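<?php

declare(strict_types=1);

/* This is an upload script for SWFUpload that attempts to properly handle uploaded files
in a secure way.

Request flow: restore the session, reject oversized POST bodies, validate the upload
(error code, is_uploaded_file(), size, name, extension), move it into $save_path,
email a link to it, and answer with a short text body. Every failure goes through
HandleError() at the bottom of the file, which sends a 500 status, followed by exit(). */

// Mail Settings. Easy, eh?
// $from is handed to mail() as raw additional headers, so keep it a fixed string:
// a request-controlled value here would let extra mail headers be injected.
$to = 'name@domain.com';
$subject = 'File Uploaded to Web Site Name';
$from = 'From: User Name <cheese@cheese.com>';

// Allowed file extensions. The comparison with the uploaded file's extension is
// case-sensitive, so keep the entries lowercase. Only list types that the uploads
// directory is meant to serve as static content.
$extension_whitelist = ['jpg', 'gif', 'png', 'zip', 'pdf', 'psd'];

// ***** You shouldn't have to edit anything Below this line *****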
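// Code for Session Cookie workaround
// SWFUpload's Flash plugin does not send the browser's cookies, so the session id is
// supplied as a POST/GET parameter instead. That value is request-controlled: it is
// only passed to session_id() when it is a string that looks like a PHP session id
// (PHP ids use a-z, A-Z, 0-9, ',' and '-', 22 to 256 characters). Even then the server
// cannot tell whether it issued that id; enable session.use_strict_mode so an unknown
// id is not adopted as a live session.
$requested_session_id = null;
if (isset($_POST["PHPSESSID"])) {
    $requested_session_id = $_POST["PHPSESSID"];
} elseif (isset($_GET["PHPSESSID"])) {
    $requested_session_id = $_GET["PHPSESSID"];
}

if (is_string($requested_session_id)
    && preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $requested_session_id) === 1) {
    session_id($requested_session_id);
}

session_start();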
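// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
// PHP discards $_POST and $_FILES when the request body exceeds post_max_size, which
// would surface later as a misleading "No upload found" error; compare the declared
// Content-Length against the limit up front instead. Only the K/M/G shorthand is
// understood; an empty value or post_max_size=0 (unlimited) disables the check.
$POST_MAX_SIZE = (string) ini_get('post_max_size');
$unit = strtoupper((string) substr($POST_MAX_SIZE, -1));
$unit_multipliers = ['K' => 1024, 'M' => 1048576, 'G' => 1073741824];
$multiplier = isset($unit_multipliers[$unit]) ? $unit_multipliers[$unit] : 1;
// CONTENT_LENGTH is absent for requests without a body.
$content_length = isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : 0;

if ($POST_MAX_SIZE !== '' && $POST_MAX_SIZE !== '0'
    && $content_length > $multiplier * (int) $POST_MAX_SIZE) {
    // 500 rather than 413 because SWFUpload (Flash Player 8) only reacts to a failed status.
    http_response_code(500);
    echo "POST exceeded maximum allowed size.";
    exit(0);
}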
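// Settings
// The path where we will save the file (getcwd() may not be reliable and should be tested in your environment).
// The notification email links to this directory over HTTP, i.e. it lives under the document
// root; configure the web server so that nothing stored in it is ever executed as a script.
$save_path = getcwd() . "/uploads/";
$upload_name = "Filedata"; // Name of the multipart form field SWFUpload posts the file in
$max_file_size_in_bytes = 2147483647; // 2GB in bytes

// Characters allowed in the file name (in a Regular Expression format). This is spliced
// into a [^...] character class below, so everything else is stripped from the name.
$valid_chars_regex = '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-';

// Other variables
$MAX_FILENAME_LENGTH = 260; // bytes, checked with strlen()
$file_name = "";
$file_extension = "";
// Messages for the UPLOAD_ERR_* codes PHP reports in $_FILES[...]["error"]
// (code 5 is not defined by PHP; 7 and 8 were missing from the original table).
$uploadErrors = [
    UPLOAD_ERR_OK         => "There is no error, the file uploaded with success",
    UPLOAD_ERR_INI_SIZE   => "The uploaded file exceeds the upload_max_filesize directive in php.ini",
    UPLOAD_ERR_FORM_SIZE  => "The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form",
    UPLOAD_ERR_PARTIAL    => "The uploaded file was only partially uploaded",
    UPLOAD_ERR_NO_FILE    => "No file was uploaded",
    UPLOAD_ERR_NO_TMP_DIR => "Missing a temporary folder",
    UPLOAD_ERR_CANT_WRITE => "Failed to write file to disk",
    UPLOAD_ERR_EXTENSION  => "A PHP extension stopped the file upload",
];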
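// Validate the upload
// Each failure is reported through HandleError() (500 status + message) and the
// script stops. The $_FILES entry is only usable when its fields are strings; a form
// that posts the field as an array ("Filedata[]") yields arrays here, which must be
// rejected before they reach is_uploaded_file() or the error table.
$upload = isset($_FILES[$upload_name]) ? $_FILES[$upload_name] : null;

if (!is_array($upload)) {
    HandleError("No upload found in \$_FILES for " . $upload_name);
    exit(0);
}

if (isset($upload["error"]) && $upload["error"] !== UPLOAD_ERR_OK) {
    // Codes without a message (or a non-integer value) get a generic text instead of
    // an undefined-index notice.
    $error_code = $upload["error"];
    $error_message = is_int($error_code) && isset($uploadErrors[$error_code])
        ? $uploadErrors[$error_code]
        : "Unknown upload error";
    HandleError($error_message);
    exit(0);
}

if (!isset($upload["tmp_name"]) || !is_string($upload["tmp_name"])
    || !@is_uploaded_file($upload["tmp_name"])) {
    HandleError("Upload failed is_uploaded_file test.");
    exit(0);
}

if (!isset($upload['name']) || !is_string($upload['name'])) {
    HandleError("File has no name.");
    exit(0);
}

// Validate the file size (Warning: the largest files supported by this code is 2GB)
// The size is taken from the temporary file itself. A false return from filesize()
// (stat failure) is treated like an empty file; the two bounds get distinct messages.
$file_size = @filesize($upload["tmp_name"]);
if ($file_size === false || $file_size <= 0) {
    HandleError("File size outside allowed lower bound");
    exit(0);
}

if ($file_size > $max_file_size_in_bytes) {
    HandleError("File exceeds the maximum allowed size");
    exit(0);
}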
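// Validate file name (for our purposes we'll just remove invalid characters)
// basename() drops any directory part; the regex then strips every byte outside
// $valid_chars_regex plus any trailing dots, so the stored name cannot contain a
// path separator, a NUL byte, or collapse to "." / "..". preg_replace() returns null
// on a PCRE error, which is treated as an invalid name rather than as "".
// strlen() counts bytes, which is what the filesystem limit is about; the character
// class only keeps ASCII anyway.
$file_name = preg_replace('/[^'.$valid_chars_regex.']|\.+$/i', "", basename($_FILES[$upload_name]['name']));
if (!is_string($file_name) || $file_name === '' || strlen($file_name) > $MAX_FILENAME_LENGTH) {
    HandleError("Invalid file name");
    exit(0);
}

// Validate that we won't over-write an existing file
// file_exists() and the later move_uploaded_file() are not atomic: two concurrent
// uploads of the same name can still race. Generate the stored name server-side if
// that matters for your deployment.
if (file_exists($save_path . $file_name)) {
    HandleError("File with this name already exists");
    exit(0);
}

// Validate file extension
// The extension is read from the sanitised $file_name -- the name actually written to
// disk -- and compared strictly (case-sensitive, like the original ==) with the
// whitelist. $valid_chars_regex allows dots, so names with several extensions pass;
// whether a web server treats such a name as a script depends on its configuration
// (e.g. Apache mod_mime considers every extension), which is why the uploads
// directory itself must be configured not to execute anything.
$file_extension = pathinfo($file_name, PATHINFO_EXTENSION);
if (!in_array($file_extension, $extension_whitelist, true)) {
    HandleError("Invalid file extension");
    exit(0);
}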
// Validate file contents (extension and mime-type can't be trusted)
/*
Validating the file contents is OS and web server configuration dependent, and it may not be reliable.
See the comments on this page: http://us2.php.net/fileinfo

Also see http://72.14.253.104/search?q=cache:3YGZfcnKDrYJ:www.scanit.be/uploads/php-file-upload.pdf+php+file+command&hl=en&ct=clnk&cd=8&gl=us&client=firefox-a
which describes how a PHP script can be embedded within a GIF image file.

Therefore, no sample code is provided here. Research the issue, decide how much security is
needed, and implement a solution that meets those needs.
*/

// Process the file
/*
At this point the file has passed every check above and is saved under $save_path. This is
the place for any further processing (a database entry, a thumbnail, ...).

move_uploaded_file() refuses a source that was not uploaded through HTTP POST, which is
why it is used instead of rename()/copy(). Depending on your server OS and needs you may
have to adjust the permissions of the saved file afterwards; the moved file keeps whatever
mode the temporary file had.
*/
$saved = @move_uploaded_file($_FILES[$upload_name]["tmp_name"], $save_path . $file_name);
if (!$saved) {
    HandleError("File could not be saved.");
    exit(0);
}
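// Email it up!
// The link is derived from this request's own URL. SERVER_NAME and REQUEST_URI come
// from the request (SERVER_NAME may follow the Host header unless the web server is
// configured with a canonical name), so the URL placed in the email is partly under
// the uploader's control; a fixed, configured base URL is the safer choice in production.
$is_https = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on";
$server_name = isset($_SERVER["SERVER_NAME"]) ? (string) $_SERVER["SERVER_NAME"] : "";
$server_port = isset($_SERVER["SERVER_PORT"]) ? (string) $_SERVER["SERVER_PORT"] : "";
$request_uri = isset($_SERVER["REQUEST_URI"]) ? (string) $_SERVER["REQUEST_URI"] : "";

$pageURL = $is_https ? 'https' : 'http';
$pageURL .= "://";
// Omit the port when it is the default for the scheme (80 for http, 443 for https).
$default_port = $is_https ? "443" : "80";
if ($server_port !== "" && $server_port !== $default_port) {
    $pageURL .= $server_name . ":" . $server_port . $request_uri;
} else {
    $pageURL .= $server_name . $request_uri;
}

// Assumes this script is named upload.php and uploads/ is its sibling directory.
// Note that str_replace() also rewrites "upload.php" wherever else it occurs in the
// URL (for example inside the query string).
$url = str_replace('upload.php', 'uploads/', $pageURL);

$body = "A file has been uploaded. \n \n Here's a link: \n \n $url".rawurlencode($file_name);

// Best-effort notification: a delivery failure does not undo the upload and the
// response below is sent either way.
mail($to, $subject, $body, $from);

// Return output to the browser (only supported by SWFUpload for Flash Player 9)
echo "File Received";

exit(0);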
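/* Handles the error output. This function was written for SWFUpload for Flash Player 8 which
cannot return data to the server, so it just returns a 500 error. For Flash Player 9 you will
want to change this to return the server data you want to indicate an error and then use SWFUpload's
uploadSuccess to check the server_data for your error indicator. */
/**
 * Send a 500 status and write $message as the response body. Callers exit() right after.
 *
 * http_response_code() lets the SAPI emit the status line for whatever protocol version
 * the connection uses, instead of hard-coding "HTTP/1.1". The messages passed in by this
 * file are fixed server-side strings; if request-derived text is ever included, escape
 * it for the response's content type first.
 *
 * @param string $message Plain-text error description written to the response body.
 */
function HandleError(string $message): void
{
    http_response_code(500);
    echo $message;
}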