scratch – Diff between revs 86 and 87
?pathlinks?
| Rev 86 | Rev 87 | |||
|---|---|---|---|---|
| 1 | <?php |
1 | <?php |
|
| 2 | |
2 | |
|
| 3 | ########################################################################### |
3 | ########################################################################### |
|
| 4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
|
| 5 | ########################################################################### |
5 | ########################################################################### |
|
| 6 | |
6 | |
|
| 7 | require_once('php/pseudocrypt.php'); |
7 | require_once('php/pseudocrypt.php'); |
|
| 8 | require_once('php/functions.php'); |
8 | require_once('php/functions.php'); |
|
| 9 | require_once('vendor/mustangostang/spyc/Spyc.php'); |
9 | require_once('vendor/autoload.php'); |
|
| 10 | require_once('vendor/chriskonnertz/open-graph/src/ChrisKonnertz/OpenGraph/OpenGraph.php'); |
- | ||
| 11 | require_once('vendor/chriskonnertz/open-graph/src/ChrisKonnertz/OpenGraph/OpenGraphTag.php'); |
- | ||
| 12 | use ChrisKonnertz\OpenGraph\OpenGraph as OpenGraph; |
- | ||
| 13 | use ChrisKonnertz\OpenGraph\OpenGraphTag as OpenGraphTag; |
- | ||
| 14 | |
10 | |
|
| 15 | ### Load configuration. |
11 | ### Load configuration. |
|
| 16 | $config = spyc_load_file('config.yaml'); |
12 | $config = spyc_load_file('config.yaml'); |
|
| 17 | |
13 | |
|
| 18 | ### If no file has been specified for download then return. |
14 | ### If no file has been specified for download then return. |
|
| 19 | if (!isset($_GET['hash']) or empty($_GET['hash'])) { |
15 | if (!isset($_GET['hash']) or empty($_GET['hash'])) { |
|
| 20 | http_response_code(404); |
16 | http_response_code(404); |
|
| 21 | die('File not found.'); |
17 | die('File not found.'); |
|
| 22 | } |
18 | } |
|
| 23 | |
19 | |
|
| 24 | ### Find the requested file. |
20 | ### Find the requested file. |
|
| 25 | $file = array_shift( |
21 | $file = array_shift( |
|
| 26 | preg_grep( |
22 | preg_grep( |
|
| 27 | "/".$_GET['hash']."/", |
23 | "/".$_GET['hash']."/", |
|
| 28 | scandir($config['STORE_FOLDER']) |
24 | scandir($config['STORE_FOLDER']) |
|
| 29 | ) |
25 | ) |
|
| 30 | ); |
26 | ); |
|
| 31 | |
27 | |
|
| 32 | if (!isset($file) or empty($file)) { |
28 | if (!isset($file) or empty($file)) { |
|
| 33 | http_response_code(404); |
29 | http_response_code(404); |
|
| 34 | die('File not found.'); |
30 | die('File not found.'); |
|
| 35 | } |
31 | } |
|
| 36 | |
32 | |
|
| 37 | ### Check the path for path traversals. |
33 | ### Check the path for path traversals. |
|
| 38 | $fileExtension = pathinfo($file, PATHINFO_EXTENSION); |
34 | $fileExtension = pathinfo($file, PATHINFO_EXTENSION); |
|
| 39 | |
35 | |
|
| 40 | #### If the extension is not allowed then return. |
36 | #### If the extension is not allowed then return. |
|
| 41 | if (!isset($fileExtension) || |
37 | if (!isset($fileExtension) || |
|
| 42 | !in_array(strtoupper($fileExtension), |
38 | !in_array(strtoupper($fileExtension), |
|
| 43 | array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
39 | array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
|
| 44 | http_response_code(403); |
40 | http_response_code(403); |
|
| 45 | die('File extension not allowed.'); |
41 | die('File extension not allowed.'); |
|
| 46 | } |
42 | } |
|
| 47 | |
43 | |
|
| 48 | #### Build the user path. |
44 | #### Build the user path. |
|
| 49 | $userPath = join( |
45 | $userPath = join( |
|
| 50 | DIRECTORY_SEPARATOR, |
46 | DIRECTORY_SEPARATOR, |
|
| 51 | array( |
47 | array( |
|
| 52 | $config['STORE_FOLDER'], |
48 | $config['STORE_FOLDER'], |
|
| 53 | $file |
49 | $file |
|
| 54 | ) |
50 | ) |
|
| 55 | ); |
51 | ); |
|
| 56 | |
52 | |
|
| 57 | #### Check for path traversals |
53 | #### Check for path traversals |
|
| 58 | $pathPart = pathinfo($userPath); |
54 | $pathPart = pathinfo($userPath); |
|
| 59 | if (strcasecmp( |
55 | if (strcasecmp( |
|
| 60 | realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
56 | realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
|
| 61 | http_response_code(500); |
57 | http_response_code(500); |
|
| 62 | die('Internal server error.'); |
58 | die('Internal server error.'); |
|
| 63 | } |
59 | } |
|
| 64 | |
60 | |
|
| 65 | #### Check if the file exists. |
61 | #### Check if the file exists. |
|
| 66 | if (!file_exists($userPath)) { |
62 | if (!file_exists($userPath)) { |
|
| 67 | http_response_code(404); |
63 | http_response_code(404); |
|
| 68 | die('File not found.'); |
64 | die('File not found.'); |
|
| 69 | } |
65 | } |
|
| 70 | |
66 | |
|
| 71 | list($width, $height) = getimagesize($userPath); |
67 | list($width, $height) = getimagesize($userPath); |
|
| 72 | |
68 | |
|
| 73 | # Create an OpenGraph object with validation. |
69 | # Create an OpenGraph object with validation. |
|
| 74 | $og = new OpenGraph(); |
70 | $og = new OpenGraph(); |
|
| 75 | |
71 | |
|
| 76 | $og->title('Scratch Copy') |
72 | $og->title('Scratch Copy') |
|
| 77 | ->description('Asset Sharing') |
73 | ->description('Asset Sharing') |
|
| 78 | ->url($config['URL_PATH'].$_GET['hash']) |
74 | ->url($config['URL_PATH'].$_GET['hash']) |
|
| 79 | ->type('movie') |
75 | ->type('movie') |
|
| 80 | ->image($config['URL_PATH'].$_GET['hash'], [ |
76 | ->image($config['URL_PATH'].$_GET['hash'], [ |
|
| 81 | type => 'image/png', |
77 | type => 'image/png', |
|
| 82 | width => $width, |
78 | width => $width, |
|
| 83 | height => $height |
79 | height => $height |
|
| 84 | ]); |
80 | ]); |
|
| 85 | |
81 | |
|
| 86 | |
82 | |
|
| 87 | echo $og->renderTags(); |
83 | echo $og->renderTags(); |
|
| 88 | |
84 | |
|
| 89 | |
85 | |
|