Added whitelist for uploadable files.
Added greyscale mdlogo to git and set it as the default logo.
parent
0eab8391dd
commit
768c0998aa
BIN
appFiles/mdlogo.png
Normal file
@ -12,17 +12,17 @@
|
||||||
|
|
||||||
require_once __DIR__ . "/inc/functions.php";
|
require_once __DIR__ . "/inc/functions.php";
|
||||||
|
|
||||||
ensureEnvironment(); // Ensure existence of system files.
|
ensureEnvironment(); // Ensure existence of system files.
|
||||||
$translations = loadLanguage(); // Load translations.
|
$translations = loadLanguage($settings['defaultLang']); // Load translations.
|
||||||
ensureBackendEnv(); // Ensure session is started etc.
|
ensureBackendEnv(); // Ensure session is started etc.
|
||||||
$pages = loadPages(); // Load overview of pages.
|
$pages = loadPages(); // Load overview of pages.
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Load data.
|
* Load data.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// Check for vars.
|
// Check for vars.
|
||||||
loadHttpToGlobals(["subject", "task"]);
|
loadHttpToGlobals(["subject", "task", "backTo"]);
|
||||||
if (!isset($task)) $task = "list";
|
if (!isset($task)) $task = "list";
|
||||||
|
|
||||||
define("fileDir", __DIR__ . "/../files");
|
define("fileDir", __DIR__ . "/../files");
|
||||||
|
@ -36,23 +36,53 @@ if ($task == "list") {
|
||||||
}
|
}
|
||||||
else if ($task == "upload") {
|
else if ($task == "upload") {
|
||||||
|
|
||||||
// TODO: Add whitelist for extensions.
|
$allowedFiletypes = [
|
||||||
|
"image/png",
|
||||||
|
"image/jpeg",
|
||||||
|
];
|
||||||
|
|
||||||
$uploaddir = fileDir . '/';
|
$uploaddir = fileDir . '/';
|
||||||
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
|
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
|
||||||
|
|
||||||
if (filesize($_FILES['userfile']['tmp_name']) > 300000) {
|
// Whitelist of allowed types.
|
||||||
|
if (!in_array($_FILES['file']['type'], $allowedFiletypes)) {
|
||||||
|
printErrorPage($translations['filetypeNotWhitelisted']);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (filesize($_FILES['file']['tmp_name']) > 300000) {
|
||||||
printErrorPage($translations['fileTooLarge']);
|
printErrorPage($translations['fileTooLarge']);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
|
if (!(move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))) {
|
||||||
echo "Datei ist valide und wurde erfolgreich hochgeladen.\n";
|
printErrorPage($translations['fileUploadError']);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
echo "Möglicherweise eine Dateiupload-Attacke!\n";
|
$_SESSION["editHistory"] = ["changesStored", $translations['uploadedFile']];
|
||||||
|
|
||||||
|
// Refer back
|
||||||
|
if (isset($backTo)) header('Location: ' . $backTo);
|
||||||
|
else header('Location: ./');
|
||||||
|
return;
|
||||||
|
|
||||||
|
}
|
||||||
|
else if ($task == "delete") {
|
||||||
|
|
||||||
|
if (!is_file(fileDir . "/$subject")) {
|
||||||
|
printErrorPage($translations['fileDoesNotExist']); return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
unlink(fileDir . "/$subject");
|
||||||
|
|
||||||
|
$_SESSION["editHistory"] = ["changesDeleted", $translations['deletedFile'] . " $subject"];
|
||||||
|
|
||||||
|
// Refer back
|
||||||
|
if (isset($backTo)) header('Location: ' . $backTo);
|
||||||
|
else header('Location: ./');
|
||||||
|
return;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
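Review bot: The whitelist added in the `upload` branch compares `$_FILES['file']['type']`, which is a value the browser sends along with the request rather than anything derived from the uploaded bytes, so it does not constrain what is written into `fileDir`, and the stored name `basename($_FILES['file']['name'])` keeps whatever extension the client chose. Detect the type server-side with `finfo_file()` on `tmp_name` (or `getimagesize()` for images) and only accept an extension that matches the detected type before `move_uploaded_file` runs, as in the sketch below. The `delete` branch interpolates the request parameter `$subject` into `fileDir . "/$subject"` without normalising it, so `is_file`/`unlink` can be pointed at a path outside `fileDir`; `$subject = basename($subject);` before the `is_file` check, or a `realpath()` comparison against `realpath(fileDir)`, closes that. Both branches then redirect to the request-supplied `$backTo` unchecked, which should be limited to a same-origin path (for example accept only values that start with `/` but not `//`). The `if ($task == "list")` chain these branches belong to starts outside the hunk.

```php
// … unchanged: $uploaddir / $uploadfile …
// Map of accepted MIME types (as detected from the file contents) to the extensions allowed for them.
$allowedFiletypes = [
    "image/png"  => ["png"],
    "image/jpeg" => ["jpg", "jpeg"],
];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$detectedType = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);
$extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!isset($allowedFiletypes[$detectedType]) || !in_array($extension, $allowedFiletypes[$detectedType], true)) {
    printErrorPage($translations['filetypeNotWhitelisted']);
    return;
}
// … unchanged: size check, move_uploaded_file, editHistory, redirect …
```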
@ -209,6 +209,11 @@ document.addEventListener("DOMContentLoaded", function() {
|
||||||
uploadSize.name = "MAX_FILE_SIZE";
|
uploadSize.name = "MAX_FILE_SIZE";
|
||||||
uploadSize.value = "300000";
|
uploadSize.value = "300000";
|
||||||
|
|
||||||
|
let uploadBackTo = document.createElement("input");
|
||||||
|
uploadBackTo.type = "hidden";
|
||||||
|
uploadBackTo.name = "backTo";
|
||||||
|
uploadBackTo.value = location.href;
|
||||||
|
|
||||||
let uploadTask = document.createElement("input");
|
let uploadTask = document.createElement("input");
|
||||||
uploadTask.type = "hidden";
|
uploadTask.type = "hidden";
|
||||||
uploadTask.name = "task";
|
uploadTask.name = "task";
|
||||||
|
@ -226,10 +231,57 @@ document.addEventListener("DOMContentLoaded", function() {
|
||||||
uploadForm.appendChild(uploadLabel);
|
uploadForm.appendChild(uploadLabel);
|
||||||
uploadForm.appendChild(uploadSize);
|
uploadForm.appendChild(uploadSize);
|
||||||
uploadForm.appendChild(uploadTask);
|
uploadForm.appendChild(uploadTask);
|
||||||
|
uploadForm.appendChild(uploadBackTo);
|
||||||
uploadForm.appendChild(uploadInput);
|
uploadForm.appendChild(uploadInput);
|
||||||
uploadForm.appendChild(uploadButton);
|
uploadForm.appendChild(uploadButton);
|
||||||
|
|
||||||
overlay.appendChild(uploadForm);
|
overlay.appendChild(uploadForm);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Function for generating file list.
|
||||||
|
*
|
||||||
|
* @param {function} callback Function to call on clicking on a file name.
|
||||||
|
*
|
||||||
|
* @return {DOMElement}
|
||||||
|
*/
|
||||||
|
function generateFileList(callback) {
|
||||||
|
|
||||||
|
let fileList = document.createElement("table");
|
||||||
|
fileList.classList.add("fileList");
|
||||||
|
|
||||||
|
queryPage(
|
||||||
|
encodeURI('./files.php'),
|
||||||
|
function (request) {
|
||||||
|
let allFiles = JSON.parse(request.response);
|
||||||
|
|
||||||
|
for (let i = 0, max = allFiles.length; i < max; i++) {
|
||||||
|
|
||||||
|
let fileLine = document.createElement("tr");
|
||||||
|
|
||||||
|
let fileLineName = document.createElement("td"); // Add TD for displaying file name and main action
|
||||||
|
fileLineName.textContent = allFiles[i]; // Display file name
|
||||||
|
fileLineName.addEventListener('click', function(e) {
|
||||||
|
callback("../files/" + allFiles[i]);
|
||||||
|
});
|
||||||
|
fileLine.appendChild(fileLineName);
|
||||||
|
|
||||||
|
let fileLineDelete = document.createElement("td"); // Add TD for deleting file
|
||||||
|
let fileLineDeleteLink = document.createElement("a"); // Add a.
|
||||||
|
fileLineDeleteLink.textContent = "\u2326"; // Delete Symbole
|
||||||
|
fileLineDeleteLink.href = "files.php?task=delete&subject=" + encodeURI(allFiles[i]) + "&backTo=" + encodeURI(location.href);
|
||||||
|
fileLineDelete.appendChild(fileLineDeleteLink);
|
||||||
|
fileLine.appendChild(fileLineDelete);
|
||||||
|
|
||||||
|
fileList.appendChild(fileLine);
|
||||||
|
}
|
||||||
|
|
||||||
|
});
|
||||||
|
|
||||||
|
return fileList;
|
||||||
|
}
|
||||||
|
|
||||||
|
overlay.appendChild(generateFileList(function(value) { location.href = value; }));
|
||||||
document.getElementsByTagName("body")[0].appendChild(overlay);
|
document.getElementsByTagName("body")[0].appendChild(overlay);
|
||||||
|
|
||||||
document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
|
document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
|
||||||
|
@ -237,17 +289,6 @@ document.addEventListener("DOMContentLoaded", function() {
|
||||||
removeElement(overlay);
|
removeElement(overlay);
|
||||||
});
|
});
|
||||||
|
|
||||||
queryPage(
|
|
||||||
encodeURI('./files.php'),
|
|
||||||
function (request) {
|
|
||||||
let allFiles = JSON.parse(request.response);
|
|
||||||
|
|
||||||
for (let i = 0, max = allFiles.length; i < max; i++) {
|
|
||||||
console.log(allFiles[i]);
|
|
||||||
}
|
|
||||||
|
|
||||||
});
|
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
})();
|
})();
|
||||||
|
|
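Review bot: The delete link built in `generateFileList` encodes its query parameters with `encodeURI`, which leaves `&`, `=`, `?` and `#` unencoded, so a file name containing any of those characters produces a `subject` value the server parses as something else (the same applies to the `backTo` value appended from `location.href`); build the query with `const params = new URLSearchParams({ task: "delete", subject: allFiles[i], backTo: location.href });` and `fileLineDeleteLink.href = "files.php?" + params;`. Making deletion a plain `<a>` navigation also means a state-changing action runs on a simple link follow with no confirmation and no request token, which leaves it open to cross-site request forgery; a small POST form per row, carrying whatever anti-CSRF token the backend uses (none is visible in this commit), would be the safer shape. `generateFileList` is declared inside the `DOMContentLoaded` handler, whose body starts and ends outside the hunk.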
|
@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>Auf dieser Seite können Sie statische Sei
|
||||||
$translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.';
|
$translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.';
|
||||||
$translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.';
|
$translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.';
|
||||||
$translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.';
|
$translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.';
|
||||||
|
$translations['deletedFile'] = 'Datei wurde gelöscht';
|
||||||
|
$translations['uploadedFile'] = 'Datei wurde heraufgeladen';
|
||||||
|
$translations['fileUploadError'] = 'Ein Fehler ist aufgetreten';
|
||||||
|
$translations['filetypeNotWhitelisted'] = 'Dateityp ist nicht erlaubt';
|
||||||
?>
|
?>
|
|
@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>On this page, you can add or edit static p
|
||||||
$translations['requiredValueMissing'] = 'A required value is missing.';
|
$translations['requiredValueMissing'] = 'A required value is missing.';
|
||||||
$translations['passwordsDoNotMatch'] = 'The passwords do not match.';
|
$translations['passwordsDoNotMatch'] = 'The passwords do not match.';
|
||||||
$translations['passwordTooShort'] = 'The password is too short.';
|
$translations['passwordTooShort'] = 'The password is too short.';
|
||||||
|
$translations['deletedFile'] = 'Deleted file';
|
||||||
|
$translations['uploadedFile'] = 'Uploaded file';
|
||||||
|
$translations['fileUploadError'] = 'Error uploading file';
|
||||||
|
$translations['filetypeNotWhitelisted'] = 'Filetype is not in whitelist';
|
||||||
?>
|
?>
|
|
@ -71,7 +71,7 @@ function ensureEnvironment() {
|
||||||
[
|
[
|
||||||
"startPage" => "1",
|
"startPage" => "1",
|
||||||
"pageTitle" => "md:cms",
|
"pageTitle" => "md:cms",
|
||||||
"logo" => "",
|
"logo" => "/appFiles/mdlogo.png",
|
||||||
"url" => "",
|
"url" => "",
|
||||||
"css" => "default",
|
"css" => "default",
|
||||||
"defaultLang" => "en",
|
"defaultLang" => "en",
|
||||||
|
|