diff --git a/modules/feature-upload.php b/modules/feature-upload.php
index 0606e6f..f299cb6 100644
--- a/modules/feature-upload.php
+++ b/modules/feature-upload.php
@@ -15,8 +15,10 @@ register_module([
 case "GET": // Send upload page
- if($settings->allow_uploads)
- exit(page_renderer::render("Upload - $settings->sitename", "
+ if($settings->upload_enabled && $env->is_logged_in)
+ exit(page_renderer::render("Upload - $settings->sitename", "

Select an image below, and then type a name for it in the box. This server currently supports uploads up to " . get_max_upload_size() . " in size.

+

$settings->sitename currently supports uploading of the following file types: " . implode(", ", $settings->upload_allowed_file_types) . ".

+
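Review bot: The GET page reads `$settings->upload_allowed_file_types`, but the settings hunk in this same commit defines the list as `$settings->upload_allowed_types`, so unless the former is declared elsewhere `implode()` receives null here and the upload page errors or prints an empty list depending on PHP version; the line should read `implode(", ", $settings->upload_allowed_types)`. The configured values are MIME types (`image/jpeg` and so on), so the sentence around them might say "file types (MIME)" or map them to extensions before display. The enclosing `register_module` request handler starts before this hunk.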
@@ -26,15 +28,41 @@ register_module([
"));
 else
- exit(page_renderer::render("Error - Upload - $settings->sitename", "

$settings->sitename does not currently have uploads enabled. Go back.

"));
+ exit(page_renderer::render("Error - Upload - $settings->sitename", "

$settings->sitename does not currently have uploads enabled, or you do not currently have permission to upload files because you are not logged in. Go back.

"));
 break;
- case "PUT":
 case "POST": // Recieve file
+ if(!$settings->allow_uploads)
+ {
+ unlink($_FILES["file"]["tmp_name"]);
+ http_response_code(412);
+ exit(page_renderer::render("Upload failed - $settings->sitename", "

Your upload couldn't be processed because uploads are currently disabled on $settings->sitename. Go back to the main page.

"));
+ }
+ if(!$env->is_logged_in)
+ {
+ unlink($_FILES["file"]["tmp_name"]);
+ http_response_code(401);
+ exit(page_renderer::render("Upload failed - $settings->sitename", "

Your upload couldn't be processed because you are not logged in.

Try logging in first."));
+ }
+
+ // Calculate the target filename, removing any characters we
+ // are unsure about.
+ $target_filename = preg_replace("/[^a-z0-9\-_]/i", "", $_POST["filename"]);
+
+ $extra_data = [];
+ $imagesize = getimagesize($_FILES["file"]["tmp_name"], $extra_data);
+ echo("Raw file information: ");
+ var_dump($_FILES);
+ echo("Image sizing information: ");
+ var_dump($imagesize);
+ echo("Extra embedded information: ");
+ var_dump($extra_data);
+
+ unlink($_FILES["file"]["tmp_name"]);
 break;
 }
@@ -63,7 +91,7 @@ register_module([
 //// http://stackoverflow.com/a/25370978/1460422
 // Returns a file size limit in bytes based on the PHP upload_max_filesize
 // and post_max_size
-function file_upload_max_size()
+function get_max_upload_size()
 {
 static $max_size = -1;
 if ($max_size < 0) {
diff --git a/settings.fragment.php b/settings.fragment.php
index ebf6f31..981e7c6 100644
--- a/settings.fragment.php
+++ b/settings.fragment.php
@@ -171,6 +171,18 @@ $settings->footer_message = "All content is under
 editing_message = "By submitting your edit, you are agreeing to release your changes under this license. Also note that if you don't want your work to be edited by other users of this site, please don't submit it here!";
+// Whether to allow image uploads to the server. Currently disabled temporarily
+// for security reasons while I finish writing the file uploader.
+$settings->upload_enabled = true;
+
+// An array of mime types that are allowed to be uploaded.
+$settings->upload_allowed_types = [
+ "image/jpeg",
+ "image/png",
+ "image/gif",
+ "image/webp"
+];
+
 // A string of css to include. Will be included in the of every page
 // inside a
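Review bot: In the POST branch of feature-upload.php the first guard tests `!$settings->allow_uploads`, while the GET branch and the settings hunk in this commit use `$settings->upload_enabled`; with `allow_uploads` never assigned the condition is always true and every upload is refused with 412, so it should read `if(!$settings->upload_enabled)` (and 403 fits better than 412, which concerns conditional request headers). Every branch then touches `$_FILES["file"]["tmp_name"]` without first confirming a file actually arrived (`isset`, `error === UPLOAD_ERR_OK`, `is_uploaded_file()`), so a form post with no file produces undefined-index warnings instead of a clean error. The `echo`/`var_dump` block writes the raw `$_FILES` array (server-side tmp path and the client-supplied original filename) plus the parsed embedded metadata straight into the HTML response without `htmlspecialchars()`; that debug output should go before this ships, and the `getimagesize()` result is the natural place to enforce `$settings->upload_allowed_types` against the detected MIME type rather than trusting the client's declared type. `$target_filename` is computed but never used, and `$_POST["filename"]` may be absent, so `$_POST["filename"] ?? ""` avoids passing null to `preg_replace`. The enclosing request handler starts before this hunk; the sketch below puts the presence check ahead of the existing guards because they call `unlink()` on the tmp path.
```php
case "POST": // Recieve file
    if(!isset($_FILES["file"]) || $_FILES["file"]["error"] !== UPLOAD_ERR_OK ||
       !is_uploaded_file($_FILES["file"]["tmp_name"]))
    {
        http_response_code(400);
        exit(page_renderer::render("Upload failed - $settings->sitename", "No file was received with your upload."));
    }
    // … unchanged: upload_enabled / is_logged_in guards and $target_filename …
    $imagesize = getimagesize($_FILES["file"]["tmp_name"]);
    if($imagesize === false || !in_array($imagesize["mime"], $settings->upload_allowed_types, true))
    {
        unlink($_FILES["file"]["tmp_name"]);
        http_response_code(415);
        exit(page_renderer::render("Upload failed - $settings->sitename", "The uploaded file is not one of the permitted image types."));
    }
    // debug echo()/var_dump() block removed
    unlink($_FILES["file"]["tmp_name"]);
    break;
```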