mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

idp: add anon-read sanchk

Browse source
This commit is contained in:
ed 2024-03-13 21:36:36 +00:00
parent dbf1cbc8af
commit 2ebfdc2562
2 changed files with 17 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
copyparty/authsrv.py
View file

@ -33,6 +33,7 @@ from .util import (
uncyg, uncyg,
undot, undot,
unhumanize, unhumanize,
vsplit,
) )
if True: # pylint: disable=using-constant-test if True: # pylint: disable=using-constant-test
@ -790,7 +791,7 @@ class AuthSrv(object):
self.grps: dict[str, list[str]] = {} self.grps: dict[str, list[str]] = {}
self.re_pwd: Optional[re.Pattern] = None self.re_pwd: Optional[re.Pattern] = None
# all volumes ever seen (from current or previous runs) # all volumes observed since last restart
self.idp_vols: dict[str, str] = {} # vpath->abspath self.idp_vols: dict[str, str] = {} # vpath->abspath
# all users/groups observed since last restart # all users/groups observed since last restart
@ -889,6 +890,8 @@ class AuthSrv(object):
src, dst = self._map_volume(src, dst, mount, daxs, mflags) src, dst = self._map_volume(src, dst, mount, daxs, mflags)
if src: if src:
ret.append((src, dst, un, gn)) ret.append((src, dst, un, gn))
if un or gn:
self.idp_vols[dst] = src
return ret return ret
@ -1352,6 +1355,8 @@ class AuthSrv(object):
mflags: dict[str, dict[str, Any]] = {} # moutpoint:flags mflags: dict[str, dict[str, Any]] = {} # moutpoint:flags
mount: dict[str, str] = {} # dst:src (mountpoint:realpath) mount: dict[str, str] = {} # dst:src (mountpoint:realpath)
self.idp_vols = {} # yolo
if self.args.a: if self.args.a:
# list of username:password # list of username:password
for x in self.args.a: for x in self.args.a:
@ -2001,6 +2006,17 @@ class AuthSrv(object):
except Pebkac: except Pebkac:
self.warn_anonwrite = True self.warn_anonwrite = True
idp_err = "WARNING! The following IdP volumes are mounted directly below another volume where anonymous users can read and/or write files. This is a SECURITY HAZARD!! When copyparty is restarted, it will not know about these IdP volumes yet. These volumes will then be accessible by anonymous users UNTIL one of the users associated with their volume sends a request to the server. RECOMMENDATION: You should create a restricted volume where nobody can read/write files, and make sure that all IdP volumes are configured to appear somewhere below that volume."
for idp_vp in self.idp_vols:
parent_vp = vsplit(idp_vp)[0]
vn, _ = vfs.get(parent_vp, "*", False, False)
zs = "READABLE" if "*" in vn.axs.uread else "WRITABLE" if "*" in vn.axs.uwrite else ""
if zs:
t = '\nWARNING: Volume "/%s" appears below "/%s" and would be WORLD-%s'
idp_err += t % (idp_vp, vn.vpath, zs)
if "\n" in idp_err:
self.log(idp_err, 1)
self.vfs = vfs self.vfs = vfs
self.acct = acct self.acct = acct
self.grps = grps self.grps = grps

1
docs/TODO.md
View file

@ -9,7 +9,6 @@ a living list of upcoming features / fixes / changes, very roughly in order of p
* [github issue #62](https://github.com/9001/copyparty/issues/62) - IdP / single-sign-on powered by a local identity provider service which is possibly hooked up to ldap or an oauth service * [github issue #62](https://github.com/9001/copyparty/issues/62) - IdP / single-sign-on powered by a local identity provider service which is possibly hooked up to ldap or an oauth service
* persist autogenerated volumes for db-init + nullmapping on next startup (`_map_volume` += `only_if_exist`) * persist autogenerated volumes for db-init + nullmapping on next startup (`_map_volume` += `only_if_exist`)
* sanchk that autogenerated volumes below inaccessible parent
* download accelerator * download accelerator
* definitely download chunks in parallel * definitely download chunks in parallel