From 82f98dd54de65a74621ae2fb90c80bd90a9cb112 Mon Sep 17 00:00:00 2001 From: ed Date: Sat, 28 Jan 2023 01:02:50 +0000 Subject: [PATCH] delete/move is now POST --- README.md | 3 +++ copyparty/__main__.py | 1 + copyparty/httpcli.py | 19 +++++++++++++------ copyparty/web/browser.js | 6 +++--- docs/devnotes.md | 4 ++-- 5 files changed, 22 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index e51dcded..8181ca6e 100644 --- a/README.md +++ b/README.md @@ -281,6 +281,9 @@ server-os-specific: upgrade notes +* `1.6.0`: + * http-api: delete/move is now `POST` instead of `GET` + * everything other than `GET` and `HEAD` must pass [cors validation](#cors) * `1.5.0` (2022-12-03): [new chunksize formula](https://github.com/9001/copyparty/commit/54e1c8d261df) for files larger than 128 GiB * **users:** upgrade to the latest [cli uploader](https://github.com/9001/copyparty/blob/hovudstraum/bin/up2k.py) if you use that * **devs:** update third-party up2k clients (if those even exist) diff --git a/copyparty/__main__.py b/copyparty/__main__.py index 9c609fe9..39ce356d 100755 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -821,6 +821,7 @@ def add_hooks(ap): def add_yolo(ap): ap2 = ap.add_argument_group('yolo options') ap2.add_argument("--allow-csrf", action="store_true", help="disable csrf protections; let other domains/sites impersonate you through cross-site requests") + ap2.add_argument("--getmod", action="store_true", help="permit ?move=[...] and ?delete as GET") def add_optouts(ap): diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 90fea228..616dbf3f 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py 
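Review bot: The help text for `--getmod` in add_yolo names the behaviour but not its cost, unlike the `--allow-csrf` line just above it. The README hunk in this commit says everything other than GET and HEAD must pass cors validation, so permitting delete/move as GET presumably puts those two operations outside that check again. I would state that in the help string, e.g. `help="permit ?move=[...] and ?delete as GET; these then skip cors validation, so other sites can trigger deletes/moves through cross-site requests"`. The README upgrade note could also mention `--getmod` as the opt-out for clients that cannot switch to POST yet.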
@@ -747,15 +747,16 @@ class HttpCli(object): if "tree" in self.uparam: return self.tx_tree() - if "delete" in self.uparam: - return self.handle_rm([]) - - if "move" in self.uparam: - return self.handle_mv() - if "scan" in self.uparam: return self.scanvol() + if self.args.getmod: + if "delete" in self.uparam: + return self.handle_rm([]) + + if "move" in self.uparam: + return self.handle_mv() + if not self.vpath: if "reload" in self.uparam: return self.handle_reload() @@ -1200,6 +1201,12 @@ class HttpCli(object): if "raw" in self.uparam: return self.handle_stash(False) + if "delete" in self.uparam: + return self.handle_rm([]) + + if "move" in self.uparam: + return self.handle_mv() + ctype = self.headers.get("content-type", "").lower() if not ctype: raise Pebkac(400, "you can't post without a content-type header") diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index e6dffda4..59447008 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -3392,7 +3392,7 @@ var fileman = (function () { } var xhr = new XHR(); - xhr.open('GET', f[0].src + '?move=' + dst, true); + xhr.open('POST', f[0].src + '?move=' + dst, true); xhr.onload = xhr.onerror = rename_cb; xhr.send(); } @@ -3423,7 +3423,7 @@ var fileman = (function () { } toast.show('inf r', 0, esc(L.fd_busy.format(vps.length + 1, vp)), 'r'); - xhr.open('GET', vp + '?delete', true); + xhr.open('POST', vp + '?delete', true); xhr.onload = xhr.onerror = delete_cb; xhr.send(); } @@ -3531,7 +3531,7 @@ var fileman = (function () { var dst = get_evpath() + vp.split('/').pop(); - xhr.open('GET', vp + '?move=' + dst, true); + xhr.open('POST', vp + '?move=' + dst, true); xhr.onload = xhr.onerror = paste_cb; xhr.send(); } diff --git a/docs/devnotes.md b/docs/devnotes.md index 2829265d..786f2945 100644 --- a/docs/devnotes.md +++ b/docs/devnotes.md 
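Review bot: With `--getmod` off, a GET carrying `?delete` or `?move` is not refused; it falls past the new `if self.args.getmod:` block into the rest of the GET handler, which is outside the hunk. A client written against the old API would then probably receive an ordinary file or listing response and could take it for a completed delete or move. An explicit refusal makes the API change visible to callers, for example an `else:` branch containing `if "delete" in self.uparam or "move" in self.uparam: raise Pebkac(405, "delete/move must be POST")`. The enclosing method starts and ends outside the hunk, so the exact fall-through behaviour should be confirmed there.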
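Review bot: In the second httpcli.py hunk (@@ -1200), the new `"delete" in self.uparam` check runs before the content-type is read, so it also matches the `jPOST ?delete` form that docs/devnotes.md still documents with body `["/foo","/bar"]`. Unless that JSON variant is dispatched before this point (not visible in the hunk), such a request now reaches `self.handle_rm([])` and, going by the devnotes description of the bodiless form, deletes the URL itself recursively instead of the listed paths. The shortcut should apply only to requests without a body, for instance by moving both checks below the `ctype = ...` line and guarding them with `if not ctype:`. A comment such as `# bodiless POST ?delete / ?move only; jPOST ?delete carries a path list in its json body` would record why the order matters. The function continues outside the hunk.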
@@ -127,7 +127,7 @@ authenticate using header `Cookie: cppwd=foo` or url param `&pw=foo` | method | params | result | |--|--|--| -| GET | `?move=/foo/bar` | move/rename the file/folder at URL to /foo/bar | +| POST | `?move=/foo/bar` | move/rename the file/folder at URL to /foo/bar | | method | params | body | result | |--|--|--|--| @@ -137,7 +137,7 @@ authenticate using header `Cookie: cppwd=foo` or url param `&pw=foo` | mPOST | | `act=bput`, `f=FILE` | upload `FILE` into the folder at URL | | mPOST | `?j` | `act=bput`, `f=FILE` | ...and reply with json | | mPOST | | `act=mkdir`, `name=foo` | create directory `foo` at URL | -| GET | `?delete` | | delete URL recursively | +| POST | `?delete` | | delete URL recursively | | jPOST | `?delete` | `["/foo","/bar"]` | delete `/foo` and `/bar` recursively | | uPOST | | `msg=foo` | send message `foo` into server log | | mPOST | | `act=tput`, `body=TEXT` | overwrite markdown document at URL |