diff --git a/sqlite_schema.sql b/sqlite_schema.sql index 6338b51..db3b7ee 100644 --- a/sqlite_schema.sql +++ b/sqlite_schema.sql @@ -8,5 +8,6 @@ CREATE TABLE `files` ( , `filename` varchar(30) default NULL , `size` integer default NULL , `date` integer default NULL +, `ip` char(15) default NULL ); END TRANSACTION; diff --git a/static/php/includes/settings.inc.php b/static/php/includes/settings.inc.php index 5f0013e..e8445d0 100644 --- a/static/php/includes/settings.inc.php +++ b/static/php/includes/settings.inc.php @@ -12,7 +12,7 @@ * * @see http://php.net/manual/en/ref.pdo-mysql.connection.php PHP manual for * PDO_MYSQL DSN. - * @param string POMF_DB_CONN DSN:host|unix_socket=hostname|path;dbname=database + * @param string UGUU_DB_CONN DSN:host|unix_socket=hostname|path;dbname=database */ define('UGUU_DB_CONN', 'sqlite:/path/to/db/uguu.sq3'); @@ -20,11 +20,14 @@ define('UGUU_DB_CONN', 'sqlite:/path/to/db/uguu.sq3'); * PDO database login credentials */ -/* @param string POMF_DB_NAME Database username */ +/* @param string UGUU_DB_NAME Database username */ define('UGUU_DB_USER', 'NULL'); -/* @param string POMF_DB_PASS Database password */ +/* @param string UGUU_DB_PASS Database password */ define('UGUU_DB_PASS', 'NULL'); +/** Log IP of uploads */ +define('LOG_IP', 'no'); + /* * File system location where to store uploaded files * 
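Review bot: `char(15)` for the new `ip` column only fits a dotted-quad IPv4 address, but the value upload.php stores into it when `LOG_IP` is enabled is `$_SERVER['REMOTE_ADDR']`, which can be an IPv6 literal of up to 39 characters (45 for IPv4-mapped forms). SQLite does not enforce the declared length, so nothing fails here, but the settings file advertises a PDO_MYSQL DSN as well, and a MySQL deployment of the same column would truncate or reject those inserts. Suggest declaring it as `varchar(45) default NULL` so the schema matches what the application actually writes.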
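Review bot: `define('LOG_IP', 'no');` introduces a stringly-typed switch that upload.php tests with `LOG_IP == 'yes'`, so any other spelling (`'Yes'`, `'true'`, `1`) silently disables logging rather than erroring. A boolean constant, `define('LOG_IP', false);`, with the comparison in upload.php changed to `if (LOG_IP) {`, removes that failure mode. The one-line docblock should also say what the operator is opting into: the address is personal data stored in the `files` row for as long as the file exists, and behind a reverse proxy `REMOTE_ADDR` is the proxy's address, not the uploader's. The enclosing settings block continues past the end of this hunk.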
@@ -39,14 +42,14 @@ define('UGUU_FILES_ROOT', '/path/to/file/');
 * exist under a randomly generated filename, so we count tries and keep trying.
 * If this value is exceeded, we give up trying to generate a new filename.
 *
- * @param int POMF_FILES_RETRIES Number of attempts to retry
+ * @param int UGUU_FILES_RETRIES Number of attempts to retry
 */
 define('UGUU_FILES_RETRIES', 15);
 
 /*
 * The length of generated filename (without file extension)
 *
- * @param int POMF_FILES_LENGTH Number of random alphabetical ASCII characters
+ * @param int UGUU_FILES_LENGTH Number of random alphabetical ASCII characters
 * to use
 */
 define('UGUU_FILES_LENGTH', 8);
@@ -54,9 +57,9 @@ define('UGUU_FILES_LENGTH', 8);
 /*
 * URI to prepend to links for uploaded files
 *
- * @param string POMF_URL URI with trailing delimiter
+ * @param string UGUU_URL URI with trailing delimiter
 */
-define('UGUU_URL', 'https://a.uguu.se/');
+define('UGUU_URL', 'https://url.to.subdomain.where.files.will.be.served.com');
 
 /*
 * URI for filename generation
diff --git a/static/php/upload.php b/static/php/upload.php
index d1a4d4c..1be73db 100644
--- a/static/php/upload.php
+++ b/static/php/upload.php
@@ -1,15 +1,20 @@ name, PATHINFO_EXTENSION); //Get mime
@@ -37,7 +42,8 @@ function generateName($file)
 do {
 // Iterate until we reach the maximum number of retries
 if ($tries-- === 0) {
- throw new Exception(
+ http_response_code(500);
+ throw new Exception(
 'Gave up trying to find an unused name',
 500
 ); // HTTP status code "500 Internal Server Error"
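Review bot: The new `UGUU_URL` placeholder has no trailing slash, while the docblock two lines above still says "URI with trailing delimiter" and upload.php builds the link as `POMF_URL.rawurlencode($newname)` with no separator, so copying this example verbatim yields `https://url.to.subdomain.where.files.will.be.served.com<name>`. Since it is the value an installer is most likely to paste and edit, make the example satisfy its own contract: `define('UGUU_URL', 'https://url.to.subdomain.where.files.will.be.served.com/');`.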
@@ -54,17 +60,29 @@ function generateName($file) $name .= '.'.$ext; } - //Check if mime is blacklisted - if (in_array($type_mime, unserialize(CONFIG_BLOCKED_MIME))) { - http_response_code(415); - throw new Exception('Filetype not allowed!'); + //Check if mime is blacklisted + if (in_array($type_mime, unserialize(CONFIG_BLOCKED_MIME))) { + http_response_code(415); + throw new Exception ('Extension type not allowed.'); exit(0); - } + } + //Check if EXT is blacklisted if (in_array($ext, unserialize(CONFIG_BLOCKED_EXTENSIONS))) { + http_response_code(415); + throw new Exception ('Extension type not allowed.'); + exit(0); + } + + // Check blacklist DB + $q = $db->prepare('SELECT hash, COUNT(*) AS count FROM blacklistedfiles WHERE hash = (:hash)'); + $q->bindValue(':hash', $file->getSha1(), PDO::PARAM_STR); + $q->execute(); + $result = $q->fetch(); + if ($result['count'] > 0) { http_response_code(415); - throw new Exception('Filetype not allowed!'); + throw new UploadException(UPLOAD_ERR_BLACKLISTED); exit(0); } @@ -74,10 +92,9 @@ function generateName($file) $q->execute(); $result = $q->fetchColumn(); // If it does, generate a new name - } while ($result > 0); - - return $name; -} + } while ($result > 0); + return $name; + } /** * Handles the uploading and db entry for a file. @@ -100,13 +117,16 @@ function uploadFile($file) // Generate a name for the file $newname = generateName($file); + // Get IP + $ip = $_SERVER['REMOTE_ADDR']; + // Store the file's full file path in memory - $uploadFile = UGUU_FILES_ROOT.$newname; + $uploadFile = POMF_FILES_ROOT . $newname; // Attempt to move it to the static directory if (!move_uploaded_file($file->tempfile, $uploadFile)) { - http_response_code(500); - throw new Exception( + http_response_code(500); + throw new Exception( 'Failed to move file to destination', 500 ); // HTTP status code "500 Internal Server Error" 
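Review bot: The extension blacklist is still compared case-sensitively and loosely, `in_array($ext, unserialize(CONFIG_BLOCKED_EXTENSIONS))`, so a name ending in `.PHP` or `.Php` passes a list that only contains `php`; if `$ext` comes straight from `pathinfo(..., PATHINFO_EXTENSION)` as the first hunk suggests, normalise it: `if (in_array(strtolower($ext), unserialize(CONFIG_BLOCKED_EXTENSIONS), true)) {`. The `exit(0);` lines that follow each `throw` are unreachable and can be dropped. The message `'Extension type not allowed.'` is also reused for the MIME rejection, which misleads an uploader whose extension is fine but whose detected type is blocked. generateName's body continues outside this hunk, so the surrounding retry loop is not visible here.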
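Review bot: `$uploadFile = POMF_FILES_ROOT . $newname;` references a constant this commit does not define: settings.inc.php defines `UGUU_FILES_ROOT` (visible in the `@@ -39` hunk header above), and the line being replaced used it. On PHP 7 an undefined constant evaluates to the bare string with a warning, so `move_uploaded_file` would write to a relative path `POMF_FILES_ROOT<name>` next to the script; on PHP 8 it throws before the move. Restore `$uploadFile = UGUU_FILES_ROOT . $newname;`. The new `$ip = $_SERVER['REMOTE_ADDR'];` is fine as a source of truth, but note it is the proxy's address behind a reverse proxy; do not swap in `X-Forwarded-For` without validating the proxy. uploadFile's body continues outside this hunk.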
@@ -114,40 +134,48 @@ function uploadFile($file) // Need to change permissions for the new file to make it world readable if (!chmod($uploadFile, 0644)) { - http_response_code(500); - throw new Exception( + http_response_code(500); + throw new Exception( 'Failed to change file permissions', 500 ); // HTTP status code "500 Internal Server Error" } // Add it to the database - $q = $db->prepare('INSERT INTO files (hash, originalname, filename, size, date) VALUES (:hash, :orig, :name, :size, :date)'); - + if(LOG_IP == 'yes'){ + $q = $db->prepare('INSERT INTO files (hash, originalname, filename, size, date, ip) VALUES (:hash, :orig, :name, :size, :date, :ip)'); + }else{ + $q = $db->prepare('INSERT INTO files (hash, originalname, filename, size, date) VALUES (:hash, :orig, :name, :size, :date)'); + } // Common parameters binding $q->bindValue(':hash', $file->getSha1(), PDO::PARAM_STR); $q->bindValue(':orig', strip_tags($file->name), PDO::PARAM_STR); $q->bindValue(':name', $newname, PDO::PARAM_STR); $q->bindValue(':size', $file->size, PDO::PARAM_INT); $q->bindValue(':date', time(), PDO::PARAM_INT); + if(LOG_IP == 'yes'){ + $q->bindValue(':ip', $ip, PDO::PARAM_STR); + } $q->execute(); - return [ + return array( 'hash' => $file->getSha1(), 'name' => $file->name, - 'url' => UGUU_URL.rawurlencode($newname), + 'url' => POMF_URL.rawurlencode($newname), 'size' => $file->size, - ]; + ); } /** * Reorder files array by file. * + * @param $_FILES + * * @return array */ function diverseArray($files) { - $result = []; + $result = array(); foreach ($files as $key1 => $value1) { foreach ($value1 as $key2 => $value2) { @@ -161,11 +189,13 @@ function diverseArray($files) /** * Reorganize the $_FILES array into something saner. * + * @param $_FILES + * * @return array */ function refiles($files) { - $result = []; + $result = array(); $files = diverseArray($files); foreach ($files as $file) {
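Review bot: `'url' => POMF_URL.rawurlencode($newname),` uses a constant that settings.inc.php does not define (the same commit documents and defines `UGUU_URL`), so on PHP 7 the returned link is built from the literal string `POMF_URL` with a warning, and on PHP 8 the request fails after the file has already been moved and inserted into the database. Restore `'url' => UGUU_URL.rawurlencode($newname),`. The two `if(LOG_IP == 'yes')` branches rely on a loose string comparison; `LOG_IP === 'yes'` (or a boolean constant) says what is meant. `return array(` and `$result = array();` also regress the file's existing short `[]` syntax with no functional gain.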