scratch – Rev 16
?pathlinks?
<?php
###########################################################################
## Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3 ##
###########################################################################
require_once('inc/pseudocrypt.php');
require_once('inc/functions.php');
require_once('config.php');
#### Retrieve uploaded file.
if (!empty($_FILES['file']) and
is_uploaded_file($_FILES['file']['tmp_name'])) {
# Regular multipart/form-data upload.
$name = $_FILES['file']['name'];
$data = file_get_contents($_FILES['file']['tmp_name']);
} else {
# Raw POST data.
$name = urldecode(@$_SERVER['HTTP_X_FILE_NAME']);
$data = file_get_contents("php://input");
}
#### Grab the file extension.
$fileExtension = pathinfo($name, PATHINFO_EXTENSION);
#### If the extension is not allowed then change it to a text extension.
if (!isset($fileExtension) ||
!in_array(strtoupper($fileExtension),
array_map('strtoupper', $ALLOWED_FILE_EXTENSIONS)))
$fileExtension = 'txt';
#### Hash filename.
$file = strtolower(
PseudoCrypt::hash(
preg_replace(
'/\D/',
'',
hash(
'sha512',
$name
)
)
). '.'.
$fileExtension
);
#### Build the user path.
$userPath = join(
DIRECTORY_SEPARATOR,
array(
$STORE_FOLDER,
$file
)
);
#### Check for path traversals
$pathPart = pathinfo($userPath);
if (strcasecmp(realpath($pathPart['dirname']), realpath($STORE_FOLDER)) != 0)
return;
#### Store the file.
atomized_put_contents($userPath, $data);
### Return the URL to the file.
header('Content-Type: text/plain; charset=utf-8');
echo sprintf('%s/%s', trim($URL_PATH, '/'), $file);