X-Git-Url: https://git.p6c8.net/jirafeau_project.git/blobdiff_plain/b402561271f0de4f4c12fc8f8c7d51d12e0a3e5c..ebcb7402a9776c5881fbba4d1d60ad50e41a097d:/lib/functions.php diff --git a/lib/functions.php b/lib/functions.php index 7d15e1b..b590e2b 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -25,9 +25,16 @@ */ function s2p($s) { + $block_size = 8; $p = ''; for ($i = 0; $i < strlen($s); $i++) { - $p .= $s{$i} . '/'; + $p .= $s{$i}; + if (($i + 1) % $block_size == 0) { + $p .= '/'; + } + } + if (strlen($s) % $block_size != 0) { + $p .= '/'; } return $p; } @@ -204,7 +211,7 @@ function jirafeau_ini_to_bytes($value) function jirafeau_get_max_upload_size_bytes() { return min(jirafeau_ini_to_bytes(ini_get('post_max_size')), - jirafeau_ini_to_bytes(ini_get('upload_max_filesize'))); + jirafeau_ini_to_bytes(ini_get('upload_max_filesize'))); } /** @@ -213,9 +220,7 @@ function jirafeau_get_max_upload_size_bytes() */ function jirafeau_get_max_upload_size() { - return jirafeau_human_size( - min(jirafeau_ini_to_bytes(ini_get('post_max_size')), - jirafeau_ini_to_bytes(ini_get('upload_max_filesize')))); + return jirafeau_human_size(jirafeau_get_max_upload_size_bytes()); } /** @@ -374,7 +379,7 @@ function jirafeau_upload($file, $one_time_download, $key, $time, $ip, $crypt, $l return (array( 'error' => array('has_error' => true, - 'why' => t('Internal error during file creation.')), + 'why' => t('INTERNAL_ERROR_DEL')), 'link' =>'', 'delete_link' => '')); } @@ -500,20 +505,17 @@ function check_errors($cfg) exit; } - /* check if the destination dirs are writable */ - $writable = is_writable(VAR_FILES) && is_writable(VAR_LINKS); - /* Checking for errors. */ if (!is_writable(VAR_FILES)) { - add_error(t('The file directory is not writable!'), VAR_FILES); + add_error(t('FILE_DIR_W'), VAR_FILES); } if (!is_writable(VAR_LINKS)) { - add_error(t('The link directory is not writable!'), VAR_LINKS); + add_error(t('LINK_DIR_W'), VAR_LINKS); } if (!is_writable(VAR_ASYNC)) { - add_error(t('The async directory is not writable!'), VAR_ASYNC); + add_error(t('ASYNC_DIR_W'), VAR_ASYNC); } } @@ -553,28 +555,28 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) { echo '
'; if (!empty($name)) { - echo t('Filename') . ": $name "; + echo t('FILENAME') . ": " . jirafeau_escape($name); } if (!empty($file_hash)) { - echo t('file') . ": $file_hash "; + echo t('FILE') . ": " . jirafeau_escape($file_hash); } if (!empty($link_hash)) { - echo t('link') . ": $link_hash "; + echo t('LINK') . ": " . jirafeau_escape($link_hash); } if (empty($name) && empty($file_hash) && empty($link_hash)) { - echo t('List all files'); + echo t('LS_FILES'); } echo ''; - echo ''; + echo '
'; echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; - echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; echo ''; /* Get all links files. */ @@ -597,7 +599,7 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) } /* Filter. */ - if (!empty($name) && !preg_match("/$name/i", htmlspecialchars($l['file_name']))) { + if (!empty($name) && !@preg_match("/$name/i", jirafeau_escape($l['file_name']))) { continue; } if (!empty($file_hash) && $file_hash != $l['md5']) { @@ -609,10 +611,10 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) /* Print link informations. */ echo ''; echo ''; - echo ''; + echo ''; echo ''; echo ''; echo ''; echo ''; @@ -1069,19 +1074,14 @@ function jirafeau_challenge_upload_password($cfg, $password) } /** - * Test if visitor's IP is authorized to upload. + * Test if the given IP is whitelisted by the given list. * * @param $allowedIpList array of allowed IPs * @param $challengedIp IP to be challenged * @return true if IP is authorized, false otherwise. */ -function jirafeau_challenge_upload_ip($allowedIpList, $challengedIp) +function jirafeau_challenge_ip($allowedIpList, $challengedIp) { - // skip if list is empty = all IPs allowed - if (count($allowedIpList) == 0) { - return true; - } - // test given IP against each allowed IP foreach ($allowedIpList as $i) { if ($i == $challengedIp) { return true; @@ -1097,6 +1097,42 @@ function jirafeau_challenge_upload_ip($allowedIpList, $challengedIp) return false; } +/** + * Check if Jirafeau has a restriction on the IP address for uploading. + * @return true if uploading is IP restricted, false otherwise. + */ +function jirafeau_upload_has_ip_restriction($cfg) { + return count($cfg['upload_ip']) > 0; +} + +/** + * Test if visitor's IP is authorized to upload at all. + * + * @param $cfg configuration + * @param $challengedIp IP to be challenged + * @return true if IP is authorized, false otherwise. + */ +function jirafeau_challenge_upload_ip($cfg, $challengedIp) +{ + // If no IP address have been listed, allow upload from any IP + if (!jirafeau_upload_has_ip_restriction($cfg)) { + return true; + } + return jirafeau_challenge_ip($cfg['upload_ip'], $challengedIp); +} + +/** + * Test if visitor's IP is authorized to upload without a password. + * + * @param $cfg configuration + * @param $challengedIp IP to be challenged + * @return true if IP is authorized, false otherwise. + */ +function jirafeau_challenge_upload_ip_without_password($cfg, $challengedIp) +{ + return jirafeau_challenge_ip($cfg['upload_ip_nopassword'], $challengedIp); +} + /** * Test if visitor's IP is authorized or password is supplied and authorized * @param $ip IP to be challenged @@ -1105,35 +1141,9 @@ function jirafeau_challenge_upload_ip($allowedIpList, $challengedIp) */ function jirafeau_challenge_upload ($cfg, $ip, $password) { - // Allow if no ip restrictaion and no password restriction - if ((count ($cfg['upload_ip']) == 0) and (count ($cfg['upload_password']) == 0)) { - return true; - } - - // Allow if ip is in array - foreach ($cfg['upload_ip'] as $i) { - if ($i == $ip) { - return true; - } - // CIDR test for IPv4 only. - if (strpos ($i, '/') !== false) - { - list ($subnet, $mask) = explode('/', $i); - if ((ip2long ($ip) & ~((1 << (32 - $mask)) - 1) ) == ip2long ($subnet)) { - return true; - } - } - } - if (!jirafeau_has_upload_password($cfg)) { - return false; - } - - foreach ($cfg['upload_password'] as $p) { - if ($password == $p) { - return true; - } - } - return false; + return jirafeau_challenge_upload_ip_without_password($cfg, $ip) || + (!jirafeau_has_upload_password($cfg) && !jirafeau_upload_has_ip_restriction($cfg)) || + (jirafeau_challenge_upload_password($cfg, $password) && jirafeau_challenge_upload_ip($cfg, $ip)); } /** Tell if we have some HTTP headers generated by a proxy */ @@ -1214,185 +1224,6 @@ function hex_to_base64($hex) return base64_encode($b); } -/** - * Read alias informations - * @return array containing informations. - */ -function jirafeau_get_alias($hash) -{ - $out = array(); - $link = VAR_ALIAS . s2p("$hash") . $hash; - - if (!file_exists($link)) { - return $out; - } - - $c = file($link); - $out['md5_password'] = trim($c[0]); - $out['ip'] = trim($c[1]); - $out['update_date'] = trim($c[2]); - $out['destination'] = trim($c[3], NL); - - return $out; -} - -/** Create an alias to a jirafeau's link. - * @param $alias alias name - * @param $destination reference of the destination - * @param $password password to protect alias - * @param $ip client's IP - * @return a string containing the edit code of the alias or the string "Error" - */ -function jirafeau_alias_create($alias, $destination, $password, $ip) -{ - /* Check that alias and password are long enough. */ - if (strlen($alias) < 8 || - strlen($alias) > 32 || - strlen($password) < 8 || - strlen($password) > 32) { - return 'Error'; - } - - /* Check that destination exists. */ - $l = jirafeau_get_link($destination); - if (!count($l)) { - return 'Error'; - } - - /* Check that alias does not already exists. */ - $alias = md5($alias); - $p = VAR_ALIAS . s2p($alias); - if (file_exists($p)) { - return 'Error'; - } - - /* Create alias folder. */ - @mkdir($p, 0755, true); - if (!file_exists($p)) { - return 'Error'; - } - - /* Generate password. */ - $md5_password = md5($password); - - /* Store informations. */ - $p .= $alias; - $handle = fopen($p, 'w'); - fwrite($handle, - $md5_password . NL . - $ip . NL . - time() . NL . - $destination . NL); - fclose($handle); - - return 'Ok'; -} - -/** Update an alias. - * @param $alias alias to update - * @param $destination reference of the new destination - * @param $password password to protect alias - * @param $new_password optional new password to protect alias - * @param $ip client's IP - * @return "Ok" or "Error" string - */ -function jirafeau_alias_update($alias, $destination, $password, - $new_password, $ip) -{ - $alias = md5($alias); - /* Check that alias exits. */ - $a = jirafeau_get_alias($alias); - if (!count($a)) { - return 'Error'; - } - - /* Check that destination exists. */ - $l = jirafeau_get_link($a["destination"]); - if (!count($l)) { - return 'Error'; - } - - /* Check password. */ - if ($a["md5_password"] != md5($password)) { - return 'Error'; - } - - $p = $a['md5_password']; - if (strlen($new_password) >= 8 && - strlen($new_password) <= 32) { - $p = md5($new_password); - } elseif (strlen($new_password) > 0) { - return 'Error'; - } - - /* Rewrite informations. */ - $p = VAR_ALIAS . s2p($alias) . $alias; - $handle = fopen($p, 'w'); - fwrite($handle, - $p . NL . - $ip . NL . - time() . NL . - $destination . NL); - fclose($handle); - return 'Ok'; -} - -/** Get an alias. - * @param $alias alias to get - * @return alias destination or "Error" string - */ -function jirafeau_alias_get($alias) -{ - $alias = md5($alias); - /* Check that alias exits. */ - $a = jirafeau_get_alias($alias); - if (!count($a)) { - return 'Error'; - } - - return $a['destination']; -} - -function jirafeau_clean_rm_alias($alias) -{ - $p = s2p("$alias"); - if (file_exists(VAR_ALIAS . $p . $alias)) { - unlink(VAR_ALIAS . $p . $alias); - } - $parse = VAR_ALIAS . $p; - $scan = array(); - while (file_exists($parse) - && ($scan = scandir($parse)) - && count($scan) == 2 // '.' and '..' folders => empty. - && basename($parse) != basename(VAR_ALIAS)) { - rmdir($parse); - $parse = substr($parse, 0, strlen($parse) - strlen(basename($parse)) - 1); - } -} - -/** Delete an alias. - * @param $alias alias to delete - * @param $password password to protect alias - * @return "Ok" or "Error" string - */ -function jirafeau_alias_delete($alias, $password) -{ - $alias = md5($alias); - /* Check that alias exits. */ - $a = jirafeau_get_alias($alias); - if (!count($a)) { - return "Error"; - } - - /* Check password. */ - if ($a["md5_password"] != md5($password)) { - return 'Error'; - } - - jirafeau_clean_rm_alias($alias); - return 'Ok'; -} - /** * Replace markers in templates. * @@ -1422,3 +1253,34 @@ function jirafeau_replace_markers($content, $htmllinebreaks = false) return $content; } + +function jirafeau_escape($string) +{ + return htmlspecialchars($string, ENT_QUOTES); +} + +function jirafeau_admin_session_start() +{ + $_SESSION['admin_auth'] = true; + $_SESSION['admin_csrf'] = md5(uniqid(mt_rand(), true)); +} + +function jirafeau_admin_session_end() +{ + $_SESSION = array(); + session_destroy(); +} + +function jirafeau_admin_session_logged() +{ + return isset($_SESSION['admin_auth']) && + isset($_SESSION['admin_csrf']) && + isset($_POST['admin_csrf']) && + $_SESSION['admin_auth'] === true && + $_SESSION['admin_csrf'] === $_POST['admin_csrf']; +} + +function jirafeau_admin_csrf_field() +{ + return ""; +}
' . t('Filename') . '' . t('Type') . '' . t('Size') . '' . t('Expire') . '' . t('Onetime') . '' . t('Upload date') . '' . t('Origin') . '' . t('Action') . '' . t('FILENAME') . '' . t('TYPE') . '' . t('SIZE') . '' . t('EXPIRE') . '' . t('ONETIME') . '' . t('UPLOAD_DATE') . '' . t('ORIGIN') . '' . t('ACTION') . '
' . - '' . htmlspecialchars($l['file_name']) . ''; + '' . jirafeau_escape($l['file_name']) . ''; echo '' . $l['mime_type'] . '' . jirafeau_escape($l['mime_type']) . '' . jirafeau_human_size($l['file_size']) . '' . ($l['time'] == -1 ? '∞' : jirafeau_get_datetimefield($l['time'])) . ''; @@ -628,17 +630,20 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) '
' . '' . '' . - '' . + jirafeau_admin_csrf_field() . + '' . '
' . '
' . '' . '' . - '' . + jirafeau_admin_csrf_field() . + '' . '
' . '
' . '' . '' . - '' . + jirafeau_admin_csrf_field() . + '' . '
' . '