scratch – Diff between revs 49 and 52
?pathlinks?
| Rev 49 | Rev 52 | |||
|---|---|---|---|---|
| Line 6... | Line 6... | |||
| 6 | |
6 | |
|
| 7 | require_once('inc/pseudocrypt.php'); |
7 | require_once('inc/pseudocrypt.php'); |
|
| 8 | require_once('inc/functions.php'); |
8 | require_once('inc/functions.php'); |
|
| Line -... | Line 9... | |||
| - | 9 | require_once('config.php'); |
||
| - | 10 | |
||
| - | 11 | #### POST -> upload / GET -> download |
||
| 9 | require_once('config.php'); |
12 | switch ($_SERVER['REQUEST_METHOD']) { |
|
| 10 | |
13 | case 'POST': |
|
| 11 | #### Retrieve uploaded file. |
14 | #### Retrieve uploaded file. |
|
| 12 | if (!empty($_FILES['file']) and |
15 | if (!empty($_FILES['file']) and |
|
| 13 | is_uploaded_file($_FILES['file']['tmp_name'])) { |
16 | is_uploaded_file($_FILES['file']['tmp_name'])) { |
|
| Line 56... | Line 59... | |||
| 56 | ); |
59 | ); |
|
| Line 57... | Line 60... | |||
| 57 | |
60 | |
|
| 58 | #### Check for path traversals |
61 | #### Check for path traversals |
|
| 59 | $pathPart = pathinfo($userPath.'.'.$fileExtension); |
62 | $pathPart = pathinfo($userPath.'.'.$fileExtension); |
|
| 60 | if (strcasecmp( |
63 | if (strcasecmp( |
|
| 61 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) |
64 | realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0) { |
|
| - | 65 | return; |
||
| Line 62... | Line 66... | |||
| 62 | return; |
66 | } |
|
| 63 | |
67 | |
|
| Line 64... | Line 68... | |||
| 64 | #### Store the file. |
68 | #### Store the file. |
|
| 65 | atomized_put_contents($userPath.'.'.$fileExtension, $data); |
69 | atomized_put_contents($userPath.'.'.$fileExtension, $data); |
|
| 66 | |
70 | |
|
| - | 71 | ### Return the URL to the file. |
||
| - | 72 | header('Content-Type: text/plain; charset=utf-8'); |
||
| - | 73 | echo sprintf('%s/%s', trim($URL_PATH, '/'), $file); |
||
| - | 74 | break; |
||
| - | 75 | case 'GET': |
||
| - | 76 | ### If no file has been specified for download then return. |
||
| - | 77 | if (!isset($_GET['o']) or empty($_GET['o'])) { |
||
| - | 78 | http_response_code(404); |
||
| - | 79 | return; |
||
| - | 80 | } |
||
| - | 81 | |
||
| - | 82 | $file = array_shift( |
||
| - | 83 | preg_grep( |
||
| - | 84 | "/$_GET[o]/", |
||
| - | 85 | scandir($STORE_FOLDER) |
||
| - | 86 | ) |
||
| - | 87 | ); |
||
| - | 88 | |
||
| - | 89 | if (!isset($file) or empty($file)) |
||
| - | 90 | return; |
||
| - | 91 | |
||
| - | 92 | ### Open MIME info database and send the content type. |
||
| - | 93 | $finfo = finfo_open(FILEINFO_MIME_TYPE); |
||
| - | 94 | if (!$finfo) { |
||
| - | 95 | http_response_code(500); |
||
| - | 96 | return; |
||
| - | 97 | } |
||
| - | 98 | |
||
| - | 99 | header('Content-type: '.finfo_file($finfo, $STORE_FOLDER.'/'.$file)); |
||
| - | 100 | finfo_close($finfo); |
||
| - | 101 | |
||
| - | 102 | ### Send the file along with the inline content disposition. |
||
| - | 103 | header('Content-length: '.(int)get_file_size($STORE_FOLDER.'/'.$file)); |
||
| - | 104 | header('Content-Disposition: inline; filename="' . basename($STORE_FOLDER.'/'.$file) . '"'); |
||