| /file.php |
|---|
| @@ -6,8 +6,11 @@ |
|---|
| |
| require_once('php/pseudocrypt.php'); |
| require_once('php/functions.php'); |
| require_once('config.php'); |
| require_once('vendor/mustangostang/spyc/Spyc.php'); |
| |
| ### Load configuration. |
| $config = spyc_load_file('config.yaml'); |
| |
| #### POST -> upload / GET -> download |
| switch ($_SERVER['REQUEST_METHOD']) { |
| case 'POST': |
| @@ -14,8 +17,8 @@ |
|---|
| #### Retrieve uploaded file. |
| if (!empty($_FILES['file']) and |
| is_uploaded_file($_FILES['file']['tmp_name'])) { |
| if($_FILES['file']['size'] > $ALLOWED_ASSET_SIZE * 1048576) { |
| header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403); |
| if($_FILES['file']['size'] > $config['ALLOWED_ASSET_SIZE'] * 1048576) { |
| header('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.', true, 403); |
| return; |
| } |
| # Regular multipart/form-data upload. |
| @@ -22,8 +25,8 @@ |
|---|
| $name = $_FILES['file']['name']; |
| $data = atomized_get_contents($_FILES['file']['tmp_name']); |
| } else { |
| if((int)get_file_size("php://input") > $ALLOWED_ASSET_SIZE * 1048576) { |
| header('File size exceeds '.$ALLOWED_ASSET_SIZE.'MiB.', true, 403); |
| if((int)get_file_size("php://input") > $config['ALLOWED_ASSET_SIZE'] * 1048576) { |
| header('File size exceeds '.$config['ALLOWED_ASSET_SIZE'].'MiB.', true, 403); |
| return; |
| } |
| # Raw POST data. |
| @@ -37,7 +40,7 @@ |
|---|
| #### If the extension is not allowed then change it to a text extension. |
| if (!isset($fileExtension) || |
| !in_array(strtoupper($fileExtension), |
| array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
| array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
| header('File extension not allowed.', true, 403); |
| return; |
| } |
| @@ -53,7 +56,7 @@ |
|---|
| $data |
| ) |
| ), |
| $ASSET_HASH_SIZE |
| $config['ASSET_HASH_SIZE'] |
| ) |
| ); |
| |
| @@ -61,7 +64,7 @@ |
|---|
| $userPath = join( |
| DIRECTORY_SEPARATOR, |
| array( |
| $STORE_FOLDER, |
| $config['STORE_FOLDER'], |
| $file |
| ) |
| ); |
| @@ -69,7 +72,7 @@ |
|---|
| #### Check for path traversals |
| $pathPart = pathinfo($userPath.'.'.$fileExtension); |
| if (strcasecmp( |
| realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
| realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
| header('Internal server error.', true, 500); |
| return; |
| } |
| @@ -79,7 +82,7 @@ |
|---|
| |
| ### Return the URL to the file. |
| header('Content-Type: text/plain; charset=utf-8'); |
| echo sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
| echo sprintf('%s/%s', trim($config['URL_PATH'], '/'), $file); |
| break; |
| case 'GET': |
| ### If no file has been specified for download then return. |
| @@ -92,7 +95,7 @@ |
|---|
| $file = array_shift( |
| preg_grep( |
| "/$_GET[o]/", |
| scandir($STORE_FOLDER) |
| scandir($config['STORE_FOLDER']) |
| ) |
| ); |
| |
| @@ -105,7 +108,7 @@ |
|---|
| #### If the extension is not allowed then return. |
| if (!isset($fileExtension) || |
| !in_array(strtoupper($fileExtension), |
| array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) { |
| array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) { |
| header('File extension not allowed.', true, 403); |
| return; |
| } |
| @@ -114,7 +117,7 @@ |
|---|
| $userPath = join( |
| DIRECTORY_SEPARATOR, |
| array( |
| $STORE_FOLDER, |
| $config['STORE_FOLDER'], |
| $file |
| ) |
| ); |
| @@ -122,7 +125,7 @@ |
|---|
| #### Check for path traversals |
| $pathPart = pathinfo($userPath); |
| if (strcasecmp( |
| realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
| realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) { |
| header('Internal server error.', true, 500); |
| return; |
| } |
