Added whitelist for uploadable files.
Added greyscale mdlogo to git and set it as the default logo.
This commit is contained in:
parent
0eab8391dd
commit
768c0998aa
BIN
appFiles/mdlogo.png
Normal file
BIN
appFiles/mdlogo.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.4 KiB |
|
@ -12,17 +12,17 @@
|
|||
|
||||
require_once __DIR__ . "/inc/functions.php";
|
||||
|
||||
ensureEnvironment(); // Ensure existence of system files.
|
||||
$translations = loadLanguage(); // Load translations.
|
||||
ensureBackendEnv(); // Ensure session is started etc.
|
||||
$pages = loadPages(); // Load overview of pages.
|
||||
ensureEnvironment(); // Ensure existence of system files.
|
||||
$translations = loadLanguage($settings['defaultLang']); // Load translations.
|
||||
ensureBackendEnv(); // Ensure session is started etc.
|
||||
$pages = loadPages(); // Load overview of pages.
|
||||
|
||||
/*
|
||||
* Load data.
|
||||
*/
|
||||
|
||||
// Check for vars.
|
||||
loadHttpToGlobals(["subject", "task"]);
|
||||
loadHttpToGlobals(["subject", "task", "backTo"]);
|
||||
if (!isset($task)) $task = "list";
|
||||
|
||||
define("fileDir", __DIR__ . "/../files");
|
||||
|
@ -36,23 +36,53 @@ if ($task == "list") {
|
|||
}
|
||||
else if ($task == "upload") {
|
||||
|
||||
// TODO: Add whitelist for extensions.
|
||||
$allowedFiletypes = [
|
||||
"image/png",
|
||||
"image/jpeg",
|
||||
];
|
||||
|
||||
$uploaddir = fileDir . '/';
|
||||
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
|
||||
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
|
||||
|
||||
if (filesize($_FILES['userfile']['tmp_name']) > 300000) {
|
||||
// Whitelist of allowed types.
|
||||
if (!in_array($_FILES['file']['type'], $allowedFiletypes)) {
|
||||
printErrorPage($translations['filetypeNotWhitelisted']);
|
||||
return;
|
||||
}
|
||||
|
||||
if (filesize($_FILES['file']['tmp_name']) > 300000) {
|
||||
printErrorPage($translations['fileTooLarge']);
|
||||
return;
|
||||
}
|
||||
|
||||
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
|
||||
echo "Datei ist valide und wurde erfolgreich hochgeladen.\n";
|
||||
if (!(move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))) {
|
||||
printErrorPage($translations['fileUploadError']);
|
||||
return;
|
||||
}
|
||||
else {
|
||||
echo "Möglicherweise eine Dateiupload-Attacke!\n";
|
||||
|
||||
$_SESSION["editHistory"] = ["changesStored", $translations['uploadedFile']];
|
||||
|
||||
// Refer back
|
||||
if (isset($backTo)) header('Location: ' . $backTo);
|
||||
else header('Location: ./');
|
||||
return;
|
||||
|
||||
}
|
||||
else if ($task == "delete") {
|
||||
|
||||
if (!is_file(fileDir . "/$subject")) {
|
||||
printErrorPage($translations['fileDoesNotExist']); return;
|
||||
}
|
||||
|
||||
unlink(fileDir . "/$subject");
|
||||
|
||||
$_SESSION["editHistory"] = ["changesDeleted", $translations['deletedFile'] . " $subject"];
|
||||
|
||||
// Refer back
|
||||
if (isset($backTo)) header('Location: ' . $backTo);
|
||||
else header('Location: ./');
|
||||
return;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -209,6 +209,11 @@ document.addEventListener("DOMContentLoaded", function() {
|
|||
uploadSize.name = "MAX_FILE_SIZE";
|
||||
uploadSize.value = "300000";
|
||||
|
||||
let uploadBackTo = document.createElement("input");
|
||||
uploadBackTo.type = "hidden";
|
||||
uploadBackTo.name = "backTo";
|
||||
uploadBackTo.value = location.href;
|
||||
|
||||
let uploadTask = document.createElement("input");
|
||||
uploadTask.type = "hidden";
|
||||
uploadTask.name = "task";
|
||||
|
@ -226,10 +231,57 @@ document.addEventListener("DOMContentLoaded", function() {
|
|||
uploadForm.appendChild(uploadLabel);
|
||||
uploadForm.appendChild(uploadSize);
|
||||
uploadForm.appendChild(uploadTask);
|
||||
uploadForm.appendChild(uploadBackTo);
|
||||
uploadForm.appendChild(uploadInput);
|
||||
uploadForm.appendChild(uploadButton);
|
||||
|
||||
overlay.appendChild(uploadForm);
|
||||
|
||||
|
||||
/**
|
||||
* Function for generating file list.
|
||||
*
|
||||
* @param {function} callback Function to call on clicking on a file name.
|
||||
*
|
||||
* @return {DOMElement}
|
||||
*/
|
||||
function generateFileList(callback) {
|
||||
|
||||
let fileList = document.createElement("table");
|
||||
fileList.classList.add("fileList");
|
||||
|
||||
queryPage(
|
||||
encodeURI('./files.php'),
|
||||
function (request) {
|
||||
let allFiles = JSON.parse(request.response);
|
||||
|
||||
for (let i = 0, max = allFiles.length; i < max; i++) {
|
||||
|
||||
let fileLine = document.createElement("tr");
|
||||
|
||||
let fileLineName = document.createElement("td"); // Add TD for displaying file name and main action
|
||||
fileLineName.textContent = allFiles[i]; // Display file name
|
||||
fileLineName.addEventListener('click', function(e) {
|
||||
callback("../files/" + allFiles[i]);
|
||||
});
|
||||
fileLine.appendChild(fileLineName);
|
||||
|
||||
let fileLineDelete = document.createElement("td"); // Add TD for deleting file
|
||||
let fileLineDeleteLink = document.createElement("a"); // Add a.
|
||||
fileLineDeleteLink.textContent = "\u2326"; // Delete Symbole
|
||||
fileLineDeleteLink.href = "files.php?task=delete&subject=" + encodeURI(allFiles[i]) + "&backTo=" + encodeURI(location.href);
|
||||
fileLineDelete.appendChild(fileLineDeleteLink);
|
||||
fileLine.appendChild(fileLineDelete);
|
||||
|
||||
fileList.appendChild(fileLine);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
return fileList;
|
||||
}
|
||||
|
||||
overlay.appendChild(generateFileList(function(value) { location.href = value; }));
|
||||
document.getElementsByTagName("body")[0].appendChild(overlay);
|
||||
|
||||
document.getElementsByTagName("body")[0].addEventListener('keydown', async function(e) {
|
||||
|
@ -237,17 +289,6 @@ document.addEventListener("DOMContentLoaded", function() {
|
|||
removeElement(overlay);
|
||||
});
|
||||
|
||||
queryPage(
|
||||
encodeURI('./files.php'),
|
||||
function (request) {
|
||||
let allFiles = JSON.parse(request.response);
|
||||
|
||||
for (let i = 0, max = allFiles.length; i < max; i++) {
|
||||
console.log(allFiles[i]);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
})();
|
||||
|
|
|
@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>Auf dieser Seite können Sie statische Sei
|
|||
$translations['requiredValueMissing'] = 'Ein obligatorischer Wert fehlt.';
|
||||
$translations['passwordsDoNotMatch'] = 'Die Passwörter stimmen nicht überein.';
|
||||
$translations['passwordTooShort'] = 'Das eingegebene Passwort ist zu kurz.';
|
||||
$translations['deletedFile'] = 'Datei wurde gelöscht';
|
||||
$translations['uploadedFile'] = 'Datei wurde heraufgeladen';
|
||||
$translations['fileUploadError'] = 'Ein Fehler ist aufgetreten';
|
||||
$translations['filetypeNotWhitelisted'] = 'Dateityp ist nicht erlaubt';
|
||||
?>
|
|
@ -122,4 +122,8 @@ $translations['helpSinglePage'] = '<p>On this page, you can add or edit static p
|
|||
$translations['requiredValueMissing'] = 'A required value is missing.';
|
||||
$translations['passwordsDoNotMatch'] = 'The passwords do not match.';
|
||||
$translations['passwordTooShort'] = 'The password is too short.';
|
||||
$translations['deletedFile'] = 'Deleted file';
|
||||
$translations['uploadedFile'] = 'Uploaded file';
|
||||
$translations['fileUploadError'] = 'Error uploading file';
|
||||
$translations['filetypeNotWhitelisted'] = 'Filetype is not in whitelist';
|
||||
?>
|
|
@ -71,7 +71,7 @@ function ensureEnvironment() {
|
|||
[
|
||||
"startPage" => "1",
|
||||
"pageTitle" => "md:cms",
|
||||
"logo" => "",
|
||||
"logo" => "/appFiles/mdlogo.png",
|
||||
"url" => "",
|
||||
"css" => "default",
|
||||
"defaultLang" => "en",
|
||||
|
|
Reference in New Issue
Block a user