james/fembooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

re-arrange oekaki bits for better permissions

Browse Source
This commit is contained in:
Shish 2012-06-26 19:47:40 +01:00
parent 756de7b023
commit 80673b73ec
1 changed files with 33 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
ext/oekaki/main.php
View File

@ -10,40 +10,9 @@ class Oekaki extends Extension {
global $user, $page; global $user, $page;
if($event->page_matches("oekaki")) { if($event->page_matches("oekaki")) {
if($event->get_arg(0) == "create" and $user->can("create_image")){ if($user->can("create_image")) {
if($event->get_arg(0) == "create") {
$this->theme->display_page(); $this->theme->display_page();
}else{
$this->theme->display_permission_denied();
}
if($event->get_arg(0) == "upload") {
// FIXME: this allows anyone to upload anything to /data ...
// hardcoding the ext to .png should stop the obvious exploit,
// but more checking may be wise
if(isset($_FILES["picture"])) {
header('Content-type: text/plain');
$file = $_FILES['picture']['name'];
$ext = (strpos($file, '.') === FALSE) ? '' : substr($file, strrpos($file, '.'));
$uploadname = $_SERVER['REMOTE_ADDR'] . "." . time();
$uploadfile = data_path('oekaki_unclaimed/'.$uploadname);
log_info("oekaki", "Uploading file [$uploadname]");
$success = TRUE;
if (isset($_FILES["chibifile"]))
$success = $success && move_uploaded_file($_FILES['chibifile']['tmp_name'], $uploadfile . ".chi");
// hardcode the ext, so nobody can upload "foo.php"
$success = $success && move_uploaded_file($_FILES['picture']['tmp_name'], $uploadfile . ".png"); # $ext);
if ($success) {
echo "CHIBIOK\n";
} else {
echo "CHIBIERROR\n";
}
}
else {
echo "CHIBIERROR No Data\n";
}
} }
if($event->get_arg(0) == "claim") { if($event->get_arg(0) == "claim") {
// FIXME: move .chi to data/oekaki/$ha/$hash mirroring images and thumbs // FIXME: move .chi to data/oekaki/$ha/$hash mirroring images and thumbs
@ -75,6 +44,37 @@ class Oekaki extends Extension {
} }
} }
} }
if($event->get_arg(0) == "upload") {
// FIXME: this allows anyone to upload anything to /data ...
// hardcoding the ext to .png should stop the obvious exploit,
// but more checking may be wise
if(isset($_FILES["picture"])) {
header('Content-type: text/plain');
$file = $_FILES['picture']['name'];
$ext = (strpos($file, '.') === FALSE) ? '' : substr($file, strrpos($file, '.'));
$uploadname = $_SERVER['REMOTE_ADDR'] . "." . time();
$uploadfile = data_path('oekaki_unclaimed/'.$uploadname);
log_info("oekaki", "Uploading file [$uploadname]");
$success = TRUE;
if (isset($_FILES["chibifile"]))
$success = $success && move_uploaded_file($_FILES['chibifile']['tmp_name'], $uploadfile . ".chi");
// hardcode the ext, so nobody can upload "foo.php"
$success = $success && move_uploaded_file($_FILES['picture']['tmp_name'], $uploadfile . ".png"); # $ext);
if ($success) {
echo "CHIBIOK\n";
} else {
echo "CHIBIERROR\n";
}
}
else {
echo "CHIBIERROR No Data\n";
}
}
}
} }
// FIXME: "edit this image" button on existing images? // FIXME: "edit this image" button on existing images?