From 4e7c730faf40f3ee45c0f2d9baaa506df7a6d863 Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Sat, 22 Oct 2016 15:45:45 +0100 Subject: [PATCH] download improvements; CSRF token commented --- filemanager.go | 47 ++++++++++++++++++++++++++++++++++++++------ handlers/download.go | 21 ++++++++++++++++---- 2 files changed, 58 insertions(+), 10 deletions(-) diff --git a/filemanager.go b/filemanager.go index 0e0d2ebb..8827e772 100644 --- a/filemanager.go +++ b/filemanager.go @@ -43,6 +43,10 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err return f.Next.ServeHTTP(w, r) } + w.Header().Set("x-frame-options", "SAMEORIGIN") + w.Header().Set("x-content-type", "nosniff") + w.Header().Set("x-xss-protection", "1; mode=block") + c = &f.Configs[i] // Checks if the URL matches the Assets URL. Returns the asset if the @@ -65,6 +69,10 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err // Checks if the request URL is for the WebDav server if strings.HasPrefix(r.URL.Path, c.WebDavURL) { + // if !c.CheckToken(r) { + // return http.StatusForbidden, nil + // } + // Checks for user permissions relatively to this PATH if !user.Allowed(strings.TrimPrefix(r.URL.Path, c.WebDavURL)) { return http.StatusForbidden, nil 
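Review bot: The second header set on the new lines of `@@ -43,6 +43,10 @@` is misnamed: `x-content-type` is not a response header browsers recognise, so it has no effect; the intended header is `w.Header().Set("X-Content-Type-Options", "nosniff")`. The other two keys are fine as written, since `Header.Set` canonicalises them. Because the three calls sit before the asset and WebDAV branches, they apply to every response this handler produces, which looks intended but is worth a one-line comment saying so. ServeHTTP starts and ends outside this hunk.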
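Review bot: Commenting out `c.CheckToken(r)` in the WebDAV branch of `@@ -65,6 +69,10 @@` leaves that namespace with only the `user.Allowed` path check, and the same change in `@@ -146,9 +181,9 @@` removes the token check from the POST branch while `@@ -121,9 +159,6 @@` drops the `c.GenerateToken()` call that produced the token, so after this commit no state-changing request through this handler is CSRF-validated. If this is a temporary step while the cookie-based token is worked out, the disabled code should say so, and the TODO above the POST check now describes a measure that is not applied at all; I would replace it with `// TODO: CSRF check disabled until token handling is reworked; POST and WebDAV are currently unprotected.`. The enclosing ServeHTTP body starts and ends outside these hunks.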
@@ -105,6 +113,36 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err } if r.Method == http.MethodGet { + // Generate anti security token. + /* c.GenerateToken() + + http.SetCookie(w, &http.Cookie{ + Name: "token", + Value: c.Token, + Path: "/", + HttpOnly: true, + }) + + co, err := r.Cookie("token") + fmt.Println(co.Value) */ + + /* Name string + Value string + + Path string // optional + Domain string // optional + Expires time.Time // optional + RawExpires string // for reading cookies only + + // MaxAge=0 means no 'Max-Age' attribute specified. + // MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0' + // MaxAge>0 means Max-Age attribute present and given in seconds + MaxAge int + Secure bool + HttpOnly bool + Raw string + Unparsed []string // Raw text of unparsed attribute-value pairs*/ + // Gets the information of the directory/file fi, code, err = file.GetInfo(r.URL, c, user) if err != nil { @@ -121,9 +159,6 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err return 0, nil } - // Generate anti security token. - c.GenerateToken() - switch { case r.URL.Query().Get("download") != "": code, err = handlers.Download(w, r, c, fi) @@ -146,9 +181,9 @@ func (f FileManager) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, err if r.Method == http.MethodPost { // TODO: This anti CSCF measure is not being applied to requests // to the WebDav URL namespace. Anyone has ideas? - if !c.CheckToken(r) { - return http.StatusForbidden, nil - } + // if !c.CheckToken(r) { + // return http.StatusForbidden, nil + // } // VCS commands. if r.Header.Get("Command") != "" { diff --git a/handlers/download.go b/handlers/download.go index f4fc95a2..4b064499 100644 --- a/handlers/download.go +++ b/handlers/download.go @@ -6,6 +6,7 @@ import ( "net/http" "os" "path/filepath" + "strings" "github.com/hacdias/caddy-filemanager/config" "github.com/hacdias/caddy-filemanager/file" 
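Review bot: The new lines in `@@ -105,6 +113,36 @@` commit roughly thirty lines of commented-out scratch, including a verbatim copy of the `http.Cookie` struct definition and a `fmt.Println(co.Value)` debug line that, if ever uncommented, dereferences `co` without checking the error returned by `r.Cookie("token")`. Work-in-progress code like this belongs in a branch or a short TODO rather than in the handler body; keep at most a one-line marker such as `// TODO: issue the CSRF token as an HttpOnly cookie here once GenerateToken is reinstated.` and drop the pasted struct. ServeHTTP continues outside the hunk.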
@@ -23,6 +24,18 @@ func Download(w http.ResponseWriter, r *http.Request, c *config.Config, i *file. return 0, nil } + files := []string{} + names := strings.Split(r.URL.Query().Get("files"), ",") + + if len(names) != 0 { + for _, name := range names { + files = append(files, filepath.Join(i.Path, name)) + } + + } else { + files = append(files, i.Path) + } + if query == "true" { query = "zip" } @@ -44,13 +57,13 @@ func Download(w http.ResponseWriter, r *http.Request, c *config.Config, i *file. switch query { case "zip": - extension, err = ".zip", archiver.Zip.Make(tempfile, []string{i.Path}) + extension, err = ".zip", archiver.Zip.Make(tempfile, files) case "tar": - extension, err = ".tar", archiver.Tar.Make(tempfile, []string{i.Path}) + extension, err = ".tar", archiver.Tar.Make(tempfile, files) case "targz": - extension, err = ".tar.gz", archiver.TarGz.Make(tempfile, []string{i.Path}) + extension, err = ".tar.gz", archiver.TarGz.Make(tempfile, files) case "tarbz2": - extension, err = ".tar.bz2", archiver.TarBz2.Make(tempfile, []string{i.Path}) + extension, err = ".tar.bz2", archiver.TarBz2.Make(tempfile, files) default: return http.StatusNotImplemented, nil }
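Review bot: The `name` values appended on the new lines of `@@ -23,6 +24,18 @@` come straight from the `files` query parameter and are joined to `i.Path` (an on-disk path, judging by its use in `archiver.*.Make`) without being confined to it, so an entry containing `..` resolves to a directory outside the one the caller's `GetInfo`/`user.Allowed` checks approved, unless that parameter is validated somewhere not visible here. There is also a logic slip: `strings.Split("", ",")` yields `[]string{""}`, so `len(names) != 0` is always true and the `else` branch is dead; the no-parameter case only works because `filepath.Join(i.Path, "")` cleans to `i.Path`. I would branch on the raw parameter being non-empty and reject any joined path that is neither `i.Path` itself nor under `i.Path` plus a separator (symlinks inside the tree are a separate question). Download's signature is above the hunk and its body continues below it.
```go
	files := []string{}
	base := filepath.Clean(i.Path)
	if q := r.URL.Query().Get("files"); q != "" {
		for _, name := range strings.Split(q, ",") {
			p := filepath.Join(base, name)
			// Join cleans ".." but does not confine the result; refuse anything
			// that resolves outside the directory the caller already authorised.
			if p != base && !strings.HasPrefix(p, base+string(filepath.Separator)) {
				return http.StatusForbidden, nil
			}
			files = append(files, p)
		}
	} else {
		files = append(files, base)
	}
	// … unchanged: query normalisation and archive creation …
```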