scratch – Diff between revs 49 and 52

Subversion Repositories:

?pathlinks?

Rev 49 – Rev 53 – Go to most recent revision – Details – Blame – Last modification – View Log

Only display areas with differences – Ignore whitespace

 <?php
 ###########################################################################
 ##  Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3      ##
 ###########################################################################
 require_once('inc/pseudocrypt.php');
 require_once('inc/functions.php');
 require_once('config.php');
+#### POST -> upload / GET -> download
+switch ($_SERVER['REQUEST_METHOD']) {
+    case 'POST':
-#### Retrieve uploaded file.
+        #### Retrieve uploaded file.
-if (!empty($_FILES['file']) and
+        if (!empty($_FILES['file']) and
-    is_uploaded_file($_FILES['file']['tmp_name'])) {
+            is_uploaded_file($_FILES['file']['tmp_name'])) {
-    # Regular multipart/form-data upload.
+            # Regular multipart/form-data upload.
-    $name = $_FILES['file']['name'];
+            $name = $_FILES['file']['name'];
-    $data = file_get_contents($_FILES['file']['tmp_name']);
+            $data = file_get_contents($_FILES['file']['tmp_name']);
-} else {
+        } else {
-    # Raw POST data.
+            # Raw POST data.
-    $name = urldecode(@$_SERVER['HTTP_X_FILE_NAME']);
+            $name = urldecode(@$_SERVER['HTTP_X_FILE_NAME']);
+            $data = file_get_contents("php://input");
+        }
+        #### Grab the file extension.
+        $fileExtension = pathinfo($name, PATHINFO_EXTENSION);
+        #### If the extension is not allowed then change it to a text extension.
+        if (!isset($fileExtension) ||
+            !in_array(strtoupper($fileExtension),
+                array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) {
+            header("HTTP/1.1 500 Internal Server Error", true, 500);
+            return;
-    $data = file_get_contents("php://input");
+        }
+        #### Hash filename.
+        $file = strtolower(
+            PseudoCrypt::hash(
+                preg_replace(
+                    '/\D/',
+                    '',
+                    hash(
+                        'sha512',
+                        $data
+                    )
+                ),
+                $ASSET_HASH_SIZE
+            )
-}
+        );
+        #### Build the user path.
+        $userPath = join(
+            DIRECTORY_SEPARATOR,
+            array(
+                $STORE_FOLDER,
+                $file
-#### Grab the file extension.
+            )
-$fileExtension = pathinfo($name, PATHINFO_EXTENSION);
+        );
-#### If the extension is not allowed then change it to a text extension.
+        #### Check for path traversals
-if (!isset($fileExtension) ||
+        $pathPart = pathinfo($userPath.'.'.$fileExtension);
-    !in_array(strtoupper($fileExtension),
+        if (strcasecmp(
-        array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS))) {
+            realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) {
+            return;
+        }
-    header("HTTP/1.1 500 Internal Server Error", true, 500);
-    return;
+        #### Store the file.
+        atomized_put_contents($userPath.'.'.$fileExtension, $data);
-}
+        ### Return the URL to the file.
+        header('Content-Type: text/plain; charset=utf-8');
+        echo sprintf('%s/%s', trim($URL_PATH, '/'), $file);
+    break;
-#### Hash filename.
+    case 'GET':
-$file = strtolower(
+        ### If no file has been specified for download then return.
-    PseudoCrypt::hash(
+        if (!isset($_GET['o']) or empty($_GET['o'])) {
+            http_response_code(404);
+            return;
-        preg_replace(
+        }
-            '/\D/',
-            '',
+        $file = array_shift(
-            hash(
+            preg_grep(
-                'sha512',
+                "/$_GET[o]/",
-                $data
-            )
-        ),
-        $ASSET_HASH_SIZE
+                scandir($STORE_FOLDER)
-    )
-);
-#### Build the user path.
-$userPath = join(
+            )
-    DIRECTORY_SEPARATOR,
+        );
-    array(
-        $STORE_FOLDER,
-        $file
-    )
+        if (!isset($file) or empty($file))
-);
+            return;
-#### Check for path traversals
+        ### Open MIME info database and send the content type.
-$pathPart = pathinfo($userPath.'.'.$fileExtension);
+        $finfo = finfo_open(FILEINFO_MIME_TYPE);
+        if (!$finfo) {
-if (strcasecmp(
+            http_response_code(500);
-    realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0)
+            return;
-    return;
+        }
-#### Store the file.
+        header('Content-type: '.finfo_file($finfo, $STORE_FOLDER.'/'.$file));
-atomized_put_contents($userPath.'.'.$fileExtension, $data);
+        finfo_close($finfo);
+        ### Send the file along with the inline content disposition.
+        header('Content-length: '.(int)get_file_size($STORE_FOLDER.'/'.$file));
+        header('Content-Disposition: inline; filename="' . basename($STORE_FOLDER.'/'.$file) . '"');
-### Return the URL to the file.
+        header('X-Sendfile: '.$STORE_FOLDER.'/'.$file);
-header('Content-Type: text/plain; charset=utf-8');
+    break;
 echo sprintf('%s/%s', trim($URL_PATH, '/'), $file);