<?php

###########################################################################
##  Copyright (C) Wizardry and Steamworks 2017 - License: GNU GPLv3      ##
###########################################################################

require_once('php/pseudocrypt.php');
require_once('php/functions.php');
require_once('vendor/mustangostang/spyc/Spyc.php');

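### Load configuration.
$config = spyc_load_file('config.yaml');

### NOTE(review): no authentication or authorization check is visible in this
### script; it deletes files from STORE_FOLDER on the strength of a GET
### parameter alone. Presumably access is restricted upstream (web server /
### include context) — confirm before exposing this endpoint.

### If no file has been specified for deletion then return.
### The is_string() check rejects array-style parameters (o[]=...), which
### would otherwise be stringified to "Array" when building the pattern.
if (!isset($_GET['o']) || !is_string($_GET['o']) || empty($_GET['o'])) {
    ### header() with a colon-less string emits a malformed header line;
    ### http_response_code() sets the status without it.
    http_response_code(404);
    return;
}

### Find the requested file: the first store entry whose name contains the
### requested token. The token is preg_quote()d so regex metacharacters in
### the request cannot widen the match (a bare "." would otherwise match
### every entry) or break the pattern (an unescaped "/" ends the delimiter,
### making preg_grep() return false). "." and ".." are never deletable.
$entries = scandir($config['STORE_FOLDER']);
if ($entries === false) {
    ### The store folder is missing or unreadable.
    http_response_code(500);
    return;
}
$matches = preg_grep(
    '/' . preg_quote($_GET['o'], '/') . '/',
    array_diff($entries, ['.', '..'])
);
$file = empty($matches) ? null : array_shift($matches);

if (!isset($file) || empty($file)) {
    http_response_code(404);
    return;
}

### Only files whose extension is on the allow-list may be deleted.
### pathinfo() returns '' (never null) when there is no extension, so the
### emptiness test replaces the always-true isset() check.
$fileExtension = pathinfo($file, PATHINFO_EXTENSION);
$allowedExtensions = array_map('strtoupper', $config['ALLOWED_FILE_EXTENSIONS']);
if ($fileExtension === '' ||
    !in_array(strtoupper($fileExtension), $allowedExtensions, true)) {
    http_response_code(403);
    return;
}

#### Build the user path.
$userPath = implode(
    DIRECTORY_SEPARATOR,
    [
        $config['STORE_FOLDER'],
        $file,
    ]
);

#### Check for path traversals (defence in depth: $file is a scandir()
#### entry, so it should never contain a separator). realpath() returns
#### false for a non-existent path; treat that as a failure rather than
#### letting strcasecmp() silently compare against ''.
$storeRealPath = realpath($config['STORE_FOLDER']);
$dirRealPath = realpath(dirname($userPath));
if ($storeRealPath === false ||
    $dirRealPath === false ||
    strcasecmp($dirRealPath, $storeRealPath) !== 0) {
    http_response_code(500);
    return;
}

### is_file() instead of file_exists(): directories cannot be unlink()ed,
### so they are reported as not found rather than producing a warning.
if (!is_file($userPath)) {
    http_response_code(404);
    return;
}

### Report a failed deletion instead of silently returning 200.
if (!unlink($userPath)) {
    http_response_code(500);
    return;
}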