diff --git a/modules/feature-upload.php b/modules/feature-upload.php
index 0568ad6..313c028 100644
--- a/modules/feature-upload.php
+++ b/modules/feature-upload.php
@@ -23,6 +23,7 @@ register_module([
 * @apiParam {string} name The name of the file to upload.
 * @apiParam {string} description A description of the file.
 * @apiParam {file} file The file to upload.
+ * @apiParam {boolean} avatar Whether this upload should be uploaded as the current user's avatar. If specified, any filenames provided will be ignored.
 *
 * @apiUse UserNotLoggedInError
 * @apiError UploadsDisabledError Uploads are currently disabled in the wiki's settings.
@@ -43,6 +44,8 @@ register_module([
 add_action("upload", function() {
 global $settings, $env, $pageindex, $paths;
+ $is_avatar = !empty($_POST["avatar"]) || !empty($_GET["avatar"]);
+
 switch($_SERVER["REQUEST_METHOD"]) {
 case "GET":
@@ -54,8 +57,22 @@ register_module([
 exit(page_renderer::render("Upload Error - $settings->sitename", "

You are not currently logged in, so you can't upload anything.

Try logging in first.

")); + if($is_avatar) { + exit(page_renderer::render("Upload avatar - $settings->sitenamae", "

Upload avatar

+

Select an image below, and then press upload. $settings->sitename currently supports the following file types (though not all of them may be suitable for an avatar): " . implode(", ", $settings->upload_allowed_file_types) . "

+
+ + +
+ +

$settings->editing_message

+ + +
")); + } + exit(page_renderer::render("Upload - $settings->sitename", "

Upload file

-

Select an image below, and then type a name for it in the box. This server currently supports uploads up to " . human_filesize(get_max_upload_size()) . " in size.

+

Select an image or file below, and then type a name for it in the box. This server currently supports uploads up to " . human_filesize(get_max_upload_size()) . " in size.

$settings->sitename currently supports uploading of the following file types: " . implode(", ", $settings->upload_allowed_file_types) . ".

@@ -85,7 +102,8 @@ register_module([
 // Make sure uploads are enabled
 if(!$settings->upload_enabled) {
- unlink($_FILES["file"]["tmp_name"]);
+ if(!empty($_FILES["file"]))
+ unlink($_FILES["file"]["tmp_name"]);
 http_response_code(412);
 exit(page_renderer::render("Upload failed - $settings->sitename", "

Your upload couldn't be processed because uploads are currently disabled on $settings->sitename. Go back to the main page.

")); } @@ -93,14 +111,15 @@ register_module([ // Make sure that the user is logged in if(!$env->is_logged_in) { - unlink($_FILES["file"]["tmp_name"]); + if(!empty($_FILES["file"])) + unlink($_FILES["file"]["tmp_name"]); http_response_code(401); exit(page_renderer::render("Upload failed - $settings->sitename", "

Your upload couldn't be processed because you are not logged in.

Try logging in first."));
 }
 // Calculate the target name, removing any characters we
 // are unsure about.
- $target_name = makepathsafe($_POST["name"]);
+ $target_name = makepathsafe($_POST["name"] ?? "Users/$env->user/Avatar");
 $temp_filename = $_FILES["file"]["tmp_name"];
 $mimechecker = finfo_open(FILEINFO_MIME_TYPE);
@@ -116,6 +135,11 @@ register_module([
 }
 // Perform appropriate checks based on the *real* filetype
+ if($is_avatar && substr($mime_type, 0, strpos($mime_type, "/")) !== "image") {
+ http_response_code(415);
+ exit(page_renderer::render_main("Error uploading avatar - $settings->sitename", "
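Review bot: The avatar flag is not authoritative for the target name: `$target_name` still takes a caller-supplied `$_POST["name"]` and only falls back to `Users/$env->user/Avatar` when `name` is absent, while the `@apiParam` text added in the first hunk promises that names are ignored for avatars and the last hunk skips the already-exists check whenever `$is_avatar` is set. Taken together, a logged-in user can post `avatar=1` together with an arbitrary `name` and, as far as this page shows, replace an existing upload of that name without the collision check firing. Decide on the flag rather than on the presence of `name`: `$target_name = makepathsafe($is_avatar ? "Users/$env->user/Avatar" : $_POST["name"]);` — this also removes the side effect of the `??` fallback, which quietly turns a plain upload that omits `name` into a write to the user's avatar path. Whether `makepathsafe` preserves the `/` separators in that path is defined outside this hunk and worth confirming.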

That file appears to be unsuitable as an avatar, as $settings->sitename has detected it to be of type $mime_type, which doesn't appear to be an image. Please try uploading a different file to use as your avatar.

")); + } + switch(substr($mime_type, 0, strpos($mime_type, "/"))) { case "image": @@ -140,17 +164,18 @@ register_module([ if(isset($settings->mime_mappings_overrides->$mime_type)) $file_extension = $settings->mime_mappings_overrides->$mime_type; - if(in_array($file_extension, [ "php", ".htaccess", "asp" ])) + if(in_array($file_extension, [ "php", ".htaccess", "asp", "aspx" ])) { http_response_code(415); exit(page_renderer::render("Upload Error - $settings->sitename", "

The file you uploaded appears to be dangerous and has been discarded. Please contact $settings->sitename's administrator for assistance.

Additional information: The file uploaded appeared to be of type $mime_type, which mapped onto the extension $file_extension. This file extension has the potential to be executed accidentally by the web server.

")); } + // Rewrite the name to include the _actual_ file extension we've cleverly calculated :D $new_filename = "$paths->upload_file_prefix$target_name.$file_extension"; $new_description_filename = "$new_filename.md"; - if(isset($pageindex->$new_filename)) + if(isset($pageindex->$new_filename) && !$is_avatar) exit(page_renderer::render("Upload Error - $settings->sitename", "

A page or file has already been uploaded with the name '$new_filename'. Try deleting it first. If you do not have permission to delete things, try contacting one of the moderators.

")); if(!file_exists($env->storage_prefix . "Files"))
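Review bot: Adding `aspx` extends a deny-list that is hard to keep complete — the entries mix bare extensions with a full filename (`.htaccess`), and extensions such as `phtml` or `phar` that many server configurations also execute are not covered. Since `$settings->upload_allowed_file_types` already enumerates the permitted MIME types, deriving the permitted extensions from that mapping and rejecting anything else would turn this into an allow-list; if the `in_array` check stays, it should at least pass `true` as its third argument. The `&& !$is_avatar` relaxation of the already-exists check is discussed in the note on the target-name hunk.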