archive/oddmuse
2
0
Fork 0
forked from github/kensanata.oddmuse
Code Pull Requests Activity
Files
namespaces-fastcgi
oddmuse/modules/upload.pl
Alex Schroeder 9a93601a03 upload.pl: fix meta.t complaint
2016-08-08 11:30:27 +02:00

91 lines
2.9 KiB
Perl
Raw Permalink Blame History

#!/usr/bin/perl
# Copyright (C) 2014 Alex-Daniel Jakimenko <alex.jakimenko@gmail.com>
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later
# version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, see <http://www.gnu.org/licenses/>.
use strict;
use v5.10;
use CGI;
#use CGI::Carp qw ( fatalsToBrowser );
use File::Basename;
AddModuleDescription('upload.pl');
$CGI::POST_MAX = 1024 * 100000;
my $filenameWhitelist = 'a-zA-Z0-9_.-';
my @additionalChars = ('A'..'Z', 'a'..'z', '0'..'9');
my $urlStart = 'http://files.YOURDOMAIN.org/'; # CHANGE THIS
my $uploadDir = '../upload/';
my $logFile = '../upload.log';
my %keys = qw(justletmeupload you); # CHANGE THIS
sub squeak {
say shift;
die;
}
my $q = new CGI;
print $q->header();
if (not exists $keys{$q->param("key")}) {
squeak 'Error: Not authorized to upload';
}
if (not $q->param("fileToUpload0")) {
squeak 'Error: There was a problem uploading your file (try a smaller file)';
}
for (my $i=0; $q->param("fileToUpload$i"); $i++) {
if ($i >= 100) { # Uploading more than 100 files? What?
squeak 'Error: Cannot upload more than 100 files at once';
}
my $curFilename = substr $q->param("fileToUpload$i"), -100;
my($name, $path, $extension) = fileparse($curFilename, '\..*');
$name =~ tr/ /_/;
$name =~ s/[^$filenameWhitelist]//g;
$extension =~ tr/ /_/;
$extension =~ s/[^$filenameWhitelist]//g;
$curFilename = $name . $extension;
while (IsFile("$uploadDir/$curFilename")) { # keep adding random characters until we get unique filename
squeak 'Error: Cannot save file with such filename' if length $curFilename >= 150; # cannot find available filename after so many attempts
$name .= $additionalChars[rand @additionalChars];
$curFilename = $name . $extension;
}
if ($curFilename =~ /^([$filenameWhitelist]+)$/) { # filename is already safe, but we have to untaint it
$curFilename = $1;
} else {
squeak 'Error: Filename contains invalid characters'; # this should not happen
}
open(my $LOGFILE, '>>', encode_utf8($logFile)) or squeak "$!";
print $LOGFILE $q->param("key") . ' ' . $ENV{REMOTE_ADDR} . ' ' . $curFilename . "\n";
close $LOGFILE;
my $uploadFileHandle = $q->upload("fileToUpload$i");
open(my $UPLOADFILE, '>', encode_utf8("$uploadDir/$curFilename")) or squeak "$!";
binmode $UPLOADFILE;
while (<$uploadFileHandle>) {
print $UPLOADFILE;
}
close $UPLOADFILE;
if ($q->param("nameOnly")) {
print "$curFilename\n";
} else {
print "$urlStart$curFilename\n";
}
}
View Git Blame Copy Permalink