Added whitelist for uploadable files.

Added greyscale mdlogo to git and set it as the default logo.
This commit is contained in:
Joshua Ramon Enslin 2018-06-18 21:42:14 +02:00 committed by Stefan Rohde-Enslin
parent 0eab8391dd
commit 768c0998aa
6 changed files with 103 additions and 24 deletions

appFiles/mdlogo.png Normal file


@ -13,7 +13,7 @@
require_once __DIR__ . "/inc/functions.php"; require_once __DIR__ . "/inc/functions.php";
ensureEnvironment(); // Ensure existence of system files. ensureEnvironment(); // Ensure existence of system files.
$translations = loadLanguage(); // Load translations. $translations = loadLanguage($settings['defaultLang']); // Load translations.
ensureBackendEnv(); // Ensure session is started etc. ensureBackendEnv(); // Ensure session is started etc.
$pages = loadPages(); // Load overview of pages. $pages = loadPages(); // Load overview of pages.
@ -22,7 +22,7 @@ $pages = loadPages(); // Load overview of pages.
*/ */
// Check for vars. // Check for vars.
loadHttpToGlobals(["subject", "task"]); loadHttpToGlobals(["subject", "task", "backTo"]);
if (!isset($task)) $task = "list"; if (!isset($task)) $task = "list";
define("fileDir", __DIR__ . "/../files"); define("fileDir", __DIR__ . "/../files");
@ -36,22 +36,52 @@ if ($task == "list") {
} }
else if ($task == "upload") { else if ($task == "upload") {
// TODO: Add whitelist for extensions. $allowedFiletypes = [
"image/png",
"image/jpeg",
];
$uploaddir = fileDir . '/'; $uploaddir = fileDir . '/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']); $uploadfile = $uploaddir . basename($_FILES['file']['name']);
if (filesize($_FILES['userfile']['tmp_name']) > 300000) { // Whitelist of allowed types.
if (!in_array($_FILES['file']['type'], $allowedFiletypes)) {
printErrorPage($translations['filetypeNotWhitelisted']);
return;
}
if (filesize($_FILES['file']['tmp_name']) > 300000) {
printErrorPage($translations['fileTooLarge']); printErrorPage($translations['fileTooLarge']);
return; return;
} }
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) { if (!(move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))) {
echo "Datei ist valide und wurde erfolgreich hochgeladen.\n"; printErrorPage($translations['fileUploadError']);
return;
} }
else {
echo "Möglicherweise eine Dateiupload-Attacke!\n"; $_SESSION["editHistory"] = ["changesStored", $translations['uploadedFile']];
// Refer back
if (isset($backTo)) header('Location: ' . $backTo);
else header('Location: ./');
return;
} }
else if ($task == "delete") {
if (!is_file(fileDir . "/$subject")) {
printErrorPage($translations['fileDoesNotExist']); return;
}
unlink(fileDir . "/$subject");
$_SESSION["editHistory"] = ["changesDeleted", $translations['deletedFile'] . " $subject"];
// Refer back
if (isset($backTo)) header('Location: ' . $backTo);
else header('Location: ./');
return;
} }
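Review bot: The whitelist check `if (!in_array($_FILES['file']['type'], $allowedFiletypes))` compares the MIME type the browser reports, which the uploader controls, so any file passes by declaring `image/png`; derive the type server-side instead, e.g. `$detected = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);` compared strictly (`in_array($detected, $allowedFiletypes, true)`), ideally together with an extension whitelist, since the file keeps its original name and is stored under the web-served files directory. The new delete branch uses `$subject` unmodified in `fileDir . "/$subject"`, so a value containing `../` reaches `unlink()` outside that directory because `is_file` does not prevent traversal; `$subject = basename($subject);` before the check, or a `realpath()` comparison against `fileDir`, closes that. Both branches redirect to the request-supplied `$backTo` without validation, which is an open redirect, and `$_FILES['file']['error']` is never compared with `UPLOAD_ERR_OK` before the size and move steps. The `$task` if/else chain begins before this hunk.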


@ -209,6 +209,11 @@ document.addEventListener("DOMContentLoaded", function() {
uploadSize.name = "MAX_FILE_SIZE"; uploadSize.name = "MAX_FILE_SIZE";
uploadSize.value = "300000"; uploadSize.value = "300000";
let uploadBackTo = document.createElement("input");
uploadBackTo.type = "hidden";
uploadBackTo.name = "backTo";
uploadBackTo.value = location.href;
let uploadTask = document.createElement("input"); let uploadTask = document.createElement("input");
uploadTask.type = "hidden"; uploadTask.type = "hidden";
uploadTask.name = "task"; uploadTask.name = "task";
@ -226,16 +231,24 @@ document.addEventListener("DOMContentLoaded", function() {
uploadForm.appendChild(uploadLabel); uploadForm.appendChild(uploadLabel);
uploadForm.appendChild(uploadSize); uploadForm.appendChild(uploadSize);
uploadForm.appendChild(uploadTask); uploadForm.appendChild(uploadTask);
uploadForm.appendChild(uploadBackTo);
uploadForm.appendChild(uploadInput); uploadForm.appendChild(uploadInput);
uploadForm.appendChild(uploadButton); uploadForm.appendChild(uploadButton);
overlay.appendChild(uploadForm); overlay.appendChild(uploadForm);
document.getElementsByTagName("body")[0].appendChild(overlay);
document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
if (e.keyCode != 27) return; /**
removeElement(overlay); * Function for generating file list.
}); *
* @param {function} callback Function to call on clicking on a file name.
*
* @return {DOMElement}
*/
function generateFileList(callback) {
let fileList = document.createElement("table");
fileList.classList.add("fileList");
queryPage( queryPage(
encodeURI('./files.php'), encodeURI('./files.php'),
@ -243,11 +256,39 @@ document.addEventListener("DOMContentLoaded", function() {
let allFiles = JSON.parse(request.response); let allFiles = JSON.parse(request.response);
for (let i = 0, max = allFiles.length; i < max; i++) { for (let i = 0, max = allFiles.length; i < max; i++) {
console.log(allFiles[i]);
let fileLine = document.createElement("tr");
let fileLineName = document.createElement("td"); // Add TD for displaying file name and main action
fileLineName.textContent = allFiles[i]; // Display file name
fileLineName.addEventListener('click', function(e) {
callback("../files/" + allFiles[i]);
});
fileLine.appendChild(fileLineName);
let fileLineDelete = document.createElement("td"); // Add TD for deleting file
let fileLineDeleteLink = document.createElement("a"); // Add a.
fileLineDeleteLink.textContent = "\u2326"; // Delete Symbole
fileLineDeleteLink.href = "files.php?task=delete&subject=" + encodeURI(allFiles[i]) + "&backTo=" + encodeURI(location.href);
fileLineDelete.appendChild(fileLineDeleteLink);
fileLine.appendChild(fileLineDelete);
fileList.appendChild(fileLine);
} }
}); });
return fileList;
}
overlay.appendChild(generateFileList(function(value) { location.href = value; }));
document.getElementsByTagName("body")[0].appendChild(overlay);
document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
if (e.keyCode != 27) return;
removeElement(overlay);
});
}); });
})(); })();
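Review bot: The delete link built at `fileLineDeleteLink.href = "files.php?task=delete&subject=" + encodeURI(allFiles[i]) + "&backTo=" + encodeURI(location.href);` encodes its parameter values with `encodeURI`, which leaves `&`, `=`, `?` and `#` untouched, so a file name or page URL containing those characters corrupts the query string; use `encodeURIComponent` for both values. Deleting through a plain GET link also means a link prefetcher or any page that can make the browser request that URL removes the file with no confirmation and no CSRF token, so a POST form carrying a token, mirroring the upload form above, would be the safer shape. The `console.log(allFiles[i]);` inside the loop reads as leftover debugging output. `generateFileList` is declared inside the `DOMContentLoaded` handler, whose start lies before this hunk.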


@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>Auf dieser Seite können Sie statische Sei
$translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.'; $translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.';
$translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.'; $translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.';
$translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.'; $translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.';
$translations['deletedFile'] = 'Datei wurde gelöscht';
$translations['uploadedFile'] = 'Datei wurde heraufgeladen';
$translations['fileUploadError'] = 'Ein Fehler ist aufgetreten';
$translations['filetypeNotWhitelisted'] = 'Dateityp ist nicht erlaubt';
?> ?>


@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>On this page, you can add or edit static p
$translations['requiredValueMissing'] = 'A required value is missing.'; $translations['requiredValueMissing'] = 'A required value is missing.';
$translations['passwordsDoNotMatch'] = 'The passwords do not match.'; $translations['passwordsDoNotMatch'] = 'The passwords do not match.';
$translations['passwordTooShort'] = 'The password is too short.'; $translations['passwordTooShort'] = 'The password is too short.';
$translations['deletedFile'] = 'Deleted file';
$translations['uploadedFile'] = 'Uploaded file';
$translations['fileUploadError'] = 'Error uploading file';
$translations['filetypeNotWhitelisted'] = 'Filetype is not in whitelist';
?> ?>


@ -71,7 +71,7 @@ function ensureEnvironment() {
[ [
"startPage" => "1", "startPage" => "1",
"pageTitle" => "md:cms", "pageTitle" => "md:cms",
"logo" => "", "logo" => "/appFiles/mdlogo.png",
"url" => "", "url" => "",
"css" => "default", "css" => "default",
"defaultLang" => "en", "defaultLang" => "en",