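<?php

###########################################################################
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
###########################################################################

require_once('php/pseudocrypt.php');
require_once('php/functions.php');
require_once('vendor/mustangostang/spyc/Spyc.php');

### Deletes the first entry of STORE_FOLDER whose name contains the "o"
### query parameter, provided the entry's extension is on the configured
### ALLOWED_FILE_EXTENSIONS list. Responds only with an HTTP status code.
###
### NOTE(review): nothing in this script authenticates or authorises the
### caller; whatever routes requests to it must restrict who can reach it,
### because any client that can request it can remove files from the store.

### Load configuration.
$config = spyc_load_file('config.yaml');

### Refuse to run without a usable store folder and extension whitelist;
### a missing key would otherwise surface as a TypeError further down.
if (!isset($config['STORE_FOLDER']) || !is_string($config['STORE_FOLDER']) ||
    !isset($config['ALLOWED_FILE_EXTENSIONS']) ||
    !is_array($config['ALLOWED_FILE_EXTENSIONS'])) {
    http_response_code(500);
    return;
}

### If no file has been specified then return. The parameter must be a
### non-empty string: "o[]=x" arrives as an array, and empty() would also
### reject a file literally named "0", so neither empty() nor a bare
### isset() is sufficient here.
if (!isset($_GET['o']) || !is_string($_GET['o']) || $_GET['o'] === '') {
    http_response_code(404);
    return;
}
$requested = $_GET['o'];

### Find the requested file.
$entries = scandir($config['STORE_FOLDER']);
if ($entries === false) {
    http_response_code(404);
    return;
}

#### The request value is matched literally (preg_quote), never as a
#### regular expression: an unescaped value could use "." or "[a-z]" to
#### match arbitrary names, or a "/" to break the delimiter and make
#### preg_grep() return false. The first match in directory order wins,
#### as before.
$matches = preg_grep('/' . preg_quote($requested, '/') . '/', $entries);
if ($matches === false || count($matches) === 0) {
    http_response_code(404);
    return;
}
$file = array_shift($matches);

### Extract the extension and refuse anything outside the whitelist.
#### The comparison is case-insensitive; an entry with no extension at all
#### (including "." and "..") is rejected outright.
$fileExtension = pathinfo($file, PATHINFO_EXTENSION);
$allowedExtensions = array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']);
if ($fileExtension === '' ||
    !in_array(strtoupper($fileExtension), $allowedExtensions, true)) {
    http_response_code(403);
    return;
}

#### Build the user path.
$userPath = $config['STORE_FOLDER'] . DIRECTORY_SEPARATOR . $file;

#### Check for path traversals. $file comes from scandir(), so it carries no
#### separator, but resolving both sides through realpath() also rejects a
#### store folder that no longer exists. Both values are canonical, so an
#### exact comparison is used instead of strcasecmp(): on a case-sensitive
#### filesystem, paths differing only in case are different directories.
$storePath = realpath($config['STORE_FOLDER']);
$parentPath = realpath(dirname($userPath));
if ($storePath === false || $parentPath === false || $parentPath !== $storePath) {
    http_response_code(500);
    return;
}

#### Only regular files are deleted: unlink() fails on directories, and an
#### entry that disappeared between scandir() and here is a 404.
if (!is_file($userPath)) {
    http_response_code(404);
    return;
}

#### Report a failed unlink() (permissions, race) rather than returning
#### success with the file still in place.
if (!unlink($userPath)) {
    http_response_code(500);
    return;
}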