookie is only written when the query value is one of the recognized
// choices. Values read back from cookies, and unrecognized non-empty query
// values, are passed on as received.
// NOTE(review): applySortAndLimit is defined elsewhere; confirm it treats
// sort, order, limit and offset as untrusted client input.
func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Request, listing *browseTemplateContext) {
	query := r.URL.Query()
	sortBy := query.Get("sort")
	direction := query.Get("order")

	// anything other than a known layout (or none at all) falls back to "list"
	switch layout := query.Get("layout"); layout {
	case "list", "grid", "":
		listing.Layout = layout
	default:
		listing.Layout = "list"
	}

	// figure out what to sort by: an explicit, recognized choice is
	// remembered in a cookie; no choice means the remembered one, if any
	switch sortBy {
	case sortByName, sortByNameDirFirst, sortBySize, sortByTime:
		// Secure is set only when this server saw the request over TLS.
		http.SetCookie(w, &http.Cookie{Name: "sort", Value: sortBy, Secure: r.TLS != nil})
	case "":
		sortBy = sortByNameDirFirst
		if remembered, err := r.Cookie("sort"); err == nil {
			sortBy = remembered.Value
		}
	}

	// then figure out the order, following the same scheme
	switch direction {
	case "asc", "desc":
		http.SetCookie(w, &http.Cookie{Name: "order", Value: direction, Secure: r.TLS != nil})
	case "":
		direction = "asc"
		if remembered, err := r.Cookie("order"); err == nil {
			direction = remembered.Value
		}
	}

	// finally, apply the sorting and limiting
	listing.applySortAndLimit(sortBy, direction, query.Get("limit"), query.Get("offset"))
}
 | |
| 
 | |
// makeBrowseTemplate creates the template to be used for directory
// listings: the configured template file when one is set, otherwise the
// embedded BrowseTemplate document. serveBrowse calls it for every HTML
// listing, so the source is parsed again on each such request.
//
// The result is a text/template, which performs no automatic HTML
// escaping; whichever document is used has to escape listing data itself.
func (fsrv *FileServer) makeBrowseTemplate(tplCtx *templateContext) (*template.Template, error) {
	if customFile := fsrv.Browse.TemplateFile; customFile != "" {
		// The template is named after the file's base name, which is the
		// name ParseFiles associates with the parsed contents.
		parsed, err := tplCtx.NewTemplate(path.Base(customFile)).ParseFiles(customFile)
		if err != nil {
			return nil, fmt.Errorf("parsing browse template file: %v", err)
		}
		return parsed, nil
	}

	parsed, err := tplCtx.NewTemplate("default_listing").Parse(BrowseTemplate)
	if err != nil {
		return nil, fmt.Errorf("parsing default browse template: %v", err)
	}
	return parsed, nil
}
 | |
| 
 | |
// isSymlinkTargetDir reports whether f is a symbolic link whose target
// is a directory. It returns false when f is not a symlink and when the
// stat of the joined path fails for any reason. Only the boolean leaves
// this function; the target itself is not returned.
//
// NOTE(review): whether fs.Stat resolves the link, and whether the
// resolved target may lie outside root, depends on fileSystem and is not
// visible here.
func (fsrv *FileServer) isSymlinkTargetDir(fileSystem fs.FS, f fs.FileInfo, root, urlPath string) bool {
	if isSymlink(f) {
		linkPath := caddyhttp.SanitizedPathJoin(root, path.Join(urlPath, f.Name()))
		if info, err := fs.Stat(fileSystem, linkPath); err == nil {
			return info.IsDir()
		}
	}
	return false
}
 | |
| 
 | |
// isSymlink reports whether f describes a symbolic link, judged by the
// symlink bit of its file mode.
func isSymlink(f fs.FileInfo) bool {
	mode := f.Mode()
	return mode&os.ModeSymlink != 0
}
 | |
| 
 | |
// templateContext is the value the browse template is executed with.
// It embeds both the standard templates handler context and the
// browse-specific listing context, so a browse template sees the
// promoted fields and methods of both.
type templateContext struct {
	templates.TemplateContext
	*browseTemplateContext
}
 | |
| 
 | |
// bufPool recycles the buffers that file listings are rendered into, to
// increase the efficiency of file listings. A buffer taken from the pool
// may still hold a previous response, so callers must Reset it before
// writing (serveBrowse does).
var bufPool = sync.Pool{
	New: func() any { return &bytes.Buffer{} },
}
 |