Merge pull request #103 from onionshare/random-content-url

Use a random path to prevent other apps from accessing content
onionshare · Sep 11, 2023 · 144eb6b · 144eb6b
2 parents 3a3657b + f023a0f
commit 144eb6b
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 12 deletions.
diff --git a/app/src/main/assets/templates/send.html b/app/src/main/assets/templates/send.html
@@ -23,7 +23,7 @@ <h1>{% if title %}{{ title }}{% else %}OnionShare{% endif %}</h1>
         <div>Total size: <strong>{{ filesize_human }}</strong> {% if is_zipped %} (compressed){%
             endif %}
         </div>
-        <a class="button" href='/download'>Download Files</a>
+        <a class="button" href='{{ content_path }}/download'>Download Files</a>
     </div>
 </header>
 

diff --git a/app/src/main/java/org/onionshare/android/ShareManager.kt b/app/src/main/java/org/onionshare/android/ShareManager.kt
@@ -148,7 +148,7 @@ class ShareManager @Inject constructor(
                 // We only create the hidden service after files have been zipped and webserver was started,
                 // so we are in sharing state once the first HS descriptor has been published.
                 notificationManager.onSharing()
-                ShareUiState.Sharing("http://${torState.onion}.onion")
+                ShareUiState.Sharing("http://${torState.onion}.onion/${webserverManager.contentPath}")
             }
 
             TorState.FailedToConnect -> {

diff --git a/app/src/main/java/org/onionshare/android/server/WebserverManager.kt b/app/src/main/java/org/onionshare/android/server/WebserverManager.kt
@@ -53,11 +53,12 @@ class WebserverManager @Inject constructor() {
     private var server: ApplicationEngine? = null
     private val _state = MutableStateFlow<WebServerState>(WebServerState.Stopped(false))
     val state = _state.asStateFlow()
+    val contentPath = getRandomPath()
 
     suspend fun start(sendPage: SendPage): Int {
         _state.value = WebServerState.Starting
         val staticPath = getStaticPath()
-        val staticPathMap = mapOf("static_url_path" to staticPath)
+        val pathMap = mapOf("static_url_path" to staticPath, "content_path" to contentPath)
         TrafficStats.setThreadStatsTag(0x42)
         val server = embeddedServer(
             factory = Netty,
@@ -72,11 +73,11 @@ class WebserverManager @Inject constructor() {
             install(Pebble) {
                 loader(ClasspathLoader().apply { prefix = "assets/templates" })
             }
-            installStatusPages(staticPathMap)
+            installStatusPages(pathMap)
             addListener()
             routing {
                 defaultRoutes(staticPath)
-                sendRoutes(sendPage, staticPathMap)
+                sendRoutes(sendPage, pathMap)
             }
         }.also { it.start() }
         this.server = server
@@ -98,11 +99,13 @@ class WebserverManager @Inject constructor() {
         }
     }
 
+    private fun getRandomPath(): String {
+        val randomBytes = ByteArray(16).apply { secureRandom.nextBytes(this) }
+        return Base64.encodeToString(randomBytes, NO_PADDING or URL_SAFE).trimEnd()
+    }
+
     private fun getStaticPath(): String {
-        val staticSuffixBytes = ByteArray(16).apply { secureRandom.nextBytes(this) }
-        val staticSuffix =
-            Base64.encodeToString(staticSuffixBytes, NO_PADDING or URL_SAFE).trimEnd()
-        return "/static_$staticSuffix"
+        return "/static_${getRandomPath()}"
     }
 
     private fun Application.addListener() {
@@ -142,11 +145,11 @@ class WebserverManager @Inject constructor() {
     }
 
     private fun Route.sendRoutes(sendPage: SendPage, staticPathMap: Map<String, String>) {
-        get("/") {
+        get("/$contentPath") {
             val model = sendPage.model + staticPathMap
             call.respond(PebbleContent("send.html", model))
         }
-        get("/download") {
+        get("/$contentPath/download") {
             call.response.header(
                 ContentDisposition,
                 Attachment.withParameter(FileName, sendPage.fileName).toString()

diff --git a/app/src/main/java/org/onionshare/android/ui/share/ShareBottomSheet.kt b/app/src/main/java/org/onionshare/android/ui/share/ShareBottomSheet.kt
@@ -257,7 +257,7 @@ fun ShareBottomSheetSharingPreview() {
         Surface(color = MaterialTheme.colors.background) {
             BottomSheet(
                 state = ShareUiState.Sharing(
-                    "http://openpravyvc6spbd4flzn4g2iqu4sxzsizbtb5aqec25t76dnoo5w7yd.onion/",
+                    "http://openpravyvc6spbd4flzn4g2iqu4sxzsizbtb5aqec25t76dnoo5w7yd.onion/eW91IGFyZSBhIG5lcmQ7KQ",
                 ),
                 onSheetButtonClicked = {},
             )