Merge branch 'master' into fix-mail-sentbox

master
Kevin Froman 2020-01-29 16:08:13 -06:00
commit 68ebb2f0df
10 changed files with 99 additions and 10 deletions

View File

@ -17,7 +17,7 @@
| | | |
| ----------- | ----------- | ----------- |
| [Install](#install-and-run-on-linux) | [Features](#main-features) | [Screenshots](#screenshots)|
| [Docs](#documentation)/[web copy](https://beardog108.github.io/onionr/) | [Get involved](#help-out) | [Onionr.net](https://onionr.net/)/[.onion](http://onionr.onionkvc5ibm37bmxwr56bdxcdnb6w3wm4bdghh5qo6f6za7gn7styid.onion/) |
| [Docs](#documentation)/[web copy](https://beardog108.github.io/onionr/) | [Get involved](#help-out) | [Onionr.net](https://onionr.net/)/[.onion](http://onionrbak72t5zhbzuey2fdkpczlvhowgcpqc6uoyrd3uxztzxwz5cyd.onion/) |
<hr>

59
docs/usage/pages.md Normal file
View File

@ -0,0 +1,59 @@
Onionr sites come in two forms:
* Single-page sites, identified by the hash of a single page contained within a single Onionr block.
* Multi-page sites, identified by a user ID. Contains directory archives of a full site.
# Metadata Awareness
Before creating an Onionr site, one should be cautious of the metadata one could be leaking. For example, some HTML generators may insert author meta tags. Onionr does not filter out any web page data.
# No JavaScript, no third-party resources
Currently, in order to protect Onionr users, JavaScript is disabled within Onionr sites. JS will remain present in the HTML file, but be non functional. Additionally, third party resources outside of Onionr cannot be loaded.
# Creating multi page sites
Multi page sites are the most useful, as they can contain an arbitrary amount of static files.
To create a single page site, create a directory for your site and write standard HTML file(s) within them. CSS, images and other files can be placed in the directory as well. The home page should be name index.html and in the parent level directory.
Then, create a strong passphrase for the site. If the site will be updated, be sure to write it down or remember it. A strong passphrase can be generated by running:
`$ scripts/passphrase-generator.py`
Sample output: lovesick blubberer haemoglobin... and so on.
## Generating or updating the site:
`$ ./onionr.sh addsite`
All files in the current working directory will be added to the site.
The command will prompt for a passphrase.
After the site is generated, a user ID that identifies the site will be outputted.
# Creating single page sites
Single page sites are incredibly straight forward.
Single page sites cannot be modified or updated, but are somewhat more secure due to having lower complexity.
To create a single page site, write a standard HTML file. Inline or data-uri CSS can be included, as well as data-uri images. Data-URI generators can be found online.
After creating the HTML file, run this command:
`$ ./onionr.sh addhtml filename.html`
![single page screenshot](single-page.png)
# Viewing sites
To view a site, open the Onionr web interface and paste the site hash or ID into the site opener box that looks like this:
![site opener box screenshot](site-opener.png)
Then, press open.

BIN
docs/usage/single-page.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 19 KiB

BIN
docs/usage/site-opener.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 6.9 KiB

3
scripts/README.md Normal file
View File

@ -0,0 +1,3 @@
This directory contains useful scripts and utilities that don't make sense to include as official Onionr features.
passphrase-generator.py: very simple utility to generate and print a strong passphrase to stdout. 256 bits of entropy by default.

21
scripts/passphrase-generator.py Executable file
View File

@ -0,0 +1,21 @@
#!/usr/bin/env python3
"""Generate a 16 word passphase with 256 bits of entropy.
Specify true to reduce to 128 bits"""
import sys
import niceware
byte_count = 32 # 256 bits of entropy with niceware
arg = False
try:
arg = sys.argv[1].lower()
if arg == 'true':
byte_count = 16
except IndexError: pass
print(' '.join(niceware.generate_passphrase(byte_count)))

View File

@ -45,9 +45,11 @@ def block_exec(event, info):
"""Prevent arbitrary code execution in eval/exec and log it."""
# because libraries have stupid amounts of compile/exec/eval,
# We have to use a whitelist where it can be tolerated
# Generally better than nothing, not a silver bullet
whitelisted_code = [
'netrc.py',
'shlex.py',
'gzip.py',
'<werkzeug routing>',
'werkzeug/test.py',
'multiprocessing/popen_fork.py',

View File

@ -51,13 +51,13 @@ class ClientAPISecurity:
return
if request.path.startswith('/site/'): return
# try:
# if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
# if not hmac.compare_digest(request.form['token'], client_api.clientToken):
# abort(403)
# except KeyError:
# if not hmac.compare_digest(request.form['token'], client_api.clientToken):
# abort(403)
try:
if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
if not hmac.compare_digest(request.form['token'], client_api.clientToken):
abort(403)
except KeyError:
if not hmac.compare_digest(request.form['token'], client_api.clientToken):
abort(403)
@client_api_security_bp.after_app_request
def after_req(resp):

View File

@ -40,7 +40,7 @@ If you want to update your site later you must remember the passphrase.''',
passphrase = getpass.getpass(
'Please enter a site passphrase of at least ' +
onionrvalues.PASSWORD_LENGTH + ' characters.')
str(onionrvalues.PASSWORD_LENGTH) + ' characters.')
confirm = getpass.getpass('Confirm passphrase:')
if passphrase != confirm:

View File

@ -1,4 +1,8 @@
var torSource = new EventSourcePolyfill("/torcircuits")
var torSource = new EventSourcePolyfill('/torcircuits', {
headers: {
"token": webpass
}
})
var displays = document.getElementsByClassName('torInfo')
for (x = 0; x < displays.length; x++){