]> git.p6c8.net - jirafeau_mojo42.git/blob - index.php
[BUGFIX] Add CSRF protection for admin
[jirafeau_mojo42.git] / index.php
1 <?php
2 /*
3 * Jirafeau, your web file repository
4 * Copyright (C) 2013
5 * Jerome Jutteau <j.jutteau@gmail.com>
6 * Jimmy Beauvois <jimmy.beauvois@gmail.com>
7 *
8 * This program is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU Affero General Public License as
10 * published by the Free Software Foundation, either version 3 of the
11 * License, or (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU Affero General Public License for more details.
17 *
18 * You should have received a copy of the GNU Affero General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>.
20 */
21 session_start();
22 define('JIRAFEAU_ROOT', dirname(__FILE__) . '/');
23
24 require(JIRAFEAU_ROOT . 'lib/settings.php');
25 require(JIRAFEAU_ROOT . 'lib/functions.php');
26 require(JIRAFEAU_ROOT . 'lib/lang.php');
27
28 check_errors($cfg);
29 if (has_error()) {
30 show_errors();
31 require(JIRAFEAU_ROOT . 'lib/template/footer.php');
32 exit;
33 }
34
35 require(JIRAFEAU_ROOT . 'lib/template/header.php');
36
37 /* Check if user is allowed to upload. */
38 // First check: Challenge by IP
39 if (true === jirafeau_challenge_upload_ip($cfg['upload_ip'], get_ip_address($cfg))) {
40 // Is an upload password required?
41 if (jirafeau_has_upload_password($cfg)) {
42 // Logout action
43 if (isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) {
44 session_unset();
45 }
46
47 // Challenge by password
48 // …save successful logins in session
49 if (isset($_POST['upload_password'])) {
50 if (jirafeau_challenge_upload_password($cfg, $_POST['upload_password'])) {
51 $_SESSION['upload_auth'] = true;
52 $_SESSION['user_upload_password'] = $_POST['upload_password'];
53 } else {
54 $_SESSION['admin_auth'] = false;
55 jirafeau_fatal_error(t('BAD_PSW'), $cfg);
56 }
57 }
58
59 // Show login form if user session is not authorized yet
60 if (true === empty($_SESSION['upload_auth'])) {
61 ?>
62 <form method="post" class="form login">
63 <fieldset>
64 <table>
65 <tr>
66 <td class = "label"><label for = "enter_password">
67 <?php echo t('UP_PSW') . ':'; ?></label>
68 </td>
69 </tr><tr>
70 <td class = "field"><input type = "password"
71 name = "upload_password" id = "upload_password"
72 size = "40" />
73 </td>
74 </tr>
75 <tr class = "nav">
76 <td class = "nav next">
77 <input type = "submit" name = "key" value =
78 "<?php echo t('LOGIN'); ?>" />
79 </td>
80 </tr>
81 </table>
82 </fieldset>
83 </form>
84 <?php
85 require(JIRAFEAU_ROOT.'lib/template/footer.php');
86 exit;
87 }
88 }
89 }
90 else {
91 jirafeau_fatal_error(t('ACCESS_KO'), $cfg);
92 }
93
94 ?>
95 <div id="upload_finished">
96 <p><?php echo t('FILE_UP') ?></p>
97
98 <div id="upload_finished_download_page">
99 <p>
100 <a id="upload_link" href=""><?php echo t('DL_PAGE') ?></a>
101 <a id="upload_link_email" href=""><img id="upload_image_email"/></a>
102 </p><p>
103 <code id=upload_link_text></code>
104 <button id="upload_link_button"></button>
105 </p>
106 </div>
107
108 <?php if ($cfg['preview'] == true) {
109 ?>
110 <div id="upload_finished_preview">
111 <p>
112 <a id="preview_link" href=""><?php echo t('VIEW_LINK') ?></a>
113 </p><p>
114 <code id=preview_link_text></code>
115 <button id="preview_link_button"></button>
116 </p>
117 </div>
118 <?php
119 } ?>
120
121 <div id="upload_direct_download">
122 <p>
123 <a id="direct_link" href=""><?php echo t('DIRECT_DL') ?></a>
124 </p><p>
125 <code id=direct_link_text></code>
126 <button id="direct_link_button"></button>
127 </p>
128 </div>
129
130 <div id="upload_delete">
131 <p>
132 <a id="delete_link" href=""><?php echo t('DELETE_LINK') ?></a>
133 </p><p>
134 <code id=delete_link_text></code>
135 <button id="delete_link_button"></button>
136 </p>
137 </div>
138
139 <div id="upload_validity">
140 <p><?php echo t('VALID_UNTIL'); ?>:</p>
141 <p id="date"></p>
142 </div>
143 </div>
144
145 <div id="uploading">
146 <p>
147 <?php echo t('UP'); ?>
148 <div id="uploaded_percentage"></div>
149 <div id="uploaded_speed"></div>
150 <div id="uploaded_time"></div>
151 </p>
152 </div>
153
154 <div id="error_pop" class="error">
155 </div>
156
157 <div id="upload">
158 <fieldset>
159 <legend>
160 <?php echo t('SEL_FILE'); ?>
161 </legend>
162 <p>
163 <input type="file" id="file_select" size="30"
164 onchange="control_selected_file_size(<?php echo $cfg['maximal_upload_size'] ?>, '<?php echo t('2_BIG') . ', ' . t('FILE_LIM') . " " . $cfg['maximal_upload_size'] . " MB"; ?>')"/>
165 </p>
166
167 <div id="options">
168 <table id="option_table">
169 <tr>
170 <td><?php echo t('ONE_TIME_DL'); ?>:</td>
171 <td><input type="checkbox" id="one_time_download" /></td>
172 </tr>
173 <tr>
174 <td><label for="input_key"><?php echo t('PSW') . ':'; ?></label></td>
175 <td><input type="text" name="key" id="input_key" /></td>
176 </tr>
177 <tr>
178 <td><label for="select_time"><?php echo t('TIME_LIM') . ':'; ?></label></td>
179 <td><select name="time" id="select_time">
180 <?php
181 $expirationTimeOptions = array(
182 array(
183 'value' => 'minute',
184 'label' => '1_MIN'
185 ),
186 array(
187 'value' => 'hour',
188 'label' => '1_H'
189 ),
190 array(
191 'value' => 'day',
192 'label' => '1_D'
193 ),
194 array(
195 'value' => 'week',
196 'label' => '1_W'
197 ),
198 array(
199 'value' => 'month',
200 'label' => '1_M'
201 ),
202 array(
203 'value' => 'quarter',
204 'label' => '1_Q'
205 ),
206 array(
207 'value' => 'year',
208 'label' => '1_Y'
209 ),
210 array(
211 'value' => 'none',
212 'label' => 'NONE'
213 )
214 );
215 foreach ($expirationTimeOptions as $expirationTimeOption) {
216 $selected = ($expirationTimeOption['value'] === $cfg['availability_default'])? 'selected="selected"' : '';
217 if (true === $cfg['availabilities'][$expirationTimeOption['value']]) {
218 echo '<option value="' . $expirationTimeOption['value'] . '" ' .
219 $selected . '>' . t($expirationTimeOption['label']) . '</option>';
220 }
221 }
222 ?>
223 </select></td>
224 </tr>
225
226 <?php
227 if ($cfg['maximal_upload_size'] > 0) {
228 echo '<p class="config">' . t('FILE_LIM');
229 echo " " . $cfg['maximal_upload_size'] . " MB</p>";
230 }
231 ?>
232
233 <p id="max_file_size" class="config"></p>
234 <p>
235 <?php
236 if (jirafeau_has_upload_password($cfg) && $_SESSION['upload_auth']) {
237 ?>
238 <input type="hidden" id="upload_password" name="upload_password" value="<?php echo $_SESSION['user_upload_password'] ?>"/>
239 <?php
240
241 } else {
242 ?>
243 <input type="hidden" id="upload_password" name="upload_password" value=""/>
244 <?php
245
246 }
247 ?>
248 <input type="submit" id="send" value="<?php echo t('SEND'); ?>"
249 onclick="
250 document.getElementById('upload').style.display = 'none';
251 document.getElementById('uploading').style.display = '';
252 upload (<?php echo jirafeau_get_max_upload_size_bytes(); ?>);
253 "/>
254 </p>
255 </table>
256 </div> </fieldset>
257
258 <?php
259 if (jirafeau_has_upload_password($cfg)) {
260 ?>
261 <form method="post" class="form logout">
262 <input type = "hidden" name = "action" value = "logout"/>
263 <input type = "submit" value = "<?php echo t('LOGOUT'); ?>" />
264 </form>
265 <?php
266
267 }
268 ?>
269
270 </div>
271
272 <script type="text/javascript" lang="Javascript">
273 // @license magnet:?xt=urn:btih:0b31508aeb0634b347b8270c7bee4d411b5d4109&dn=agpl-3.0.txt GPL-v3-or-Later
274 document.getElementById('error_pop').style.display = 'none';
275 document.getElementById('uploading').style.display = 'none';
276 document.getElementById('upload_finished').style.display = 'none';
277 document.getElementById('options').style.display = 'none';
278 document.getElementById('send').style.display = 'none';
279 if (!check_html5_file_api ())
280 document.getElementById('max_file_size').innerHTML = '<?php
281 echo t('NO_BROWSER_SUPPORT') . jirafeau_get_max_upload_size();
282 ?>';
283
284 addCopyListener('upload_link_button', 'upload_link');
285 addCopyListener('preview_link_button', 'preview_link');
286 addCopyListener('direct_link_button', 'direct_link');
287 addCopyListener('delete_link_button', 'delete_link');
288 // @license-end
289 </script>
290 <?php require(JIRAFEAU_ROOT . 'lib/template/footer.php'); ?>

patrick-canterino.de