Fix check for upload size

2020-11-08 14:30:14 +01:00 · 2020-11-08 14:30:14 +01:00 · a8cb46848b
commit a8cb46848b
parent 8347a8a77b
3 changed files with 11 additions and 3 deletions
--- a/inc/constants.php
+++ b/inc/constants.php
@ -8,6 +8,8 @@
 */
 declare(strict_types = 1);

+const CACHE_DIR_PERMS = 0775;
+
 const TL_FILE_DIRS = [
    __DIR__ . "/../l10n/musdb/",
    __DIR__ . "/../l10n/importer/",
--- a/public/index6.php
+++ b/public/index6.php
@ -27,7 +27,7 @@ if (empty($filename = trim($_GET['fnam'], " ,./"))) {
 $csv_datei = MD_STD::realpath(__DIR__ . '/../csv/' . $filename);

 if (is_dir(__DIR__ . "/../xml")) rrmdir(__DIR__ . '/../xml');
-mkdir(__DIR__ . "/../xml", 0755);
+mkdir(__DIR__ . "/../xml", CACHE_DIR_PERMS);

 if (!($fp = fopen($csv_datei, 'r'))) {
    throw new MDmainEntityNotExistentException("Failed opening file");
--- a/public/upload.php
+++ b/public/upload.php
@ -2,8 +2,14 @@
 declare(strict_types = 1);
 require_once __DIR__ . "/../functions/functions.php";

-$target = __DIR__ . "/../csv/" . basename($_FILES['uploaded']['name']);
+if (empty($_FILES)) {
+    throw new MDFileDoesNotExist("No file uploaded");
+}
+
 $targetpart = basename($_FILES['uploaded']['name']);
+$target = __DIR__ . "/../csv/" . $targetpart;
+
+// TODO: File name needs to be sanitized, or tmp name used

 if (session_status() != PHP_SESSION_ACTIVE) {
    session_start();
@ -14,7 +20,7 @@ if (validateAntiCsrfToken() === false) {
 }

 //This is our size condition
-if ($uploaded_size > 40000000) {
+if ($_FILES['uploaded']['size'] > 40000000) {
    echo "Your file is too large.<br>";
    return;
 }