www: Improve error handling for file uploads

2025-02-20 15:23:47 +01:00
parent 0ce071c256
commit a93afcdf97
2 changed files with 42 additions and 15 deletions


@ -150,7 +150,7 @@ foreach ($clients as $c) {
header("Location: $c/"); header("Location: $c/");
header('Content-Length: 23'); header('Content-Length: 23');
exit("308 Permanent Redirect\n"); exit("308 Permanent Redirect\n");
} elseif ($path === "/$c/") { } else if ($path === "/$c/") {
if ($_SERVER['REQUEST_METHOD'] !== 'GET') { if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
header("Status: 405"); header("Status: 405");
header("Allow: GET"); header("Allow: GET");
@ -195,7 +195,7 @@ foreach ($clients as $c) {
header('Status: 400'); header('Status: 400');
header('Content-Length: 16'); header('Content-Length: 16');
exit("400 Bad Request\n"); exit("400 Bad Request\n");
} elseif ($_SERVER['REQUEST_METHOD'] === 'GET') { } else if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$size = filesize($path); $size = filesize($path);
if ($size === false) { if ($size === false) {
header('Status: 404'); header('Status: 404');
@ -207,22 +207,31 @@ foreach ($clients as $c) {
header("Content-Disposition: attachment; filename=\"$file\""); header("Content-Disposition: attachment; filename=\"$file\"");
header("Content-Length: $size"); header("Content-Length: $size");
readfile($path); readfile($path);
} elseif ($_SERVER['REQUEST_METHOD'] === 'PUT') { } else if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
$putdata = fopen('php://input', 'r'); $upload = fopen("php://input", "r");
$fp = fopen($path, 'wb'); $fp = fopen("/tmp/upload-$file", "wb+");
if ($fp === false) { if (!$upload || !$fp) {
header("Status: 500"); fclose($fp);
header("Content-Length: 26"); fclose($upload);
header('Status: 500');
header('Content-Length: 26');
exit("500 Internal Server Error\n"); exit("500 Internal Server Error\n");
} }
while ($data = fread($putdata, 4096))
fwrite($fp, $data); while ($data = fread($upload, 4096)) fwrite($fp, $data);
fclose($fp); fclose($fp);
fclose($putdata); fclose($upload);
if (!rename("/tmp/upload-$file", $path)) {
header('Status: 500');
header('Content-Length: 26');
exit("500 Internal Server Error\n");
}
header("Status: 201"); header("Status: 201");
header('Content-Length: 12'); header('Content-Length: 12');
exit("201 Created\n"); exit("201 Created\n");
} elseif ($_SERVER['REQUEST_METHOD'] === 'DELETE') { } else if ($_SERVER['REQUEST_METHOD'] === 'DELETE') {
if ($file === '*') { if ($file === '*') {
foreach (scandir(".data/clients/$c/") as $f) { foreach (scandir(".data/clients/$c/") as $f) {
if (str_starts_with($f, ".") || str_ends_with($f, ".php") || str_ends_with($f, ".inc")) continue; if (str_starts_with($f, ".") || str_ends_with($f, ".php") || str_ends_with($f, ".inc")) continue;
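Review bot: The staging path `/tmp/upload-$file` on the new PUT branch is a fixed, guessable name in a world-writable directory, so two concurrent uploads of the same file name write into the same staging file, and `fopen(..., "wb+")` will follow a link that another local account has placed at that name. The second file in this commit has the same pattern with `/tmp/upload-$name`. I would stage next to the destination under a unique name, `$tmp = tempnam(dirname($path), '.upload-');`, open `$tmp` instead, and `unlink($tmp)` when `rename()` fails; that also keeps the rename on one filesystem, where it is atomic. How `$file` is validated is outside this hunk, so confirm it cannot contain `/` before it is interpolated into any path.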


@ -5,22 +5,40 @@ require "../.php/auth.inc";
if ($_SERVER['REQUEST_METHOD'] === 'PUT') { if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
authenticate(); authenticate();
header('Content-Type: text/plain; charset=UTF-8');
$name = substr($_SERVER['PATH_INFO'], 1); $name = substr($_SERVER['PATH_INFO'], 1);
if (str_contains($name, "..") || str_contains($name, "/")) { if (str_contains($name, "..") || str_contains($name, "/")) {
header('Status: 403'); header('Status: 403');
header('Content-Type: text/plain; charset=UTF-8');
header('Content-Length: 14'); header('Content-Length: 14');
exit("403 Forbidden\n"); exit("403 Forbidden\n");
} else if (!isset($_SERVER['HTTP_CONTENT_LENGTH'])) {
header('Status: 411');
header('Content-Length: 20');
exit("411 Length Required\n");
} }
$upload = fopen("php://input", "r"); $upload = fopen("php://input", "r");
$fp = fopen($name, "wb+"); $fp = fopen("/tmp/upload-$name", "wb+");
if (!$upload || !$fp) {
fclose($fp);
fclose($upload);
header('Status: 500');
header('Content-Length: 26');
exit("500 Internal Server Error\n");
}
while ($data = fread($upload, 4096)) fwrite($fp, $data); while ($data = fread($upload, 4096)) fwrite($fp, $data);
fclose($fp); fclose($fp);
fclose($upload); fclose($upload);
if (!rename("/tmp/upload-$name", $name)) {
header('Status: 500');
header('Content-Length: 26');
exit("500 Internal Server Error\n");
}
header('Status: 201'); header('Status: 201');
header('Content-Type: text/plain; charset=UTF-8');
header('Content-Length: 12'); header('Content-Length: 12');
exit("201 Created\n"); exit("201 Created\n");
} else if ($_SERVER['REQUEST_METHOD'] !== 'GET' && $_SERVER['REQUEST_METHOD'] !== 'HEAD') { } else if ($_SERVER['REQUEST_METHOD'] !== 'GET' && $_SERVER['REQUEST_METHOD'] !== 'HEAD') {
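Review bot: The new 500 branch under `if (!$upload || !$fp)` calls `fclose()` on both handles, but at least one of them is `false` there, and on PHP 8 (which this file needs for `str_contains`) `fclose(false)` throws a TypeError before the 500 headers are sent; the first file's PUT branch has the same two calls. Close only what opened, e.g. `if ($fp) fclose($fp);` and `if ($upload) fclose($upload);`. The copy loop also ignores the return value of `fwrite()`, and the Content-Length that is now required is never compared with the number of bytes written, so a short or failed write is still renamed into place and answered with 201.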