| /file.php |
|---|
| @@ -79,6 +79,7 @@ |
|---|
| return; |
| } |
| |
| ### Find the requested file. |
| $file = array_shift( |
| preg_grep( |
| "/$_GET[o]/", |
| @@ -88,20 +89,58 @@ |
|---|
| |
| if (!isset($file) or empty($file)) |
| return; |
| |
| ### Check the path for path traversals. |
| $fileExtension = pathinfo($file, PATHINFO_EXTENSION); |
| |
| ### Open MIME info database and send the content type. |
| $finfo = finfo_open(FILEINFO_MIME_TYPE); |
| if (!$finfo) { |
| http_response_code(500); |
| #### If the extension is not allowed then return. |
| if (!isset($fileExtension) || |
| !in_array(strtoupper($fileExtension), |
| array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
| header("HTTP/1.1 500 Internal Server Error", true, 500); |
| return; |
| } |
| |
| header('Content-type: '.finfo_file($finfo, $STORE_FOLDER.'/'.$file)); |
| finfo_close($finfo); |
| |
| #### Build the user path. |
| $userPath = join( |
| DIRECTORY_SEPARATOR, |
| array( |
| $STORE_FOLDER, |
| $file |
| ) |
| ); |
| |
| #### Check for path traversals |
| $pathPart = pathinfo($userPath); |
| if (strcasecmp( |
| realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
| return; |
| } |
| |
| ### Hook for HTML files to display properly. |
| switch(strtoupper($fileExtension)) { |
| case "HTML": |
| case "HTM": |
| header('Content-type: text/html'); |
| break; |
| break; |
| default: |
| ### Open MIME info database and send the content type. |
| $finfo = finfo_open(FILEINFO_MIME_TYPE); |
| if (!$finfo) { |
| http_response_code(500); |
| return; |
| } |
| |
| header('Content-type: '.finfo_file($finfo, $userPath)); |
| finfo_close($finfo); |
| break; |
| } |
| |
| ### Send the file along with the inline content disposition. |
| header('Content-length: '.(int)get_file_size($STORE_FOLDER.'/'.$file)); |
| header('Content-Disposition: inline; filename="' . basename($STORE_FOLDER.'/'.$file) . '"'); |
| header('X-Sendfile: '.$STORE_FOLDER.'/'.$file); |
| header('Content-length: '.(int)get_file_size($userPath)); |
| header('Content-Disposition: inline; filename="' . basename($userPath) . '"'); |
| header('Content-Transfer-Encoding: binary'); |
| header('X-Sendfile: '.$userPath); |
| break; |
| } |
| /text.php |
|---|
| @@ -4,11 +4,6 @@ |
|---|
| ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ## |
| ########################################################################### |
| |
| header('Content-Type: text/html; charset=utf-8'); |
| header('Cache-Control: no-cache, no-store, must-revalidate'); |
| header('Pragma: no-cache'); |
| header('Expires: 0'); |
| |
| require_once('inc/pseudocrypt.php'); |
| require_once('inc/functions.php'); |
| require_once('config.php'); |
| @@ -66,7 +61,17 @@ |
|---|
| case 'LOAD': |
| if(!file_exists($userPath.'.html')) |
| return; |
| echo atomized_get_contents($userPath.'.html'); |
| ### Set no-cache |
| header('Content-Type: text/html; charset=utf-8'); |
| header('Cache-Control: no-cache, no-store, must-revalidate'); |
| header('Pragma: no-cache'); |
| header('Expires: 0'); |
| ### Open MIME info database and send the content type. |
| header('Content-type: text/html'); |
| ### Send the file along with the inline content disposition. |
| header('Content-length: '.(int)get_file_size($userPath.'.html')); |
| header('Content-Disposition: inline; filename="' . basename($userPath.'.html') . '"'); |
| header('X-Sendfile: '.$userPath.'.html'); |
| break; |
| } |
| |
