stackp / droopy Goto Github PK

Hi! Thank you very much for this great project. Could you please add an option to prevent the download of files? Even without --publish-files aka --dl it is still possible to download files if you know their names.

For some reasons, I only want user to upload files, but they can not download files, are there start up option to do this? Thanks.

I just wanted to tell you that I love you. :)

Thanks for this tool.

👋 Hello, @stackp - a potential medium severity Cross-Site Request Forgery (CSRF) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-stackp/Droopy for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

Confused or need more help?

• Join us on our Discord and a member of our team will be happy to help! 🤗

• Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

I can try to do this. Any suggestion ?

For some reason i can't get droopy to redirect to the file list page after uploading a file. It just takes me to the "upload another file" file page.

Kinda hard to share files when the users can't access the files that are on the server.

Thanks for a great product :-)

I'm trying to integrate Droopy in some of my code but it's hard to use because there is no way to stop the server reliably. I've implemented something that starts Droopy in a new thread and even stops it but I can't then start it up again. I had to override the serve_forever function with some code like this

A simple, externally available start and stop routine would be nice.

I am attempting to use happy to implement a POST command using multipart/formdata using happyhttp (e.g., https://github.com/Zintinio/HappyHTTP) to upload files to droopy directly from a c++ application.
The issue is that the server will accept the POST command and create the file as requested, but it when trying to get the return page data. This is likely an interaction between some low-level implementation in droopy and in happyhttp, but a suitably-modified test case works for other servers, such as http://posttestserver.com/upload.php. Furthermore, the test code I have will work when pointed to a straight html page--it successfully downloads the page data.

The underlying situation is that happy tries to download the data, and although it knows there is outstanding data to process, it checks whether there is data waiting on the open socket and finds there is none. I don't really know what that means on the droopy side, but when I ctrl-c out of the program, droopy throws this error--this may not really be meaningful.

127.0.0.1 - - [02/Jun/2017 08:57:52] "POST / HTTP/1.1" 200 -
127.0.0.1 - - [02/Jun/2017 08:57:52] [Errno 32] Broken pipe
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 50762)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 654, in __init__
    self.finish()
  File "/usr/lib/python2.7/SocketServer.py", line 713, in finish
    self.wfile.close()
  File "/usr/lib/python2.7/socket.py", line 283, in close
    self.flush()
  File "/usr/lib/python2.7/socket.py", line 307, in flush
    self._sock.sendall(view[write_offset:write_offset+buffer_size])
error: [Errno 32] Broken pipe
----------------------------------------

A happyhttp test case can be put into Test.cpp is as follows. Just add this after Test3.cpp, which can be compiled via g++ test.cpp happyhttp.cpp -o testpost

then, test with droopy running on localhost:8000

//This posts to local droopy server running on 8000
void Test4()
{
	puts("-----------------Test4------------------------" );
	// POST example using lower-level interface

	const char* params = "--||||\nContent-Disposition: form-data; name=\"upfile\"; filename=\"testfile.txt\" \nContent-Type: application/octet-stream \n\nfile contents1\nfile contents2\nfile contents3\nfile contents4\nfile contents5\nfile contents6\nfile contents7\nfile contents8\nfile contents9\nfile contents10\n--||||--";
	int l = strlen(params);

	happyhttp::Connection conn( "localhost", 8000 );
	conn.setcallbacks( OnBegin, OnData, OnComplete, 0 );

	conn.putrequest( "POST", "/" );
	conn.putheader( "Connection", "close" );
	conn.putheader( "Content-Length", l );
	conn.putheader( "Content-Type", "multipart/form-data; boundary=||||" );
	conn.putheader( "Accept", "text/plain" );
	conn.endheaders();
	conn.send( (const unsigned char*)params, l );

	while( conn.outstanding() )
	  {
		conn.pump();
	  }
}

and later:

try
	{
	  //Test1();
	  //Test2();
	  //Test3();
	  Test4();
	}

The problem seems to be that outstanding() returns true, but when pump() is called, it returns on the datawaiting check:

	if( !datawaiting( m_Sock ) )
		return;				// recv will block

I can't be sure whether happy or droopy are to blame; this works when pointed to posttestserver.com/upload.php, retrieving the custom response code; but fails on droopy. On the other hand, droopy works fine when used via a browser.

Dear Pierre,

wonderful Tool! Thank you very much for sharing Droopy!

Unluckily I do knot know Python yet and therefore I send you this feature suggestion:
When enabling SSL it would be cool if a non-SSL request would send a redirect to the https page.

Cheers, marc

Hey there,

when I try to start the encrypted version of Droopy with my letsencrypt cert.pem (I even tried generating a new selfsigned cert for testing purposes), I get the following error:

Traceback (most recent call last):
File "droopy", line 1114, in
main()
File "droopy", line 1109, in main
localisations=default_localisations)
File "droopy", line 462, in run
server_side=True)
File "/usr/lib/python3.5/ssl.py", line 1077, in wrap_socket
ciphers=ciphers)
File "/usr/lib/python3.5/ssl.py", line 699, in init
self._context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:2957)

Can you help me, what am I doing wrong?
Thx

Your server is working very effectively.
How can I add the following
Once anyone uploaded the file, browser should close automatically or redirect to another page which not have upload option.

I observed a get request that I don't understand and may be a security vulnerability: 45.148.10.241 - - [18/Jan/2022 12:39:39] "GET http://example.com/ HTTP/1.1" 200 -. I am running Debian Buster with default Python 2.7.16.

The cgi module has been deprecated and will be removed as of Python 3.13. Debian Bookworm currently runs Python 3.11 but I imagine that unless fixed, droopy will not work with Debian Trixie. Unfortunately, the fix does not look trivial: https://peps.python.org/pep-0594/#cgi

great web server and so easy to set up. Sometimes the files I receive will not open and have a permission error, have you come across this before?

For a 1M size file, it takes about many seconds(about 20 seconds) to upload. A larger file is also much longer, so my question is: is it possible to make it a bit faster? Thanks.

BTW: I'm using it under a 100M speed intranet.

I ran the same droopy.py with Python 2 then Python 3.
--auth works as expected with Python 2.
With Python 3.6.4 on Win 7 -64bit, I get this error:

>python droopy.py --auth test:test

Exception happened during processing of request from ('127.0.0.1', 53806)
Traceback (most recent call last):
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\socketserver.py", line 639, in process_request_thread
    self.finish_request(request, client_address)
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\socketserver.py", line 361, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\socketserver.py", line 696, in __init__
    self.handle()
  File "droopy.py", line 352, in handle
    httpserver.BaseHTTPRequestHandler.handle(self)
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\http\server.py", line 418, in handle
    self.handle_one_request()
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\http\server.py", line 406, in handle_one_request
    method()
  File "droopy.py", line 77, in decorated
    expected = 'Basic ' + base64.b64encode(self.auth)
  File "C:\Users\user\AppData\Local\Programs\Python\Python36-32\lib\base64.py", line 58, in b64encode
    encoded = binascii.b2a_base64(s, newline=False)
TypeError: a bytes-like object is required, not 'str'

When droopy is started using unicode characters in directory path or message, it fails. The server stays up, but in terminal I get error, "UnicodeDecodeError: 'ascii' codec can't decode byte 0xce in position 18: ordinal not in range(128)". (Position differs of course). On the browser "Unable to connect" message, telnet localhost 8888 connects.

I've tested it on Debian Buster Linux.
Both of them fail (using greek characters in the example):
droopy -d /home/user -m "Το μήνυμα - unicode" 8888
droopy -d /home/κάποιοςUnicode -m "message" 8888