X-Git-Url: https://git.p6c8.net/jirafeau.git/blobdiff_plain/cd09b476cbbfa8f90f0f86e67da5414d21c8ad10..a74a310d8f32a604b6f48f46e96edd34ffa5eab4:/lib/functions.php?ds=sidebyside diff --git a/lib/functions.php b/lib/functions.php index bac444b..01d0638 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -120,6 +120,21 @@ function jirafeau_human_size($octets) return round($o, 1) . $u[$p]; } +// Convert UTC timestamp to a datetime field +function jirafeau_get_datetimefield($timestamp) +{ + $content = '<span class="datetime" data-datetime="' . strftime('%Y-%m-%d %H:%M', $timestamp) . '">' + . strftime('%Y-%m-%d %H:%M', $timestamp) . ' (GMT)</span>'; + return $content; +} + +function jirafeau_fatal_error($errorText, $cfg = array()) +{ + echo '<div class="error"><h2>Error</h2><p>' . $errorText . '</p></div>'; + require(JIRAFEAU_ROOT . 'lib/template/footer.php'); + exit; +} + function jirafeau_clean_rm_link($link) { $p = s2p("$link"); @@ -189,7 +204,7 @@ function jirafeau_ini_to_bytes($value) function jirafeau_get_max_upload_size_bytes() { return min(jirafeau_ini_to_bytes(ini_get('post_max_size')), - jirafeau_ini_to_bytes(ini_get('upload_max_filesize'))); + jirafeau_ini_to_bytes(ini_get('upload_max_filesize'))); } /** @@ -198,9 +213,7 @@ function jirafeau_get_max_upload_size_bytes() */ function jirafeau_get_max_upload_size() { - return jirafeau_human_size( - min(jirafeau_ini_to_bytes(ini_get('post_max_size')), - jirafeau_ini_to_bytes(ini_get('upload_max_filesize')))); + return jirafeau_human_size(jirafeau_get_max_upload_size_bytes()); } /** @@ -359,7 +372,7 @@ function jirafeau_upload($file, $one_time_download, $key, $time, $ip, $crypt, $l return (array( 'error' => array('has_error' => true, - 'why' => t('Internal error during file creation.')), + 'why' => t('INTERNAL_ERROR_DEL')), 'link' =>'', 'delete_link' => '')); } @@ -498,7 +511,7 @@ function check_errors($cfg) } if (!is_writable(VAR_ASYNC)) { - add_error(t('The async directory is not writable!'), VAR_ASYNC); + add_error(t('ASYNC_DIR_W'), VAR_ASYNC); } } @@ -538,28 +551,28 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) { echo '<fieldset><legend>'; if (!empty($name)) { - echo t('Filename') . ": $name "; + echo t('FILENAME') . ": " . jirafeau_escape($name); } if (!empty($file_hash)) { - echo t('file') . ": $file_hash "; + echo t('FILE') . ": " . jirafeau_escape($file_hash); } if (!empty($link_hash)) { - echo t('link') . ": $link_hash "; + echo t('LINK') . ": " . jirafeau_escape($link_hash); } if (empty($name) && empty($file_hash) && empty($link_hash)) { - echo t('List all files'); + echo t('LS_FILES'); } echo '</legend>'; echo '<table>'; echo '<tr>'; - echo '<td>' . t('Filename') . '</td>'; - echo '<td>' . t('Type') . '</td>'; - echo '<td>' . t('Size') . '</td>'; - echo '<td>' . t('Expire') . '</td>'; - echo '<td>' . t('Onetime') . '</td>'; - echo '<td>' . t('Upload date') . '</td>'; - echo '<td>' . t('Origin') . '</td>'; - echo '<td>' . t('Action') . '</td>'; + echo '<td>' . t('FILENAME') . '</td>'; + echo '<td>' . t('TYPE') . '</td>'; + echo '<td>' . t('SIZE') . '</td>'; + echo '<td>' . t('EXPIRE') . '</td>'; + echo '<td>' . t('ONETIME') . '</td>'; + echo '<td>' . t('UPLOAD_DATE') . '</td>'; + echo '<td>' . t('ORIGIN') . '</td>'; + echo '<td>' . t('ACTION') . '</td>'; echo '</tr>'; /* Get all links files. */ @@ -582,7 +595,7 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) } /* Filter. */ - if (!empty($name) && !preg_match("/$name/i", htmlspecialchars($l['file_name']))) { + if (!empty($name) && !@preg_match("/$name/i", jirafeau_escape($l['file_name']))) { continue; } if (!empty($file_hash) && $file_hash != $l['md5']) { @@ -594,13 +607,12 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) /* Print link informations. */ echo '<tr>'; echo '<td>' . - '<strong><a id="upload_link" href="' . JIRAFEAU_ABSPREFIX . 'f.php?h='. htmlspecialchars($node) .'" title="' . - t('Download page') . '">' . htmlspecialchars($l['file_name']) . '</a></strong>'; + '<strong><a id="upload_link" href="f.php?h='. jirafeau_escape($node) .'" title="' . + t('DL_PAGE') . '">' . jirafeau_escape($l['file_name']) . '</a></strong>'; echo '</td>'; - echo '<td>' . $l['mime_type'] . '</td>'; + echo '<td>' . jirafeau_escape($l['mime_type']) . '</td>'; echo '<td>' . jirafeau_human_size($l['file_size']) . '</td>'; - echo '<td>' . ($l['time'] == -1 ? '' : strftime('%c', $l['time'])) . - '</td>'; + echo '<td>' . ($l['time'] == -1 ? 'â' : jirafeau_get_datetimefield($l['time'])) . '</td>'; echo '<td>'; if ($l['onetime'] == 'O') { echo 'Y'; @@ -608,23 +620,26 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) echo 'N'; } echo '</td>'; - echo '<td>' . strftime('%c', $l['upload_date']) . '</td>'; + echo '<td>' . jirafeau_get_datetimefield($l['upload_date']) . '</td>'; echo '<td>' . $l['ip'] . '</td>'; echo '<td>' . '<form method="post">' . '<input type = "hidden" name = "action" value = "download"/>' . '<input type = "hidden" name = "link" value = "' . $node . '"/>' . - '<input type = "submit" value = "' . t('Download') . '" />' . + jirafeau_admin_csrf_field() . + '<input type = "submit" value = "' . t('DL') . '" />' . '</form>' . '<form method="post">' . '<input type = "hidden" name = "action" value = "delete_link"/>' . '<input type = "hidden" name = "link" value = "' . $node . '"/>' . - '<input type = "submit" value = "' . t('Del link') . '" />' . + jirafeau_admin_csrf_field() . + '<input type = "submit" value = "' . t('DEL_LINK') . '" />' . '</form>' . '<form method="post">' . '<input type = "hidden" name = "action" value = "delete_file"/>' . '<input type = "hidden" name = "md5" value = "' . $l['md5'] . '"/>' . - '<input type = "submit" value = "' . t('Del file and links') . '" />' . + jirafeau_admin_csrf_field() . + '<input type = "submit" value = "' . t('DEL_FILE_LINKS') . '" />' . '</form>' . '</td>'; echo '</tr>'; @@ -1056,22 +1071,26 @@ function jirafeau_challenge_upload_password($cfg, $password) /** * Test if visitor's IP is authorized to upload. - * @param $ip IP to be challenged + * + * @param $allowedIpList array of allowed IPs + * @param $challengedIp IP to be challenged * @return true if IP is authorized, false otherwise. */ -function jirafeau_challenge_upload_ip($cfg, $ip) +function jirafeau_challenge_upload_ip($allowedIpList, $challengedIp) { - if (count($cfg['upload_ip']) == 0) { + // skip if list is empty = all IPs allowed + if (count($allowedIpList) == 0) { return true; } - foreach ($cfg['upload_ip'] as $i) { - if ($i == $ip) { + // test given IP against each allowed IP + foreach ($allowedIpList as $i) { + if ($i == $challengedIp) { return true; } // CIDR test for IPv4 only. if (strpos($i, '/') !== false) { list($subnet, $mask) = explode('/', $i); - if ((ip2long($ip) & ~((1 << (32 - $mask)) - 1)) == ip2long($subnet)) { + if ((ip2long($challengedIp) & ~((1 << (32 - $mask)) - 1)) == ip2long($subnet)) { return true; } } @@ -1109,7 +1128,7 @@ function jirafeau_challenge_upload ($cfg, $ip, $password) if (!jirafeau_has_upload_password($cfg)) { return false; } - + foreach ($cfg['upload_password'] as $p) { if ($password == $p) { return true; @@ -1196,185 +1215,6 @@ function hex_to_base64($hex) return base64_encode($b); } -/** - * Read alias informations - * @return array containing informations. - */ -function jirafeau_get_alias($hash) -{ - $out = array(); - $link = VAR_ALIAS . s2p("$hash") . $hash; - - if (!file_exists($link)) { - return $out; - } - - $c = file($link); - $out['md5_password'] = trim($c[0]); - $out['ip'] = trim($c[1]); - $out['update_date'] = trim($c[2]); - $out['destination'] = trim($c[3], NL); - - return $out; -} - -/** Create an alias to a jirafeau's link. - * @param $alias alias name - * @param $destination reference of the destination - * @param $password password to protect alias - * @param $ip client's IP - * @return a string containing the edit code of the alias or the string "Error" - */ -function jirafeau_alias_create($alias, $destination, $password, $ip) -{ - /* Check that alias and password are long enough. */ - if (strlen($alias) < 8 || - strlen($alias) > 32 || - strlen($password) < 8 || - strlen($password) > 32) { - return 'Error'; - } - - /* Check that destination exists. */ - $l = jirafeau_get_link($destination); - if (!count($l)) { - return 'Error'; - } - - /* Check that alias does not already exists. */ - $alias = md5($alias); - $p = VAR_ALIAS . s2p($alias); - if (file_exists($p)) { - return 'Error'; - } - - /* Create alias folder. */ - @mkdir($p, 0755, true); - if (!file_exists($p)) { - return 'Error'; - } - - /* Generate password. */ - $md5_password = md5($password); - - /* Store informations. */ - $p .= $alias; - $handle = fopen($p, 'w'); - fwrite($handle, - $md5_password . NL . - $ip . NL . - time() . NL . - $destination . NL); - fclose($handle); - - return 'Ok'; -} - -/** Update an alias. - * @param $alias alias to update - * @param $destination reference of the new destination - * @param $password password to protect alias - * @param $new_password optional new password to protect alias - * @param $ip client's IP - * @return "Ok" or "Error" string - */ -function jirafeau_alias_update($alias, $destination, $password, - $new_password, $ip) -{ - $alias = md5($alias); - /* Check that alias exits. */ - $a = jirafeau_get_alias($alias); - if (!count($a)) { - return 'Error'; - } - - /* Check that destination exists. */ - $l = jirafeau_get_link($a["destination"]); - if (!count($l)) { - return 'Error'; - } - - /* Check password. */ - if ($a["md5_password"] != md5($password)) { - return 'Error'; - } - - $p = $a['md5_password']; - if (strlen($new_password) >= 8 && - strlen($new_password) <= 32) { - $p = md5($new_password); - } elseif (strlen($new_password) > 0) { - return 'Error'; - } - - /* Rewrite informations. */ - $p = VAR_ALIAS . s2p($alias) . $alias; - $handle = fopen($p, 'w'); - fwrite($handle, - $p . NL . - $ip . NL . - time() . NL . - $destination . NL); - fclose($handle); - return 'Ok'; -} - -/** Get an alias. - * @param $alias alias to get - * @return alias destination or "Error" string - */ -function jirafeau_alias_get($alias) -{ - $alias = md5($alias); - /* Check that alias exits. */ - $a = jirafeau_get_alias($alias); - if (!count($a)) { - return 'Error'; - } - - return $a['destination']; -} - -function jirafeau_clean_rm_alias($alias) -{ - $p = s2p("$alias"); - if (file_exists(VAR_ALIAS . $p . $alias)) { - unlink(VAR_ALIAS . $p . $alias); - } - $parse = VAR_ALIAS . $p; - $scan = array(); - while (file_exists($parse) - && ($scan = scandir($parse)) - && count($scan) == 2 // '.' and '..' folders => empty. - && basename($parse) != basename(VAR_ALIAS)) { - rmdir($parse); - $parse = substr($parse, 0, strlen($parse) - strlen(basename($parse)) - 1); - } -} - -/** Delete an alias. - * @param $alias alias to delete - * @param $password password to protect alias - * @return "Ok" or "Error" string - */ -function jirafeau_alias_delete($alias, $password) -{ - $alias = md5($alias); - /* Check that alias exits. */ - $a = jirafeau_get_alias($alias); - if (!count($a)) { - return "Error"; - } - - /* Check password. */ - if ($a["md5_password"] != md5($password)) { - return 'Error'; - } - - jirafeau_clean_rm_alias($alias); - return 'Ok'; -} - /** * Replace markers in templates. * @@ -1404,3 +1244,34 @@ function jirafeau_replace_markers($content, $htmllinebreaks = false) return $content; } + +function jirafeau_escape($string) +{ + return htmlspecialchars($string, ENT_QUOTES); +} + +function jirafeau_admin_session_start() +{ + $_SESSION['admin_auth'] = true; + $_SESSION['admin_csrf'] = md5(uniqid(mt_rand(), true)); +} + +function jirafeau_admin_session_end() +{ + $_SESSION = array(); + session_destroy(); +} + +function jirafeau_admin_session_logged() +{ + return isset($_SESSION['admin_auth']) && + isset($_SESSION['admin_csrf']) && + isset($_POST['admin_csrf']) && + $_SESSION['admin_auth'] === true && + $_SESSION['admin_csrf'] === $_POST['admin_csrf']; +} + +function jirafeau_admin_csrf_field() +{ + return "<input type='hidden' name='admin_csrf' value='". $_SESSION['admin_csrf'] . "'/>"; +}