Added whitelist for uploadable files.

Added greyscale mdlogo to git and set it as the default logo.

edit/files.php

@@ -13,7 +13,7 @@
 require_once __DIR__ . "/inc/functions.php";
 
 ensureEnvironment();                                    // Ensure existence of system files.
-$translations = loadLanguage(); // Load translations.
+$translations = loadLanguage($settings['defaultLang']); // Load translations.
 ensureBackendEnv();                                     // Ensure session is started etc.
 $pages = loadPages();                                   // Load overview of pages.
 
@@ -22,7 +22,7 @@ $pages = loadPages();           // Load overview of pages.
  */
 
 // Check for vars.
-loadHttpToGlobals(["subject", "task"]);
+loadHttpToGlobals(["subject", "task", "backTo"]);
 if (!isset($task)) $task = "list";
 
 define("fileDir", __DIR__ . "/../files");
@@ -36,23 +36,53 @@ if ($task == "list") {
 }
 else if ($task == "upload") {
 
-    // TODO: Add whitelist for extensions.
+    $allowedFiletypes = [
+        "image/png",
+        "image/jpeg",
+    ];
 
     $uploaddir = fileDir . '/';
-    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
+    $uploadfile = $uploaddir . basename($_FILES['file']['name']);
 
-    if (filesize($_FILES['userfile']['tmp_name']) > 300000) {
+    // Whitelist of allowed types.
+    if (!in_array($_FILES['file']['type'], $allowedFiletypes)) {
+        printErrorPage($translations['filetypeNotWhitelisted']);
+        return;
+    }
+
+    if (filesize($_FILES['file']['tmp_name']) > 300000) {
         printErrorPage($translations['fileTooLarge']);
         return;
     }
 
-    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
-        echo "Datei ist valide und wurde erfolgreich hochgeladen.\n";
+    if (!(move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))) {
+        printErrorPage($translations['fileUploadError']);
+        return;
     }
-    else {
-        echo "Möglicherweise eine Dateiupload-Attacke!\n";
+
+    $_SESSION["editHistory"] = ["changesStored", $translations['uploadedFile']];
+
+    // Refer back
+    if (isset($backTo)) header('Location: ' . $backTo);
+    else header('Location: ./');
+    return;
+
+}
+else if ($task == "delete") {
+
+    if (!is_file(fileDir . "/$subject")) {
+        printErrorPage($translations['fileDoesNotExist']); return;
     }
 
+    unlink(fileDir . "/$subject");
+
+    $_SESSION["editHistory"] = ["changesDeleted", $translations['deletedFile'] . " $subject"];
+
+    // Refer back
+    if (isset($backTo)) header('Location: ' . $backTo);
+    else header('Location: ./');
+    return;
+
 }
 
 

edit/js/main.js

@@ -209,6 +209,11 @@ document.addEventListener("DOMContentLoaded", function() {
             uploadSize.name = "MAX_FILE_SIZE";
             uploadSize.value = "300000";
 
+            let uploadBackTo = document.createElement("input");
+            uploadBackTo.type = "hidden";
+            uploadBackTo.name = "backTo";
+            uploadBackTo.value = location.href;
+
             let uploadTask = document.createElement("input");
             uploadTask.type = "hidden";
             uploadTask.name = "task";
@@ -226,16 +231,24 @@ document.addEventListener("DOMContentLoaded", function() {
             uploadForm.appendChild(uploadLabel);
             uploadForm.appendChild(uploadSize);
             uploadForm.appendChild(uploadTask);
+            uploadForm.appendChild(uploadBackTo);
             uploadForm.appendChild(uploadInput);
             uploadForm.appendChild(uploadButton);
 
             overlay.appendChild(uploadForm);
-            document.getElementsByTagName("body")[0].appendChild(overlay);
 
-            document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
-                if (e.keyCode != 27) return;
-                removeElement(overlay);
-            });
+
+            /**
+             * Function for generating file list.
+             *
+             * @param {function} callback Function to call on clicking on a file name.
+             *
+             * @return {DOMElement}
+             */
+            function generateFileList(callback) {
+
+                let fileList = document.createElement("table");
+                fileList.classList.add("fileList");
 
                 queryPage(
                     encodeURI('./files.php'),
@@ -243,11 +256,39 @@ document.addEventListener("DOMContentLoaded", function() {
                         let allFiles = JSON.parse(request.response);
 
                         for (let i = 0, max = allFiles.length; i < max; i++) {
-                        console.log(allFiles[i]);
+
+                            let fileLine = document.createElement("tr");
+
+                            let fileLineName = document.createElement("td");    // Add TD for displaying file name and main action
+                            fileLineName.textContent = allFiles[i];             // Display file name
+                            fileLineName.addEventListener('click', function(e) {
+                                callback("../files/" + allFiles[i]);
+                            });
+                            fileLine.appendChild(fileLineName);
+
+                            let fileLineDelete = document.createElement("td");    // Add TD for deleting file
+                            let fileLineDeleteLink = document.createElement("a"); // Add a.
+                            fileLineDeleteLink.textContent = "\u2326";            // Delete Symbole
+                            fileLineDeleteLink.href = "files.php?task=delete&subject=" + encodeURI(allFiles[i]) + "&backTo=" + encodeURI(location.href);
+                            fileLineDelete.appendChild(fileLineDeleteLink);
+                            fileLine.appendChild(fileLineDelete);
+
+                            fileList.appendChild(fileLine);
                         }
 
                     });
 
+                return fileList;
+            }
+
+            overlay.appendChild(generateFileList(function(value) { location.href = value; }));
+            document.getElementsByTagName("body")[0].appendChild(overlay);
+
+            document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
+                if (e.keyCode != 27) return;
+                removeElement(overlay);
+            });
+
         });
 
     })();

edit/translations/de.php

@@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>Auf dieser Seite können Sie statische Sei
 $translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.';
 $translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.';
 $translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.';
+$translations['deletedFile'] = 'Datei wurde gelöscht';
+$translations['uploadedFile'] = 'Datei wurde heraufgeladen';
+$translations['fileUploadError'] = 'Ein Fehler ist aufgetreten';
+$translations['filetypeNotWhitelisted'] = 'Dateityp ist nicht erlaubt';
 ?>

edit/translations/en.php

@@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>On this page, you can add or edit static p
 $translations['requiredValueMissing'] = 'A required value is missing.';
 $translations['passwordsDoNotMatch'] = 'The passwords do not match.';
 $translations['passwordTooShort'] = 'The password is too short.';
+$translations['deletedFile'] = 'Deleted file';
+$translations['uploadedFile'] = 'Uploaded file';
+$translations['fileUploadError'] = 'Error uploading file';
+$translations['filetypeNotWhitelisted'] = 'Filetype is not in whitelist';
 ?>

inc/functions.php

@@ -71,7 +71,7 @@ function ensureEnvironment() {
         [
             "startPage"             => "1",
             "pageTitle"             => "md:cms",
-            "logo"                  => "",
+            "logo"                  => "/appFiles/mdlogo.png",
             "url"                   => "",
             "css"                   => "default",
             "defaultLang"           => "en",