/quickload/config.php.dist |
@@ -1,7 +1,32 @@ |
<?php |
|
# Set this to the filesystem to the folder where the files should be uploaded. |
########################################################################### |
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
########################################################################### |
|
# Set this to the filesystem to the folder where the files should be |
# uploaded. |
$STORE_FOLDER = '/var/www/incoming/'; |
|
# Set this to the URL path of the folder where the files can be retrieved. |
# Set this to the URL path of the folder where the files can be |
# retrieved. |
$URL_PATH = 'http://my.tld/incoming/'; |
|
# A list of allowed files by extension that the template will accept. |
$ALLOWED_FILE_EXTENSIONS = [ |
"PNG", |
"JPG", |
"JPEG", |
"GIF", |
"TGA", |
"SVG", |
"JP2", |
"JP", |
"ZIP", |
"RAR", |
"GZ", |
"TAR", |
"BZ2", |
"MP4", |
"MP3" |
]; |
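Review bot: The allowlist added here contains `"SVG"`, and SVG is active content: an uploaded SVG carrying a `<script>` element, served inline from `$URL_PATH` (the default on line 17 is the same origin, my.tld), is stored XSS on that origin. Either drop `"SVG"` from the list or make sure the `incoming/` folder is served with `Content-Disposition: attachment` or from a separate origin — neither of which this config file can enforce by itself, so at minimum annotate the entry: `# SVG can embed scripts; keep it only if the upload folder is served as a download or from a separate origin.` The consumer in upload.php upper-cases the extension before looking it up, so the comment on the list should also say `# Entries must be upper-case; lower-case entries never match.`, otherwise a lower-case entry added later silently disables that type. `"JP"` is not a common extension; if it is a typo for another format, confirm it, since every entry widens what the endpoint accepts.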
/quickload/upload.php |
@@ -8,10 +8,8 @@ |
require_once('includes/functions.php'); |
require_once('config.php'); |
|
# Upload data can be POST'ed as raw form data or uploaded via <iframe> and |
# <form> using regular multipart/form-data enctype (which is handled by |
# PHP $_FILES). |
if (!empty($_FILES['file']) and |
#### Retrieve uploaded file. |
if (!empty($_FILES['file']) and |
is_uploaded_file($_FILES['file']['tmp_name'])) { |
# Regular multipart/form-data upload. |
$name = $_FILES['file']['name']; |
@@ -22,38 +20,44 @@ |
$data = file_get_contents("php://input"); |
} |
|
## Hash filename and check storage in the upload folder. |
$fileExtension = pathinfo($name, PATHINFO_EXTENSION); |
if ($fileExtension != '') { |
$storePath = realpath($STORE_FOLDER); |
$file = strtolower( |
PseudoCrypt::hash( |
preg_replace( |
'/\D/', |
'', |
hash( |
'sha512', |
$name |
) |
|
#### Check that the file extension is allowed. |
if(!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS)) |
return; |
|
#### Hash filename and check storage in the upload folder. |
$storePath = realpath($STORE_FOLDER); |
$file = strtolower( |
PseudoCrypt::hash( |
preg_replace( |
'/\D/', |
'', |
hash( |
'sha512', |
$name |
) |
). |
'.'. |
$fileExtension |
); |
$userPath = join( |
DIRECTORY_SEPARATOR, |
array( |
$STORE_FOLDER, |
$file |
) |
); |
$pathPart = pathinfo($userPath); |
if (realpath($pathPart['dirname']) == $storePath) { |
atomized_put_contents($userPath, $data); |
$output = sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
} |
). |
'.'. |
$fileExtension |
); |
$userPath = join( |
DIRECTORY_SEPARATOR, |
array( |
$STORE_FOLDER, |
$file |
) |
); |
|
#### Check for path traversals. |
$pathPart = pathinfo($userPath); |
if (realpath($pathPart['dirname']) == $storePath) { |
atomized_put_contents($userPath, $data); |
$output = sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
} |
|
# Return the URL to the file. |
### Return the URL to the file. |
header('Content-Type: text/plain; charset=utf-8'); |
echo $output; |
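Review bot: The extension check added in this hunk rejects a disallowed upload with a bare `return;`, which ends the script with HTTP 200 and an empty body, and the traversal branch has the same shape (an unset `$output` is echoed), so a client cannot tell a refused upload from a stored one; prefer `http_response_code(415); exit;` for the extension case and an explicit error status when the realpath comparison fails. The `!isset($fileExtension)` half of the condition never fires because `pathinfo()` returns `''` rather than null — the `in_array()` on the empty string is what actually rejects an extension-less name — so the condition could simply be `if ($fileExtension === '' || !in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS, true))`. Separately, the stored name is a deterministic function of the client-supplied `$name` (sha512, digits only, then `PseudoCrypt::hash`), so a later upload with the same original name lands on the same `$userPath` and `atomized_put_contents()` — presumably an overwrite, its body is not in this hunk — replaces the earlier content behind an already-issued URL; mixing in `bin2hex(random_bytes(8))` or refusing when `file_exists($userPath)` closes that. The traversal guard compares with `==`, and `realpath()` returns `false` for a missing directory, so `false == false` would pass when `$STORE_FOLDER` itself does not exist; use `===` and bail out early if `$storePath === false`. The block that assigns `$data = file_get_contents("php://input")` begins before this hunk, so the source of `$name` on the raw-body path is not visible here.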