X-Git-Url: https://git.p6c8.net/jirafeau_project.git/blobdiff_plain/2dc4984ad57dfcb0ded829bfc9d45493484fe6e3..f07477cb289eb839af7255b25188765d5e49ad94:/lib/functions.php?ds=sidebyside diff --git a/lib/functions.php b/lib/functions.php index eaedfac..2817aa1 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -204,7 +204,7 @@ function jirafeau_ini_to_bytes($value) function jirafeau_get_max_upload_size_bytes() { return min(jirafeau_ini_to_bytes(ini_get('post_max_size')), - jirafeau_ini_to_bytes(ini_get('upload_max_filesize'))); + jirafeau_ini_to_bytes(ini_get('upload_max_filesize'))); } /** @@ -213,9 +213,7 @@ function jirafeau_get_max_upload_size_bytes() */ function jirafeau_get_max_upload_size() { - return jirafeau_human_size( - min(jirafeau_ini_to_bytes(ini_get('post_max_size')), - jirafeau_ini_to_bytes(ini_get('upload_max_filesize')))); + return jirafeau_human_size(jirafeau_get_max_upload_size_bytes()); } /** @@ -500,16 +498,13 @@ function check_errors($cfg) exit; } - /* check if the destination dirs are writable */ - $writable = is_writable(VAR_FILES) && is_writable(VAR_LINKS); - /* Checking for errors. */ if (!is_writable(VAR_FILES)) { - add_error(t('The file directory is not writable!'), VAR_FILES); + add_error(t('FILE_DIR_W'), VAR_FILES); } if (!is_writable(VAR_LINKS)) { - add_error(t('The link directory is not writable!'), VAR_LINKS); + add_error(t('LINK_DIR_W'), VAR_LINKS); } if (!is_writable(VAR_ASYNC)) { @@ -553,13 +548,13 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) { echo '
'; if (!empty($name)) { - echo t('FILENAME') . ": $name "; + echo t('FILENAME') . ": " . jirafeau_escape($name); } if (!empty($file_hash)) { - echo t('FILE') . ": $file_hash "; + echo t('FILE') . ": " . jirafeau_escape($file_hash); } if (!empty($link_hash)) { - echo t('LINK') . ": $link_hash "; + echo t('LINK') . ": " . jirafeau_escape($link_hash); } if (empty($name) && empty($file_hash) && empty($link_hash)) { echo t('LS_FILES'); @@ -597,7 +592,7 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) } /* Filter. */ - if (!empty($name) && !preg_match("/$name/i", htmlspecialchars($l['file_name']))) { + if (!empty($name) && !@preg_match("/$name/i", jirafeau_escape($l['file_name']))) { continue; } if (!empty($file_hash) && $file_hash != $l['md5']) { @@ -609,10 +604,10 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) /* Print link informations. */ echo ''; echo '' . - '' . htmlspecialchars($l['file_name']) . ''; + '' . jirafeau_escape($l['file_name']) . ''; echo ''; - echo '' . $l['mime_type'] . ''; + echo '' . jirafeau_escape($l['mime_type']) . ''; echo '' . jirafeau_human_size($l['file_size']) . ''; echo '' . ($l['time'] == -1 ? '∞' : jirafeau_get_datetimefield($l['time'])) . ''; echo ''; @@ -628,16 +623,19 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) '
' . '' . '' . + jirafeau_admin_csrf_field() . '' . '
' . '
' . '' . '' . + jirafeau_admin_csrf_field() . '' . '
' . '
' . '' . '' . + jirafeau_admin_csrf_field() . '' . '
' . ''; @@ -1110,6 +1108,21 @@ function jirafeau_challenge_upload ($cfg, $ip, $password) return true; } + // Allow if ip is in array (no password) + foreach ($cfg['upload_ip_nopassword'] as $i) { + if ($i == $ip) { + return true; + } + // CIDR test for IPv4 only. + if (strpos ($i, '/') !== false) + { + list ($subnet, $mask) = explode('/', $i); + if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) { + return true; + } + } + } + // Allow if ip is in array foreach ($cfg['upload_ip'] as $i) { if ($i == $ip) { @@ -1243,3 +1256,34 @@ function jirafeau_replace_markers($content, $htmllinebreaks = false) return $content; } + +function jirafeau_escape($string) +{ + return htmlspecialchars($string, ENT_QUOTES); +} + +function jirafeau_admin_session_start() +{ + $_SESSION['admin_auth'] = true; + $_SESSION['admin_csrf'] = md5(uniqid(mt_rand(), true)); +} + +function jirafeau_admin_session_end() +{ + $_SESSION = array(); + session_destroy(); +} + +function jirafeau_admin_session_logged() +{ + return isset($_SESSION['admin_auth']) && + isset($_SESSION['admin_csrf']) && + isset($_POST['admin_csrf']) && + $_SESSION['admin_auth'] === true && + $_SESSION['admin_csrf'] === $_POST['admin_csrf']; +} + +function jirafeau_admin_csrf_field() +{ + return ""; +}