Mercurial > prosody-modules
comparison mod_http_upload_external/share.php @ 2333:f86478a02b25
mod_http_upload_external: Add share.php example implementation
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 13 Oct 2016 18:58:34 +0100 |
| parents | |
| children | 67d6510c5f49 |
comparison
equal
deleted
inserted
replaced
| 2332:c2cf5b40b66d | 2333:f86478a02b25 |
|---|---|
| 1 <?php | |
| 2 | |
| 3 /* | |
| 4 PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external | |
| 5 | |
| 6 Tested with Apache 2.2+ and PHP 5.3+ | |
| 7 | |
| 8 ** Why this script? | |
| 9 | |
| 10 This script only allows uploads that have been authorized by mod_http_upload_external. It | |
| 11 attempts to make the upload/download as safe as possible, considering that there are *many* | |
| 12 security concerns involved with allowing arbitrary file upload/download on a web server. | |
| 13 | |
| 14 With that said, I do not consider myself a PHP developer, and at the time of writing, this | |
| 15 code has had no external review. Use it at your own risk. I make no claims that this code | |
| 16 is secure. | |
| 17 | |
| 18 ** How to use? | |
| 19 | |
| 20 Drop this file somewhere it will be served by your web server. Edit the config options below. | |
| 21 | |
| 22 In Prosody set: | |
| 23 | |
| 24 http_upload_external_base_url = "https://your.example.com/path/to/share.php/" | |
| 25 http_upload_external_secret = "this is your secret string" | |
| 26 | |
| 27 ** License | |
| 28 | |
| 29 (C) 2016 Matthew Wild <mwild1@gmail.com> | |
| 30 | |
| 31 Permission is hereby granted, free of charge, to any person obtaining a copy of this software | |
| 32 and associated documentation files (the "Software"), to deal in the Software without restriction, | |
| 33 including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, | |
| 34 and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, | |
| 35 subject to the following conditions: | |
| 36 | |
| 37 The above copyright notice and this permission notice shall be included in all copies or substantial | |
| 38 portions of the Software. | |
| 39 | |
| 40 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING | |
| 41 BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | |
| 42 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, | |
| 43 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
| 44 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
| 45 | |
| 46 */ | |
| 47 | |
| 48 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
| 49 /* CONFIGURATION OPTIONS */ | |
| 50 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
| 51 | |
| 52 /* Change this to a directory that is writable by your web server, but is outside your web root */ | |
| 53 $CONFIG_STORE_DIR = '/tmp'; | |
| 54 | |
| 55 /* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */ | |
| 56 $CONFIG_SECRET = 'this is your secret string'; | |
| 57 | |
| 58 /* For people who need options to tweak that they don't understand... here you are */ | |
| 59 $CONFIG_CHUNK_SIZE = 4096; | |
| 60 | |
| 61 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
| 62 /* END OF CONFIGURATION */ | |
| 63 /*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/ | |
| 64 | |
| 65 /* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */ | |
| 66 | |
| 67 $upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1); | |
| 68 $store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name); | |
| 69 | |
| 70 $request_method = $_SERVER['REQUEST_METHOD']; | |
| 71 | |
| 72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') { | |
| 73 $headers = getallheaders(); | |
| 74 | |
| 75 $upload_file_size = $headers['Content-Length']; | |
| 76 $upload_token = $_GET['v']; | |
| 77 | |
| 78 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET); | |
| 79 if($upload_token !== $calculated_token) { | |
| 80 header('HTTP/1.0 403 Forbidden'); | |
| 81 exit; | |
| 82 } | |
| 83 | |
| 84 /* Open a file for writing */ | |
| 85 $store_file = fopen($store_file_name, 'x'); | |
| 86 | |
| 87 if($store_file === FALSE) { | |
| 88 header('HTTP/1.0 409 Conflict'); | |
| 89 exit; | |
| 90 } | |
| 91 | |
| 92 /* PUT data comes in on the stdin stream */ | |
| 93 $incoming_data = fopen('php://input', 'r'); | |
| 94 | |
| 95 /* Read the data a chunk at a time and write to the file */ | |
| 96 while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) { | |
| 97 fwrite($store_file, $data); | |
| 98 } | |
| 99 | |
| 100 /* Close the streams */ | |
| 101 fclose($incoming_data); | |
| 102 fclose($store_file); | |
| 103 } else if($request_method === 'GET' || $request_method === 'HEAD') { | |
| 104 // Send file (using X-Sendfile would be nice here...) | |
| 105 if(file_exists($store_file_name)) { | |
| 106 header('Content-Disposition: attachment'); | |
| 107 header('Content-Type: application/octet-stream'); | |
| 108 header('Content-Length: '.filesize($store_file_name)); | |
| 109 if($request_method !== 'HEAD') { | |
| 110 readfile($store_file_name); | |
| 111 } | |
| 112 } else { | |
| 113 header('HTTP/1.0 404 Not Found'); | |
| 114 } | |
| 115 } else { | |
| 116 header('HTTP/1.0 400 Bad Request'); | |
| 117 } | |
| 118 | |
| 119 exit; |