X-Git-Url: https://git.p6c8.net/jirafeau_mojo42.git/blobdiff_plain/e4f9c92ff84f6146aaf1244147082efd57e289f6..90195988bd71e583c6721aa41446e48c301a79ea:/lib/functions.php?ds=inline diff --git a/lib/functions.php b/lib/functions.php index b26d7b4..0f42e21 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -2,7 +2,7 @@ /* * Jirafeau, your web file repository * Copyright (C) 2008 Julien "axolotl" BERNARD <axolotl@magieeternelle.org> - * Copyright (C) 2012 Jerome Jutteau <j.jutteau@gmail.com> + * Copyright (C) 2015 Jerome Jutteau <j.jutteau@gmail.com> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as @@ -98,6 +98,9 @@ function is_ssl() { return true; } elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) { return true; + } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { + if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') + return true; } return false; } @@ -443,7 +446,7 @@ jirafeau_upload ($file, $one_time_download, $key, $time, $ip, $crypt, $link_name } /** - * tells if a mime-type is viewable in a browser + * Tells if a mime-type is viewable in a browser * @param $mime the mime type * @returns a boolean telling if a mime type is viewable */ @@ -453,7 +456,7 @@ jirafeau_is_viewable ($mime) if (!empty ($mime)) { /* Actually, verify if mime-type is an image or a text. */ - $viewable = array ('image', 'text'); + $viewable = array ('image', 'text', 'video', 'audio'); $decomposed = explode ('/', $mime); return in_array ($decomposed[0], $viewable); } @@ -611,7 +614,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash) continue; /* Filter. */ - if (!empty ($name) && !preg_match ("/$name/i", $l['file_name'])) + if (!empty ($name) && !preg_match ("/$name/i", htmlspecialchars($l['file_name']))) continue; if (!empty ($file_hash) && $file_hash != $l['md5']) continue; @@ -623,7 +626,7 @@ jirafeau_admin_list ($name, $file_hash, $link_hash) '<form action = "admin.php" method = "post">' . '<input type = "hidden" name = "action" value = "download"/>' . '<input type = "hidden" name = "link" value = "' . $node . '"/>' . - '<input type = "submit" value = "' . $l['file_name'] . '" />' . + '<input type = "submit" value = "' . htmlspecialchars($l['file_name']) . '" />' . '</form>'; echo '</td>'; echo '<td>' . $l['mime_type'] . '</td>'; @@ -841,10 +844,11 @@ jirafeau_async_init ($filename, $type, $one_time, $key, $time, $ip) * @param $ref asynchronous upload reference * @param $file piece of data * @param $code client code for this operation + * @param $max_file_size maximum allowed file size * @return a string containing a next code to use or the string "Error" */ function -jirafeau_async_push ($ref, $data, $code) +jirafeau_async_push ($ref, $data, $code, $max_file_size) { /* Get async infos. */ $a = jirafeau_get_async_ref ($ref); @@ -858,9 +862,21 @@ jirafeau_async_push ($ref, $data, $code) $p = s2p ($ref); + /* File path. */ + $r_path = $data['tmp_name']; + $w_path = VAR_ASYNC . $p . $ref . '_data'; + + /* Check that file size is not above upload limit. */ + if ($max_file_size > 0 && + filesize ($r_path) + filesize ($w_path) > $max_file_size * 1024 * 1024) + { + jirafeau_async_delete ($ref); + return "Error"; + } + /* Concatenate data. */ - $r = fopen ($data['tmp_name'], 'r'); - $w = fopen (VAR_ASYNC . $p . $ref . '_data', 'a'); + $r = fopen ($r_path, 'r'); + $w = fopen ($w_path, 'a'); while (!feof ($r)) { if (fwrite ($w, fread ($r, 1024)) === false) @@ -873,7 +889,7 @@ jirafeau_async_push ($ref, $data, $code) } fclose ($r); fclose ($w); - unlink ($data['tmp_name']); + unlink ($r_path); /* Update async file. */ $code = jirafeau_gen_random (4); @@ -891,7 +907,7 @@ jirafeau_async_push ($ref, $data, $code) * @param $ref asynchronous upload reference * @param $code client code for this operation * @param $crypt boolean asking to crypt or not - * @param $link_name_length link name lenght + * @param $link_name_length link name length * @return a string containing the download reference followed by a delete code or the string "Error" */ function @@ -1068,3 +1084,64 @@ function jirafeau_challenge_upload_password ($cfg, $password) return false; } +/** + * Test if visitor's IP is authorized to upload. + * @param $ip IP to be challenged + * @return true if IP is authorized, false otherwise. + */ +function jirafeau_challenge_upload_ip ($cfg, $ip) +{ + if (count ($cfg['upload_ip']) == 0) + return true; + forEach ($cfg['upload_ip'] as $i) + { + if ($i == $ip) + return true; + // CIDR test for IPv4 only. + if (strpos ($i, '/') !== false) + { + list ($subnet, $mask) = explode('/', $i); + if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) + return true; + } + } + return false; +} + +/** + * Get the ip address of the client from REMOTE_ADDR + * or from HTTP_X_FORWARDED_FOR if behind a proxy + * @returns an the client ip address + */ +function get_ip_address($cfg) { + if (count ($cfg['proxy_ip']) == 0 || + empty ($_SERVER['HTTP_X_FORWARDED_FOR'])) + return $_SERVER['REMOTE_ADDR']; + + $iplist = explode (',', $_SERVER['HTTP_X_FORWARDED_FOR']); + if (count ($iplist) == 0) + return $_SERVER['REMOTE_ADDR']; + + foreach ($cfg['proxy_ip'] as $proxy_ip) + { + if ($_SERVER['REMOTE_ADDR'] != $proxy_ip) + continue; + + // Take the last IP (the one which has been set by our proxy). + $ip = end($iplist); + $ip = preg_replace ('/\s+/', '', $ip); + return $ip; + } + return $_SERVER['REMOTE_ADDR']; +} + +/** + * Convert hexadecimal string to base64 + */ +function hex_to_base64($hex) +{ + $b = ''; + foreach (str_split ($hex, 2) as $pair) + $b .= chr (hexdec ($pair)); + return base64_encode ($b); +}