scratch – Blame information for rev 81
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 28 | office | 1 | <?php |
| 2 | |||
| 3 | ########################################################################### |
||
| 4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
||
| 5 | ########################################################################### |
||
| 6 | |||
| 66 | office | 7 | require_once('php/pseudocrypt.php'); |
| 8 | require_once('php/functions.php'); |
||
| 67 | office | 9 | require_once('vendor/mustangostang/spyc/Spyc.php'); |
| 28 | office | 10 | |
| 67 | office | 11 | ### Load configuration. |
| 12 | $config = spyc_load_file('config.yaml'); |
||
| 13 | |||
| 37 | office | 14 | if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or |
| 57 | office | 15 | !isset($_POST['action']) or empty($_POST['action'])) { |
| 81 | office | 16 | http_response_code(500); |
| 17 | die('Internal server error.'); |
||
| 57 | office | 18 | } |
| 37 | office | 19 | |
| 20 | #### Check fingerprint consistency. |
||
| 21 | $fingerprint = strtoupper($_POST['fingerprint']); |
||
| 57 | office | 22 | if(strlen($fingerprint) !== 32) { |
| 81 | office | 23 | http_response_code(500); |
| 24 | die('Internal server error.'); |
||
| 57 | office | 25 | } |
| 37 | office | 26 | |
| 27 | $action = strtoupper($_POST['action']); |
||
| 28 | |||
| 29 | #### Data must be sent in order to save a file. |
||
| 57 | office | 30 | if($action === 'SAVE' and !isset($_POST['data'])) { |
| 81 | office | 31 | http_response_code(500); |
| 32 | die('Internal server error.'); |
||
| 57 | office | 33 | } |
| 37 | office | 34 | |
| 35 | #### Hash fingerprint. |
||
| 36 | $file = strtolower( |
||
| 37 | PseudoCrypt::hash( |
||
| 38 | preg_replace( |
||
| 39 | '/\D/', |
||
| 40 | '', |
||
| 41 | hash( |
||
| 42 | 'sha512', |
||
| 50 | office | 43 | $fingerprint |
| 37 | office | 44 | ) |
| 48 | office | 45 | ), |
| 67 | office | 46 | $config['ASSET_HASH_SIZE'] |
| 49 | office | 47 | ) |
| 37 | office | 48 | ); |
| 49 | |||
| 28 | office | 50 | #### Build the user path. |
| 51 | $userPath = join( |
||
| 52 | DIRECTORY_SEPARATOR, |
||
| 53 | array( |
||
| 67 | office | 54 | $config['STORE_FOLDER'], |
| 37 | office | 55 | $file |
| 28 | office | 56 | ) |
| 57 | ); |
||
| 58 | |||
| 59 | #### Check for path traversals |
||
| 49 | office | 60 | $pathPart = pathinfo($userPath.'.html'); |
| 28 | office | 61 | if (strcasecmp( |
| 67 | office | 62 | realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
| 81 | office | 63 | http_response_code(500); |
| 64 | die('Internal server error.'); |
||
| 57 | office | 65 | } |
| 28 | office | 66 | |
| 37 | office | 67 | switch($action) { |
| 68 | case 'SAVE': |
||
| 28 | office | 69 | #### Store the file. |
| 49 | office | 70 | atomized_put_contents($userPath.'.html', $_POST['data']); |
| 28 | office | 71 | break; |
| 37 | office | 72 | case 'LOAD': |
| 57 | office | 73 | if(!file_exists($userPath.'.html')) { |
| 62 | office | 74 | ### If the file does not exist, present an empty file instead of 404. |
| 75 | echo ''; |
||
| 29 | office | 76 | return; |
| 57 | office | 77 | } |
| 53 | office | 78 | ### Set no-cache |
| 79 | header('Content-Type: text/html; charset=utf-8'); |
||
| 80 | header('Cache-Control: no-cache, no-store, must-revalidate'); |
||
| 81 | header('Pragma: no-cache'); |
||
| 82 | header('Expires: 0'); |
||
| 83 | ### Open MIME info database and send the content type. |
||
| 84 | header('Content-type: text/html'); |
||
| 85 | ### Send the file along with the inline content disposition. |
||
| 86 | header('Content-length: '.(int)get_file_size($userPath.'.html')); |
||
| 87 | header('Content-Disposition: inline; filename="' . basename($userPath.'.html') . '"'); |
||
| 88 | header('X-Sendfile: '.$userPath.'.html'); |
||
| 28 | office | 89 | break; |
| 90 | } |
||
| 91 |