scratch – Blame information for rev 49
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 7 | office | 1 | <?php |
| 2 | |||
| 3 | ########################################################################### |
||
| 4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
||
| 5 | ########################################################################### |
||
| 6 | |||
| 13 | office | 7 | require_once('inc/pseudocrypt.php'); |
| 8 | require_once('inc/functions.php'); |
||
| 7 | office | 9 | require_once('config.php'); |
| 10 | |||
| 11 | office | 11 | #### Retrieve uploaded file. |
| 12 | if (!empty($_FILES['file']) and |
||
| 7 | office | 13 | is_uploaded_file($_FILES['file']['tmp_name'])) { |
| 14 | # Regular multipart/form-data upload. |
||
| 15 | $name = $_FILES['file']['name']; |
||
| 16 | $data = file_get_contents($_FILES['file']['tmp_name']); |
||
| 17 | } else { |
||
| 18 | # Raw POST data. |
||
| 19 | $name = urldecode(@$_SERVER['HTTP_X_FILE_NAME']); |
||
| 20 | $data = file_get_contents("php://input"); |
||
| 21 | } |
||
| 22 | |||
| 14 | office | 23 | #### Grab the file extension. |
| 7 | office | 24 | $fileExtension = pathinfo($name, PATHINFO_EXTENSION); |
| 11 | office | 25 | |
| 14 | office | 26 | #### If the extension is not allowed then change it to a text extension. |
| 27 | if (!isset($fileExtension) || |
||
| 16 | office | 28 | !in_array(strtoupper($fileExtension), |
| 47 | office | 29 | array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
| 30 | header("HTTP/1.1 500 Internal Server Error", true, 500); |
||
| 31 | return; |
||
| 32 | } |
||
| 14 | office | 33 | |
| 34 | #### Hash filename. |
||
| 11 | office | 35 | $file = strtolower( |
| 36 | PseudoCrypt::hash( |
||
| 37 | preg_replace( |
||
| 38 | '/\D/', |
||
| 39 | '', |
||
| 40 | hash( |
||
| 41 | 'sha512', |
||
| 20 | office | 42 | $data |
| 7 | office | 43 | ) |
| 48 | office | 44 | ), |
| 45 | $ASSET_HASH_SIZE |
||
| 49 | office | 46 | ) |
| 11 | office | 47 | ); |
| 14 | office | 48 | |
| 49 | #### Build the user path. |
||
| 11 | office | 50 | $userPath = join( |
| 51 | DIRECTORY_SEPARATOR, |
||
| 52 | array( |
||
| 53 | $STORE_FOLDER, |
||
| 54 | $file |
||
| 55 | ) |
||
| 56 | ); |
||
| 57 | |||
| 14 | office | 58 | #### Check for path traversals |
| 49 | office | 59 | $pathPart = pathinfo($userPath.'.'.$fileExtension); |
| 17 | office | 60 | if (strcasecmp( |
| 61 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) |
||
| 14 | office | 62 | return; |
| 7 | office | 63 | |
| 14 | office | 64 | #### Store the file. |
| 49 | office | 65 | atomized_put_contents($userPath.'.'.$fileExtension, $data); |
| 14 | office | 66 | |
| 11 | office | 67 | ### Return the URL to the file. |
| 7 | office | 68 | header('Content-Type: text/plain; charset=utf-8'); |
| 14 | office | 69 | echo sprintf('%s/%s', trim($URL_PATH, '/'), $file); |