scratch – Rev 85
?pathlinks?
<?php
###########################################################################
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
###########################################################################
require_once('php/pseudocrypt.php');
require_once('php/functions.php');
require_once('vendor/mustangostang/spyc/Spyc.php');
### Load configuration.
$config = spyc_load_file('config.yaml');
### If no file has been specified for download then return.
if (!isset($_GET['hash']) or empty($_GET['hash'])) {
http_response_code(404);
die('File not found.');
}
### If no timestamp has been provided then return.
if (!isset($_GET['timestamp']) or empty($_GET['timestamp'])) {
http_response_code(403);
die('Forbidden.');
}
### Find the requested file.
$file = array_shift(
preg_grep(
"/".$_GET['hash']."/",
scandir($config['STORE_FOLDER'])
)
);
if (!isset($file) or empty($file)) {
http_response_code(404);
die('File not found.');
}
### Check the path for path traversals.
$fileExtension = pathinfo($file, PATHINFO_EXTENSION);
#### If the extension is not allowed then return.
if (!isset($fileExtension) ||
!in_array(strtoupper($fileExtension),
array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']))) {
http_response_code(403);
die('File extension not allowed.');
}
#### Build the user path.
$userPath = join(
DIRECTORY_SEPARATOR,
array(
$config['STORE_FOLDER'],
$file
)
);
#### Check for path traversals
$pathPart = pathinfo($userPath);
if (strcasecmp(
realpath($pathPart['dirname']), realpath($config['STORE_FOLDER'])) != 0) {
http_response_code(500);
die('Internal server error.');
}
#### Check if the file exists.
if (!file_exists($userPath)) {
http_response_code(404);
die('File not found.');
}
### Check if the timestamp matches.
if (filemtime($userPath) != $_GET['timestamp']) {
http_response_code(403);
die('Forbidden.');
}
unlink($userPath);