/quickload/upload.php |
@@ -20,15 +20,15 @@ |
$data = file_get_contents("php://input"); |
} |
|
#### Grab the file extension. |
$fileExtension = pathinfo($name, PATHINFO_EXTENSION); |
|
#### Check that the file extension is allowed. |
if(!isset($fileExtension) || |
#### If the extension is not allowed then change it to a text extension. |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS)) |
return; |
|
#### Hash filename and check storage in the upload folder. |
$storePath = realpath($STORE_FOLDER); |
$fileExtension = 'txt'; |
|
#### Hash filename. |
$file = strtolower( |
PseudoCrypt::hash( |
preg_replace( |
@@ -39,10 +39,11 @@ |
$name |
) |
) |
). |
'.'. |
). '.'. |
$fileExtension |
); |
|
#### Build the user path. |
$userPath = join( |
DIRECTORY_SEPARATOR, |
array( |
@@ -51,13 +52,14 @@ |
) |
); |
|
#### Check for path traversals. |
#### Check for path traversals |
$pathPart = pathinfo($userPath); |
if (realpath($pathPart['dirname']) == $storePath) { |
atomized_put_contents($userPath, $data); |
$output = sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
} |
if (realpath($pathPart['dirname']) != realpath($STORE_FOLDER)) |
return; |
|
#### Store the file. |
atomized_put_contents($userPath, $data); |
|
### Return the URL to the file. |
header('Content-Type: text/plain; charset=utf-8'); |
echo $output; |
echo sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
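Review bot: The rewritten traversal guard `if (realpath($pathPart['dirname']) != realpath($STORE_FOLDER)) return;` lets the write through when both calls fail, because realpath() returns false for a path that does not resolve and `false != false` is false, so a misconfigured or missing store folder turns into an unchecked atomized_put_contents() on $userPath. Resolve the store folder once and reject on failure explicitly: `$storePath = realpath($STORE_FOLDER);` then `if ($storePath === false || realpath($pathPart['dirname']) !== $storePath) return;`, which also drops the loose `!=`. The same non-strict comparison habit shows up in the first hunk's `in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS)`, which should pass `true` as the third argument, and the `!isset($fileExtension)` test there is always false since pathinfo() returns a string. The array passed to join() that builds $userPath is outside the hunk, so I cannot confirm what else feeds into the path besides $file.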