Diffstat (limited to '')
-rw-r--r--storage-backend/index.php18
1 files changed, 15 insertions, 3 deletions
diff --git a/storage-backend/index.php b/storage-backend/index.php
index b18a801..ab59617 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -86,11 +86,11 @@ switch ($method) {
if (!slotExists($slotUUID, $config)) {
sendHttpReturnCodeAndJson(403, "The slot does not exist.");
}
- $slotParameters = require(getSlotFilePath($slotUUID, $config));
- if ($slotParameters['filename'] != $filename) { // Works because filename is rawurlencoded in slot store and filename is from PUT URL
+ $slotParameters = loadSlotParameters($slotUUID, $config);
+ if (!checkFilenameParameter($filename, $slotParameters)) {
sendHttpReturnCodeAndJson(403, "Uploaded filename differs from requested slot filename.");
}
- $uploadFilePath = getUploadFilePath($slotUUID, $config, rawurldecode($filename));
+ $uploadFilePath = getUploadFilePath($slotUUID, $config, $slotParameters['filename']);
if (file_exists($uploadFilePath)) {
sendHttpReturnCodeAndJson(403, "The slot was already used.");
}
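Review bot: The filename handed to getUploadFilePath on the line `$uploadFilePath = getUploadFilePath($slotUUID, $config, $slotParameters['filename']);` has just been rawurldecode'd inside loadSlotParameters, so percent-encoded `/` or `..` sequences in the stored value become literal path components before the upload path is built; unless getUploadFilePath (outside this hunk) already rejects them, constrain the decoded name first, e.g. `if ($slotParameters['filename'] !== basename($slotParameters['filename'])) { sendHttpReturnCodeAndJson(403, "Invalid filename."); }`. The previous code passed `rawurldecode($filename)` from the PUT URL and had the same exposure, so this is not a regression, but the refactor is the natural place to close it. The comparison in checkFilenameParameter (defined in the following hunk) uses loose `==`; both operands are strings, so `return $slotParameters['filename'] === $filename;` avoids PHP's numeric-string coercion, where `'1e3' == '1000'` is true. The enclosing switch case starts before this hunk.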
@@ -127,6 +127,18 @@ function checkXmppServerKey($validXmppServerKeys, $xmppServerKey) {
return false;
}
+function checkFilenameParameter($filename, $slotParameters) {
+ $filename = rawurldecode($filename); // the filename is a http get parameter and therefore encoded
+ return $slotParameters['filename'] == $filename;
+}
+
+function loadSlotParameters($slotUUID, $config) {
+ $slotParameters = require(getSlotFilePath($slotUUID, $config));
+ $slotParameters['filename'] = rawurldecode($slotParameters['filename']);
+
+ return $slotParameters;
+}
+
function getMandatoryPostParameter($parameterName) {
$parameter = $_POST[$parameterName];
if (!isset($parameter) || is_null($parameter) || empty($parameter)) {