1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
<?php
/*
Jappix - An open social platform
This is the Jappix Out of Band file send script
-------------------------------------------------
License: AGPL
Author: Valérian Saliou
*/
// PHP base
define('JAPPIX_BASE', '..');
// Get the needed files
require_once('./functions.php');
require_once('./read-main.php');
require_once('./read-hosts.php');
// Prepare application
enableErrorSink();
hideErrors();
compressThis();
// Not allowed for a special node
if(isStatic()) {
exit;
}
// Action on an existing file
if(isset($_GET['id']) && !empty($_GET['id'])) {
$file_id = $_GET['id'];
$file_path = JAPPIX_BASE.'/tmp/send/'.$file_id;
// Get file name
if(isset($_GET['name']) && !empty($_GET['name'])) {
$file_name = $_GET['name'];
} else {
$file_name = $file_id;
}
// Hack?
if(!isSafe($file_id)) {
header('Status: 406 Not Acceptable', true, 406);
exit('HTTP/1.1 406 Not Acceptable');
}
// File does not exist
if(!file_exists($file_path)) {
header('Status: 404 Not Found', true, 404);
exit('HTTP/1.1 404 Not Found');
}
// Remove a file
if(isset($_GET['action']) && ($_GET['action'] == 'remove')) {
header('Status: 204 No Content', true, 204);
unlink($file_path);
exit('File Removed.');
}
// Receive a file
header("Content-disposition: attachment; filename=\"$file_name\"");
header("Content-Type: application/force-download");
header("Content-Length: ".filesize($file_path));
header("Pragma: no-cache");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0, public");
header("Expires: 0");
readfile($file_path);
unlink($file_path);
}
// Send a file
else if((isset($_FILES['file']) && !empty($_FILES['file'])) && (isset($_POST['id']) && !empty($_POST['id'])) && (isset($_POST['location']) && !empty($_POST['location']))) {
header('Content-Type: text/xml; charset=utf-8');
// Get the file name
$tmp_filename = $_FILES['file']['tmp_name'];
$filename = $_FILES['file']['name'];
// Get the location
if(HOST_UPLOAD) {
$location = HOST_UPLOAD.'/';
} else {
$location = $_POST['location'];
}
// Get the file new name
$ext = getFileExt($filename);
$new_name = preg_replace('/(^)(.+)(\.)(.+)($)/i', '$2', $filename);
// Define some vars
$name = sha1(time().$filename);
$path = JAPPIX_BASE.'/tmp/send/'.$name.'.'.$ext;
// Forbidden file?
if(!isSafeAllowed($filename) || !isSafeAllowed($name.'.'.$ext)) {
exit(
'<jappix xmlns=\'jappix:file:send\'>
<error>forbidden-type</error>
<id>'.htmlspecialchars($_POST['id']).'</id>
</jappix>'
);
}
// File upload error?
if(!is_uploaded_file($tmp_filename) || !move_uploaded_file($tmp_filename, $path)) {
exit(
'<jappix xmlns=\'jappix:file:send\'>
<error>move-error</error>
<id>'.htmlspecialchars($_POST['id']).'</id>
</jappix>'
);
}
// Return the path to the file
exit(
'<jappix xmlns=\'jappix:file:send\'>
<url>'.htmlspecialchars($location.'server/send.php?id='.urlencode($name).'.'.urlencode($ext).'&name='.urlencode($filename)).'</url>
<desc>'.htmlspecialchars($new_name).'</desc>
<id>'.htmlspecialchars($_POST['id']).'</id>
</jappix>'
);
}
// Error?
else {
header('Status: 400 Bad Request', true, 400);
exit('HTTP/1.1 400 Bad Request');
}
?>
|
