| /delete.php |
|---|
| @@ -12,22 +12,28 @@ |
|---|
| $config = spyc_load_file('config.yaml'); |
| |
| ### If no file has been specified for download then return. |
| if (!isset($_GET['o']) or empty($_GET['o'])) { |
| header('File not found.', true, 404); |
| return; |
| if (!isset($_GET['hash']) or empty($_GET['hash'])) { |
| http_response_code(404); |
| die('File not found.'); |
| } |
| |
| ### If no timestamp has been provided then return. |
| if (!isset($_GET['timestamp']) or empty($_GET['timestamp'])) { |
| http_response_code(403); |
| die('Forbidden.'); |
| } |
| |
| ### Find the requested file. |
| $file = array_shift( |
| preg_grep( |
| "/$_GET[o]/", |
| "/".$_GET['hash']."/", |
| scandir($config['STORE_FOLDER']) |
| ) |
| ); |
| |
| if (!isset($file) or empty($file)) { |
| header('File not found.', true, 404); |
| return; |
| http_response_code(404); |
| die('File not found.'); |
| } |
| |
| ### Check the path for path traversals. |
| @@ -37,8 +43,8 @@ |
|---|
| if (!isset($fileExtension) || |
| !in_array(strtoupper($fileExtension), |
| array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
| header('File extension not allowed.', true, 403); |
| return; |
| http_response_code(403); |
| die('File extension not allowed.'); |
| } |
| |
| #### Build the user path. |
| @@ -54,13 +60,20 @@ |
|---|
| $pathPart = pathinfo($userPath); |
| if (strcasecmp( |
| realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
| header('Internal server error.', true, 500); |
| return; |
| http_response_code(500); |
| die('Internal server error.'); |
| } |
| |
| #### Check if the file exists. |
| if (!file_exists($userPath)) { |
| header('File not found.', true, 404); |
| return; |
| http_response_code(404); |
| die('File not found.'); |
| } |
| |
| ### Check if the timestamp matches. |
| if (filemtime($userPath) != $_GET['timestamp']) { |
| http_response_code(403); |
| die('Forbidden.'); |
| } |
| |
| unlink($userPath); |
