diff --git a/assets/templates/html/pasteMeta.html.tmpl b/assets/templates/html/pasteMeta.html.tmpl
index d0be461..15c113d 100644
--- a/assets/templates/html/pasteMeta.html.tmpl
+++ b/assets/templates/html/pasteMeta.html.tmpl
@@ -1,3 +1,36 @@
 {{define "title"}}
-'{{.Paste.Key}}' meta info - rushlink
+'{{.Paste.Key}}{{.FileExt}}' metadata - rushlink
+{{end}}
+
+{{define "body"}}
+
+{{.Host}}/{{.Paste.Key}}{{.FileExt}}
+---
+{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
+with delete token: {{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}
+{{else -}}
+with delete token: <unknown>
+{{end -}}
+type: {{.Paste.Type}}
+state: {{.Paste.State}}
+{{if .Paste.TimeCreated.IsZero -}}
+created: unknown
+{{else -}}
+created: {{.Paste.TimeCreated}}
+{{end -}}
+delete token: {{.CanDelete.String}}
+
+{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}}
+```
+# To delete this {{.Paste.Type}}, execute:
+{{- /*
+    We have the option here to take the deleteToken from the user request or
+    from .Paste.  Both are equivalent as long as .CanDelete is correct.  We
+    use the .Request value, because leaking the deleteToken would be a more
+    dramatic vulnerability.
+*/}}
+curl --request "DELETE" "{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}"
+```
+
+{{end}} {{end}} \ No newline at end of file diff --git a/assets/templates/txt/pasteMeta.txt.tmpl b/assets/templates/txt/pasteMeta.txt.tmpl index 0eb2ceb..04cb8dc 100644 --- a/assets/templates/txt/pasteMeta.txt.tmpl +++ b/assets/templates/txt/pasteMeta.txt.tmpl @@ -1,17 +1,27 @@ -METADATA on <{{.Host}}/{{.Paste.Key}}>: - -TYPE: {{.Paste.Type}} -STATE: {{.Paste.State}} -{{if .Paste.TimeCreated.IsZero -}} -CREATED: undefined +{{.Host}}/{{.Paste.Key}}{{.FileExt}} +--- +{{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}} +with delete token: {{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}} {{else -}} -CREATED: {{.Paste.TimeCreated}} +with delete token: +{{end -}}type: {{.Paste.Type}} +state: {{.Paste.State}} +{{if .Paste.TimeCreated.IsZero -}} +created: unknown +{{else -}} +created: {{.Paste.TimeCreated}} {{end -}} -DELETE TOKEN: {{.CanDelete.String}} +delete token: {{.CanDelete.String}} {{if and (ne .Paste.State.String "deleted") .CanDelete.Bool}} ``` # To delete this {{.Paste.Type}}, execute: -curl --request "DELETE" "{{.Host}}/{{.Paste.Key}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}" +{{- /* + We have the option here to take the deleteToken from the user request or + from .Paste. Both are equivalent as long as .CanDelete is correct. We + use the .Request value, because leaking the deleteToken would be a more + dramatic vulnerability. +*/ -}} +curl --request "DELETE" "{{.Host}}/{{.Paste.Key}}{{.FileExt}}?deleteToken={{.Request.URL.Query.Get "deleteToken"}}" ``` {{end}} diff --git a/handlers.go b/handlers.go index 20b7c77..f7a9429 100644 --- a/handlers.go +++ b/handlers.go @@ -93,6 +93,7 @@ func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request var p *db.Paste var fuID *uuid.UUID var fu *db.FileUpload + var fileExt string if err := rl.db.Bolt.View(func(tx *bolt.Tx) error { var err error p, err = db.GetPaste(tx, key) 
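Review bot: In pasteMeta.html.tmpl the else branch prints `with delete token: <unknown>`, and as the line reads here `<unknown>` is raw markup in an HTML document, so a browser will parse it as an unknown element and show nothing after the colon; write it as `with delete token: &lt;unknown&gt;`. The same hunk emits `.Host`, `.FileExt` and the request's `deleteToken` into the page and into a double-quoted curl command. That is only safe if `rl.render` executes this file through html/template and `.CanDelete.Bool` is true only for a token that matched the stored one; neither is visible in this diff, so both are worth confirming. The template comment that explains the `.Request` choice sits only at the curl line, while the same expression is also used in the `with delete token:` line above it.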
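Review bot: The comment action added before the curl line in pasteMeta.txt.tmpl closes with `*/ -}}`, and together with the opening `{{-` this trims the newline on both sides, so the rendered text becomes `# To delete this …, execute:curl --request …` on one line and the command ends up inside the shell comment. The html template closes the same comment with `*/}}`, which keeps the newline before `curl`; using `*/}}` here as well would match it. Separately, the first `{{if and …}}` carries no trim marker while `{{else -}}` and `{{end -}}` do, so the two branches emit different leading whitespace, which a render of both cases would confirm.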
@@ -107,6 +108,7 @@ func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request
 if err != nil {
 return err
 }
+ fileExt = filepath.Ext(fu.FileName)
 }
 return nil
 }); err != nil {
@@ -137,6 +139,7 @@ func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request
 
 data := map[string]interface{}{
 "Paste": p,
+ "FileExt": fileExt,
 "CanDelete": canDelete,
 }
 rl.render(w, r, "pasteMeta", data)
@@ -210,10 +213,7 @@ func (rl *rushlink) newFileUploadPasteHandler(w http.ResponseWriter, r *http.Req
 }); err != nil {
 panic(err)
 }
- data := map[string]interface{}{
- "Paste": paste,
- "FileUpload": fu,
- "FileExt": filepath.Ext(fu.FileName)}
+ data := map[string]interface{}{"Paste": paste, "FileUpload": fu}
 rl.render(w, r, "newFileUploadPasteSuccess", data)
 }
 
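Review bot: `fileExt = filepath.Ext(fu.FileName)` in the `@@ -107,6 +108,7 @@` hunk takes the extension from the stored upload name, which presumably originates from the uploader, and this commit's templates place it in the page title, the displayed URL and the double-quoted curl command. `filepath.Ext` returns everything from the last dot onward unchanged, so nothing here limits its length or character set. Unless `FileName` is already sanitised at upload time (not visible in this diff), accept only a short alphanumeric extension before adding it to `data` and fall back to `""` otherwise. Because the value becomes part of a URL path, `fileExt = path.Ext(fu.FileName)` is also a closer fit than the OS-dependent `filepath` variant. The enclosing closure and function continue outside the hunk.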
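Review bot: In the `@@ -210,10 +213,7 @@` hunk (newFileUploadPasteHandler) the `"FileExt"` key is dropped from the data passed to `newFileUploadPasteSuccess`, but no change to that template appears in this diff. If the template still references `.FileExt`, the map lookup now misses and the success output will show the paste URL without its extension, or with a `<no value>` placeholder under text/template. Either keep `"FileExt": filepath.Ext(fu.FileName)` in this map or update the template in the same commit. The function starts outside the hunk.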