The following bugs were discovered while using filesender-client (pip package) against a self-hosted FileSender instance. All five bugs were worked around via sed patches applied at Docker image build time.
Bug 1 — auth.py: GuestAuth.prepare() has a hardcoded URL to filesender.aarnet.edu.au
File: filesender/auth.py
Error: .prepare() must be called on the GuestAuth before it is used to sign requests
GuestAuth.prepare() fetches the upload page to extract the CSRF token and the data-security-token body attribute. However, the URL it fetches is hardcoded to "https://filesender.aarnet.edu.au" instead of using the configured base_url. This means the CSRF token is always fetched from the Australian instance, regardless of what URL the client is configured with.
Fix applied:
sed -i 's|"https://filesender.aarnet.edu.au"|"/"|g' filesender/auth.py
Bug 2 — api.py: AsyncClient created without base_url, relative paths fail
File: filesender/api.py
Error: httpx.UnsupportedProtocol: Request URL is missing an 'http://' or 'https://' protocol
After fixing Bug 1 by replacing the hardcoded URL with "/", the relative path cannot be resolved because the AsyncClient is instantiated without a base_url. The EndpointHandler correctly stores self.base = base_url, but this value is not passed to the HTTP client.
Fix applied:
sed -i 's|AsyncClient(timeout=None, follow_redirects=True)|AsyncClient(base_url=self.urls.base, timeout=None, follow_redirects=True)|g' filesender/api.py
Bug 3 — api.py: file_info["size"] returned as str, used in division
File: filesender/api.py, upload_file()
Error: TypeError: unsupported operand type(s) for /: 'str' and 'int'
The REST API returns size as a JSON string ("12345") instead of an integer. The client uses it directly in math.ceil(file_info["size"] / self.chunk_size) without casting, which causes a TypeError.
Fix applied:
sed -i 's|file_info\["size"\] / self\.chunk_size|int(file_info["size"]) / self.chunk_size|g' filesender/api.py
Bug 4 — api.py: file_info["uid"] absent in some FileSender versions
File: filesender/api.py, _upload_chunk() and update_file()
Error: KeyError: 'uid'
The client passes file_info["uid"] as the key query parameter in chunk upload and file update requests. This field is used for client-side encryption. When the server does not return a uid field (either because it is an older FileSender version or because client-side encryption is not enabled), the access raises a KeyError.
Fix applied:
sed -i 's|file_info\["uid"\]|file_info.get("uid", "")|g' filesender/api.py
Bug 5 — download.py: encryption-related HTML attributes returned empty, int('') raises ValueError
File: filesender/download.py, files_from_page()
Error: ValueError: invalid literal for int() with base 10: ''
files_from_page() parses the FileSender download page HTML and extracts file metadata from data-* attributes. Several of these attributes relate to client-side encryption (data-encrypted-size, data-key-version, data-password-hash-iterations, data-password-version) and are returned as empty strings when encryption is not enabled on the server. The code passes them directly to int(), which raises a ValueError.
Fix applied:
sed -i \
-e 's/int(file\.attrs\["data-encrypted-size"\])/int(file.attrs["data-encrypted-size"] or 0)/' \
-e 's/int(file\.attrs\["data-key-version"\])/int(file.attrs["data-key-version"] or 0)/' \
-e 's/int(file\.attrs\["data-password-hash-iterations"\])/int(file.attrs["data-password-hash-iterations"] or 0)/' \
-e 's/int(file\.attrs\["data-password-version"\])/int(file.attrs["data-password-version"] or 0)/' \
filesender/download.py
Summary
| # |
File |
Error type |
Root cause |
| 1 |
auth.py |
Logic error |
GuestAuth.prepare() URL hardcoded to filesender.aarnet.edu.au |
| 2 |
api.py |
UnsupportedProtocol |
AsyncClient has no base_url, relative paths unresolvable |
| 3 |
api.py |
TypeError |
file_info["size"] is str, not int |
| 4 |
api.py |
KeyError |
file_info["uid"] absent when client-side encryption not used |
| 5 |
download.py |
ValueError |
Encryption data-* attributes are empty strings, int('') fails |
All bugs affect compatibility with FileSender instances other than filesender.aarnet.edu.au. They appear to stem from the package being developed and tested exclusively against the AARNET instance.
The following bugs were discovered while using
filesender-client(pip package) against a self-hosted FileSender instance. All five bugs were worked around viasedpatches applied at Docker image build time.Bug 1 —
auth.py:GuestAuth.prepare()has a hardcoded URL tofilesender.aarnet.edu.auFile:
filesender/auth.pyError:
.prepare() must be called on the GuestAuth before it is used to sign requestsGuestAuth.prepare()fetches the upload page to extract the CSRF token and thedata-security-tokenbody attribute. However, the URL it fetches is hardcoded to"https://filesender.aarnet.edu.au"instead of using the configuredbase_url. This means the CSRF token is always fetched from the Australian instance, regardless of what URL the client is configured with.Fix applied:
sed -i 's|"https://filesender.aarnet.edu.au"|"/"|g' filesender/auth.pyBug 2 —
api.py:AsyncClientcreated withoutbase_url, relative paths failFile:
filesender/api.pyError:
httpx.UnsupportedProtocol: Request URL is missing an 'http://' or 'https://' protocolAfter fixing Bug 1 by replacing the hardcoded URL with
"/", the relative path cannot be resolved because theAsyncClientis instantiated without abase_url. TheEndpointHandlercorrectly storesself.base = base_url, but this value is not passed to the HTTP client.Fix applied:
sed -i 's|AsyncClient(timeout=None, follow_redirects=True)|AsyncClient(base_url=self.urls.base, timeout=None, follow_redirects=True)|g' filesender/api.pyBug 3 —
api.py:file_info["size"]returned asstr, used in divisionFile:
filesender/api.py,upload_file()Error:
TypeError: unsupported operand type(s) for /: 'str' and 'int'The REST API returns
sizeas a JSON string ("12345") instead of an integer. The client uses it directly inmath.ceil(file_info["size"] / self.chunk_size)without casting, which causes aTypeError.Fix applied:
sed -i 's|file_info\["size"\] / self\.chunk_size|int(file_info["size"]) / self.chunk_size|g' filesender/api.pyBug 4 —
api.py:file_info["uid"]absent in some FileSender versionsFile:
filesender/api.py,_upload_chunk()andupdate_file()Error:
KeyError: 'uid'The client passes
file_info["uid"]as thekeyquery parameter in chunk upload and file update requests. This field is used for client-side encryption. When the server does not return auidfield (either because it is an older FileSender version or because client-side encryption is not enabled), the access raises aKeyError.Fix applied:
sed -i 's|file_info\["uid"\]|file_info.get("uid", "")|g' filesender/api.pyBug 5 —
download.py: encryption-related HTML attributes returned empty,int('')raisesValueErrorFile:
filesender/download.py,files_from_page()Error:
ValueError: invalid literal for int() with base 10: ''files_from_page()parses the FileSender download page HTML and extracts file metadata fromdata-*attributes. Several of these attributes relate to client-side encryption (data-encrypted-size,data-key-version,data-password-hash-iterations,data-password-version) and are returned as empty strings when encryption is not enabled on the server. The code passes them directly toint(), which raises aValueError.Fix applied:
sed -i \ -e 's/int(file\.attrs\["data-encrypted-size"\])/int(file.attrs["data-encrypted-size"] or 0)/' \ -e 's/int(file\.attrs\["data-key-version"\])/int(file.attrs["data-key-version"] or 0)/' \ -e 's/int(file\.attrs\["data-password-hash-iterations"\])/int(file.attrs["data-password-hash-iterations"] or 0)/' \ -e 's/int(file\.attrs\["data-password-version"\])/int(file.attrs["data-password-version"] or 0)/' \ filesender/download.pySummary
auth.pyGuestAuth.prepare()URL hardcoded tofilesender.aarnet.edu.auapi.pyUnsupportedProtocolAsyncClienthas nobase_url, relative paths unresolvableapi.pyTypeErrorfile_info["size"]isstr, notintapi.pyKeyErrorfile_info["uid"]absent when client-side encryption not useddownload.pyValueErrordata-*attributes are empty strings,int('')failsAll bugs affect compatibility with FileSender instances other than
filesender.aarnet.edu.au. They appear to stem from the package being developed and tested exclusively against the AARNET instance.