]> git.p6c8.net - jirafeau_mojo42.git/commitdiff
fix input validation on required/regex setting
authorgwunderlich <gwunderlich@cocus.com>
Fri, 2 Sep 2022 14:35:41 +0000 (16:35 +0200)
committerJérôme Jutteau <jerome@jutteau.fr>
Wed, 14 Dec 2022 09:06:46 +0000 (09:06 +0000)
index.php
script.php

index 24ce25c48237af1baed5e5a5c5fee38b8b5a97bc..ae8f11bb62c8f63ed26269e88db8db82f81f2774 100644 (file)
--- a/index.php
+++ b/index.php
@@ -177,7 +177,12 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) {
 </div>
 
 <div id="upload">
 </div>
 
 <div id="upload">
-<fieldset>
+<form id="upload-form" onsubmit="
+            event.preventDefault();
+            document.getElementById('upload').style.display = 'none';
+            document.getElementById('uploading').style.display = '';
+            upload (<?php echo jirafeau_get_max_upload_chunk_size_bytes($cfg['max_upload_chunk_size_bytes']); ?>);
+            "><fieldset>
     <legend>
     <?php echo t('SEL_FILE'); ?>
     </legend>
     <legend>
     <?php echo t('SEL_FILE'); ?>
     </legend>
@@ -279,15 +284,10 @@ if ($cfg['maximal_upload_size'] >= 1024) {
 
         <p id="max_file_size" class="config"></p>
     <p>
 
         <p id="max_file_size" class="config"></p>
     <p>
-    <input type="submit" id="send" value="<?php echo t('SEND'); ?>"
-    onclick="
-        document.getElementById('upload').style.display = 'none';
-        document.getElementById('uploading').style.display = '';
-        upload (<?php echo jirafeau_get_max_upload_chunk_size_bytes($cfg['max_upload_chunk_size_bytes']); ?>);
-    "/>
+    <input type="submit" id="send" value="<?php echo t('SEND'); ?>"/>
     </p>
         </table>
     </p>
         </table>
-    </div> </fieldset>
+    </div> </fieldset></form>
 
     <?php
     if (jirafeau_user_session_logged()) {
 
     <?php
     if (jirafeau_user_session_logged()) {
index 40d26eaf5148aa186052e2b0f9bd6b04974d76b5..600b1d5cc9f702955a9a1d558e27fc1ef3cf0612 100644 (file)
@@ -175,6 +175,15 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES)
     $key = '';
     if (isset($_POST['key'])) {
         $key = $_POST['key'];
     $key = '';
     if (isset($_POST['key'])) {
         $key = $_POST['key'];
+        if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex'){
+            if (!preg_match($cfg['download_password_policy_regex'], $key)){
+                echo 'Error 14: The download password is not complying to the security standards.';
+                exit;
+            }
+        }
+    }elseif ($cfg['download_password_requirement'] !== 'optional'){
+        echo 'Error 13: The parameter password is required.';
+        exit;
     }
     $d = '';
     if (isset($_GET['d'])) {
     }
     $d = '';
     if (isset($_GET['d'])) {
@@ -442,6 +451,15 @@ elseif (isset($_GET['init_async'])) {
     $key = '';
     if (isset($_POST['key'])) {
         $key = $_POST['key'];
     $key = '';
     if (isset($_POST['key'])) {
         $key = $_POST['key'];
+        if ($cfg['download_password_requirement'] !== 'generated' && $cfg['download_password_policy'] === 'regex'){
+            if (!preg_match($cfg['download_password_policy_regex'], $key)){
+                echo 'Error 14: The download password is not complying to the security standards.';
+                exit;
+            }
+        }
+    }elseif ($cfg['download_password_requirement'] !== 'optional'){
+        echo 'Error 13: The parameter password is required.';
+        exit;
     }
 
     // Check if one time download is enabled
     }
 
     // Check if one time download is enabled

patrick-canterino.de