scratch – Diff between revs 87 and 93

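--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,92 +1,117 @@
 <?php
 
 ###########################################################################
 ## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
 ###########################################################################
 
 require_once('php/pseudocrypt.php');
 require_once('php/functions.php');
 require_once('vendor/autoload.php');
 
 ### Load configuration.
 $config = spyc_load_file('config.yaml');
+
+#### Script restrictions.
+if(
+(
+!isset($_SERVER['HTTP_X_REQUESTED_WITH']) ||
+empty($_SERVER['HTTP_X_REQUESTED_WITH']) ||
+strtoupper($_SERVER['HTTP_X_REQUESTED_WITH']) != 'XMLHTTPREQUEST'
+)
+||
+(
+(
+!isset($_SERVER['HTTP_REFERER']) ||
+empty($_SERVER['HTTP_REFERER'])
+)
+&&
+(
+#strtoupper($_SERVER['HTTP_REFERER']) != strtoupper($config['URL_PATH'].'FILE.HTML') ||
+strtoupper($_SERVER['HTTP_REFERER']) != strtoupper($config['URL_PATH'].'TEXT.HTML')
+)
+)
+)
+{
+http_response_code(403);
+die('Forbidden.');
+}
 
 if(!isset($_POST['fingerprint']) or empty($_POST['fingerprint']) or
 !isset($_POST['action']) or empty($_POST['action'])) {
 http_response_code(500);
 die('Internal server error.');
 }
 
 #### Check fingerprint consistency.
 $fingerprint = strtoupper($_POST['fingerprint']);
 if(strlen($fingerprint) !== 32) {
 http_response_code(500);
 die('Internal server error.');
 }
 
 $action = strtoupper($_POST['action']);
 
 #### Data must be sent in order to save a file.
 if($action === 'SAVE' and !isset($_POST['data'])) {
 http_response_code(500);
 die('Internal server error.');
 }
 
 #### Hash fingerprint.
 $file = strtolower(
 PseudoCrypt::hash(
 preg_replace(
 '/\D/',
 '',
 hash(
 'sha512',
 $fingerprint
 )
 ),
 $config['ASSET_HASH_SIZE']
 )
 );
 
 #### Build the user path.
 $userPath = join(
 DIRECTORY_SEPARATOR,
 array(
 $config['STORE_FOLDER'],
 $file
 )
 );
 
 #### Check for path traversals
 $pathPart = pathinfo($userPath.'.html');
 if (strcasecmp(
 realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) {
 http_response_code(500);
 die('Internal server error.');
 }
 
 switch($action) {
 case 'SAVE':
 #### Store the file.
 atomized_put_contents($userPath.'.html', $_POST['data']);
 break;
 case 'LOAD':
 if(!file_exists($userPath.'.html')) {
 ### If the file does not exist, present an empty file instead of 404.
 echo '';
 return;
 }
 ### Set no-cache
 header('Content-Type: text/html; charset=utf-8');
 header('Cache-Control: no-cache, no-store, must-revalidate');
 header('Pragma: no-cache');
 header('Expires: 0');
 ### Open MIME info database and send the content type.
 header('Content-type: text/html');
 ### Send the file along with the inline content disposition.
 header('Content-length: '.(int)get_file_size($userPath.'.html'));
 header('Content-Disposition: inline; filename="' . basename($userPath.'.html') . '"');
 header('X-Sendfile: '.$userPath.'.html');
 break;
 }
 
 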
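Review bot: The Referer branch of the new "Script restrictions" block rejects only a missing Referer, not a mismatched one: the inner expression is `(missing-or-empty) && (mismatch)`, so a present-but-wrong Referer makes the first operand false and the whole branch is skipped, while an absent header still evaluates `strtoupper($_SERVER['HTTP_REFERER'])` in the second operand and raises an undefined-index notice. If the intent is to require both the XHR header and a Referer matching `URL_PATH . 'TEXT.HTML'`, the `&&` between the two inner groups should be `||`, and the comparison can read `strtoupper($_SERVER['HTTP_REFERER'] ?? '') != strtoupper($config['URL_PATH'].'TEXT.HTML')` so the absent case no longer emits a notice. Both headers are supplied by the requester, so this check is a same-origin/CSRF hint rather than authentication; a one-line comment above `#### Script restrictions.` stating that the 403 is not an access-control boundary would keep a later maintainer from relying on it. The commented-out FILE.HTML comparison reads as dead code and should be removed or explained in the comment.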