/file.php |
@@ -6,8 +6,11 @@ |
|
require_once('php/pseudocrypt.php'); |
require_once('php/functions.php'); |
require_once('config.php'); |
require_once('vendor/mustangostang/spyc/Spyc.php'); |
|
### Load configuration. |
$config = spyc_load_file('config.yaml'); |
|
#### POST -> upload / GET -> download |
switch ($_SERVER['REQUEST_METHOD']) { |
case 'POST': |
@@ -14,8 +17,8 @@ |
#### Retrieve uploaded file. |
if (!empty($_FILES['file']) and |
is_uploaded_file($_FILES['file']['tmp_name'])) { |
if($_FILES['file']['size'] > $ALLOWED_ASSET_SIZE * 1048576) { |
header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403); |
if($_FILES['file']['size'] > $config['ALLOWED_ASSET_SIZE'] * 1048576) { |
header('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.', true, 403); |
return; |
} |
# Regular multipart/form-data upload. |
@@ -22,8 +25,8 @@ |
$name = $_FILES['file']['name']; |
$data = atomized_get_contents($_FILES['file']['tmp_name']); |
} else { |
if((int)get_file_size("php://input") > $ALLOWED_ASSET_SIZE * 1048576) { |
header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403); |
if((int)get_file_size("php://input") > $config['ALLOWED_ASSET_SIZE'] * 1048576) { |
header('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.', true, 403); |
return; |
} |
# Raw POST data. |
@@ -37,7 +40,7 @@ |
#### If the extension is not allowed then change it to a text extension. |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
header('File extension not allowed.', true, 403); |
return; |
} |
@@ -53,7 +56,7 @@ |
$data |
) |
), |
$ASSET_HASH_SIZE |
$config['ASSET_HASH_SIZE'] |
) |
); |
|
@@ -61,7 +64,7 @@ |
$userPath = join( |
DIRECTORY_SEPARATOR, |
array( |
$STORE_FOLDER, |
$config['STORE_FOLDER'], |
$file |
) |
); |
@@ -69,7 +72,7 @@ |
#### Check for path traversals |
$pathPart = pathinfo($userPath.'.'.$fileExtension); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
header('Internal server error.', true, 500); |
return; |
} |
@@ -79,7 +82,7 @@ |
|
### Return the URL to the file. |
header('Content-Type: text/plain; charset=utf-8'); |
echo sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
echo sprintf('%s/%s', trim($config['URL_PATH'], '/'), $file); |
break; |
case 'GET': |
### If no file has been specified for download then return. |
@@ -92,7 +95,7 @@ |
$file = array_shift( |
preg_grep( |
"/$_GET[o]/", |
scandir($STORE_FOLDER) |
scandir($config['STORE_FOLDER']) |
) |
); |
|
@@ -105,7 +108,7 @@ |
#### If the extension is not allowed then return. |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
header('File extension not allowed.', true, 403); |
return; |
} |
@@ -114,7 +117,7 @@ |
$userPath = join( |
DIRECTORY_SEPARATOR, |
array( |
$STORE_FOLDER, |
$config['STORE_FOLDER'], |
$file |
) |
); |
@@ -122,7 +125,7 @@ |
#### Check for path traversals |
$pathPart = pathinfo($userPath); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
header('Internal server error.', true, 500); |
return; |
} |
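Review bot: The new `$config['…']` reads that replace the old globals in every hunk are never checked against what `spyc_load_file('config.yaml')` actually returned, so a missing or misspelled key silently becomes null: `$config['ALLOWED_ASSET_SIZE'] * 1048576` becomes 0 and rejects every upload, while a null `STORE_FOLDER` makes `join(DIRECTORY_SEPARATOR, array(null, $file))` yield a root-anchored path and the traversal guard then compares against `realpath(null)`, whose result I would not rely on. A fail-closed presence check right after the load in the first hunk turns the YAML keys into an explicit contract; it is sketched below. Separately, the rewritten `scandir($config['STORE_FOLDER'])` call is the haystack for the untouched `"/$_GET[o]/"` pattern directly above it, and since that expression is already being edited, `preg_grep('/' . preg_quote($_GET['o'], '/') . '/', scandir($config['STORE_FOLDER']))` would stop the request parameter from being interpreted as a regular expression. The `switch` that holds all of these hunks begins in the first hunk and ends outside the section.
```php
### Load configuration.
$config = spyc_load_file('config.yaml');

### Fail closed: every key the handlers below read must be present in config.yaml.
foreach (['ALLOWED_ASSET_SIZE', 'ALLOWED_FILE_EXTENSIONS', 'ASSET_HASH_SIZE', 'STORE_FOLDER', 'URL_PATH'] as $key) {
    if (!isset($config[$key])) {
        header('Internal server error.', true, 500);
        return;
    }
}

# … unchanged: POST -> upload / GET -> download switch …
```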