making browser decodes optional

Justin Angel · Justin Angel · commit 06c32a3b7d2d · 2021-03-15T08:06:31.000-06:00
diff --git a/server.py b/server.py
@@ -124,15 +124,16 @@ def list_directory(self, path):
         linkname = urllib.parse.quote(linkname)
         displayname = html.escape(displayname)
 
-        # TODO: Handle insertion of JS links
+        # Handle insertion of JS links
         if self.B64_ENCODE_PAYLOAD:
+
             # implenet call to JS via onClick
-            
             f.write(
-                    '<li><a href="javascript:decoder(\'{}\')">{}</a>\n'.format(
-                    linkname,
-                    linkname,
-                    displayname).encode('utf8')
+                    self.B64_LINK.format(
+                        linkname,
+                        linkname,
+                        displayname
+                    ).encode('utf8')
             )
 
         else:
@@ -158,6 +159,11 @@ class CorsHandler(http.server.SimpleHTTPRequestHandler):
 
     B64_ENCODE_PAYLOAD = False
     B64_JS_TEMPLATE = None
+    B64_LINK = None
+    B64_LINK_TEMPLATE = \
+        '<li><a href="javascript:downloader(\'{}\',true)">{}</a>\n'
+    B64_NO_DECODE_LINK_TEMPLATE = \
+        '<li><a href="javascript:downloader(\'{}\',false)">{}</a>\n'
 
     @property
     def client_ip(self):
@@ -473,7 +479,7 @@ def do_basic_POST(self):
 
 def run_server(interface, port, keyfile, certfile, 
         webroot=None, enable_uploads=False, enable_b64=False,
-        *args, **kwargs):
+        disable_browser_decode=False, *args, **kwargs):
 
     # ============================
     # CONFIGURE BASE64 OBFUSCATION
@@ -488,6 +494,12 @@ def run_server(interface, port, keyfile, certfile,
                 '/templates/b64_obfuscation.js','r') as infile:
             CorsHandler.B64_JS_TEMPLATE = infile.read()
 
+        # Select proper link template based on supplied options
+        if disable_browser_decode:
+            CorsHandler.B64_LINK = CorsHandler.B64_NO_DECODE_LINK_TEMPLATE
+        else:
+            CorsHandler.B64_LINK = CorsHandler.B64_LINK_TEMPLATE
+
     webroot=webroot or '.'
 
     # Update CorsHandler with upload functionality
@@ -633,8 +645,23 @@ def generate_certificate(certfile, keyfile):
     obf_group.add_argument('--enable-b64',
         help='Enable double base 64 obfuscation of files.',
         action='store_true')
+    obf_group.add_argument('--disable-browser-decode',
+        help='Disable decoding at the browser. This may be disirable '
+        'in situations where browser developers don\'t give a damn ab'
+        'out your privacy and upload your downloaded files to scanner'
+        's.',
+        action='store_true')
 
     args = parser.parse_args()
+
+
+    if not args.enable_b64 and args.disable_browser_decode:
+
+        spring('Warning: Browser decoding has been disabled but '
+        'Base64 encoding has not been enabled. Configuration ign'
+        'ored.')
+
+        args.disable_browser_decode=False
     
     # handle basic auth credentials
     if args.basic_username and not args.basic_password or (
diff --git a/templates/b64_obfuscation.js b/templates/b64_obfuscation.js
@@ -63,13 +63,19 @@ function encoder(iterations){
 }
 
 // For downloads
-function decoder(fname){
+function downloader(fname,decode){
+    if(decode == undefined){ decode = false; }
 	var xhttp = new XMLHttpRequest();
 	xhttp.open("GET",fname,true);
     xhttp.timeout=30000;
 	xhttp.onreadystatechange = function() {
 		if(this.readyState == 4 && this.status == 200){
-			var blob = decode64(this.responseText, 2);
+			var blob;
+            if(decode){
+                blob = decode64(this.responseText, 2);
+            } else {
+                blob = new Blob([this.responseText], {type:'text/base64'});
+            }
 			var a = document.createElement('a');
 			var u = window.URL.createObjectURL(blob);
 			document.body.appendChild(a);
