Use a random path to prevent other apps from accessing content.

The path is the Base64 encoding of 128 bits from SecureRandom. This prevents anyone who doesn't know the path (eg untrusted apps running on localhost) from accessing the content. The root URL now returns a 404 page.
onionshare · Sep 8, 2023 · f023a0f · f023a0f
1 parent 3a3657b
commit f023a0f
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 12 deletions.
diff --git a/app/src/main/assets/templates/send.html b/app/src/main/assets/templates/send.html
@@ -23,7 +23,7 @@ <h1>{% if title %}{{ title }}{% else %}OnionShare{% endif %}</h1>
         <div>Total size: <strong>{{ filesize_human }}</strong> {% if is_zipped %} (compressed){%
             endif %}
         </div>
-        <a class="button" href='/download'>Download Files</a>
+        <a class="button" href='{{ content_path }}/download'>Download Files</a>
     </div>
 </header>
 

diff --git a/app/src/main/java/org/onionshare/android/ShareManager.kt b/app/src/main/java/org/onionshare/android/ShareManager.kt
@@ -148,7 +148,7 @@ class ShareManager @Inject constructor(
                 // We only create the hidden service after files have been zipped and webserver was started,
                 // so we are in sharing state once the first HS descriptor has been published.
                 notificationManager.onSharing()
-                ShareUiState.Sharing("http://${torState.onion}.onion")
+                ShareUiState.Sharing("http://${torState.onion}.onion/${webserverManager.contentPath}")
             }
 
             TorState.FailedToConnect -> {

diff --git a/app/src/main/java/org/onionshare/android/server/WebserverManager.kt b/app/src/main/java/org/onionshare/android/server/WebserverManager.kt
@@ -53,11 +53,12 @@ class WebserverManager @Inject constructor() {
     private var server: ApplicationEngine? = null
     private val _state = MutableStateFlow<WebServerState>(WebServerState.Stopped(false))
     val state = _state.asStateFlow()
+    val contentPath = getRandomPath()
 
     suspend fun start(sendPage: SendPage): Int {
         _state.value = WebServerState.Starting
         val staticPath = getStaticPath()
-        val staticPathMap = mapOf("static_url_path" to staticPath)
+        val pathMap = mapOf("static_url_path" to staticPath, "content_path" to contentPath)
         TrafficStats.setThreadStatsTag(0x42)
         val server = embeddedServer(
             factory = Netty,
@@ -72,11 +73,11 @@ class WebserverManager @Inject constructor() {
             install(Pebble) {
                 loader(ClasspathLoader().apply { prefix = "assets/templates" })
             }
-            installStatusPages(staticPathMap)
+            installStatusPages(pathMap)
             addListener()
             routing {
                 defaultRoutes(staticPath)
-                sendRoutes(sendPage, staticPathMap)
+                sendRoutes(sendPage, pathMap)
             }
         }.also { it.start() }
         this.server = server
@@ -98,11 +99,13 @@ class WebserverManager @Inject constructor() {
         }
     }
 
+    private fun getRandomPath(): String {
+        val randomBytes = ByteArray(16).apply { secureRandom.nextBytes(this) }
+        return Base64.encodeToString(randomBytes, NO_PADDING or URL_SAFE).trimEnd()
+    }
+
     private fun getStaticPath(): String {
-        val staticSuffixBytes = ByteArray(16).apply { secureRandom.nextBytes(this) }
-        val staticSuffix =
-            Base64.encodeToString(staticSuffixBytes, NO_PADDING or URL_SAFE).trimEnd()
-        return "/static_$staticSuffix"
+        return "/static_${getRandomPath()}"
     }
 
     private fun Application.addListener() {
@@ -142,11 +145,11 @@ class WebserverManager @Inject constructor() {
     }
 
     private fun Route.sendRoutes(sendPage: SendPage, staticPathMap: Map<String, String>) {
-        get("/") {
+        get("/$contentPath") {
             val model = sendPage.model + staticPathMap
             call.respond(PebbleContent("send.html", model))
         }
-        get("/download") {
+        get("/$contentPath/download") {
             call.response.header(
                 ContentDisposition,
                 Attachment.withParameter(FileName, sendPage.fileName).toString()

diff --git a/app/src/main/java/org/onionshare/android/ui/share/ShareBottomSheet.kt b/app/src/main/java/org/onionshare/android/ui/share/ShareBottomSheet.kt
@@ -257,7 +257,7 @@ fun ShareBottomSheetSharingPreview() {
         Surface(color = MaterialTheme.colors.background) {
             BottomSheet(
                 state = ShareUiState.Sharing(
-                    "http://openpravyvc6spbd4flzn4g2iqu4sxzsizbtb5aqec25t76dnoo5w7yd.onion/",
+                    "http://openpravyvc6spbd4flzn4g2iqu4sxzsizbtb5aqec25t76dnoo5w7yd.onion/eW91IGFyZSBhIG5lcmQ7KQ",
                 ),
                 onSheetButtonClicked = {},
             )