| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
If users send no payload data to a POST request, libweb sets a null
pointer as part of the payload. Therefore, null pointers must always be
checked as a sanity check.
|
| |
|
|
|
| |
Otherwise, usergen(1) would be built without linking against libsodium,
and thus would fail to build.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The following commit fixes a memory leak caused by untrusted user input:
commit 953210bd1930e1734f1acde86eadd7a1997bb7c3
Author: Xavier Del Campo Romero
Date: Sun Oct 26 20:12:46 2025 +0100
form.c: Fix leak on invalid form
When one or more entries have been appended to a struct form instance,
but then an error occurs, those valid entries must be deallocated, too.
|
| |
|
|
|
|
|
|
|
|
| |
This was a leftover from the following commit:
commit 10e42591ac72285736d5cc4ee5e7c2f68dbf1e4b
Author: Xavier Del Campo Romero
Date: Wed Oct 8 13:50:52 2025 +0200
Replace OpenSSL with libsodium and argon2id
|
| | |
|
| |
|
|
|
|
|
| |
Otherwise, it is not ensured web browsers would translate a relative
directory such as "dir/.." to a URL with a trailing '/'. Therefore, a
POST request to "/user?download=1" would fail because slcl only
considers "/user/" (note the trailing '/') as valid.
|
| |
|
|
|
|
|
|
| |
When an empty directory is to be downloaded, z->lread would always equal
zero because read_file is never called.
Therefore, it is more sensible not to assume any number of bytes, and
just dump as much data as possible into buf.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This functionality was moved from slcl to libweb since it can be shared
with other web applications.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise, cookies set by previous, OpenSSL-based versions of slcl would
be now invalidated because URL-safe base64 transforms some characters,
thus breaking backwards compatiblity.
For example, '/' is transformed into '_' on the example cookies below:
- Original base64 encoding:
a=eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogImEifQ==.jgp/SsraDR/3zlAnDLyj05VHulUNbDNHaPowvUkLto4=
- URL-safe base64 encoding:
a=eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJuYW1lIjogImEifQ==.jgp_SsraDR_3zlAnDLyj05VHulUNbDNHaPowvUkLto4=
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SHA256-based password hashing algorithm used by slcl(1) and
usergen(1) is considered insecure against several kinds of attacks,
including brute force attacks. [1]
Therefore, a stronger password hashing algorithm based on the Argon2id
key derivation function is now used by default. While OpenSSL does
support Argon2id, it is only supported by very recent versions [2],
which are still not packaged by most distributions as of the time of
this writing. [3]
As an alternative to OpenSSL, libsodium [4] had several benefits:
- It provides easy-to-use functions for password hashing, base64
encoding/decoding and other cryptographic primitives used by slcl(1)
and usergen(1).
- It is packaged by most distributions [5], and most often only the patch
version differs, which ensures good compatibility across distributions.
Unfortunately, and as opposed to OpenSSL, libsodium does not come with
command-line tools. Therefore, usergen(1) had to be rewritten in C.
In order to maintain backwards compatiblity with existing databases,
slcl(1) and usergen(1) shall support the insecure, SHA256-based password
hashing algorithm. However, Argon2id shall now be the default choice for
usergen(1).
[1]: https://security.stackexchange.com/questions/195563/why-is-sha-256-not-good-for-passwords
[2]: https://docs.openssl.org/3.3/man7/EVP_KDF-ARGON2/
[3]: https://repology.org/project/openssl/versions
[4]: https://www.libsodium.org/
[5]: https://repology.org/project/libsodium/versions
|
| |
|
|
|
|
| |
libweb now supports deallocating user-defined data whenever an error
occurs during a chunked transfer or an asynchronous HTTP response, thus
avoiding memory leaks.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far, clicking on a directory name previewed it, whereas clicking on a
file name would download it, and file previews were on a separate
column. This behaviour was found to be confusing, so it has been
simplified.
Now, clicking on a file or directory name would preview it. On the other
hand, the "Preview" column has been replaced with a "Download" column,
so that both files and directories can be downloaded.
Thanks to Avron for the suggestion. [1]
[1]: https://codeberg.org/xavidcr/slcl/issues/2
|
| |
|
|
|
|
| |
It feels more intuitive to keep the thumbnail and file name as first
columns. It is assumed removing files and/or directories is not the
main interaction from users.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thanks to the fdzipstream library [1] and zlib [2], it is possible to
generate ZIP files on-the-fly, therefore requiring no extra disk space
usage and only a small amount of memory.
Unfortunately, as of the time of this writing fdzipstream is not
packaged by any distributions yet [3], so it had to be imported as a git
submodule as a workaround.
While libarchive [4] could be an interesting alternative, writing ZIP
files is only supported by very recent versions (>= 3.8.0), which are
still not packaged by many distributions [5], either.
Moreover, libarchive is a package with several dependencies other than
zlib and is significantly larger compared to fdzipstreams, so
fdzipstreams was ultimately considered a better fit for this purpose.
[1]: https://github.com/CTrabant/fdzipstream.git
[2]: http://zlib.net/
[3]: https://repology.org/projects/?search=fdzipstream
[4]: https://www.libarchive.org/
[5]: https://repology.org/project/libarchive/versions
|
| | |
|
| |
|
|
|
|
| |
Thanks to Avron for the suggestion. [1]
[1]: https://codeberg.org/xavidcr/slcl/issues/2
|
| |
|
|
|
|
| |
Thanks to Avron for the suggestion. [1]
[1]: https://codeberg.org/xavidcr/slcl/issues/2
|
| |
|
|
|
| |
libweb now allows to set up a custom value for the backlog argument in
the internal call to listen(2).
|
| |
|
|
|
|
|
|
| |
The older, synchronous implementation for cftw recursed as long as there
were children directories and, finally, it called the user function.
This commit therefore fixes the newer, asynchronous implementation to
honor that behaviour. Otherwise, rmdir_r would fail because rmdir(2)
would be called for non-empty directories.
|
| |
|
|
|
|
| |
The base64 string is considered untrusted input and, therefore, it might
cause a decoding error. Therefore, this should not cause the server to
close.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 4fa1b3e8 missed to update other calls to cftw that were still
relying on the older interface, causing unexpected errors.
As a side effect, user quotas are now calculated asynchronously i.e.,
without blocking other clients.
While the same improvement was planned for the /rm endpoint, it proved
too challenging to implement for a first refactor: on one hand, /rm
takes one or more key-value pairs involving the top-level directories
and/or files to remove. On the other hand, every directory must be
traversed recursively as rmdir(2) must be used on empty directories.
While certainly possible, it was considered to keep a synchronous
behaviour for do_rm for the sake of simplicity.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
So far, auth_login was looking for a key that matched the expected HMAC,
among all registered users, and therefore without looking up the
username from the cookie key.
This allowed attackers to forge a cookie with a valid key but another
username, and therefore see the contents from other users.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was a leftover from the following commit:
commit 173528aef50a4b452acdd8ec9aff13f25c3e092c
Author: Xavier Del Campo Romero
Date: Wed Sep 24 11:01:31 2025 +0200
Make search non-blocking
Thanks to a new feature in libweb, it is now possible to generate HTTP
responses asynchronously i.e., without blocking other clients if the
response takes a long time to generate.
This now allow users to search for files or directories without blocking
other users, regardless how much time the search operation takes.
This required cftw to deviate from the POSIX-like, blocking interface it
had so far, and has been replaced now with a non-blocking interface, so
that directories are inspected one entry at a time.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Thanks to a new feature in libweb, it is now possible to generate HTTP
responses asynchronously i.e., without blocking other clients if the
response takes a long time to generate.
This now allow users to search for files or directories without blocking
other users, regardless how much time the search operation takes.
This required cftw to deviate from the POSIX-like, blocking interface it
had so far, and has been replaced now with a non-blocking interface, so
that directories are inspected one entry at a time.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This new application runs separately from slcl and communicates with it
via a named pipe. When files are added/removed to/from the user
directory, slcl shall write to the named pipe.
Then, this new tool shall process incoming entries and generate
or remove thumbnails accordingly. Such thumbnails are stored into a new
directory inside the database directory, namely thumbnails/, which
replicates the same structure as user/.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This write-only named pipe is meant to inform other processes about
files that have been added/removed to/from the user/ directory.
The syntax is line-oriented and is described below.
For added files:
+<space ...><path><LF>
For removed files:
-<space ...><path><LF>
Paths shall always be absolute.
Examples:
+ /home/test/db/user/alice/a picture.jpg
- /home/test/db/user/bob/essay.txt
As reported above, this feature has been made completely optional so as
not to introduce breaking changes. A new command line option, namely -m,
is required to enable this feature.
|
| |
|
|
|
| |
crealpath already provides a mechanism to determine the current working
directory from getcwd(3).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
crealpath (for "custom realpath") is a custom implementation of
realpath(3) that aims to work similarly to GNU's realpath(1). This
implementation is provided due to the following reasons:
- Future commits will require extracting an absolute path from a
relative path, and/or process relative components from a path, such as
".." or ".".
- realpath(3) is defined by POSIX.1-2008 as a XSI extension, and
extensions are generally avoided in this repository whenever possible.
- Additionally, realpath(3) requires the file or directory pointed to by
the path to exist, which might not always be the case for slcl.
- auth.c uses its own implementation to extract a dynamically allocated
string by repeatedly calling getcwd(3). Future commits will also
require this future, so it makes sense to keep it on a separate
component.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
commit f7864cb7d49a8ca5bddf8d1f68b71ecd5ed85adc
Author: Xavier Del Campo Romero <xavi92@disroot.org>
Date: Tue Sep 23 16:28:44 2025 +0200
http.c: Always set SameSite=Strict to cookies
This cookie attribute allows to mitigate CSRF attacks, while not
requiring the server to store additional data. [1]
[1]: https://owasp.org/www-community/SameSite
|
| |
|
|
|
|
|
| |
Even if OpenSSL 1.0 is no longer supported [1], slcl still builds and
works fine with it, so there is no reason to require a higher version.
[1]: https://openssl-library.org/policies/releasestrat/index.html
|
| | |
|