mod_http_upload_external/share_v2.php @ 2978:ac99a04231b1
mod_http_upload_external: Add newer 'v2' protocol (and share_v2.php) which supports content-type preservation
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Mon, 02 Apr 2018 10:57:17 +0100 |
child | 3161:887a8100343a |
2977:7036e82f83f5 | 2978:ac99a04231b1 |
---|---|
1 <?php | |
2 | |
3 /* | |
4 PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external | |
5 | |
6 Tested with Apache 2.2+ and PHP 5.3+ | |
7 | |
8 ** Why this script? | |
9 | |
10 This script only allows uploads that have been authorized by mod_http_upload_external. It | |
11 attempts to make the upload/download as safe as possible, considering that there are *many* | |
12 security concerns involved with allowing arbitrary file upload/download on a web server. | |
13 | |
14 With that said, I do not consider myself a PHP developer, and at the time of writing, this | |
15 code has had no external review. Use it at your own risk. I make no claims that this code | |
16 is secure. | |
17 | |
18 ** How to use? | |
19 | |
20 Drop this file somewhere it will be served by your web server. Edit the config options below. | |
21 | |
22 In Prosody set: | |
23 | |
24 http_upload_external_base_url = "https://your.example.com/path/to/share.php/" | |
25 http_upload_external_secret = "this is your secret string" | |
26 http_upload_external_protocol = "v2"; | |
27 | |
28 ** License | |
29 | |
30 (C) 2016 Matthew Wild <mwild1@gmail.com> | |
31 | |
32 Permission is hereby granted, free of charge, to any person obtaining a copy of this software | |
33 and associated documentation files (the "Software"), to deal in the Software without restriction, | |
34 including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, | |
35 and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, | |
36 subject to the following conditions: | |
37 | |
38 The above copyright notice and this permission notice shall be included in all copies or substantial | |
39 portions of the Software. | |
40 | |
41 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING | |
42 BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | |
43 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, | |
44 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
45 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
46 | |
47 */ | |
48 | |
49 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
50 /* CONFIGURATION OPTIONS */ | |
51 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
52 | |
53 /* Change this to a directory that is writable by your web server, but is outside your web root */ | |
54 $CONFIG_STORE_DIR = '/tmp'; | |
55 | |
56 /* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */ | |
57 $CONFIG_SECRET = 'this is your secret string'; | |
58 | |
59 /* For people who need options to tweak that they don't understand... here you are */ | |
60 $CONFIG_CHUNK_SIZE = 4096; | |
61 | |
62 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
63 /* END OF CONFIGURATION */ | |
64 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
65 | |
66 /* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */ | |
67 | |
68 $upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1); | |
69 $store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name); | |
70 | |
71 $request_method = $_SERVER['REQUEST_METHOD']; | |
72 | |
73 if(array_key_exists('v2', $_GET) === TRUE && $request_method === 'PUT') { | |
74 $upload_file_size = $_SERVER['HTTP_CONTENT_LENGTH']; | |
75 $upload_token = $_SERVER['HTTP_UPLOAD_SIGNATURE']; | |
76 | |
77 if(array_key_exists('HTTP_CONTENT_TYPE', $_SERVER) === TRUE) { | |
78 $upload_file_type = $_SERVER['HTTP_CONTENT_TYPE']; | |
79 } else { | |
80 $upload_file_type = 'application/octet-stream'; | |
81 } | |
82 | |
83 // Imagine being able to store the file data in the content-type! | |
84 if(strlen($upload_file_type) > 255) { | |
85 header('HTTP/1.0 400 Bad Request'); | |
86 exit; | |
87 } | |
88 | |
89 $calculated_token = hash_hmac('sha256', "$upload_file_name\0$upload_file_size\0$upload_file_type", $CONFIG_SECRET); | |
90 if(function_exists('hash_equals') { | |
91 if(hash_equals($calculated_token, $upload_token) !== TRUE) { | |
92 header('HTTP/1.0 403 Forbidden'); | |
93 exit; | |
94 } | |
95 } | |
96 else { | |
97 if($upload_token !== $calculated_token) { | |
98 header('HTTP/1.0 403 Forbidden'); | |
99 exit; | |
100 } | |
101 } | |
102 /* Open a file for writing */ | |
103 $store_file = fopen($store_file_name, 'x'); | |
104 | |
105 if($store_file === FALSE) { | |
106 header('HTTP/1.0 409 Conflict'); | |
107 exit; | |
108 } | |
109 | |
110 /* PUT data comes in on the stdin stream */ | |
111 $incoming_data = fopen('php://input', 'r'); | |
112 | |
113 /* Read the data a chunk at a time and write to the file */ | |
114 while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) { | |
115 fwrite($store_file, $data); | |
116 } | |
117 | |
118 /* Close the streams */ | |
119 fclose($incoming_data); | |
120 fclose($store_file); | |
121 file_put_contents($store_file_name.'-type', $upload_file_type); | |
122 } else if($request_method === 'GET' || $request_method === 'HEAD') { | |
123 // Send file (using X-Sendfile would be nice here...) | |
124 if(file_exists($store_file_name)) { | |
125 $mime_type = file_get_contents($store_file_name.'-type'); | |
126 if($mime_type === FALSE) { | |
127 $mime_type = 'application/octet-stream'; | |
128 } | |
129 header('Content-Disposition: attachment'); | |
130 header('Content-Type: '.$mime_type); | |
131 header('Content-Length: '.filesize($store_file_name)); | |
132 header('Content-Security-Policy: "default-src \'none\'"'); | |
133 header('X-Content-Security-Policy: "default-src \'none\'"'); | |
134 header('X-WebKit-CSP: "default-src 'none'"'); | |
135 if($request_method !== 'HEAD') { | |
136 readfile($store_file_name); | |
137 } | |
138 } else { | |
139 header('HTTP/1.0 404 Not Found'); | |
140 } | |
141 } else { | |
142 header('HTTP/1.0 400 Bad Request'); | |
143 } | |
144 | |
145 exit; |
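Review bot: The new script does not parse as written: `if(function_exists('hash_equals') {` at file line 90 is missing a closing parenthesis, and the `X-WebKit-CSP` header at file line 134 leaves the inner single quotes unescaped. They should read `if(function_exists('hash_equals')) {` and `header('X-WebKit-CSP: default-src \'none\'');`. All three CSP headers also wrap the policy in literal double quotes, which browsers are unlikely to accept as a valid policy, so the quotes should be dropped (`header('Content-Security-Policy: default-src \'none\'');`) for the restriction to actually apply to downloaded content. Separately, `$_SERVER['HTTP_UPLOAD_SIGNATURE']` is read at file line 75 without an existence check, and the fallback branch for PHP versions without `hash_equals` compares the HMAC with `!==`, which is not constant-time. A request without the signature header should be rejected with 403 before any comparison, and the fallback deserves a comment stating that it is timing-unsafe.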