/quickload/upload.php |
@@ -8,9 +8,7 @@ |
require_once('includes/functions.php'); |
require_once('config.php'); |
|
# Upload data can be POST'ed as raw form data or uploaded via <iframe> and |
# <form> using regular multipart/form-data enctype (which is handled by |
# PHP $_FILES). |
#### Retrieve uploaded file. |
if (!empty($_FILES['file']) and |
is_uploaded_file($_FILES['file']['tmp_name'])) { |
# Regular multipart/form-data upload. |
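Review bot: The multipart branch at the `if (!empty($_FILES['file']) and` line accepts the upload without looking at `$_FILES['file']['error']`, so a partially received file (UPLOAD_ERR_PARTIAL) whose tmp_name still satisfies `is_uploaded_file()` is treated the same as a complete one. Add the status to the condition: `if (!empty($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK && is_uploaded_file($_FILES['file']['tmp_name'])) {`. The comment block above the `if` is the only description of the two upload paths; a sentence saying that the raw path reads the whole body into memory via `file_get_contents("php://input")` (visible in the next hunk) would help the next reader. The body of this `if` continues past the end of the hunk.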
@@ -22,9 +20,14 @@ |
$data = file_get_contents("php://input"); |
} |
|
## Hash filename and check storage in the upload folder. |
$fileExtension = pathinfo($name, PATHINFO_EXTENSION); |
if ($fileExtension != '') { |
|
#### Check that the file extension is allowed. |
if(!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS)) |
return; |
|
#### Hash filename and check storage in the upload folder. |
$storePath = realpath($STORE_FOLDER); |
$file = strtolower( |
PseudoCrypt::hash( |
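Review bot: `$storePath = realpath($STORE_FOLDER);` is never checked for `false`, and the traversal guard in the next hunk compares it loosely (`realpath($pathPart['dirname']) == $storePath`), so when the store folder does not resolve both sides are `false` and the guard passes. Fail closed before hashing, `if ($storePath === false) { http_response_code(500); exit; }`, and use `===` in that comparison. The allow-list test a few lines up carries a redundant `!isset($fileExtension)` (the variable was just assigned) and an `in_array` without `true`; written as `if (!in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS, true)) { http_response_code(400); exit; }` a rejected extension gets an error status instead of the bare `return;` that ends the request with an empty 200 body. The check only inspects the client-supplied name, so if `$STORE_FOLDER` is served directly the content should be type-checked as well before it is stored. The `$file = strtolower(PseudoCrypt::hash(` statement is cut off by the end of the hunk.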
@@ -47,13 +50,14 @@ |
$file |
) |
); |
|
#### Check for path traversals. |
$pathPart = pathinfo($userPath); |
if (realpath($pathPart['dirname']) == $storePath) { |
atomized_put_contents($userPath, $data); |
$output = sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
} |
} |
|
# Return the URL to the file. |
### Return the URL to the file. |
header('Content-Type: text/plain; charset=utf-8'); |
echo $output; |
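Review bot: `echo $output;` runs unconditionally, but within this hunk `$output` is only assigned inside the traversal-guarded branch, so a rejected path (or an upload with no extension) emits an undefined-variable notice and an empty 200 response unless `$output` is initialised earlier in the file. Guard the response before the `header()` call: `if (!isset($output)) { http_response_code(400); exit; }`. The return value of `atomized_put_contents()` is also discarded, so a failed write would still report a URL; checking it keeps the response honest. The outer `if ($fileExtension != '')` block that closes here opens in the previous hunk.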