scratch – Rev 16

<?php

###########################################################################
##  Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3      ##
###########################################################################

require_once('inc/pseudocrypt.php');
require_once('inc/functions.php');
require_once('config.php');

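#### Retrieve uploaded file.
# Two transports are accepted: a multipart/form-data upload in the "file"
# field, or a raw request body whose name arrives URL-encoded in the
# X-File-Name header. In both cases $name is supplied by the client and has
# to be treated as untrusted by everything that follows.
# NOTE(review): no authentication check or size cap is visible in this
# script; confirm that config.php, the includes or the server configuration
# provide them.
if (!empty($_FILES['file']) &&
    is_uploaded_file($_FILES['file']['tmp_name'])) {
    # Regular multipart/form-data upload.
    $name = $_FILES['file']['name'];
    $data = file_get_contents($_FILES['file']['tmp_name']);
} else {
    # Raw POST data. A missing header yields an empty name explicitly
    # instead of relying on error suppression.
    $name = isset($_SERVER['HTTP_X_FILE_NAME'])
        ? urldecode($_SERVER['HTTP_X_FILE_NAME'])
        : '';
    $data = file_get_contents("php://input");
}

# file_get_contents() returns false on failure; stop here rather than
# storing a bogus entry and handing back a URL for it.
if ($data === false) {
    http_response_code(500);
    return;
}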

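#### Grab the file extension.
# The extension is taken from the client-supplied name, so it only reflects
# what the uploader claims the file is, not what the content actually is.
$fileExtension = pathinfo($name, PATHINFO_EXTENSION);

#### If the extension is not allowed then change it to a text extension.
# The match is case-insensitive (both sides are upper-cased) and strict:
# without the third in_array() argument PHP compares numeric-looking strings
# by value ("1E3" would equal "1000"), which is too loose for an allow-list.
# NOTE(review): $ALLOWED_FILE_EXTENSIONS is presumably set in config.php; it
# should not list extensions that the web server executes - confirm.
if (!is_string($fileExtension) ||
    !in_array(strtoupper($fileExtension),
        array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS), true)) {
    $fileExtension = 'txt';
}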
    
#### Hash filename.
# The stored name is derived from the client-supplied name only: its SHA-512
# hex digest is reduced to the decimal digits it contains, that digit string
# is passed through PseudoCrypt::hash(), the vetted extension is appended and
# the whole result is lower-cased.
# NOTE(review): the file content is not part of the input, so (assuming
# PseudoCrypt::hash() is deterministic) two uploads with the same name map to
# the same stored file - confirm this is intended.
$nameDigest = hash('sha512', $name);
$digestDigits = preg_replace('/\D/', '', $nameDigest);
$file = strtolower(PseudoCrypt::hash($digestDigits) . '.' . $fileExtension);

#### Build the user path.
# Destination = storage folder + directory separator + generated file name.
$userPath = $STORE_FOLDER . DIRECTORY_SEPARATOR . $file;

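#### Check for path traversals
# Resolve both the directory the file would land in and the storage folder,
# and refuse to continue unless they turn out to be the same directory.
$pathPart = pathinfo($userPath);
$targetDir = realpath($pathPart['dirname']);
$storeDir = realpath($STORE_FOLDER);

# realpath() returns false when a path cannot be resolved. Two failures would
# both be compared as empty strings and pass the check, so fail closed.
if ($targetDir === false || $storeDir === false) {
    return;
}

# NOTE(review): the comparison is case-insensitive, so on a case-sensitive
# filesystem a differently-cased sibling directory would also be accepted.
# The script ends silently here; the client receives an empty response.
if (strcasecmp($targetDir, $storeDir) !== 0) {
    return;
}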

#### Store the file.
# NOTE(review): the result of atomized_put_contents() is not checked here, so
# the URL below is sent even if the write did not succeed - confirm how the
# helper reports failure.
atomized_put_contents($userPath, $data);

### Return the URL to the file.
# Plain-text response: the configured URL prefix with its outer slashes
# trimmed, a single slash, then the stored file name.
header('Content-Type: text/plain; charset=utf-8');
$baseUrl = trim($URL_PATH, '/');
echo $baseUrl . '/' . $file;