scratch – Diff between revs 49 and 52
Rev 49 | Rev 52 | |||
---|---|---|---|---|
Line 6... | Line 6... | |||
6 | |
6 | |
|
7 | require_once('inc/pseudocrypt.php'); |
7 | require_once('inc/pseudocrypt.php'); |
|
8 | require_once('inc/functions.php'); |
8 | require_once('inc/functions.php'); |
|
Line -... | Line 9... | |||
- | 9 | require_once('config.php'); |
||
- | 10 | |
||
- | 11 | #### POST -> upload / GET -> download |
||
9 | require_once('config.php'); |
12 | switch ($_SERVER['REQUEST_METHOD']) { |
|
10 | |
13 | case 'POST': |
|
11 | #### Retrieve uploaded file. |
14 | #### Retrieve uploaded file. |
|
12 | if (!empty($_FILES['file']) and |
15 | if (!empty($_FILES['file']) and |
|
13 | is_uploaded_file($_FILES['file']['tmp_name'])) { |
16 | is_uploaded_file($_FILES['file']['tmp_name'])) { |
|
Line 56... | Line 59... | |||
56 | ); |
59 | ); |
|
Line 57... | Line 60... | |||
57 | |
60 | |
|
58 | #### Check for path traversals |
61 | #### Check for path traversals |
|
59 | $pathPart = pathinfo($userPath.'.'.$fileExtension); |
62 | $pathPart = pathinfo($userPath.'.'.$fileExtension); |
|
60 | if (strcasecmp( |
63 | if (strcasecmp( |
|
61 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) |
64 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
|
- | 65 | return; |
||
Line 62... | Line 66... | |||
62 | return; |
66 | } |
|
63 | |
67 | |
|
Line 64... | Line 68... | |||
64 | #### Store the file. |
68 | #### Store the file. |
|
65 | atomized_put_contents($userPath.'.'.$fileExtension, $data); |
69 | atomized_put_contents($userPath.'.'.$fileExtension, $data); |
|
66 | |
70 | |
|
- | 71 | ### Return the URL to the file. |
||
- | 72 | header('Content-Type: text/plain; charset=utf-8'); |
||
- | 73 | echo sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
||
- | 74 | break; |
||
- | 75 | case 'GET': |
||
- | 76 | ### If no file has been specified for download then return. |
||
- | 77 | if (!isset($_GET['o']) or empty($_GET['o'])) { |
||
- | 78 | http_response_code(404); |
||
- | 79 | return; |
||
- | 80 | } |
||
- | 81 | |
||
- | 82 | $file = array_shift( |
||
- | 83 | preg_grep( |
||
- | 84 | "/$_GET[o]/", |
||
- | 85 | scandir($STORE_FOLDER) |
||
- | 86 | ) |
||
- | 87 | ); |
||
- | 88 | |
||
- | 89 | if (!isset($file) or empty($file)) |
||
- | 90 | return; |
||
- | 91 | |
||
- | 92 | ### Open MIME info database and send the content type. |
||
- | 93 | $finfo = finfo_open(FILEINFO_MIME_TYPE); |
||
- | 94 | if (!$finfo) { |
||
- | 95 | http_response_code(500); |
||
- | 96 | return; |
||
- | 97 | } |
||
- | 98 | |
||
- | 99 | header('Content-type: '.finfo_file($finfo, $STORE_FOLDER.'/'.$file)); |
||
- | 100 | finfo_close($finfo); |
||
- | 101 | |
||
- | 102 | ### Send the file along with the inline content disposition. |
||
- | 103 | header('Content-length: '.(int)get_file_size($STORE_FOLDER.'/'.$file)); |
||
- | 104 | header('Content-Disposition: inline; filename="' . basename($STORE_FOLDER.'/'.$file) . '"'); |