add ?smsg

2026-04-06 07:47:56 +10:00 · 2026-01-21 04:55:50 +00:00
parent 0a3a80725a
commit 6dcb1efb7c
5 changed files with 46 additions and 1 deletions
--- a/copyparty/main.py
+++ b/copyparty/main.py
@@ -1562,6 +1562,7 @@ def add_optouts(ap):
    ap2.add_argument("-nih", action="store_true", help="no info hostname -- don't show in UI")
    ap2.add_argument("-nid", action="store_true", help="no info disk-usage -- don't show in UI. This is the same as --du-who no")
    ap2.add_argument("-nb", action="store_true", help="no powered-by-copyparty branding in UI")
+    ap2.add_argument("--smsg", metavar="T,T", type=u, default="POST", help="HTTP-methods to allow ?smsg for; will execute xm hooks like urlform / message-to-serverlog; dangerous example: [\033[32mGET,POST\033[0m]. \033[1;31mWARNING:\033[0m The default (POST) is safe, but GET is dangerous; security/CSRF hazard")
    ap2.add_argument("--zipmaxn", metavar="N", type=u, default="0", help="reject download-as-zip if more than \033[33mN\033[0m files in total; optionally takes a unit suffix: [\033[32m256\033[0m], [\033[32m9K\033[0m], [\033[32m4G\033[0m] (volflag=zipmaxn)")
    ap2.add_argument("--zipmaxs", metavar="SZ", type=u, default="0", help="reject download-as-zip if total download size exceeds \033[33mSZ\033[0m bytes; optionally takes a unit suffix: [\033[32m256M\033[0m], [\033[32m4G\033[0m], [\033[32m2T\033[0m] (volflag=zipmaxs)")
    ap2.add_argument("--zipmaxt", metavar="TXT", type=u, default="", help="custom errormessage when download size exceeds max (volflag=zipmaxt)")
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -1434,6 +1434,9 @@ class HttpCli(object):

                self.uparam["h"] = ""

+        if "smsg" in self.uparam:
+            return self.handle_smsg()
+
        if "tree" in self.uparam:
            return self.tx_tree()

@@ -2246,6 +2249,9 @@ class HttpCli(object):
        ):
            return self.handle_post_json()

+        if "smsg" in self.uparam:
+            return self.handle_smsg()
+
        if "move" in self.uparam:
            return self.handle_mv()

@@ -2332,6 +2338,37 @@ class HttpCli(object):

        raise Pebkac(405, "don't know how to handle POST(%r)" % (ctype,))

+    def handle_smsg(self) -> bool:
+        if self.mode not in self.args.smsg_set:
+            raise Pebkac(403, "smsg is disabled for this http-method in server config")
+
+        msg = self.uparam["smsg"]
+        self.log("smsg %d @ %r\n  %r\n" % (len(msg), "/" + self.vpath, msg))
+
+        xm = self.vn.flags.get("xm")
+        if xm:
+            xm_rsp = runhook(
+                self.log,
+                self.conn.hsrv.broker,
+                None,
+                "xm",
+                xm,
+                self.vn.canonical(self.rem),
+                self.vpath,
+                self.host,
+                self.uname,
+                self.asrv.vfs.get_perms(self.vpath, self.uname),
+                time.time(),
+                len(msg),
+                self.ip,
+                time.time(),
+                [msg, msg],
+            )
+            self.loud_reply(xm_rsp.get("stdout") or "", status=202)
+        else:
+            self.loud_reply("k", status=202)
+        return True
+
    def get_xml_enc(self, txt: str) -> str:
        ofs = txt[:512].find(' encoding="')
        enc = ""
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@@ -1118,6 +1118,12 @@ class SvcHub(object):
            vsa = [x.lower() for x in vsa if x]
            setattr(al, k + "_set", set(vsa))

+        for k in "smsg".split(" "):
+            vs = getattr(al, k)
+            vsa = [x.strip() for x in vs.split(",")]
+            vsa = [x.upper() for x in vsa if x]
+            setattr(al, k + "_set", set(vsa))
+
        zs = "dav_ua1 sus_urls nonsus_urls ua_nodav ua_nodoc ua_nozip"
        for k in zs.split(" "):
            vs = getattr(al, k)