Disable file uploading through the site, only allow curl

2024-11-22 06:42:40 +01:00 · 2024-02-27 10:25:43 +00:00 · 2024-02-27 10:25:43 +00:00 · 9c43259012
commit 9c43259012
parent ca1910df1a
3 changed files with 14 additions and 6 deletions
--- a/app/templates/base.html
+++ b/app/templates/base.html
@ -24,6 +24,6 @@
    <hr>
    {% block content %}{% endblock %}
    <hr>
-    <p>xygt.cc v0.2.0 - &copy; Jack Eilles 2024 - <a href="{{ url_for('transparency') }}">Transparency</a> - <a href="{{ url_for('tos') }}">Terms of Service</a> - <a href="{{ url_for('privacy') }}">Privacy Policy</a> </p>
+    <p>xygt.cc v0.3.0 - &copy; Jack Eilles 2024 - <a href="{{ url_for('transparency') }}">Transparency</a> - <a href="{{ url_for('tos') }}">Terms of Service</a> - <a href="{{ url_for('privacy') }}">Privacy Policy</a> </p>
 </body>
 </html>
--- a/app/templates/index.html
+++ b/app/templates/index.html
@ -23,6 +23,9 @@
    <p>You can pipe plain text into the file flag, for example:</p>
    <code>echo "Hello, World!" | curl -F "file=@-" https://xygt.cc</code>
    <br>
+    <h3>File uploading through the site is currently disabled due to a security vulnerability.</h3>
+    <h5>Use curl instead.</h5>
+    <!-- Disabled 
    <form action="/" method="post" enctype="multipart/form-data">
        <input type="file" name="file" id="file">
        <input type="number" name="retention" placeholder="Retention (in seconds)">
@ -32,7 +35,7 @@
        {% endif %}
        <input type="submit" value="Upload">
    </form>
-    <br>
+    -->
    <h3>How do I shorten URLs?</h3>
    <p>You can either use the `shorten` form, or use a POST request.</p>
    <p>For example, using curl:</p>
@ -40,6 +43,9 @@
    <p>You can also add extra <a href="faq#flags">flags</a> onto your command, for example:</p>
    <code>curl -F "url=https://example.com" -F "retention=1024" -F "userid=6fd12a"</code>
    <br>
+    <h3>URL Shortening through the site is currently disabled due to a security vulnerability.</h3>
+    <h5>Use curl instead.</h5>
+    <!-- Disabled
    <form action="/" method="post">
        <input type="url" name="url" placeholder="URL to shorten">
        <input type="number" name="retention" placeholder="Retention (in seconds)">
@ -49,7 +55,7 @@
        {% endif %}
        <input type="submit" value="Shorten!">
    </form>
-    <br>
+    -->
    <h3>How do I view my files or URL's?</h3>
    <p>Simply use the link that is returned when you submit a POST request.</p>
    <p>When you upload a file or shorten a URL, you'll simply get this in response:</p>
--- a/app/worker.py
+++ b/app/worker.py
@ -123,12 +123,14 @@ def idInfo(id):
 def userInfo(id):
    # Grab user entry from userID
    user = Config.users.find_one({"userid": id})
-    
+    print(user)
+
    username = user['user']
    userid = id

    # Search for all files from that userID
-    files = Config.files.find_many({"userid": userid}, {"_id": False, "ip": False})
+    files = Config.files.find({"userid": userid}, {"_id": False, "ip": False})
+    print(files)
    list = {}

    # Create file listing
@ -145,7 +147,7 @@ def userInfo(id):
        })

    # Search for all URL's from that userID
-    url = Config.url.find_many({"userid": userid})
+    url = Config.url.find({"userid": userid})

    # Format all into one JSON
    return {