scratch
| /quickload/upload.php |
|---|
| @@ -8,9 +8,7 @@ |
| require_once('includes/functions.php'); |
| require_once('config.php'); |
| # Upload data can be POST'ed as raw form data or uploaded via <iframe> and |
| # <form> using regular multipart/form-data enctype (which is handled by |
| # PHP $_FILES). |
| #### Retrieve uploaded file. |
| if (!empty($_FILES['file']) and |
| is_uploaded_file($_FILES['file']['tmp_name'])) { |
| # Regular multipart/form-data upload. |
| @@ -22,9 +20,14 @@ |
| $data = file_get_contents("php://input"); |
| } |
| ## Hash filename and check storage in the upload folder. |
| $fileExtension = pathinfo($name, PATHINFO_EXTENSION); |
| if ($fileExtension != '') { |
| #### Check that the file extension is allowed. |
| if(!isset($fileExtension) || |
| !in_array(strtoupper($fileExtension), $ALLOWED_FILE_EXTENSIONS)) |
| return; |
| #### Hash filename and check storage in the upload folder. |
| $storePath = realpath($STORE_FOLDER); |
| $file = strtolower( |
| PseudoCrypt::hash( |
| @@ -47,13 +50,14 @@ |
| $file |
| ) |
| ); |
| #### Check for path traversals. |
| $pathPart = pathinfo($userPath); |
| if (realpath($pathPart['dirname']) == $storePath) { |
| atomized_put_contents($userPath, $data); |
| $output = sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
| } |
| } |
| # Return the URL to the file. |
| ### Return the URL to the file. |
| header('Content-Type: text/plain; charset=utf-8'); |
| echo $output; |