/file.php |
@@ -79,6 +79,7 @@ |
return; |
} |
|
### Find the requested file. |
$file = array_shift( |
preg_grep( |
"/$_GET[o]/", |
@@ -88,20 +89,58 @@ |
|
if (!isset($file) or empty($file)) |
return; |
|
### Check the path for path traversals. |
$fileExtension = pathinfo($file, PATHINFO_EXTENSION); |
|
### Open MIME info database and send the content type. |
$finfo = finfo_open(FILEINFO_MIME_TYPE); |
if (!$finfo) { |
http_response_code(500); |
#### If the extension is not allowed then return. |
if (!isset($fileExtension) || |
!in_array(strtoupper($fileExtension), |
array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
header("HTTP/1.1 500 Internal Server Error", true, 500); |
return; |
} |
|
header('Content-type: '.finfo_file($finfo, $STORE_FOLDER.'/'.$file)); |
finfo_close($finfo); |
|
#### Build the user path. |
$userPath = join( |
DIRECTORY_SEPARATOR, |
array( |
$STORE_FOLDER, |
$file |
) |
); |
|
#### Check for path traversals |
$pathPart = pathinfo($userPath); |
if (strcasecmp( |
realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
return; |
} |
|
### Hook for HTML files to display properly. |
switch(strtoupper($fileExtension)) { |
case "HTML": |
case "HTM": |
header('Content-type: text/html'); |
break; |
break; |
default: |
### Open MIME info database and send the content type. |
$finfo = finfo_open(FILEINFO_MIME_TYPE); |
if (!$finfo) { |
http_response_code(500); |
return; |
} |
|
header('Content-type: '.finfo_file($finfo, $userPath)); |
finfo_close($finfo); |
break; |
} |
|
### Send the file along with the inline content disposition. |
header('Content-length: '.(int)get_file_size($STORE_FOLDER.'/'.$file)); |
header('Content-Disposition: inline; filename="' . basename($STORE_FOLDER.'/'.$file) . '"'); |
header('X-Sendfile: '.$STORE_FOLDER.'/'.$file); |
header('Content-length: '.(int)get_file_size($userPath)); |
header('Content-Disposition: inline; filename="' . basename($userPath) . '"'); |
header('Content-Transfer-Encoding: binary'); |
header('X-Sendfile: '.$userPath); |
break; |
} |
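Review bot: The HTML/HTM branch of the new switch sends a stored file as `text/html` with `Content-Disposition: inline`, so any markup or script inside that file runs in this site's origin; if $STORE_FOLDER holds user-supplied files (the allowed-extension whitelist suggests it may, but the hunk does not show where the store is filled), the response should also carry `X-Content-Type-Options: nosniff` and `Content-Security-Policy: sandbox` or the store should be served from a separate origin, and the header should declare a charset, `header('Content-Type: text/html; charset=utf-8');`. The traversal check only compares the realpath of the parent directory, so a symlink inside the store pointing elsewhere would still be handed to X-Sendfile, and when both realpath() calls return false (store folder missing) `strcasecmp('', '')` passes; resolving `realpath($userPath)` itself, rejecting false, and requiring it to start with `realpath($STORE_FOLDER) . DIRECTORY_SEPARATOR` closes both gaps. In the first hunk `$_GET[o]` is interpolated unescaped and unanchored into the preg_grep pattern, which the commit leaves as is; `'/^' . preg_quote($_GET['o'], '/') . '$/'` keeps the lookup literal. Answering a disallowed extension with 500 misreports a client error and mixes two status-setting styles; `http_response_code(403)` matches the call used further down. The enclosing switch case begins before this hunk.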
/text.php |
@@ -4,11 +4,6 @@ |
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
########################################################################### |
|
header('Content-Type: text/html; charset=utf-8'); |
header('Cache-Control: no-cache, no-store, must-revalidate'); |
header('Pragma: no-cache'); |
header('Expires: 0'); |
|
require_once('inc/pseudocrypt.php'); |
require_once('inc/functions.php'); |
require_once('config.php'); |
@@ -66,7 +61,17 @@ |
case 'LOAD': |
if(!file_exists($userPath.'.html')) |
return; |
echo atomized_get_contents($userPath.'.html'); |
### Set no-cache |
header('Content-Type: text/html; charset=utf-8'); |
header('Cache-Control: no-cache, no-store, must-revalidate'); |
header('Pragma: no-cache'); |
header('Expires: 0'); |
### Open MIME info database and send the content type. |
header('Content-type: text/html'); |
### Send the file along with the inline content disposition. |
header('Content-length: '.(int)get_file_size($userPath.'.html')); |
header('Content-Disposition: inline; filename="' . basename($userPath.'.html') . '"'); |
header('X-Sendfile: '.$userPath.'.html'); |
break; |
} |
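Review bot: The later `header('Content-type: text/html')` in the LOAD case replaces the `Content-Type: text/html; charset=utf-8` header sent a few lines earlier (header() replaces an existing header of the same name, case-insensitively), so the response loses its charset declaration; drop that line or make it `header('Content-Type: text/html; charset=utf-8');`. The first hunk removes the no-cache and content-type headers from the top of the file and only the LOAD case re-adds them, so any other case of the enclosing switch, which lies outside this hunk, now responds with default caching and no explicit charset — presumably unintended if those branches also return user text. Replacing the `echo` with `X-Sendfile` also makes delivery depend on the web server's sendfile module being enabled for this script; without it the client receives an empty body under a non-zero Content-length, so that requirement belongs in a comment next to the header, e.g. `### Requires mod_xsendfile (or equivalent); PHP does not write the body.`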
|