#!/usr/bin/env python2 import templates import settings, db, os, random, datetime, mimetypes, cgi, tempfile, hashlib, Cookie, urllib, subprocess, json from PIL import Image base62_alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' rfc1123_format = '%a, %d %b %Y %H:%M:%S +0000' rfc1123_format_tzname = '%a, %d %b %Y %H:%M:%S %Z' if not os.path.isdir(settings.file_directory): os.mkdir(settings.file_directory) if not os.path.isdir(settings.thumb_directory): os.mkdir(settings.thumb_directory) try: # Throws OSError if mogrify doesn't exist. subprocess.call(['mogrify', '-quiet']) except OSError: has_mogrify = False else: has_mogrify = True class FileUploadFieldStorage(cgi.FieldStorage): def make_file(self, binary = None): # Make a temporary file in the destination directory, which will be renamed on completion. return tempfile.NamedTemporaryFile(prefix = 'upload_', dir = settings.file_directory, delete = False) class Application(object): def get_user(self, username, password): session = db.Session() try: user = session.query(db.User).filter(db.and_(db.User.username == username, db.User.password == password)).one() except db.NoResultFound: return None finally: session.close() return user def get_user_by_name(self, username): session = db.Session() try: return session.query(db.User).filter(db.User.username == username).one() except db.NoResultFound: return None finally: session.close() def get_user_by_id(self, uid): session = db.Session() try: return session.query(db.User).filter(db.User.id == uid).one() except db.NoResultFound: return None finally: session.close() def add_user(self, username, password): session = db.Session() try: user = db.User(username, password) session.add(user) session.commit() except db.IntegrityError: return None finally: session.close() return user def save_user_pass(self, user, password): session = db.Session() try: user.password = password session.add(user) session.commit() # Avoid having to fetch user again (used by changepass) session.refresh(user) finally: session.close() def get_file(self, hash, update_accessed = False): session = db.Session() try: f = session.query(db.File).filter(db.File.hash == hash).one() if update_accessed: f.accessed = datetime.datetime.utcnow() session.add(f) session.commit() # Refresh after field update. session.refresh(f) return f except db.NoResultFound: return None finally: session.close() def add_file(self, path, filename, file_hash, user = None, ip = None): hash = ''.join(random.choice(base62_alphabet) for x in xrange(5)) new_path = os.path.join(settings.file_directory, hash + os.path.splitext(filename)[1]) os.rename(path, new_path) if hasattr(settings, 'destination_mode'): os.chmod(new_path, settings.destination_mode) session = db.Session() try: file = db.File(hash, file_hash, filename, datetime.datetime.utcnow(), user.id if user else None, ip) session.add(file) session.commit() finally: session.close() return hash def get_files(self, user): session = db.Session() try: session.add(user) files = user.files except db.NoResultFound: return [] finally: session.close() return files def validate_cookie(self, cookie): if not cookie: return None identifier = cookie['identifier'].value if 'username' in cookie: user = self.get_user_by_name(cookie['username'].value) if not user: return None digest = hashlib.sha1(user.username + user.password).hexdigest() return user if (digest == identifier) else None user = self.get_user_by_id(cookie['uid'].value) if not user: return None digest = hashlib.sha1(str(user.id) + user.password).hexdigest() return user if (digest == identifier) else None def get_file_by_file_hash(self, file_hash): session = db.Session() try: return session.query(db.File).filter(db.File.file_hash == file_hash).one() except db.NoResultFound: return None finally: session.close() def delete_file(self, file): session = db.Session() try: session.delete(file) session.commit() os.unlink(file.get_path()) except: raise finally: session.close() def not_modified(self, environ, date): if not 'HTTP_IF_MODIFIED_SINCE' in environ: return False try: mod_since_date = datetime.datetime.strptime(environ['HTTP_IF_MODIFIED_SINCE'], rfc1123_format) except ValueError: # some clients use timezone names (eg. GMT) instead of numeric timezones mod_since_date = datetime.datetime.strptime(environ['HTTP_IF_MODIFIED_SINCE'], rfc1123_format_tzname) return date == mod_since_date def file(self, environ, start_response, path): hash = path[1] if '.' in hash: hash = hash.split('.')[0] file = self.get_file(hash, True) filename = file.get_path() if filename == None: start_response('404 Not Found', [('Content-Type', 'text/html')]) return ['

Not Found

The file you requested does not exist.

'] # strip microseconds if self.not_modified(environ, file.date - datetime.timedelta(microseconds = file.date.microsecond)): start_response('304 Not Modified', [('Last-Modified', file.date.strftime(rfc1123_format))]) return [] do_range = 'HTTP_RANGE' in environ if do_range: file_range = environ['HTTP_RANGE'].split('bytes=')[1] mime = mimetypes.guess_type(file.filename, strict = False)[0] or 'application/octet-stream' # X-Sendfile handling if settings.use_xsendfile: headers = [('Content-Type', mime), ('Last-Modified', file.date.strftime(rfc1123_format))] if do_range: headers.append(('X-Sendfile2', '{filename} {range}'.format(filename = urllib.quote(filename.encode('utf8')), range = file_range))) if file_range.endswith('-'): file_range += str(os.path.getsize(filename)-1) headers.append(('Content-Range', 'bytes {range}/{size}'.format(range = file_range, size = os.path.getsize(filename)))) status = '206 Partial Content' else: headers.append(('X-Sendfile', filename.encode('utf8'))) status = '200 OK' start_response(status, headers) return [] # Range handling if do_range: start, end = [int(x or 0) for x in file_range.split('-')] size = os.path.getsize(filename) if end == 0: end = size-1 write_out = start_response('206 Partial Content', [('Content-Type', mime), ('Content-Range', 'bytes {start}-{end}/{size}'.format(start = start, end = end, size = size)), ('Content-Length', str(end - start + 1)), ('Last-Modified', file.date.strftime(rfc1123_format))]) f = open(filename, 'rb') f.seek(start) remaining = end-start+1 s = f.read(min(remaining, 1024)) while s: write_out(s) remaining -= len(s) s = f.read(min(remaining, 1024)) return [] start_response('200 OK', [('Content-Type', mime), ('Content-Length', str(os.path.getsize(filename))), ('Last-Modified', file.date.strftime(rfc1123_format))]) return open(filename, 'rb') def upload(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) tempfile.tempdir = settings.file_directory form = FileUploadFieldStorage(fp = environ['wsgi.input'], environ = environ) if environ['REQUEST_METHOD'] != 'POST' or not 'file' in form or not 'filename' in form: if 'file' in form: form['file'].file.delete = True start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.upload(searchList = {'root': settings.virtual_root, 'user': user})) filename = form.getvalue('filename') temp = form['file'].file # If the name attribute is missing, assume this is a StringIO object, then create a new temporary file and copy the contents. if not hasattr(temp, 'name'): new_temp = tempfile.NamedTemporaryFile(prefix = 'upload_', dir = settings.file_directory, delete = False) new_temp.write(temp.getvalue()) new_temp.seek(0) temp = new_temp m = hashlib.md5() s = temp.read(128) while len(s): m.update(s) s = temp.read(128) temp.close() file_hash = m.hexdigest() f = self.get_file_by_file_hash(file_hash) # TODO: Currently users uploading existing files won't get their files added to their account. if f: hash = f.hash else: # temp.name will be moved to the destination filename hash = self.add_file(temp.name, filename, file_hash, user, environ['REMOTE_ADDR']) # This avoids silly "not bound to a Session" errors when trying to use a newly added file object. f = self.get_file(hash) # If temp.name still exists, we most likely uploaded a file whose file hash already exists, so just delete the file. if os.path.exists(temp.name): os.unlink(temp.name) mime = f.get_mime_type() # TODO: Apparently TIFF also supports EXIF, test this. if has_mogrify and mime == 'image/jpeg': # NOTE: PIL doesn't support lossless rotation, so we call mogrify to do this. # NOTE: This changes the file, so the file_hash applies to the ORIGINAL file contents only. # NOTE: The file hash is only used to detect duplicates when uploading, so this should not be a problem. subprocess.call(['mogrify', '-auto-orient', f.get_path()]) if 'api' in form: start_response('200 OK', [('Content-Type', 'text/plain')]) return ['OK {hash}'.format(hash = hash)] else: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.uploaded(searchList = { 'root': settings.virtual_root, 'user': user, 'hash': hash, 'filename': filename, 'ext': os.path.splitext(filename)[1], 'scheme': environ['wsgi.url_scheme'], 'host': environ['HTTP_HOST'], })) def login(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ) next = form.getvalue('next') if environ['REQUEST_METHOD'] != 'POST' or not 'username' in form or not 'password' in form: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.login(searchList = { 'root': settings.virtual_root, 'user': user, 'error': None, 'next': next, })) username = form.getvalue('username') password = hashlib.sha1(form.getvalue('password')).hexdigest() user = self.get_user(username, password) if user == None: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.login(searchList = { 'root': settings.virtual_root, 'user': user, 'error': 'Login failed', 'next': next, })) c = Cookie.SimpleCookie() c['uid'] = user.id c['identifier'] = hashlib.sha1(str(user.id) + password).hexdigest() dt = datetime.datetime.utcnow() + datetime.timedelta(days = 30) expires = dt.strftime('%a, %d-%b-%y %H:%M:%S GMT') c['uid']['expires'] = expires c['identifier']['expires'] = expires start_response('302 Found', [ ('Location', next if next else (settings.virtual_root + 'u')), ('Set-Cookie', c['uid'].OutputString()), ('Set-Cookie', c['identifier'].OutputString())]) return [] def register(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ) if environ['REQUEST_METHOD'] != 'POST' or not 'username' in form or not 'password' in form or not 'password2' in form: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.register(searchList = { 'root': settings.virtual_root, 'user': user, 'error': None, })) username = form.getvalue('username') password = form.getvalue('password') password2 = form.getvalue('password2') if password != password2: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.register(searchList = { 'root': settings.virtual_root, 'user': user, 'error': 'Passwords doesn\'t match', })) user = self.add_user(username, hashlib.sha1(password).hexdigest()) if not user: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.register(searchList = { 'root': settings.virtual_root, 'user': None, 'error': 'Username already taken.', })) start_response('302 Found', [('Location', settings.virtual_root + 'l')]) return [] def logout(self, environ, start_response, path): c = Cookie.SimpleCookie() expires = datetime.datetime.utcfromtimestamp(0).strftime('%a, %d-%b-%y %H:%M:%S GMT') c['uid'] = 0 c['uid']['expires'] = expires c['identifier'] = '' c['identifier']['expires'] = expires start_response('302 Found', [ ('Set-Cookie', c['uid'].OutputString()), ('Set-Cookie', c['identifier'].OutputString()), ('Location', settings.virtual_root)]) return [] def changepass(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) form = cgi.FieldStorage(fp = environ['wsgi.input'], environ = environ) if environ['REQUEST_METHOD'] != 'POST' or not 'oldpass' in form or not 'password' in form or not 'password2' in form: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.changepass(searchList = { 'root': settings.virtual_root, 'user': user, 'error': None, })) oldpass = hashlib.sha1(form.getvalue('oldpass')).hexdigest() password = form.getvalue('password') password2 = form.getvalue('password2') if oldpass != user.password: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.changepass(searchList = { 'root': settings.virtual_root, 'user': user, 'error': 'Invalid password.', })) if password != password2: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.changepass(searchList = { 'root': settings.virtual_root, 'user': user, 'error': 'Passwords doesn\'t match.', })) password = hashlib.sha1(password).hexdigest() self.save_user_pass(user, password) dt = datetime.datetime.utcnow() + datetime.timedelta(days = 30) expires = dt.strftime('%a, %d-%b-%y %H:%M:%S GMT') c['uid']['expires'] = expires c['identifier'] = hashlib.sha1(str(user.id) + password).hexdigest() c['identifier']['expires'] = expires start_response('302 Found', [ ('Set-Cookie', c['uid'].OutputString()), ('Set-Cookie', c['identifier'].OutputString()), ('Location', settings.virtual_root)]) return [] def static(self, environ, start_response, path): filename = path[1] if not filename in ('style.css', 'no-thumbnail.png'): start_response('404 Not Found', []) return [] mime = mimetypes.guess_type(filename, strict = False)[0] or 'application/octet-stream' start_response('200 OK', [('Content-Type', mime)]) return open(os.path.join(settings.static_root, filename), 'rb') def help(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.help(searchList = { 'root': settings.virtual_root, 'user': user, 'scheme': environ['wsgi.url_scheme'], 'host': environ['HTTP_HOST'], })) def my_files(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) if user == None: start_response('302 Found', [('Location', settings.virtual_root + 'l?' + urllib.urlencode({'next': settings.virtual_root + 'm'}))]) return [] files = self.get_files(user) start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.my(searchList = { 'root': settings.virtual_root, 'user': user, 'files': files, 'total_size': db.File.pretty_size(sum([f.get_size() for f in files])), })) def images(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) if user == None: start_response('302 Found', [('Location', settings.virtual_root + 'l?' + urllib.urlencode({'next': settings.virtual_root + 'i'}))]) return [] files = [f for f in self.get_files(user) if f.is_image()] start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.images(searchList = { 'root': settings.virtual_root, 'user': user, 'files': files, 'total_size': db.File.pretty_size(sum([f.get_size() for f in files])), })) def thumb(self, environ, start_response, path): hash = path[1] thumbfile = os.path.join(settings.thumb_directory, hash + '.jpg') if not os.access(thumbfile, os.F_OK): file = self.get_file(hash) im = Image.open(file.get_path()) im.thumbnail(settings.thumb_size, Image.ANTIALIAS) im.save(thumbfile) date = datetime.datetime.utcfromtimestamp(os.path.getmtime(thumbfile)) if self.not_modified(environ, date): start_response('304 Not Modified', [('Last-Modified', date.strftime(rfc1123_format))]) return [] start_response('200 OK', [('Content-Type', 'image/jpeg'), ('Last-Modified', date.strftime(rfc1123_format))]) return open(thumbfile, 'rb') def delete(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) if user == None: start_response('200 OK', [('Content-Type', 'text/html')]) return ['Not logged in.'] hash = path[1] file = self.get_file(hash) if file == None: start_response('404 Not Found', [('Content-Type', 'text/html')]) return ['

Not Found

The file you requested does not exist.

'] if file.user_id != user.id: start_response('403 Forbidden', [('Content-Type', 'text/html')]) return ['

Forbidden

You are not allowed to delete this file.

'] if environ['REQUEST_METHOD'] == 'POST': try: self.delete_file(file) except Exception as e: start_response('500 Internal Error', [('Content-Type', 'text/html')]) return ['Failed to delete file {filename} ({error}).'.format(filename = file.filename, error = str(e))] else: start_response('302 Found', [('Location', settings.virtual_root + 'u')]) return [] else: start_response('200 OK', [('Content-Type', 'text/html')]) return str(templates.delete(searchList = { 'root': settings.virtual_root, 'user': user, 'hash': hash, 'filename': file.filename, })) def api(self, environ, start_response, path): c = Cookie.SimpleCookie(environ['HTTP_COOKIE'] if 'HTTP_COOKIE' in environ else None) user = self.validate_cookie(c) if user == None: start_response('200 OK', [('Content-Type', 'application/json')]) return [json.dumps({'status': False, 'message': 'Not logged in'})] form = cgi.FieldStorage(environ = environ) method = form.getvalue('method') data = {'status': False, 'method': method, 'message': None} if method in ('list', 'images'): files = self.get_files(user) data['files'] = [ { 'name': f.filename, 'hash': f.hash, 'date': int(f.date.strftime('%s')), 'size': f.get_size(), } for f in files if method == 'list' or (method == 'images' and f.is_image()) ] data['status'] = True else: data['message'] = 'Unknown method "%s"' start_response('200 OK', [('Content-Type', 'application/json')]) return [json.dumps(data)] f = file u = upload l = login s = static h = help m = my_files i = images t = thumb o = logout r = register c = changepass d = delete a = api def __call__(self, environ, start_response): path = environ['PATH_INFO'].split('/')[1:] module = path[0] if len(path) else '' if len(module) and module in 'fulshmitorcda': return getattr(self, module)(environ, start_response, path) else: start_response('302 Found', [('Location', settings.virtual_root + 'u')]) return [] if __name__ == '__main__': import sys if len(sys.argv) == 3: from flup.server.fcgi import WSGIServer WSGIServer(Application(), bindAddress = (sys.argv[1], int(sys.argv[2]))).run() else: from wsgiref.simple_server import make_server, WSGIServer # enable IPv6 WSGIServer.address_family |= 10 http = make_server('', 8000, Application()) http.serve_forever()