noirscape
/
elimage


								#!/usr/bin/env python3


								import os

								import sys

								import logging

								import hashlib

								from collections import OrderedDict

								import mimetypes

								import subprocess

								from functools import lru_cache

								from hmac import compare_digest

								from pathlib import Path


								import tornado.web

								import tornado.template

								import tornado.process


								import config

								from models import model

								try:

								  from checker import check_executable

								except ImportError:

								  async def check_executable(

								    ip: str, sha1: str, content: bytes, filename: str,

								  ) -> None:

								    pass


								SCRIPT_PATH = 'elimage'

								RISKY_TYPES = [

								  'application/x-dosexec',

								  'application/x-executable',

								]


								@lru_cache()

								def guess_mime_using_file_p(path):

								  with open(path, 'rb') as f:

								    data = f.read()

								  return guess_mime_using_file(data)


								def guess_mime_using_file(content):

								  result = subprocess.check_output(

								    ['file', '-i', '-'],

								    input = content,

								  ).decode()

								  _, mime, encoding = result.split()

								  mime = mime.rstrip(';')

								  encoding = encoding.split('=')[-1]


								  # older file doesn't know webp

								  if mime == 'application/octet-stream':

								    result = subprocess.check_output(

								      ['file', '-'],

								      input = content,

								    ).decode()

								    _, desc = result.split(None, 1)

								    if 'Web/P image' in desc:

								      return 'image/webp', None


								  # Tornado will treat non-gzip encoding as application/octet-stream

								  if encoding != 'gzip':

								    encoding = None

								  return mime, encoding


								def qrencode(s):

								  return subprocess.check_output(

								    ['qrencode', '-t', 'UTF8', s]).decode()


								# for StaticFileHandler

								mimetypes.guess_type = guess_mime_using_file_p


								def guess_extension(ftype):

								  if ftype == 'application/octet-stream':

								    return '.bin'

								  elif ftype == 'image/webp':

								    return '.webp'

								  ext = mimetypes.guess_extension(ftype)

								  if ext in ('.jpe', '.jpeg'):

								    ext = '.jpg'

								  return ext


								def get_url_prefix(request):

								  if HTTPS:

								    return "https" + "://" + request.host + request.uri

								  else:

								    return "http" + "://" + request.host + request.uri


								class IndexHandler(tornado.web.RequestHandler):

								  index_template = None

								  def get(self):

								    # self.render() would compress whitespace after it meets '{{' even in <pre>

								    if self.index_template is None:

								      template_path = Path(self.settings['template_path'])

								      try:

								        file_name = template_path / 'index-site.html'

								        try:

								          with open(file_name) as index_file:

								            text = index_file.read()

								        except FileNotFoundError:

								          file_name = template_path / 'index.html'

								          with open(file_name) as index_file:

								            text = index_file.read()


								        self.__class__.index_template = tornado.template.Template(

								          text, compress_whitespace=False)

								      except IOError:

								        logging.exception('failed to open the file: %s', file_name)

								        raise tornado.web.HTTPError(404, 'index.html is missing')


								    url_prefix = get_url_prefix(self.request)


								    if '?' in url_prefix:

								      url_prefix = url_prefix.split('?', 1)[0]


								    content = self.index_template.generate(

								      url=url_prefix,

								      password_required=bool(self.settings['password'])

								    )

								    self.write(content)


								  async def post(self):

								    # Check the user has been blocked or not

								    user = model.get_user_by_ip(self.request.remote_ip)

								    if user is None:

								      uid = model.add_user(self.request.remote_ip)

								    else:

								      if user['blocked']:

								        raise tornado.web.HTTPError(403, 'You are on our blacklist.')

								      else:

								        uid = user['id']


								    # Check whether password is required

								    expected_password = self.settings['password']

								    if expected_password and \

								      not compare_digest(self.get_argument('password'), expected_password):

								        raise tornado.web.HTTPError(403, 'You need a valid password to post.')


								    files = self.request.files

								    if not files:

								      raise tornado.web.HTTPError(400, 'upload your image please')


								    ret = OrderedDict()

								    url_prefix = get_url_prefix(self.request)

								    if '?' in url_prefix:

								      url_prefix = url_prefix.split('?', 1)[0]

								    url_prefix = url_prefix.rstrip('/')


								    for filelist in files.values():

								      for file in filelist:

								        m = hashlib.sha1()

								        m.update(file['body'])

								        h = m.hexdigest()

								        model.add_image(uid, h, file['filename'], len(file['body']))

								        ftype = guess_mime_using_file(file['body'])[0]

								        if ftype in RISKY_TYPES:

								          await check_executable(

								            self.request.remote_ip,

								            h, file['body'], file['filename'])


								        d = h[:2]

								        f = h[2:]

								        p = os.path.join(self.settings['datadir'], d)

								        if not os.path.exists(p):

								          os.mkdir(p, 0o750)

								        fpath = os.path.join(p, f)

								        if not os.path.exists(fpath):

								          try:

								            with open(fpath, 'wb') as img_file:

								              img_file.write(file['body'])

								          except IOError:

								            logging.exception('failed to open the file: %s', fpath)

								            ret[file['filename']] = 'FAIL'

								            self.set_status(500)

								            continue


								        ext = None

								        if ftype:

								          ext = guess_extension(ftype)

								        if ext:

								          f += ext

								        ret[file['filename']] = '%s/%s/%s' % (url_prefix, d, f)


								    output_qr = self.get_argument('qr', None) is not None

								    if len(ret) > 1:

								      for item in ret.items():

								        self.write('%s: %s\n' % item)

								        if output_qr:

								          self.write('%s\n' % qrencode(item[1]))

								    elif ret:

								      img_url = tuple(ret.values())[0]

								      self.write("%s\n" % img_url)

								      if output_qr:

								        self.write('%s\n' % qrencode(img_url))

								    logging.info('%s posted: %s', self.request.remote_ip, ret)


								class ToolHandler(tornado.web.RequestHandler):

								  def get(self):

								    self.set_header('Content-Type', 'text/x-python')

								    self.render('elimage', url=self.request.full_url()[:-len(SCRIPT_PATH)])


								class HashHandler(tornado.web.RequestHandler):

								  def get(self, p):

								    if '.' in p:

								      h, ext = p.split('.', 1)

								      ext = '.' + ext

								    else:

								      h, ext = p, ''


								    h = h.replace('/', '')

								    if len(h) != 40:

								      raise tornado.web.HTTPError(404)

								    else:

								      self.redirect('/%s/%s%s' % (h[:2], h[2:], ext), permanent=True)


								def main():

								  import tornado.httpserver

								  from tornado.options import define, options


								  from tornado.platform.asyncio import AsyncIOMainLoop

								  import asyncio

								  AsyncIOMainLoop().install()


								  define("port", default=config.DEFAULT_PORT, help="run on the given port", type=int)

								  define("address", default='', help="run on the given address", type=str)

								  define("datadir", default=config.DEFAULT_DATA_DIR, help="the directory to put uploaded data", type=str)

								  define("fork", default=False, help="fork after startup", type=bool)

								  define("cloudflare", default=config.CLOUDFLARE, help="check for Cloudflare IPs", type=bool)

								  define("password", default=config.UPLOAD_PASSWORD, help="optional password", type=str)


								  tornado.options.parse_command_line()

								  if options.fork:

								    if os.fork():

								      sys.exit()


								  if options.cloudflare:

								    import cloudflare

								    cloudflare.install()

								    loop = asyncio.get_event_loop()

								    loop.create_task(cloudflare.updater())


								  application = tornado.web.Application([

								    (r"/", IndexHandler),

								    (r"/" + SCRIPT_PATH, ToolHandler),

								    (r"/([a-fA-F0-9]{2}/[a-fA-F0-9]{38})(?:\.\w*)?", tornado.web.StaticFileHandler, {

								      'path': options.datadir,

								    }),

								    (r"/([a-fA-F0-9/]+(?:\.\w*)?)", HashHandler),

								  ],

								    datadir=options.datadir,

								    debug=config.DEBUG,

								    template_path=os.path.join(os.path.dirname(__file__), "templates"),

								    password=config.UPLOAD_PASSWORD,

								  )

								  http_server = tornado.httpserver.HTTPServer(

								    application,

								    xheaders=config.XHEADERS,

								  )

								  http_server.listen(options.port, address=options.address)


								  asyncio.get_event_loop().run_forever()


								if __name__ == "__main__":

								  try:

								    main()

								  except KeyboardInterrupt:

								    pass