scratch
/quickload/config.php.dist |
@@ -1,7 +1,32 @@ |
<?php |
|
# Set this to the filesystem to the folder where the files should be uploaded. |
########################################################################### |
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
########################################################################### |
|
# Set this to the filesystem to the folder where the files should be |
# uploaded. |
$STORE_FOLDER = '/var/www/incoming/'; |
|
# Set this to the URL path of the folder where the files can be retrieved. |
# Set this to the URL path of the folder where the files can be |
# retrieved. |
$URL_PATH = 'http://my.tld/incoming/'; |
|
# A list of allowed files by extension that the template will accept. |
$ALLOWED_FILE_EXTENSIONS = [ |
"PNG", |
"JPG", |
"JPEG", |
"GIF", |
"TGA", |
"SVG", |
"JP2", |
"JP", |
"ZIP", |
"RAR", |
"GZ", |
"TAR", |
"BZ2", |
"MP4", |
"MP3" |
]; |
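Review bot: `SVG` in the new `$ALLOWED_FILE_EXTENSIONS` list admits active content: unlike the raster and archive formats around it, an SVG document may carry script, and when it is served straight from `$URL_PATH` on the site's own origin that script runs with the origin's privileges (stored XSS). Either drop `SVG` or make sure the web server serving `$STORE_FOLDER` forces download (`Content-Disposition: attachment`) and a restrictive CSP for that path. The comment above the list should also state the case convention, since `upload.php` matches `strtoupper($fileExtension)` against these entries with `in_array`: `# Entries must be UPPER-CASE: upload.php upper-cases the extension before matching.`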
/quickload/upload.php |
@@ -8,9 +8,7 @@ |
require_once('includes/functions.php'); |
require_once('config.php'); |
|
# Upload data can be POST'ed as raw form data or uploaded via <iframe> and |
# <form> using regular multipart/form-data enctype (which is handled by |
# PHP $_FILES). |
#### Retrieve uploaded file. |
if (!empty($_FILES['file']) and |
is_uploaded_file($_FILES['file']['tmp_name'])) { |
# Regular multipart/form-data upload. |
@@ -22,9 +20,14 @@ |
$data = file_get_contents("php://input"); |
} |
|
## Hash filename and check storage in the upload folder. |
$fileExtension = pathinfo($name, PATHINFO_EXTENSION); |
if ($fileExtension != '') { |
|
#### Check that the file extension is allowed. |
if(!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS)) |
return; |
|
#### Hash filename and check storage in the upload folder. |
$storePath = realpath($STORE_FOLDER); |
$file = strtolower( |
PseudoCrypt::hash( |
@@ -47,13 +50,14 @@ |
$file |
) |
); |
|
#### Check for path traversals. |
$pathPart = pathinfo($userPath); |
if (realpath($pathPart['dirname']) == $storePath) { |
atomized_put_contents($userPath, $data); |
$output = sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
} |
} |
|
# Return the URL to the file. |
### Return the URL to the file. |
header('Content-Type: text/plain; charset=utf-8'); |
echo $output; |
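Review bot: The `return;` on the rejection branch of the extension check (second hunk, after `!in_array(...)`) leaves the script before the `header(...)`/`echo` at the end, so a disallowed upload produces an empty 200 response with no Content-Type and the client cannot distinguish rejection from success; the `isset($fileExtension)` on the same line is dead, as the variable was just assigned from `pathinfo`, and `in_array` should match strictly. Suggested replacement for that check: `if (!in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS, true)) { http_response_code(415); return; }`. The traversal guard in the third hunk compares with `==`; `realpath` returns `false` when a path does not resolve, so if `$STORE_FOLDER` itself does not exist both sides are `false` and the check passes — prefer `===` together with an explicit `$storePath !== false` test before the write. The lines that build `$userPath` lie outside the hunks, so whether the stored name keeps the client-supplied extension cannot be checked here.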