/file.php |
@@ -14,13 +14,21 @@ |
#### Retrieve uploaded file. |
if (!empty($_FILES['file']) and |
is_uploaded_file($_FILES['file']['tmp_name'])) { |
if($_FILES['file']['size'] > $ALLOWED_ASSET_SIZE * 1048576) { |
header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403); |
return; |
} |
# Regular multipart/form-data upload. |
$name = $_FILES['file']['name']; |
$data = file_get_contents($_FILES['file']['tmp_name']); |
$data = atomized_get_contents($_FILES['file']['tmp_name']); |
} else { |
if((int)get_file_size("php://input") > $ALLOWED_ASSET_SIZE * 1048576) { |
header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403); |
return; |
} |
# Raw POST data. |
$name = urldecode(@$_SERVER['HTTP_X_FILE_NAME']); |
$data = file_get_contents("php://input"); |
$data = atomized_get_contents("php://input"); |
} |
|
#### Grab the file extension. |
@@ -30,7 +38,7 @@ |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
header("HTTP/1.1 500 Internal Server Error", true, 500); |
header('File extension not allowed.', true, 403); |
return; |
} |
|
@@ -62,6 +70,7 @@ |
$pathPart = pathinfo($userPath.'.'.$fileExtension); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
header('Internal server error.', true, 500); |
return; |
} |
|
@@ -75,7 +84,7 @@ |
case 'GET': |
### If no file has been specified for download then return. |
if (!isset($_GET['o']) or empty($_GET['o'])) { |
http_response_code(404); |
header('File not found.', true, 404); |
return; |
} |
|
@@ -97,7 +106,7 @@ |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
header("HTTP/1.1 500 Internal Server Error", true, 500); |
header('File extension not allowed.', true, 403); |
return; |
} |
|
@@ -114,6 +123,7 @@ |
$pathPart = pathinfo($userPath); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
header('Internal server error.', true, 500); |
return; |
} |
|
@@ -128,10 +138,9 @@ |
### Open MIME info database and send the content type. |
$finfo = finfo_open(FILEINFO_MIME_TYPE); |
if (!$finfo) { |
http_response_code(500); |
header('Internal server error.', true, 500); |
return; |
} |
|
header('Content-type: '.finfo_file($finfo, $userPath)); |
finfo_close($finfo); |
break; |
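Review bot: `header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403)` and the other `header('<message>', true, <code>)` calls this section introduces (`File extension not allowed.`, `Internal server error.`, `File not found.`) pass a sentence where PHP expects a `Name: value` header line; the status code is still applied, but a header with no colon is not valid HTTP and the SAPI or web server may drop or reject it, so the message does not reliably reach the client. Keep the `http_response_code(...)` calls the commit removes in the GET and finfo hunks and send the text in the body instead, e.g. `http_response_code(403); echo 'File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.'; return;`, applied to each of those sites. In the raw-POST branch the new size limit relies on `get_file_size("php://input")`, which is defined outside this diff; if it measures by reading the whole stream, the limit bounds what is stored but not the memory used to receive it, so it is worth confirming it uses the content length or a bounded read. `urldecode(@$_SERVER['HTTP_X_FILE_NAME'])` suppresses the undefined-index notice rather than handling it; `urldecode($_SERVER['HTTP_X_FILE_NAME'] ?? '')` keeps the same value without `@`. The enclosing switch continues outside the visible hunks.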
/text.php |
@@ -9,19 +9,25 @@ |
require_once('config.php'); |
|
if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or |
!isset($_POST['action']) or empty($_POST['action'])) |
!isset($_POST['action']) or empty($_POST['action'])) { |
header('Internal server error.', true, 500); |
return; |
} |
|
#### Check fingerprint consistency. |
$fingerprint = strtoupper($_POST['fingerprint']); |
if(strlen($fingerprint) !== 32) |
if(strlen($fingerprint) !== 32) { |
header('Internal server error.', true, 500); |
return; |
} |
|
$action = strtoupper($_POST['action']); |
|
#### Data must be sent in order to save a file. |
if($action === 'SAVE' and !isset($_POST['data'])) |
if($action === 'SAVE' and !isset($_POST['data'])) { |
header('Internal server error.', true, 500); |
return; |
} |
|
#### Hash fingerprint. |
$file = strtolower( |
@@ -50,8 +56,10 @@ |
#### Check for path traversals |
$pathPart = pathinfo($userPath.'.html'); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
header('Internal server error.', true, 500); |
return; |
} |
|
switch($action) { |
case 'SAVE': |
@@ -59,8 +67,10 @@ |
atomized_put_contents($userPath.'.html', $_POST['data']); |
break; |
case 'LOAD': |
if(!file_exists($userPath.'.html')) |
if(!file_exists($userPath.'.html')) { |
header('File not found.', true, 404); |
return; |
} |
### Set no-cache |
header('Content-Type: text/html; charset=utf-8'); |
header('Cache-Control: no-cache, no-store, must-revalidate'); |