Comparison

mod_http_upload_external/share_v2.php @ 2978:ac99a04231b1

mod_http_upload_external: Add newer 'v2' protocol (and share_v2.php) which supports content-type preservation
author Matthew Wild <mwild1@gmail.com>
date Mon, 02 Apr 2018 10:57:17 +0100
child 3161:887a8100343a
comparison
equal deleted inserted replaced
2977:7036e82f83f5 2978:ac99a04231b1
1 <?php
2
3 /*
4 PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external
5
6 Tested with Apache 2.2+ and PHP 5.3+
7
8 ** Why this script?
9
10 This script only allows uploads that have been authorized by mod_http_upload_external. It
11 attempts to make the upload/download as safe as possible, considering that there are *many*
12 security concerns involved with allowing arbitrary file upload/download on a web server.
13
14 With that said, I do not consider myself a PHP developer, and at the time of writing, this
15 code has had no external review. Use it at your own risk. I make no claims that this code
16 is secure.
17
18 ** How to use?
19
20 Drop this file somewhere it will be served by your web server. Edit the config options below.
21
22 In Prosody set:
23
24 http_upload_external_base_url = "https://your.example.com/path/to/share.php/"
25 http_upload_external_secret = "this is your secret string"
26 http_upload_external_protocol = "v2";
27
28 ** License
29
30 (C) 2016 Matthew Wild <mwild1@gmail.com>
31
32 Permission is hereby granted, free of charge, to any person obtaining a copy of this software
33 and associated documentation files (the "Software"), to deal in the Software without restriction,
34 including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
35 and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
36 subject to the following conditions:
37
38 The above copyright notice and this permission notice shall be included in all copies or substantial
39 portions of the Software.
40
41 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
42 BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
43 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
44 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
45 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
46
47 */
48
49 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
50 /* CONFIGURATION OPTIONS */
51 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
52
53 /* Change this to a directory that is writable by your web server, but is outside your web root */
54 $CONFIG_STORE_DIR = '/tmp';
55
56 /* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */
57 $CONFIG_SECRET = 'this is your secret string';
58
59 /* For people who need options to tweak that they don't understand... here you are */
60 $CONFIG_CHUNK_SIZE = 4096;
61
62 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
63 /* END OF CONFIGURATION */
64 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
65
66 /* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */
67
68 $upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
69 $store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name);
70
71 $request_method = $_SERVER['REQUEST_METHOD'];
72
73 if(array_key_exists('v2', $_GET) === TRUE && $request_method === 'PUT') {
74 $upload_file_size = $_SERVER['HTTP_CONTENT_LENGTH'];
75 $upload_token = $_SERVER['HTTP_UPLOAD_SIGNATURE'];
76
77 if(array_key_exists('HTTP_CONTENT_TYPE', $_SERVER) === TRUE) {
78 $upload_file_type = $_SERVER['HTTP_CONTENT_TYPE'];
79 } else {
80 $upload_file_type = 'application/octet-stream';
81 }
82
83 // Imagine being able to store the file data in the content-type!
84 if(strlen($upload_file_type) > 255) {
85 header('HTTP/1.0 400 Bad Request');
86 exit;
87 }
88
89 $calculated_token = hash_hmac('sha256', "$upload_file_name\0$upload_file_size\0$upload_file_type", $CONFIG_SECRET);
90 if(function_exists('hash_equals') {
91 if(hash_equals($calculated_token, $upload_token) !== TRUE) {
92 header('HTTP/1.0 403 Forbidden');
93 exit;
94 }
95 }
96 else {
97 if($upload_token !== $calculated_token) {
98 header('HTTP/1.0 403 Forbidden');
99 exit;
100 }
101 }
102 /* Open a file for writing */
103 $store_file = fopen($store_file_name, 'x');
104
105 if($store_file === FALSE) {
106 header('HTTP/1.0 409 Conflict');
107 exit;
108 }
109
110 /* PUT data comes in on the stdin stream */
111 $incoming_data = fopen('php://input', 'r');
112
113 /* Read the data a chunk at a time and write to the file */
114 while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) {
115 fwrite($store_file, $data);
116 }
117
118 /* Close the streams */
119 fclose($incoming_data);
120 fclose($store_file);
121 file_put_contents($store_file_name.'-type', $upload_file_type);
122 } else if($request_method === 'GET' || $request_method === 'HEAD') {
123 // Send file (using X-Sendfile would be nice here...)
124 if(file_exists($store_file_name)) {
125 $mime_type = file_get_contents($store_file_name.'-type');
126 if($mime_type === FALSE) {
127 $mime_type = 'application/octet-stream';
128 }
129 header('Content-Disposition: attachment');
130 header('Content-Type: '.$mime_type);
131 header('Content-Length: '.filesize($store_file_name));
132 header('Content-Security-Policy: "default-src \'none\'"');
133 header('X-Content-Security-Policy: "default-src \'none\'"');
134 header('X-WebKit-CSP: "default-src 'none'"');
135 if($request_method !== 'HEAD') {
136 readfile($store_file_name);
137 }
138 } else {
139 header('HTTP/1.0 404 Not Found');
140 }
141 } else {
142 header('HTTP/1.0 400 Bad Request');
143 }
144
145 exit;