/file.php |
@@ -18,8 +18,8 @@ |
if (!empty($_FILES['file']) and |
is_uploaded_file($_FILES['file']['tmp_name'])) { |
if($_FILES['file']['size'] > $config['ALLOWED_ASSET_SIZE'] * 1048576) { |
header('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.', true, 403); |
return; |
http_response_code(403); |
die('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.'); |
} |
# Regular multipart/form-data upload. |
$name = $_FILES['file']['name']; |
@@ -26,8 +26,8 @@ |
$data = atomized_get_contents($_FILES['file']['tmp_name']); |
} else { |
if((int)get_file_size("php://input") > $config['ALLOWED_ASSET_SIZE'] * 1048576) { |
header('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.', true, 403); |
return; |
http_response_code(403); |
die('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.'); |
} |
# Raw POST data. |
$name = urldecode(@$_SERVER['HTTP_X_FILE_NAME']); |
@@ -41,8 +41,8 @@ |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
header('File extension not allowed.', true, 403); |
return; |
http_response_code(403); |
die('File extension not allowed.'); |
} |
|
#### Hash filename. |
@@ -73,34 +73,41 @@ |
$pathPart = pathinfo($userPath.'.'.$fileExtension); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
header('Internal server error.', true, 500); |
return; |
http_response_code(500); |
die('Internal server error.'); |
} |
|
#### Store the file. |
atomized_put_contents($userPath.'.'.$fileExtension, $data); |
$timestamp = atomized_put_contents($userPath.'.'.$fileExtension, $data); |
|
### Return the URL to the file. |
header('Content-Type: text/plain; charset=utf-8'); |
echo $file; |
echo json_encode( |
array( |
"hash" => $file, |
"timestamp" => $timestamp |
) |
); |
break; |
case 'GET': |
### If no file has been specified for download then return. |
if (!isset($_GET['o']) or empty($_GET['o'])) { |
header('File not found.', true, 404); |
return; |
if (!isset($_GET['hash']) or empty($_GET['hash'])) { |
http_response_code(404); |
die('File not found.'); |
} |
|
### Find the requested file. |
$file = array_shift( |
preg_grep( |
"/$_GET[o]/", |
'/'.$_GET['hash'].'/', |
scandir($config['STORE_FOLDER']) |
) |
); |
|
if (!isset($file) or empty($file)) |
return; |
if (!isset($file) or empty($file)) { |
http_response_code(404); |
die('File not found.'); |
} |
|
### Check the path for path traversals. |
$fileExtension = pathinfo($file, PATHINFO_EXTENSION); |
@@ -109,8 +116,8 @@ |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
header('File extension not allowed.', true, 403); |
return; |
http_response_code(403); |
die('File extension not allowed.'); |
} |
|
#### Build the user path. |
@@ -126,8 +133,8 @@ |
$pathPart = pathinfo($userPath); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
header('Internal server error.', true, 500); |
return; |
http_response_code(500); |
die('Internal server error.'); |
} |
|
### Hook for HTML files to display properly. |
@@ -141,8 +148,8 @@ |
### Open MIME info database and send the content type. |
$finfo = finfo_open(FILEINFO_MIME_TYPE); |
if (!$finfo) { |
header('Internal server error.', true, 500); |
return; |
http_response_code(500); |
die('Internal server error.'); |
} |
header('Content-type: '.finfo_file($finfo, $userPath)); |
finfo_close($finfo); |
@@ -149,6 +156,10 @@ |
break; |
} |
|
### Tell browser not to cache files. |
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0"); |
header("Cache-Control: post-check=0, pre-check=0", false); |
header("Pragma: no-cache"); |
### Send the file along with the inline content disposition. |
header('Content-length: '.(int)get_file_size($userPath)); |
header('Content-Disposition: inline; filename="' . basename($userPath) . '"'); |
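Review bot: The GET lookup in the `@@ -73,34 +73,41 @@` hunk still interpolates `$_GET['hash']` straight into the `preg_grep` pattern (`'/'.$_GET['hash'].'/'`), so renaming the parameter from `o` to `hash` keeps the regex injection: an unanchored pattern such as `.` or `^[0-9a-f]` matches stored files without knowing their hash, which defeats the hash-as-capability lookup, and a `/` or otherwise malformed pattern makes `preg_grep` return `false`, which is then handed to `array_shift` (a TypeError on PHP 8, and in any case a notice because a function result is passed by reference). The value should be validated against a strict allowlist before use and then matched quoted and anchored; the exact character class depends on the digest produced under "Hash filename", which is outside the hunk, and the `^hash\.` anchor assumes stored names are `<hash>.<ext>` as the `atomized_put_contents($userPath.'.'.$fileExtension, …)` line suggests, so confirm both against the code above. The enclosing `switch` on the request method starts before the first hunk and the GET branch continues into the following hunks.
```php
// … unchanged: 404 when $_GET['hash'] is missing or empty …
if (!preg_match('/^[A-Za-z0-9]+$/', $_GET['hash'])) {
    http_response_code(404);
    die('File not found.');
}
$matches = preg_grep(
    '/^'.preg_quote($_GET['hash'], '/').'\./',
    scandir($config['STORE_FOLDER'])
);
$file = $matches ? array_shift($matches) : null;
// … unchanged: 404 when no file matched …
```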