web: remove /vdrive/private, replace with a start.html file that points at the /uri/PRIVATE_URI, to prevent XSRF attacks

2025-06-18 23:38:18 +00:00 · 2007-08-22 14:54:34 -07:00
parent 8717905e35
commit 4de5767c98
6 changed files with 93 additions and 20 deletions
--- a/src/allmydata/client.py
+++ b/src/allmydata/client.py
@ -50,10 +50,7 @@ class Client(node.Node, Referenceable):
        except EnvironmentError:
            pass # absent or unreadable webport file
        else:
-            ws = WebishServer(webport)
-            ws.allow_local_access(os.path.exists(os.path.join(self.basedir,
-                                  self.WEB_ALLOW_LOCAL_ACCESS_FILE)))
-            self.add_service(ws)
+            self.init_web(webport)

        INTRODUCER_FURL_FILE = os.path.join(self.basedir,
                                            self.INTRODUCER_FURL_FILE)
@ -100,6 +97,18 @@ class Client(node.Node, Referenceable):
        if os.path.exists(filename):
            self.push_to_ourselves = True

+    def init_web(self, webport):
+        # this must be called after the VirtualDrive is attached
+        ws = WebishServer(webport)
+        ws.allow_local_access(os.path.exists(os.path.join(self.basedir,
+                              self.WEB_ALLOW_LOCAL_ACCESS_FILE)))
+        self.add_service(ws)
+        vd = self.getServiceNamed("vdrive")
+        startfile = os.path.join(self.basedir, "start.html")
+        d = vd.when_private_root_available()
+        d.addCallback(ws.create_start_html, startfile)
+
+
    def _check_hotline(self, hotline_file):
        if os.path.exists(hotline_file):
            mtime = os.stat(hotline_file)[stat.ST_MTIME]