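<?php

###########################################################################
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
###########################################################################

require_once('php/pseudocrypt.php');
require_once('php/functions.php');
require_once('vendor/autoload.php');

### Load configuration.
$config = spyc_load_file('config.yaml');

#### Script restrictions.
### The session token is the CSRF guard for this endpoint: the request is
### rejected unless both the session and the POST carry a string token and
### the two match. The session side is tested first so that hash_equals()
### is never handed a missing value or an array (a TypeError on PHP 8),
### which would surface as an error page instead of the intended 403.
session_start();
if (empty($_SESSION['token']) || !is_string($_SESSION['token']) ||
    empty($_POST['token']) || !is_string($_POST['token']) ||
    !hash_equals($_SESSION['token'], $_POST['token'])) {
    http_response_code(403);
    die('Forbidden.');
}

#### Check if the fingerprint and action are set parameters.
### Both must be non-empty strings: a `name[]` POST field arrives as an
### array and would otherwise reach preg_match()/strtoupper(). The
### fingerprint is exactly 32 alphanumeric characters; `\z` (not `$`) is
### used so that a trailing newline cannot slip past the pattern.
if (empty($_POST['fingerprint']) || !is_string($_POST['fingerprint']) ||
    !preg_match('/^[A-Za-z0-9]{32}\z/', $_POST['fingerprint']) ||
    empty($_POST['action']) || !is_string($_POST['action'])) {
    http_response_code(500);
    die('Internal server error.');
}

#### Normalise the fingerprint and action.
$fingerprint = strtoupper($_POST['fingerprint']);
$action = strtoupper($_POST['action']);

#### Data must be sent in order to save a file.
### The body is written to disk verbatim, so it has to be a plain string.
if ($action === 'SAVE' && (!isset($_POST['data']) || !is_string($_POST['data']))) {
    http_response_code(500);
    die('Internal server error.');
}

#### Hash fingerprint.
### The on-disk name is derived from the fingerprint rather than being the
### fingerprint itself: sha512 hex -> digits only -> PseudoCrypt::hash()
### sized by ASSET_HASH_SIZE -> lower case.
$digits = preg_replace('/\D/', '', hash('sha512', $fingerprint));
$file = strtolower(PseudoCrypt::hash($digits, $config['ASSET_HASH_SIZE']));

#### Build the user path.
$userPath = join(DIRECTORY_SEPARATOR, [$config['STORE_FOLDER'], $file]);
$userFile = $userPath . '.html';

#### Check for path traversals
### Both sides are resolved with realpath(). A false result (store folder
### missing or unreadable) must fail the check: comparing two false values
### as empty strings would otherwise let the request through.
$storeDir = realpath($config['STORE_FOLDER']);
$fileDir = realpath(dirname($userFile));
if ($storeDir === false || $fileDir === false || strcasecmp($fileDir, $storeDir) !== 0) {
    http_response_code(500);
    die('Internal server error.');
}

### NOTE(review): the stored body is the raw POST data and is served back
### as text/html below; knowledge of the fingerprint is the only thing that
### gates both writing and reading it. Confirm that is the intended trust
### model for this scratch store.
switch ($action) {
    case 'SAVE':
        #### Store the file.
        atomized_put_contents($userFile, $_POST['data']);
        break;
    case 'LOAD':
        if (!file_exists($userFile)) {
            ### If the file does not exist, present an empty file instead of 404.
            echo '';
            return;
        }
        ### Set no-cache
        header('Cache-Control: no-cache, no-store, must-revalidate');
        header('Pragma: no-cache');
        header('Expires: 0');
        ### Send the content type exactly once, with the charset. A second
        ### bare 'Content-type: text/html' header previously replaced this
        ### one and silently dropped the charset.
        header('Content-Type: text/html; charset=utf-8');
        ### Send the file along with the inline content disposition.
        header('Content-length: ' . (int) get_file_size($userFile));
        header('Content-Disposition: inline; filename="' . basename($userFile) . '"');
        header('X-Sendfile: ' . $userFile);
        break;
}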