From 51d758f0ccb33567458003a01ddd49e0356f0f61 Mon Sep 17 00:00:00 2001
From: Julian Hurst <julian.hurst@digdash.com>
Date: Wed, 9 Apr 2025 15:03:05 +0200
Subject: Add header and option to preserve the filename

When uploading it's now possible to specify a X-ResourceMeta-Filename
header to specify the final filename of the file. This supercedes the
X-ResourceMeta-Extension header.
Note: this option can make it easier to guess the resource url so if
uploading a sensitive file (which is not recommended anyway) an easy to
guess filename could make it easier for an "attacker" to get the file.
---
 main.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

(limited to 'main.go')

diff --git a/main.go b/main.go
index e4020c3..964fbb1 100644
--- a/main.go
+++ b/main.go
@@ -116,15 +116,18 @@ func (handler BoxHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}
-		ext := r.Header.Get("X-ResourceMeta-Extension")
-		u, err := uuid.NewRandom()
-		if err != nil {
-			log.Println(err)
-			fmt.Fprint(w, err.Error())
-			w.WriteHeader(http.StatusInternalServerError)
-			return
+		filename := r.Header.Get("X-ResourceMeta-Filename")
+		if filename == "" {
+			ext := r.Header.Get("X-ResourceMeta-Extension")
+			u, err := uuid.NewRandom()
+			if err != nil {
+				log.Println(err)
+				fmt.Fprint(w, err.Error())
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			filename = filepath.Join(handler.filesPath, u.String()) + ext
 		}
-		filename := filepath.Join(handler.filesPath, u.String()) + ext
 		log.Printf("Boxing %s...\n", filename)
 		f, err := os.Create(filename)
 		if err != nil {
-- 
cgit v1.2.3