Added whitelist for uploadable files.
Added greyscale mdlogo to git and set it as the default logo.
This commit is contained in:
@ -12,17 +12,17 @@
|
||||
|
||||
require_once __DIR__ . "/inc/functions.php";
|
||||
|
||||
ensureEnvironment(); // Ensure existence of system files.
|
||||
$translations = loadLanguage(); // Load translations.
|
||||
ensureBackendEnv(); // Ensure session is started etc.
|
||||
$pages = loadPages(); // Load overview of pages.
|
||||
ensureEnvironment(); // Ensure existence of system files.
|
||||
$translations = loadLanguage($settings['defaultLang']); // Load translations.
|
||||
ensureBackendEnv(); // Ensure session is started etc.
|
||||
$pages = loadPages(); // Load overview of pages.
|
||||
|
||||
/*
|
||||
* Load data.
|
||||
*/
|
||||
|
||||
// Check for vars.
|
||||
loadHttpToGlobals(["subject", "task"]);
|
||||
loadHttpToGlobals(["subject", "task", "backTo"]);
|
||||
if (!isset($task)) $task = "list";
|
||||
|
||||
define("fileDir", __DIR__ . "/../files");
|
||||
@ -36,23 +36,53 @@ if ($task == "list") {
|
||||
}
|
||||
else if ($task == "upload") {
|
||||
|
||||
// TODO: Add whitelist for extensions.
|
||||
$allowedFiletypes = [
|
||||
"image/png",
|
||||
"image/jpeg",
|
||||
];
|
||||
|
||||
$uploaddir = fileDir . '/';
|
||||
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
|
||||
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
|
||||
|
||||
if (filesize($_FILES['userfile']['tmp_name']) > 300000) {
|
||||
// Whitelist of allowed types.
|
||||
if (!in_array($_FILES['file']['type'], $allowedFiletypes)) {
|
||||
printErrorPage($translations['filetypeNotWhitelisted']);
|
||||
return;
|
||||
}
|
||||
|
||||
if (filesize($_FILES['file']['tmp_name']) > 300000) {
|
||||
printErrorPage($translations['fileTooLarge']);
|
||||
return;
|
||||
}
|
||||
|
||||
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
|
||||
echo "Datei ist valide und wurde erfolgreich hochgeladen.\n";
|
||||
if (!(move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))) {
|
||||
printErrorPage($translations['fileUploadError']);
|
||||
return;
|
||||
}
|
||||
else {
|
||||
echo "Möglicherweise eine Dateiupload-Attacke!\n";
|
||||
|
||||
$_SESSION["editHistory"] = ["changesStored", $translations['uploadedFile']];
|
||||
|
||||
// Refer back
|
||||
if (isset($backTo)) header('Location: ' . $backTo);
|
||||
else header('Location: ./');
|
||||
return;
|
||||
|
||||
}
|
||||
else if ($task == "delete") {
|
||||
|
||||
if (!is_file(fileDir . "/$subject")) {
|
||||
printErrorPage($translations['fileDoesNotExist']); return;
|
||||
}
|
||||
|
||||
unlink(fileDir . "/$subject");
|
||||
|
||||
$_SESSION["editHistory"] = ["changesDeleted", $translations['deletedFile'] . " $subject"];
|
||||
|
||||
// Refer back
|
||||
if (isset($backTo)) header('Location: ' . $backTo);
|
||||
else header('Location: ./');
|
||||
return;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user