صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
Medowar
/
feuerwehr-freising-antragsformular
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
درخت: 76ce7706bf
شاخه‌ها تگ‌ها
feuerwehr-freis...
/
api
/
upload-preview.php

upload-preview.php 4.5 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. use App\App\Bootstrap;
    6. 

  6. use App\Security\Csrf;
    7. 

  7. use App\Security\FormAccess;
    8. 

  8. use App\Security\RateLimiter;
    9. 

  9. use App\Storage\JsonStore;
    10. 

  10. 

  11. require dirname(__DIR__) . '/src/autoload.php';
    12. 

  12. Bootstrap::init();
    13. 

  13. 

  14. if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    15. 

  15.     http_response_code(405);
    16. 

  16.     header('Content-Type: text/plain; charset=utf-8');
    17. 

  17.     echo 'Method not allowed';
    18. 

  18.     exit;
    19. 

  19. }
    20. 

  20. 

  21. $csrf = $_GET['csrf'] ?? '';
    22. 

  22. if (!Csrf::validate(is_string($csrf) ? $csrf : null)) {
    23. 

  23.     http_response_code(419);
    24. 

  24.     header('Content-Type: text/plain; charset=utf-8');
    25. 

  25.     echo 'Ungültiges CSRF-Token.';
    26. 

  26.     exit;
    27. 

  27. }
    28. 

  28. 

  29. $email = strtolower(trim((string) ($_GET['email'] ?? '')));
    30. 

  30. if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    31. 

  31.     http_response_code(422);
    32. 

  32.     header('Content-Type: text/plain; charset=utf-8');
    33. 

  33.     echo 'Bitte gültige E-Mail eingeben.';
    34. 

  34.     exit;
    35. 

  35. }
    36. 

  36. 

  37. $activityRaw = $_GET['last_user_activity_at'] ?? null;
    38. 

  38. $lastUserActivityAt = is_scalar($activityRaw) ? (int) $activityRaw : null;
    39. 

  39. $formAccess = new FormAccess();
    40. 

  40. $auth = $formAccess->assertVerifiedForEmail($email, $lastUserActivityAt);
    41. 

  41. if (($auth['ok'] ?? false) !== true) {
    42. 

  42.     $reason = (string) ($auth['reason'] ?? '');
    43. 

  43.     Bootstrap::jsonResponse([
    44. 

  44.         'ok' => false,
    45. 

  45.         'message' => (string) ($auth['message'] ?? 'Bitte E-Mail erneut verifizieren.'),
    46. 

  46.         'auth_required' => $reason === 'auth_required',
    47. 

  47.         'auth_expired' => $reason === 'auth_expired',
    48. 

  48.     ], (int) ($auth['status_code'] ?? 401));
    49. 

  49. }
    50. 

  50. 

  51. $field = trim((string) ($_GET['field'] ?? ''));
    52. 

  52. $index = (int) ($_GET['index'] ?? -1);
    53. 

  53. if ($field === '' || $index < 0) {
    54. 

  54.     http_response_code(422);
    55. 

  55.     header('Content-Type: text/plain; charset=utf-8');
    56. 

  56.     echo 'Ungültiger Upload-Eintrag.';
    57. 

  57.     exit;
    58. 

  58. }
    59. 

  59. 

  60. /** @return string|null */
    61. 

  61. function resolveStoredPreviewPath(array $entry, array $app): ?string
    62. 

  62. {
    63. 

  63.     $baseDir = rtrim((string) ($app['storage']['uploads'] ?? ''), '/');
    64. 

  64.     if ($baseDir === '') {
    65. 

  65.         return null;
    66. 

  66.     }
    67. 

  67. 

  68.     $storedDir = trim((string) ($entry['stored_dir'] ?? ''), '/');
    69. 

  69.     $storedFilename = trim((string) ($entry['stored_filename'] ?? ''));
    70. 

  70.     if ($storedDir === '' || $storedFilename === '') {
    71. 

  71.         return null;
    72. 

  72.     }
    73. 

  73.     if (str_contains($storedDir, '..') || str_contains($storedFilename, '..')) {
    74. 

  74.         return null;
    75. 

  75.     }
    76. 

  76.     if (!preg_match('/^[A-Za-z0-9._\/-]+$/', $storedDir)) {
    77. 

  77.         return null;
    78. 

  78.     }
    79. 

  79.     if (!preg_match('/^[A-Za-z0-9._ -]+$/', $storedFilename)) {
    80. 

  80.         return null;
    81. 

  81.     }
    82. 

  82. 

  83.     $path = $baseDir . '/' . $storedDir . '/' . $storedFilename;
    84. 

  84.     $realBase = realpath($baseDir);
    85. 

  85.     $realPath = realpath($path);
    86. 

  86.     if ($realBase !== false && $realPath !== false && !str_starts_with($realPath, $realBase)) {
    87. 

  87.         return null;
    88. 

  88.     }
    89. 

  89. 

  90.     return $path;
    91. 

  91. }
    92. 

  92. 

  93. $app = Bootstrap::config('app');
    94. 

  94. $limiter = new RateLimiter();
    95. 

  95. $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    96. 

  96. $rateKey = sprintf('preview-upload:%s:%s', $ip, $email);
    97. 

  97. if (!$limiter->allow($rateKey, (int) $app['rate_limit']['requests'], (int) $app['rate_limit']['window_seconds'])) {
    98. 

  98.     http_response_code(429);
    99. 

  99.     header('Content-Type: text/plain; charset=utf-8');
    100. 

  100.     echo 'Zu viele Anfragen. Bitte später erneut versuchen.';
    101. 

  101.     exit;
    102. 

  102. }
    103. 

  103. 

  104. $store = new JsonStore();
    105. 

  105. $draft = $store->getDraft($email);
    106. 

  106. 

  107. if (!is_array($draft)) {
    108. 

  108.     http_response_code(404);
    109. 

  109.     header('Content-Type: text/plain; charset=utf-8');
    110. 

  110.     echo 'Entwurf nicht gefunden.';
    111. 

  111.     exit;
    112. 

  112. }
    113. 

  113. 

  114. $uploads = (array) ($draft['uploads'] ?? []);
    115. 

  115. $files = $uploads[$field] ?? null;
    116. 

  116. $entry = (is_array($files) && isset($files[$index]) && is_array($files[$index])) ? $files[$index] : null;
    117. 

  117. if (!is_array($entry)) {
    118. 

  118.     http_response_code(404);
    119. 

  119.     header('Content-Type: text/plain; charset=utf-8');
    120. 

  120.     echo 'Upload nicht gefunden.';
    121. 

  121.     exit;
    122. 

  122. }
    123. 

  123. 

  124. $path = resolveStoredPreviewPath($entry, $app);
    125. 

  125. if ($path === null || !is_file($path)) {
    126. 

  126.     http_response_code(404);
    127. 

  127.     header('Content-Type: text/plain; charset=utf-8');
    128. 

  128.     echo 'Datei nicht gefunden.';
    129. 

  129.     exit;
    130. 

  130. }
    131. 

  131. 

  132. $mime = (string) ($entry['mime'] ?? '');
    133. 

  133. if ($mime === '') {
    134. 

  134.     $detected = @mime_content_type($path);
    135. 

  135.     $mime = is_string($detected) ? $detected : 'application/octet-stream';
    136. 

  136. }
    137. 

  137. 

  138. $downloadName = (string) ($entry['original_filename'] ?? basename($path));
    139. 

  139. $fallbackName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName) ?: 'upload.bin';
    140. 

  140. $encodedName = rawurlencode($downloadName);
    141. 

  141. 

  142. header('Content-Type: ' . $mime);
    143. 

  143. header('X-Content-Type-Options: nosniff');
    144. 

  144. header('Content-Length: ' . (string) filesize($path));
    145. 

  145. header('Content-Disposition: inline; filename="' . $fallbackName . '"; filename*=UTF-8\'\'' . $encodedName);
    146. 

  146. readfile($path);
    147. 

  147. exit;
    148.