Added whitelist for uploadable files.

Added greyscale mdlogo to git and set it as the default logo.
This commit is contained in:
Joshua Ramon Enslin 2018-06-18 21:42:14 +02:00 committed by Stefan Rohde-Enslin
parent 0eab8391dd
commit 768c0998aa
6 changed files with 103 additions and 24 deletions

BIN
appFiles/mdlogo.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.4 KiB

View File

@ -12,17 +12,17 @@
require_once __DIR__ . "/inc/functions.php";
ensureEnvironment(); // Ensure existence of system files.
$translations = loadLanguage(); // Load translations.
ensureBackendEnv(); // Ensure session is started etc.
$pages = loadPages(); // Load overview of pages.
ensureEnvironment(); // Ensure existence of system files.
$translations = loadLanguage($settings['defaultLang']); // Load translations.
ensureBackendEnv(); // Ensure session is started etc.
$pages = loadPages(); // Load overview of pages.
/*
* Load data.
*/
// Check for vars.
loadHttpToGlobals(["subject", "task"]);
loadHttpToGlobals(["subject", "task", "backTo"]);
if (!isset($task)) $task = "list";
define("fileDir", __DIR__ . "/../files");
@ -36,23 +36,53 @@ if ($task == "list") {
}
else if ($task == "upload") {
// TODO: Add whitelist for extensions.
$allowedFiletypes = [
"image/png",
"image/jpeg",
];
$uploaddir = fileDir . '/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
if (filesize($_FILES['userfile']['tmp_name']) > 300000) {
// Whitelist of allowed types.
if (!in_array($_FILES['file']['type'], $allowedFiletypes)) {
printErrorPage($translations['filetypeNotWhitelisted']);
return;
}
if (filesize($_FILES['file']['tmp_name']) > 300000) {
printErrorPage($translations['fileTooLarge']);
return;
}
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "Datei ist valide und wurde erfolgreich hochgeladen.\n";
if (!(move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))) {
printErrorPage($translations['fileUploadError']);
return;
}
else {
echo "Möglicherweise eine Dateiupload-Attacke!\n";
$_SESSION["editHistory"] = ["changesStored", $translations['uploadedFile']];
// Refer back
if (isset($backTo)) header('Location: ' . $backTo);
else header('Location: ./');
return;
}
else if ($task == "delete") {
if (!is_file(fileDir . "/$subject")) {
printErrorPage($translations['fileDoesNotExist']); return;
}
unlink(fileDir . "/$subject");
$_SESSION["editHistory"] = ["changesDeleted", $translations['deletedFile'] . " $subject"];
// Refer back
if (isset($backTo)) header('Location: ' . $backTo);
else header('Location: ./');
return;
}

View File

@ -209,6 +209,11 @@ document.addEventListener("DOMContentLoaded", function() {
uploadSize.name = "MAX_FILE_SIZE";
uploadSize.value = "300000";
let uploadBackTo = document.createElement("input");
uploadBackTo.type = "hidden";
uploadBackTo.name = "backTo";
uploadBackTo.value = location.href;
let uploadTask = document.createElement("input");
uploadTask.type = "hidden";
uploadTask.name = "task";
@ -226,10 +231,57 @@ document.addEventListener("DOMContentLoaded", function() {
uploadForm.appendChild(uploadLabel);
uploadForm.appendChild(uploadSize);
uploadForm.appendChild(uploadTask);
uploadForm.appendChild(uploadBackTo);
uploadForm.appendChild(uploadInput);
uploadForm.appendChild(uploadButton);
overlay.appendChild(uploadForm);
/**
* Function for generating file list.
*
* @param {function} callback Function to call on clicking on a file name.
*
* @return {DOMElement}
*/
function generateFileList(callback) {
let fileList = document.createElement("table");
fileList.classList.add("fileList");
queryPage(
encodeURI('./files.php'),
function (request) {
let allFiles = JSON.parse(request.response);
for (let i = 0, max = allFiles.length; i < max; i++) {
let fileLine = document.createElement("tr");
let fileLineName = document.createElement("td"); // Add TD for displaying file name and main action
fileLineName.textContent = allFiles[i]; // Display file name
fileLineName.addEventListener('click', function(e) {
callback("../files/" + allFiles[i]);
});
fileLine.appendChild(fileLineName);
let fileLineDelete = document.createElement("td"); // Add TD for deleting file
let fileLineDeleteLink = document.createElement("a"); // Add a.
fileLineDeleteLink.textContent = "\u2326"; // Delete Symbole
fileLineDeleteLink.href = "files.php?task=delete&subject=" + encodeURI(allFiles[i]) + "&backTo=" + encodeURI(location.href);
fileLineDelete.appendChild(fileLineDeleteLink);
fileLine.appendChild(fileLineDelete);
fileList.appendChild(fileLine);
}
});
return fileList;
}
overlay.appendChild(generateFileList(function(value) { location.href = value; }));
document.getElementsByTagName("body")[0].appendChild(overlay);
document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
@ -237,17 +289,6 @@ document.addEventListener("DOMContentLoaded", function() {
removeElement(overlay);
});
queryPage(
encodeURI('./files.php'),
function (request) {
let allFiles = JSON.parse(request.response);
for (let i = 0, max = allFiles.length; i < max; i++) {
console.log(allFiles[i]);
}
});
});
})();

View File

@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>Auf dieser Seite können Sie statische Sei
$translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.';
$translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.';
$translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.';
$translations['deletedFile'] = 'Datei wurde gelöscht';
$translations['uploadedFile'] = 'Datei wurde heraufgeladen';
$translations['fileUploadError'] = 'Ein Fehler ist aufgetreten';
$translations['filetypeNotWhitelisted'] = 'Dateityp ist nicht erlaubt';
?>

View File

@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>On this page, you can add or edit static p
$translations['requiredValueMissing'] = 'A required value is missing.';
$translations['passwordsDoNotMatch'] = 'The passwords do not match.';
$translations['passwordTooShort'] = 'The password is too short.';
$translations['deletedFile'] = 'Deleted file';
$translations['uploadedFile'] = 'Uploaded file';
$translations['fileUploadError'] = 'Error uploading file';
$translations['filetypeNotWhitelisted'] = 'Filetype is not in whitelist';
?>

View File

@ -71,7 +71,7 @@ function ensureEnvironment() {
[
"startPage" => "1",
"pageTitle" => "md:cms",
"logo" => "",
"logo" => "/appFiles/mdlogo.png",
"url" => "",
"css" => "default",
"defaultLang" => "en",