Closed Jacalz closed 3 years ago
True. Running recv-file example for a directory should work, it just doesn't extract the zip file for you.
Until we have an example you can see the logic that the `wormhole-william` cli uses here: https://github.com/psanford/wormhole-william/blob/master/cmd/recv.go#L130
I realized that this could quite easily be implemented using mholt/archiver and thus dropping a lot of complicated code for unpacking the zip. It was what I did in wormhole-gui. See permalink for more context: https://github.com/Jacalz/wormhole-gui/blob/021b0637aecf47c496144b418278621ea6f1e359/internal/bridge/receiver.go#L58
You should be a little bit careful extracting a zip without verifying it doesn't have any dangerous/malicious paths in it. Specifically, zip files can have relative paths such as `../../etc/passwd` that could overwrite existing files.
It looks like mholt/archiver does not attempt to protect against these types of malicious files.
Both the python Magic Wormhole and wormhole-william's cli code attempt to protect against these types of files by erroring out if detected.
Good point. I had not realized that it didn't do that. Could the zip extractor used within the cli perhaps be added as a function within the `wormhole` package? Sending a folder and getting back a zip file might seem a bit confusing and thus I think having a safe and easy to use zip extractor might make a lot of sense.
That might be worth revisiting with the new `io/fs` changes coming to the std library in 1.16.
The main reason it doesn't work that way today is for applications that don't want to extract the files to disk.
That is a good point. Do you want me to open a new issue for that?
Looking at this closer, it actually looks like it does try to prevent malicious zip files. Looks like the README just hasn’t been updated. See https://github.com/mholt/archiver/commit/8217ed3a206c0473b4ec1aff51375b398838073a as an example.
Trying to download 1.0.5… and it is missing as well.
```
$ wget https://github.com/psanford/wormhole-william/releases/download/refs%2Ftags%2Fv1.0.5/wormhole-william-windows-386.exe
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
```
@sergeevabc can you open a new issue for that?
@psanford, it seems to be fixed by now, I downloaded and tried the app.
A couple of points to consider thinking about:
a) `receive/recv` is a hard verb to spell right (recieve, recive, etc), `get` is easier, lack of it like `croc` does is even better.
b) interface is inconsistent about units of measurement: `kB` and `KiB`
```
Receiving file (14.0 kB) into: Von Franz Dream Analysis v. 0.3.txt
ok? (y/N):y
13.66 KiB / 13.66 KiB [---------------------------------------------
```
@sergeevabc I appreciate your feedback, but please open a new issue as your comments are not relevant to this current issue.
The examples directory has examples for everything except for receiving directories. Adding that example would make the examples directory complete for anyone wanting to see how the API can be used.