1 <?php
2 /*
3 * Jirafeau, your web file repository
4 * Copyright (C) 2012 Jerome Jutteau <j.jutteau@gmail.com>
5 *
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU Affero General Public License as
8 * published by the Free Software Foundation, either version 3 of the
9 * License, or (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Affero General Public License for more details.
15 *
16 * You should have received a copy of the GNU Affero General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
/*
 * This file makes it easy to script file sending, receiving, deleting, ...
 * If you don't want this feature, you can simply delete this file from your
 * web directory.
 */
25
/* Absolute path of the Jirafeau installation (with trailing slash); every
 * require below is resolved against it. */
define ('JIRAFEAU_ROOT', dirname (__FILE__) . '/');

/* Order matters: config first, then settings, then the helpers and the
 * translation layer (t()) that the rest of this file calls. */
require (JIRAFEAU_ROOT . 'lib/config.php');
require (JIRAFEAU_ROOT . 'lib/settings.php');
require (JIRAFEAU_ROOT . 'lib/functions.php');
require (JIRAFEAU_ROOT . 'lib/lang.php');

/* Script languages this interface can generate (?lang=<key>).  Key is the
 * request value, value the display name used in the help page.  The help
 * page iterates this array, but the generator branch further down only
 * implements 'bash' -- keep the two in sync when adding a language. */
global $script_langages;
$script_langages = array ('bash' => 'Bash');
35
/*
 * Human-readable help page.
 *
 * Served only for a bare GET with no query parameters; every other request
 * is handled by the plain-text interface below.  The page is rendered with
 * the site template (header/footer) and lists each supported operation with
 * its parameters and an example link.
 *
 * Notes for maintainers:
 *  - $web_root is expected to come from the required lib files (not shown
 *    here).  It is a configuration value and is written into href attributes
 *    without HTML escaping, so it is assumed trusted.
 *  - The strings inside t() presumably double as translation keys (lib/lang.php
 *    is required above), so their spelling must not be "fixed" here alone.
 *  - The async sections say "Send a GET query" but the handlers below read
 *    filename/ref/code/... from $_POST; the query string only selects the
 *    operation (?init_async, ?push_async, ?end_async).
 *  - The upload section documents the password field as "password" while
 *    the synchronous upload handler below reads $_POST['key'].
 */
if ($_SERVER['REQUEST_METHOD'] == "GET" && count ($_GET) == 0)
{
    require (JIRAFEAU_ROOT . 'lib/template/header.php');
    /* Installation problems (from lib/functions.php) are shown instead of
     * the help text. */
    check_errors ();
    if (has_error ())
    {
        show_errors ();
        require (JIRAFEAU_ROOT . 'lib/template/footer.php');
        exit;
    }
    echo '<div class="info">';
    echo '<h2>' . t('Welcome to Jirafeau\'s query interface') . '</h2>';
    echo '<p>';
    echo t('This interface permits to script your uploads and downloads.') .
    ' ' . t('The instructions above show how to query this interface.');
    echo '</p>';

    /* ?get_version=1 */
    echo '<h3>' . t('Get Jirafeau\'s version') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>get_version=</b>1<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content.') . ' ' .
    t('First line is the version number.') . '<br /></p>';
    echo '<p>';
    echo t('Example') . ": <a href=\"" . $web_root . "script.php?get_version=1\">" . $web_root . "script.php?get_version=1</a> ";
    echo '</p>';

    /* ?get_capacity=1 */
    echo '<h3>' . t('Get server capacity') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>get_capacity=</b>1<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content.') . ' ' .
    t('First line is the server capacity (in Bytes).') . '<br /></p>';
    echo '<p>';
    echo t('Example') . ": <a href=\"" . $web_root . "script.php?get_capacity=1\">" . $web_root . "script.php?get_capacity=1</a> ";
    echo '</p>';

    /* Synchronous upload (multipart POST, field "file"). */
    echo '<h3>' . t('Upload a file') . ':</h3>';
    echo '<p>';
    echo t('Send a POST query to') . ': <i>' . $web_root . 'script.php</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>file=</b>C:\\your\\file\\path<i> (" . t('Required') . ")</i> <br />";
    echo "<b>time=</b>[minute|hour|day|week|month|none]<i> (" . t('Optional') . ', '. t('default: none') . ")</i> <br />";
    echo "<b>password=</b>your_password<i> (" . t('Optional') . ")</i> <br />";
    echo "<b>one_time_download=</b>1<i> (" . t('Optional') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content.') . ' ' .
    t('First line is the download reference and the second line the delete code.') . '<br /></p>';

    /* Download (?h=<reference>, password via POST if set). */
    echo '<h3>' . t('Get a file') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>h=</b>your_download_reference<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>';
    echo t('If a password has been set, send a POST request with it.');
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>password=</b>your_password<i> (" . t('Optional') . ")</i> <br />";
    echo '</p>';
    echo '<p>';
    echo t('Example') . ": <a href=\"" . $web_root . "script.php?h=30ngy0hsDcpfrF8zR7x9iU\">" . $web_root . "script.php?h=30ngy0hsDcpfrF8zR7x9iU</a> ";
    echo '</p>';

    /* Delete (?h=<reference>&d=<delete code>). */
    echo '<h3>' . t('Delete a file') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>h=</b>your_download_reference<i> (" . t('Required') . ")</i> <br />";
    echo "<b>d=</b>yout_delete_code<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return "Ok" if succeded, "Error" otherwhise.') . '<br /></p>';
    echo '<p>';
    echo t('Example') . ": <a href=\"" . $web_root . "script.php?h=30ngy0hsDcpfrF8zR7x9iU&amp;d=0d210a952\">" . $web_root . "script.php?h=30ngy0hsDcpfrF8zR7x9iU&amp;d=0d210a952</a> ";
    echo '</p>';

    /* Generated client scripts (?lang=<key>), listed from $script_langages. */
    echo '<h3>' . t('Get a generated scripts') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>lang=</b>[";
    foreach ($script_langages as $lang => $name)
        echo $lang;
    echo "]<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content of the code.') . '<br /></p>';
    echo '<p>';
    echo t('Example') . ": <br />";
    foreach ($script_langages as $lang => $name)
        echo "$name: <a href=\"" . $web_root . "script.php?lang=$lang\">" . $web_root . "script.php?lang=$lang</a> ";
    echo '</p>';

    /* Chunked upload, step 1: ?init_async with POST fields. */
    echo '<h3>' . t('Initalize a asynchronous transfert') . ':</h3>';
    echo '<p>';
    echo t('The goal is to permit to transfert big file, chunk by chunk.') . ' ';
    echo t('Chunks of data must be sent in order.');
    echo '</p>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php?init_async</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>filename=</b>file_name.ext<i> (" . t('Required') . ")</i> <br />";
    echo "<b>type=</b>MIME_TYPE<i> (" . t('Optional') . ")</i> <br />";
    echo "<b>time=</b>[minute|hour|day|week|month|none]<i> (" . t('Optional') . ', '. t('default: none') . ")</i> <br />";
    echo "<b>password=</b>your_password<i> (" . t('Optional') . ")</i> <br />";
    echo "<b>one_time_download=</b>1<i> (" . t('Optional') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content.') . ' ' .
    t('First line is the asynchronous transfert reference and the second line the code to use in the next operation.') . '<br /></p>';

    /* Chunked upload, step 2: ?push_async, one chunk per request. */
    echo '<h3>' . t('Push data during asynchronous transfert') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php?push_async</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>ref=</b>async_reference<i> (" . t('Required') . ")</i> <br />";
    echo "<b>data=</b>data_chunk<i> (" . t('Required') . ")</i> <br />";
    echo "<b>code=</b>last_provided_code<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content.') . ' ' .
    t('Returns the next code to use.') . '<br /></p>';

    /* Chunked upload, step 3: ?end_async. */
    echo '<h3>' . t('Finalize asynchronous transfert') . ':</h3>';
    echo '<p>';
    echo t('Send a GET query to') . ': <i>' . $web_root . 'script.php?end_async</i><br />';
    echo '<br />';
    echo t('Parameters') . ':<br />';
    echo "<b>ref=</b>async_reference<i> (" . t('Required') . ")</i> <br />";
    echo "<b>code=</b>last_provided_code<i> (" . t('Required') . ")</i> <br />";
    echo '</p>';
    echo '<p>' . t('This will return brut text content.') . ' ' .
    t('First line is the download reference and the second line the delete code.') . '<br /></p>';

    echo '</div><br />';
    require (JIRAFEAU_ROOT . 'lib/template/footer.php');
    exit;
}
184
185 /* Lets use interface now. */
186 header('Content-Type: text; charset=utf-8');
187
188 /* Upload file */
189 if (isset ($_FILES['file']) && is_writable (VAR_FILES)
190 && is_writable (VAR_LINKS))
191 {
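/*
 * Synchronous upload: multipart POST with the file in field "file".
 *
 * Optional fields: time (minute|hour|day|week|month; anything else means
 * no expiry), one_time_download (its mere presence enables the flag), and
 * the password.  The help page documents the password field as "password"
 * while the generated bash script sends "key"; both are accepted here, "key"
 * taking precedence.  Only string values are used: PHP turns "key[]=x" into
 * an array, which md5()/jirafeau_upload() are not meant to receive.
 *
 * Output: "Error" on failure; otherwise the download reference on the first
 * line and the delete code on the second (both returned by jirafeau_upload()
 * in lib/functions.php, not shown here).
 */
$key = '';
if (isset ($_POST['key']) && is_string ($_POST['key']))
    $key = $_POST['key'];
elseif (isset ($_POST['password']) && is_string ($_POST['password']))
    $key = $_POST['password'];

/* Expiry as an absolute timestamp, or JIRAFEAU_INFINITY when no known value
 * is requested.  The request value is only ever used as an array key, so no
 * loose comparison is involved. */
$durations = array (
    'minute' => JIRAFEAU_MINUTE,
    'hour'   => JIRAFEAU_HOUR,
    'day'    => JIRAFEAU_DAY,
    'week'   => JIRAFEAU_WEEK,
    'month'  => JIRAFEAU_MONTH);
$time = JIRAFEAU_INFINITY;
if (isset ($_POST['time']) && is_string ($_POST['time'])
    && isset ($durations[$_POST['time']]))
    $time = time () + $durations[$_POST['time']];

$res = jirafeau_upload ($_FILES['file'],
                        isset ($_POST['one_time_download']),
                        $key, $time, $_SERVER['REMOTE_ADDR']);

if (empty ($res) || $res['error']['has_error'])
{
    echo "Error";
    exit;
}
/* First line: download reference (the "h" value). */
echo $res['link'];
echo NL;
/* Second line: delete code (the "d" value). */
echo $res['delete_link'];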
235 }
236 elseif (isset ($_GET['h']))
237 {
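/*
 * Download or delete a stored file.
 *
 *   GET h=<reference>            streams the file (POST key=<password> if one was set)
 *   GET h=<reference>&d=<code>   deletes the file when <code> matches its delete code
 *
 * Every failure prints "Error" and stops; a successful delete prints "Ok".
 * The link record comes from jirafeau_get_link() (lib/functions.php, not
 * shown); the fields read below are link_code, time, key, md5, file_size,
 * mime_type, file_name and onetime.  Only string request values are used,
 * so "h[]=..." style arrays are rejected up front.
 */
$link_name = $_GET['h'];
$key = '';
if (isset ($_POST['key']) && is_string ($_POST['key']))
    $key = $_POST['key'];
$d = '';
if (isset ($_GET['d']) && is_string ($_GET['d']))
    $d = $_GET['d'];

/* A reference is exactly 22 characters of [0-9a-zA-Z_-].  The pattern is
 * anchored at both ends -- the previous one only checked the suffix, so any
 * prefix (a path component, for instance) would have been accepted before
 * the value reached jirafeau_get_link() -- and the D modifier stops '$'
 * from matching in front of a trailing newline. */
if (!is_string ($link_name) || !preg_match ('/^[0-9a-zA-Z_-]{22}$/D', $link_name))
{
    echo "Error";
    exit;
}

$link = jirafeau_get_link ($link_name);
if (count ($link) == 0)
{
    echo "Error";
    exit;
}

/* Delete request.  Secrets are compared with hash_equals() where PHP
 * provides it (5.6+), strict string equality otherwise.  Loose == must not
 * be used here: PHP compares numeric-looking strings numerically, so
 * "0" == "0e1234567" is true and a code of the form 0e<digits> could be
 * matched without knowing it. */
if (strlen ($d) > 0)
{
    $code_ok = function_exists ('hash_equals')
        ? hash_equals ((string) $link['link_code'], $d)
        : $d === (string) $link['link_code'];
    if ($code_ok)
    {
        jirafeau_delete_link ($link_name);
        echo "Ok";
        exit;
    }
}

/* Expired links are removed on access. */
if ($link['time'] != JIRAFEAU_INFINITY && time () > $link['time'])
{
    jirafeau_delete_link ($link_name);
    echo "Error";
    exit;
}

/* Password check.  The stored value is an unsalted md5 of the password
 * (that format is decided by the upload code, not here); same comparison
 * rules as for the delete code above. */
if (strlen ($link['key']) > 0)
{
    $given = md5 ($key);
    $key_ok = function_exists ('hash_equals')
        ? hash_equals ((string) $link['key'], $given)
        : $given === (string) $link['key'];
    if (!$key_ok)
    {
        echo "Error";
        exit;
    }
}

/* Open the file before sending any header, so a missing or unreadable file
 * still yields a clean "Error" body instead of a truncated download. */
$p = s2p ($link['md5']);
$path = VAR_FILES . $p . $link['md5'];
$r = (file_exists ($path) && is_readable ($path)) ? fopen ($path, 'rb') : false;
if ($r === false)
{
    echo "Error";
    exit;
}

/* Read file.  mime_type presumably originates from the client-supplied
 * "type" field of init_async, hence nosniff.  file_name is presumably the
 * name given at upload: header() already refuses CR/LF, and escaping '"'
 * and '\' keeps the quoted-string well formed. */
header ('Content-Length: ' . $link['file_size']);
header ('Content-Type: ' . $link['mime_type']);
header ('X-Content-Type-Options: nosniff');
$download_name = addcslashes (str_replace (array ("\r", "\n"), '', $link['file_name']), '"\\');
header ('Content-Disposition: attachment; filename="' . $download_name . '"');

while (!feof ($r))
{
    $chunk = fread ($r, 8192);
    if ($chunk === false)
        break;
    print $chunk;
    /* ob_flush() raises a notice (into the download) when no output buffer
     * is active, so only call it when one exists. */
    if (ob_get_level () > 0)
        ob_flush ();
    flush ();
}
fclose ($r);

/* One-time links are removed once the body has been sent. */
if ($link['onetime'] == 'O')
    jirafeau_delete_link ($link_name);
exit;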
299 }
300 elseif (isset ($_GET['get_capacity']))
301 {
/* Largest upload the PHP configuration will accept: the smaller of
 * post_max_size and upload_max_filesize, converted to bytes by
 * jirafeau_ini_to_bytes() (lib/functions.php). */
$post_limit = jirafeau_ini_to_bytes (ini_get ('post_max_size'));
$file_limit = jirafeau_ini_to_bytes (ini_get ('upload_max_filesize'));
echo ($post_limit < $file_limit) ? $post_limit : $file_limit;
304 }
305 elseif (isset ($_GET['get_version']))
306 {
307 echo JIRAFEAU_VERSION;
308 }
309 elseif (isset ($_GET['lang']))
310 {
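/*
 * Generated client script (?lang=<key>).
 *
 * Only an exact, known key is accepted; strict comparison avoids PHP's
 * string/number juggling and an array value ("lang[]=bash") never matches.
 * $script_langages at the top of this file lists the keys shown on the help
 * page, but each script body is still emitted by its own branch here.
 *
 * The bash script below is written verbatim to the response, with the
 * server URL filled in from $cfg['web_root'] (a configuration value).
 */
$l = $_GET['lang'];
if (is_string ($l) && $l === 'bash')
{
?>
#!/bin/bash

# This script has been auto-generated by Jirafeau but you can still edit
# options below.

# Config
proxy='' # ex: proxy='proxysever.test.com:3128' or set JIRAFEAU_PROXY global variable
url='<?php echo $cfg['web_root'] . 'script.php'; ?>' # or set JIRAFEAU_URL ex: url='http://mysite/jirafeau/script.php'
time='none' # minute, hour, day, week, month or none. Or set JIRAFEAU_TIME.
one_time='' # ex: one_time="1" or set JIRAFEAU_ONE_TIME.
curl='' # curl path to download or set JIRAFEAU_CURL_PATH.
# End of config

if [ -n "$JIRAFEAU_PROXY" ]; then
    proxy="$JIRAFEAU_PROXY"
fi

if [ -n "$JIRAFEAU_URL" ]; then
    url="$JIRAFEAU_URL"
fi

if [ -z "$url" ]; then
    echo "Please set url in script parameters or export JIRAFEAU_URL"
    exit 1
fi

if [ -n "$JIRAFEAU_TIME" ]; then
    time="$JIRAFEAU_TIME"
fi

if [ -n "$JIRAFEAU_ONE_TIME" ]; then
    one_time='1'
fi

if [ -z "$curl" ]; then
    curl="$JIRAFEAU_CURL_PATH"
fi

if [ -z "$curl" ] && [ -e "/usr/bin/curl" ]; then
    curl="/usr/bin/curl"
fi

if [ -z "$curl" ] && [ -e "/bin/curl.exe" ]; then
    curl="/bin/curl.exe"
fi

if [ -z "$curl" ]; then
    echo "Please set your curl binary path (by editing this script or export JIRAFEAU_CURL_PATH global variable)."
    exit 1
fi

if [ -z "$2" ]; then
    echo "man:"
    echo "  $0 send PATH [PASSWORD]"
    echo "  $0 get URL [PASSWORD]"
    echo "  $0 delete URL"
    echo ""
    echo "Global variables to export:"
    echo "  JIRAFEAU_PROXY : example: proxysever.test.com:3128"
    echo "  JIRAFEAU_URL : example: http://mysite/jirafeau/script.php"
    echo "  JIRAFEAU_TIME : minute, hour, day, week, month or none"
    echo "  JIRAFEAU_ONE_TIME : set anything or set empty"
    echo "  JIRAFEAU_CURL_PATH : path to your curl binary"

    exit 0
fi

# curl arguments are collected in arrays so that values containing spaces or
# shell metacharacters (proxy, password) reach curl as single arguments.
curl_opts=()
if [ -n "$proxy" ]; then
    curl_opts+=(-x "$proxy")
fi

form_opts=()
if [ -n "$one_time" ]; then
    form_opts+=(--form-string one_time_download=1)
fi

# The password comes from the command line, so it is visible to other local
# users (ps, shell history).  --form-string sends it literally; plain -F would
# treat a value starting with '@' or '<' as a file to read and upload.
password=''
if [ -n "$3" ]; then
    password="$3"
    form_opts+=(--form-string "key=$password")
fi

if [ "$1" == "send" ]; then
    if [ ! -f "$2" ]; then
        echo "File \"$2\" does not exists."
        exit 1
    fi

    # Ret result
    res=$("$curl" -X POST --http1.0 "${curl_opts[@]}" "${form_opts[@]}" \
        --form-string "time=$time" \
        -F "file=@$2" \
        "$url")

    if [[ "$res" == "Error" ]]; then
        echo "Error while uploading."
        exit 1
    fi

    # First line: download reference; second line: delete code.
    # Not using head or tail to minimise command dependencies.
    { read -r code; read -r del_code; } <<< "$res"
    echo "${url}?h=$code"
    echo "${url}?h=$code&d=$del_code"
elif [ "$1" == "get" ]; then
    # -J saves under the filename the server sends in Content-Disposition.
    if [ -z "$password" ]; then
        "$curl" "${curl_opts[@]}" -OJ "$2"
    else
        "$curl" "${curl_opts[@]}" -OJ -X POST --form-string "key=$password" "$2"
    fi
elif [ "$1" == "delete" ]; then
    "$curl" "${curl_opts[@]}" "$2"
fi
<?php
}
else
{
    echo "Error";
    exit;
}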
444 }
445 /* Initialize an asynchronous upload. */
446 elseif (isset ($_GET['init_async']))
447 {
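/*
 * Start a chunked ("asynchronous") upload.
 *
 * POST fields: filename (required), type (MIME type, optional), time,
 * password (the documented name; "key" is accepted as well, for symmetry
 * with the synchronous upload) and one_time_download.  Only string values
 * are used; "filename[]=x" style arrays are rejected.  Prints whatever
 * jirafeau_async_init() (lib/functions.php, not shown) returns -- per the
 * help page, the transfer reference and the first code on two lines.
 *
 * Note: the help page says "GET query", but apart from ?init_async in the
 * query string everything is read from the POST body.  The "type" value is
 * stored by jirafeau_async_init() and presumably becomes the Content-Type
 * served on download, which is why the download branch sends nosniff.
 */
if (!isset ($_POST['filename']) || !is_string ($_POST['filename']))
{
    echo "Error";
    exit;
}

$type = '';
if (isset ($_POST['type']) && is_string ($_POST['type']))
    $type = $_POST['type'];

$key = '';
if (isset ($_POST['password']) && is_string ($_POST['password']))
    $key = $_POST['password'];
elseif (isset ($_POST['key']) && is_string ($_POST['key']))
    $key = $_POST['key'];

/* Expiry as an absolute timestamp, or JIRAFEAU_INFINITY when no known
 * value is requested (same mapping as the synchronous upload). */
$durations = array (
    'minute' => JIRAFEAU_MINUTE,
    'hour'   => JIRAFEAU_HOUR,
    'day'    => JIRAFEAU_DAY,
    'week'   => JIRAFEAU_WEEK,
    'month'  => JIRAFEAU_MONTH);
$time = JIRAFEAU_INFINITY;
if (isset ($_POST['time']) && is_string ($_POST['time'])
    && isset ($durations[$_POST['time']]))
    $time = time () + $durations[$_POST['time']];

echo jirafeau_async_init ($_POST['filename'],
                          $type,
                          isset ($_POST['one_time_download']),
                          $key,
                          $time,
                          $_SERVER['REMOTE_ADDR']);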
493 }
494 /* Continue an asynchronous upload. */
495 elseif (isset ($_GET['push_async']))
496 {
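/* One chunk of a chunked upload: POST ref and code (strings) plus the chunk
 * in the multipart field "data".  Prints "Error" when a field is missing or
 * has the wrong shape, otherwise whatever jirafeau_async_push() returns
 * (per the help page, the code to use for the next request).  The type
 * checks stop "ref[]=..." style arrays from reaching the helper. */
if (!isset ($_POST['ref']) || !is_string ($_POST['ref'])
    || !isset ($_FILES['data']) || !is_array ($_FILES['data'])
    || !isset ($_POST['code']) || !is_string ($_POST['code']))
    echo "Error";
else
    echo jirafeau_async_push ($_POST['ref'], $_FILES['data'], $_POST['code']);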
503 }
504 /* Finalize an asynchronous upload. */
505 elseif (isset ($_GET['end_async']))
506 {
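/* Finish a chunked upload: POST ref and code (strings).  Prints "Error" when
 * a field is missing or is not a string, otherwise whatever
 * jirafeau_async_end() returns (per the help page, the download reference
 * and the delete code on two lines). */
if (!isset ($_POST['ref']) || !is_string ($_POST['ref'])
    || !isset ($_POST['code']) || !is_string ($_POST['code']))
    echo "Error";
else
    echo jirafeau_async_end ($_POST['ref'], $_POST['code']);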
512 }
513 else
514 echo "Error";
515 exit;
516 ?>
