annotate mod_http_upload_external/share.php @ 2977:7036e82f83f5

mod_http_upload_external: share.php example: Add CSP headers
author Matthew Wild <mwild1@gmail.com>
date Mon, 02 Apr 2018 10:52:32 +0100
parents 67d6510c5f49
children 9480ca61294d
Revisions annotated on this page (the per-line annotations are collapsed here):

2333:f86478a02b25  mod_http_upload_external: Add share.php example implementation  (Matthew Wild <mwild1@gmail.com>)  every line not listed below
2972:67d6510c5f49  mod_http_upload_external: Use a more widespread method to obtain Content-Length (thanks Yves)  (Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>, parent 2333)  the line reading $_SERVER['HTTP_CONTENT_LENGTH']
2977:7036e82f83f5  mod_http_upload_external: share.php example: Add CSP headers  (Matthew Wild <mwild1@gmail.com>, parent 2972)  the three Content-Security-Policy header lines

<?php

/*
PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external

Tested with Apache 2.2+ and PHP 5.3+

** Why this script?

This script only allows uploads that have been authorized by mod_http_upload_external. It
attempts to make the upload/download as safe as possible, considering that there are *many*
security concerns involved with allowing arbitrary file upload/download on a web server.

With that said, I do not consider myself a PHP developer, and at the time of writing, this
code has had no external review. Use it at your own risk. I make no claims that this code
is secure.

** How to use?

Drop this file somewhere it will be served by your web server. Edit the config options below.

In Prosody set:

http_upload_external_base_url = "https://your.example.com/path/to/share.php/"
http_upload_external_secret = "this is your secret string"

** License

(C) 2016 Matthew Wild <mwild1@gmail.com>

Permission is hereby granted, free of charge, to any person obtaining a copy of this software
and associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

*/

/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* CONFIGURATION OPTIONS */
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/

/* Change this to a directory that is writable by your web server, but is outside your web root */
$CONFIG_STORE_DIR = '/tmp';

/* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */
$CONFIG_SECRET = 'this is your secret string';

/* For people who need options to tweak that they don't understand... here you are */
$CONFIG_CHUNK_SIZE = 4096;

/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* END OF CONFIGURATION */
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/

/* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */

/* The part of the request path after the script name is the upload slot (e.g. "random/filename.ext") */
$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
/* The client-chosen name never reaches the filesystem: the on-disk name is its SHA-256, so
   "../" or other special characters in the slot cannot escape $CONFIG_STORE_DIR */
$store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name);

$request_method = $_SERVER['REQUEST_METHOD'];

if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') {
	$upload_file_size = $_SERVER['HTTP_CONTENT_LENGTH'];
	$upload_token = $_GET['v'];

	/* Prosody issued the token as an HMAC over the slot name and the declared size, so the
	   uploader can change neither without invalidating it */
	$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
	/* Compare in constant time where PHP provides it (hash_equals() needs PHP 5.6+);
	   older versions fall back to a plain string comparison */
	if(function_exists('hash_equals')) {
		$token_ok = hash_equals($calculated_token, $upload_token);
	} else {
		$token_ok = ($upload_token === $calculated_token);
	}
	if($token_ok !== TRUE) {
		header('HTTP/1.0 403 Forbidden');
		exit;
	}

	/* Open a file for writing. Mode 'x' fails if the file already exists, so a slot can only be filled once */
	$store_file = fopen($store_file_name, 'x');

	if($store_file === FALSE) {
		header('HTTP/1.0 409 Conflict');
		exit;
	}

	/* PUT data comes in on the stdin stream */
	$incoming_data = fopen('php://input', 'r');

	/* Read the data a chunk at a time and write to the file. Test for EOF/error explicitly:
	   a chunk consisting of the single byte "0" is falsy in PHP and would otherwise end the
	   loop early and truncate the upload */
	while(!feof($incoming_data)) {
		$data = fread($incoming_data, $CONFIG_CHUNK_SIZE);
		if($data === FALSE || $data === '') {
			break;
		}
		fwrite($store_file, $data);
	}

	/* Close the streams */
	fclose($incoming_data);
	fclose($store_file);
} else if($request_method === 'GET' || $request_method === 'HEAD') {
	// Send file (using X-Sendfile would be nice here...)
	if(file_exists($store_file_name)) {
		/* Always serve uploads as an opaque download, never rendered inline by the browser */
		header('Content-Disposition: attachment');
		header('Content-Type: application/octet-stream');
		header('Content-Length: '.filesize($store_file_name));
		/* Belt and braces: should something still render the content, a policy of
		   default-src 'none' stops it loading or executing anything. The header value must
		   not be wrapped in double quotes: a quoted directive does not parse and the policy
		   would be silently ignored. The X- variants are the legacy names older browsers used. */
		header("Content-Security-Policy: default-src 'none'");
		header("X-Content-Security-Policy: default-src 'none'");
		header("X-WebKit-CSP: default-src 'none'");
		if($request_method !== 'HEAD') {
			readfile($store_file_name);
		}
	} else {
		header('HTTP/1.0 404 Not Found');
	}
} else {
	header('HTTP/1.0 400 Bad Request');
}

exit;
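The authorization scheme above is easier to reason about with both sides of the exchange in one place. The following is an added example, not code from share.php or from Prosody's mod_http_upload_external: it models the issuer side (an HMAC-SHA256 token over "<slot name> <size>" with the shared secret, which is the value share.php recomputes with hash_hmac) and the verifier side (share.php's PUT and GET branches, step by step), then runs a legitimate upload followed by the things someone holding one valid upload URL might try: replaying it, reusing the token with a different size, reusing it for a different path, and omitting it. It is written in Python so it runs without a web server. Assumptions are the same secret and script path as the configuration on the page; the slot name, the file bytes and the store directory are constructed for the example, and Prosody's actual slot format is not reproduced here.

```python
"""Added example: issuer and verifier sides of the share.php upload token scheme.
Not part of share.php or mod_http_upload_external; see the lead-in for assumptions."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import quote

# Assumed to match the page's configuration: http_upload_external_secret / $CONFIG_SECRET,
# and share.php served at /path/to/share.php (the SCRIPT_NAME PHP sees).
SECRET = b"this is your secret string"
SCRIPT_NAME = "/path/to/share.php"
BASE_URL = "https://your.example.com/path/to/share.php/"


def issue_token(upload_file_name: str, upload_file_size: int, secret: bytes = SECRET) -> str:
    """Issuer side: HMAC-SHA256 over "<name> <size>", hex encoded. This is exactly the string
    share.php recomputes with hash_hmac('sha256', "$upload_file_name $upload_file_size", ...)."""
    message = f"{upload_file_name} {upload_file_size}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def put_url(upload_file_name: str, upload_file_size: int) -> str:
    """The PUT URL a client is handed: base URL + slot path + ?v=<token>."""
    return f"{BASE_URL}{quote(upload_file_name)}?v={issue_token(upload_file_name, upload_file_size)}"


def store_path(store_dir: str, upload_file_name: str) -> str:
    """share.php never uses the client-chosen name on disk: it stores under store-<sha256(name)>,
    so '../' or metacharacters in the slot cannot escape the store directory."""
    return os.path.join(store_dir, "store-" + hashlib.sha256(upload_file_name.encode()).hexdigest())


def handle_put(store_dir: str, php_self: str, query_v, content_length: int, body: bytes,
               secret: bytes = SECRET) -> int:
    """Verifier side, mirroring share.php's PUT branch. Returns the HTTP status it would send."""
    if query_v is None:
        return 400                                   # no 'v' parameter: falls through to 400 Bad Request
    # substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1)
    upload_file_name = php_self[len(SCRIPT_NAME) + 1:]
    expected = issue_token(upload_file_name, content_length, secret)
    if not hmac.compare_digest(expected.encode(), query_v.encode()):   # constant-time, as hash_equals()
        return 403
    try:
        # fopen($store_file_name, 'x'): create-only, so a slot can never be overwritten
        fd = os.open(store_path(store_dir, upload_file_name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return 409
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return 200


def handle_get(store_dir: str, php_self: str):
    """Download side: look up the hashed store name; 404 if the slot was never filled."""
    path = store_path(store_dir, php_self[len(SCRIPT_NAME) + 1:])
    if not os.path.exists(path):
        return 404, None
    with open(path, "rb") as f:
        return 200, f.read()


def run_scenarios(store_dir: str) -> dict:
    """One legitimate upload, then what a holder of that URL might try. Returns each outcome."""
    name = "f8a1c3d2/photo.jpg"                      # constructed slot name (random dir + file name)
    body = b"\x89PNG constructed sample bytes"       # constructed file content
    token = issue_token(name, len(body))
    self_path = SCRIPT_NAME + "/" + name
    results = {}
    results["valid_upload"] = handle_put(store_dir, self_path, token, len(body), body)
    # Replay the same URL: the create-only open refuses to overwrite the filled slot.
    results["replay"] = handle_put(store_dir, self_path, token, len(body), b"overwrite attempt")
    # Reuse the token with a larger body: the size is inside the MAC, so it no longer matches.
    results["size_tampered"] = handle_put(store_dir, self_path, token, len(body) + 1, body + b"x")
    # Reuse the token for another path: the slot name is inside the MAC too.
    results["name_tampered"] = handle_put(store_dir, SCRIPT_NAME + "/f8a1c3d2/other.bin", token, len(body), body)
    results["no_token"] = handle_put(store_dir, self_path, None, len(body), body)
    status, data = handle_get(store_dir, self_path)
    results["download"] = status
    results["download_matches"] = data == body
    results["unknown_slot"] = handle_get(store_dir, SCRIPT_NAME + "/f8a1c3d2/missing")[0]
    return results


def demo() -> dict:
    """Run the scenarios in a throwaway store directory (the real script uses $CONFIG_STORE_DIR)."""
    with tempfile.TemporaryDirectory() as store_dir:
        return run_scenarios(store_dir)


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Two properties of the scheme are visible in the outcomes: the token binds both the slot name and the declared Content-Length, so a leaked URL is good for exactly one upload of exactly that size to exactly that path, and the create-only open means the slot cannot be refilled afterwards. What the token does not cover is the content itself; share.php trusts whatever body arrives with a valid token, which is why the download side serves everything as an opaque attachment under a deny-all CSP.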