scratch – Diff between revs 66 and 67
?pathlinks?
| Rev 66 | Rev 67 | |||
|---|---|---|---|---|
| 1 | <?php |
1 | <?php |
|
| 2 | |
2 | |
|
| 3 | ########################################################################### |
3 | ########################################################################### |
|
| 4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
4 | ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
|
| 5 | ########################################################################### |
5 | ########################################################################### |
|
| 6 | |
6 | |
|
| 7 | require_once('php/pseudocrypt.php'); |
7 | require_once('php/pseudocrypt.php'); |
|
| 8 | require_once('php/functions.php'); |
8 | require_once('php/functions.php'); |
|
| 9 | require_once('config.php'); |
9 | require_once('vendor/mustangostang/spyc/Spyc.php'); |
|
| - | 10 | |
||
| - | 11 | ### Load configuration. |
||
| - | 12 | $config = spyc_load_file('config.yaml'); |
||
| 10 | |
13 | |
|
| 11 | if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or |
14 | if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or |
|
| 12 | !isset($_POST['action']) or empty($_POST['action'])) { |
15 | !isset($_POST['action']) or empty($_POST['action'])) { |
|
| 13 | header('Internal server error.', true, 500); |
16 | header('Internal server error.', true, 500); |
|
| 14 | return; |
17 | return; |
|
| 15 | } |
18 | } |
|
| 16 | |
19 | |
|
| 17 | #### Check fingerprint consistency. |
20 | #### Check fingerprint consistency. |
|
| 18 | $fingerprint = strtoupper($_POST['fingerprint']); |
21 | $fingerprint = strtoupper($_POST['fingerprint']); |
|
| 19 | if(strlen($fingerprint) !== 32) { |
22 | if(strlen($fingerprint) !== 32) { |
|
| 20 | header('Internal server error.', true, 500); |
23 | header('Internal server error.', true, 500); |
|
| 21 | return; |
24 | return; |
|
| 22 | } |
25 | } |
|
| 23 | |
26 | |
|
| 24 | $action = strtoupper($_POST['action']); |
27 | $action = strtoupper($_POST['action']); |
|
| 25 | |
28 | |
|
| 26 | #### Data must be sent in order to save a file. |
29 | #### Data must be sent in order to save a file. |
|
| 27 | if($action === 'SAVE' and !isset($_POST['data'])) { |
30 | if($action === 'SAVE' and !isset($_POST['data'])) { |
|
| 28 | header('Internal server error.', true, 500); |
31 | header('Internal server error.', true, 500); |
|
| 29 | return; |
32 | return; |
|
| 30 | } |
33 | } |
|
| 31 | |
34 | |
|
| 32 | #### Hash fingerprint. |
35 | #### Hash fingerprint. |
|
| 33 | $file = strtolower( |
36 | $file = strtolower( |
|
| 34 | PseudoCrypt::hash( |
37 | PseudoCrypt::hash( |
|
| 35 | preg_replace( |
38 | preg_replace( |
|
| 36 | '/\D/', |
39 | '/\D/', |
|
| 37 | '', |
40 | '', |
|
| 38 | hash( |
41 | hash( |
|
| 39 | 'sha512', |
42 | 'sha512', |
|
| 40 | $fingerprint |
43 | $fingerprint |
|
| 41 | ) |
44 | ) |
|
| 42 | ), |
45 | ), |
|
| 43 | $ASSET_HASH_SIZE |
46 | $config['ASSET_HASH_SIZE'] |
|
| 44 | ) |
47 | ) |
|
| 45 | ); |
48 | ); |
|
| 46 | |
49 | |
|
| 47 | #### Build the user path. |
50 | #### Build the user path. |
|
| 48 | $userPath = join( |
51 | $userPath = join( |
|
| 49 | DIRECTORY_SEPARATOR, |
52 | DIRECTORY_SEPARATOR, |
|
| 50 | array( |
53 | array( |
|
| 51 | $STORE_FOLDER, |
54 | $config['STORE_FOLDER'], |
|
| 52 | $file |
55 | $file |
|
| 53 | ) |
56 | ) |
|
| 54 | ); |
57 | ); |
|
| 55 | |
58 | |
|
| 56 | #### Check for path traversals |
59 | #### Check for path traversals |
|
| 57 | $pathPart = pathinfo($userPath.'.html'); |
60 | $pathPart = pathinfo($userPath.'.html'); |
|
| 58 | if (strcasecmp( |
61 | if (strcasecmp( |
|
| 59 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
62 | realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
|
| 60 | header('Internal server error.', true, 500); |
63 | header('Internal server error.', true, 500); |
|
| 61 | return; |
64 | return; |
|
| 62 | } |
65 | } |
|
| 63 | |
66 | |
|
| 64 | switch($action) { |
67 | switch($action) { |
|
| 65 | case 'SAVE': |
68 | case 'SAVE': |
|
| 66 | #### Store the file. |
69 | #### Store the file. |
|
| 67 | atomized_put_contents($userPath.'.html', $_POST['data']); |
70 | atomized_put_contents($userPath.'.html', $_POST['data']); |
|
| 68 | break; |
71 | break; |
|
| 69 | case 'LOAD': |
72 | case 'LOAD': |
|
| 70 | if(!file_exists($userPath.'.html')) { |
73 | if(!file_exists($userPath.'.html')) { |
|
| 71 | ### If the file does not exist, present an empty file instead of 404. |
74 | ### If the file does not exist, present an empty file instead of 404. |
|
| 72 | echo ''; |
75 | echo ''; |
|
| 73 | return; |
76 | return; |
|
| 74 | } |
77 | } |
|
| 75 | ### Set no-cache |
78 | ### Set no-cache |
|
| 76 | header('Content-Type: text/html; charset=utf-8'); |
79 | header('Content-Type: text/html; charset=utf-8'); |
|
| 77 | header('Cache-Control: no-cache, no-store, must-revalidate'); |
80 | header('Cache-Control: no-cache, no-store, must-revalidate'); |
|
| 78 | header('Pragma: no-cache'); |
81 | header('Pragma: no-cache'); |
|
| 79 | header('Expires: 0'); |
82 | header('Expires: 0'); |
|
| 80 | ### Open MIME info database and send the content type. |
83 | ### Open MIME info database and send the content type. |
|
| 81 | header('Content-type: text/html'); |
84 | header('Content-type: text/html'); |
|
| 82 | ### Send the file along with the inline content disposition. |
85 | ### Send the file along with the inline content disposition. |
|
| 83 | header('Content-length: '.(int)get_file_size($userPath.'.html')); |
86 | header('Content-length: '.(int)get_file_size($userPath.'.html')); |
|
| 84 | header('Content-Disposition: inline; filename="' . basename($userPath.'.html') . '"'); |
87 | header('Content-Disposition: inline; filename="' . basename($userPath.'.html') . '"'); |
|
| 85 | header('X-Sendfile: '.$userPath.'.html'); |
88 | header('X-Sendfile: '.$userPath.'.html'); |
|
| 86 | break; |
89 | break; |
|
| 87 | } |
90 | } |
|
| 88 | |
91 | |
|
| 89 | |
92 | |
|