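<?php

###########################################################################
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
###########################################################################

require_once('php/pseudocrypt.php');
require_once('php/functions.php');
require_once('vendor/autoload.php');

### Load configuration.
$config = spyc_load_file('config.yaml');

### Terminate the request with the given HTTP status and a short, fixed body.
### Every rejection below goes through here so the response shape is uniform
### (no partial output, no internal detail reaching the client).
### Note: the original answers client-side mistakes (missing parameters, wrong
### fingerprint length) with 500 rather than 400; that is kept unchanged.
function scratch_abort($status, $message) {
    http_response_code($status);
    die($message);
}

#### Script restrictions.
### NOTE(review): X-Requested-With and Referer are both chosen by the client,
### so this is a filter against stray or accidental requests, not an
### authentication or CSRF boundary.
$requestedWith = isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? $_SERVER['HTTP_X_REQUESTED_WITH'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$expectedReferer = strtoupper($config['URL_PATH'].'TEXT.HTML');

### The request must look like an XMLHttpRequest (an absent or empty header
### fails this test just like a different value does).
$isAjax = strtoupper($requestedWith) === 'XMLHTTPREQUEST';

### Referer rule, kept with the original semantics: a missing or empty Referer
### is rejected, but a Referer that is present and does NOT match the expected
### page is still let through, because the two conditions are joined with
### "and". Reading the header through a default avoids the undefined-index
### notice the original raised when the header was absent. If the intent is to
### reject mismatching referers, the two operands should be joined with "or".
$refererRejected = empty($referer) && strtoupper($referer) !== $expectedReferer;

if (!$isAjax || $refererRejected) {
    scratch_abort(403, 'Forbidden.');
}

#### Required parameters.
### empty() covers both the unset and the empty-string case. The parameters
### are additionally required to be strings: a "fingerprint[]" style
### submission would otherwise reach strtoupper()/the file write as an array.
if (empty($_POST['fingerprint']) || !is_string($_POST['fingerprint']) ||
    empty($_POST['action']) || !is_string($_POST['action'])) {
    scratch_abort(500, 'Internal server error.');
}

#### Check fingerprint consistency.
### The fingerprint is only ever hashed below and never used as a path on its
### own, so the check is on length alone; the character set is not validated.
$fingerprint = strtoupper($_POST['fingerprint']);
if (strlen($fingerprint) !== 32) {
    scratch_abort(500, 'Internal server error.');
}

$action = strtoupper($_POST['action']);

#### Data must be sent in order to save a file.
if ($action === 'SAVE' && (!isset($_POST['data']) || !is_string($_POST['data']))) {
    scratch_abort(500, 'Internal server error.');
}

#### Hash fingerprint.
### sha512 of the fingerprint, reduced to its decimal digits, then passed
### through PseudoCrypt::hash with ASSET_HASH_SIZE (presumably the length of
### the resulting name — see php/pseudocrypt.php) to obtain an opaque,
### lower-cased file name.
$file = strtolower(
    PseudoCrypt::hash(
        preg_replace('/\D/', '', hash('sha512', $fingerprint)),
        $config['ASSET_HASH_SIZE']
    )
);

#### Build the user path.
### The target is always "<STORE_FOLDER>/<file>.html"; computed once here
### instead of re-appending the extension at every use.
$storeFolder = $config['STORE_FOLDER'];
$userFile = implode(DIRECTORY_SEPARATOR, [$storeFolder, $file]).'.html';

#### Check for path traversals.
### Defense in depth: $file is PseudoCrypt output, but the resolved parent
### directory of the target must still be the store folder itself.
### realpath() returns false for a path that does not exist; the original
### compared two such false values as equal and let the request through, so
### both sides are now required to resolve before the comparison is trusted.
$storeReal = realpath($storeFolder);
$parentReal = realpath(dirname($userFile));
if ($storeReal === false || $parentReal === false ||
    strcasecmp($parentReal, $storeReal) !== 0) {
    scratch_abort(500, 'Internal server error.');
}

switch ($action) {
    case 'SAVE':
        #### Store the file.
        ### NOTE(review): the body is written verbatim and later served back
        ### from this origin with Content-Type: text/html, so whatever the
        ### client stores is rendered as HTML under the site's origin. That is
        ### the scratch-pad design as written; serving it as text/plain, or
        ### adding Content-Security-Policy / X-Content-Type-Options: nosniff,
        ### would have to be checked against the front end that loads it.
        atomized_put_contents($userFile, $_POST['data']);
        break;
    case 'LOAD':
        if (!file_exists($userFile)) {
            ### If the file does not exist, present an empty file instead of 404.
            echo '';
            return;
        }
        ### Set no-cache.
        header('Content-Type: text/html; charset=utf-8');
        header('Cache-Control: no-cache, no-store, must-revalidate');
        header('Pragma: no-cache');
        header('Expires: 0');
        ### The original re-sent "Content-type: text/html" here; header()
        ### replaces same-named headers, which silently dropped the charset
        ### declared above. The duplicate is removed.
        ### Send the file along with the inline content disposition.
        header('Content-length: '.(int)get_file_size($userFile));
        header('Content-Disposition: inline; filename="'.basename($userFile).'"');
        ### The transfer itself is delegated to the web server (X-Sendfile
        ### handling). Without that module enabled the client gets an empty
        ### body and a header that reveals the server-side path.
        header('X-Sendfile: '.$userFile);
        break;
    ### Any other action produces an empty 200 response, as in the original.
}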