From 2c946d39fbfc8ed47b32ba450f03af2919702928 Mon Sep 17 00:00:00 2001
From: steckbrief <steckbrief@chefmail.de>
Date: Wed, 6 Jan 2016 19:39:32 +0100
Subject: server validation added several bug fixes

---
 storage-backend/index.php | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/storage-backend/index.php b/storage-backend/index.php
index d9c82d5..0998c8c 100644
--- a/storage-backend/index.php
+++ b/storage-backend/index.php
@@ -11,6 +11,7 @@
  *   size
  *   content_type
  *   user_jid
+ * 403: In case the XMPP Server Key is not valid
  * 406:
  *   File is empty (error code: 1)
  *   File too large (error code: 2, parameters: max_file_size)
@@ -47,6 +48,10 @@ switch ($method) {
 	$filesize = getMandatoryPostParameter('size');
 	$type = getOptionalPostParameter('content_type');
 	$userJid = getMandatoryPostParameter('user_jid');
+    // Check if xmppServerKey is allowed to request slots
+    if (false === checkXmppServerKey($config['valid_xmpp_server_keys'], $xmppServerKey)) {
+      sendHttpReturnCodeAndJson(403, 'Server is not allowed to request an upload slot');
+    }
     // check file size - return 406 (not acceptable) if file too small
     if ($filesize <= 0) {
       sendHttpReturnCodeAndJson(406, ['msg' => 'File is empty.', 'err_code' => 1]);
@@ -82,17 +87,17 @@ switch ($method) {
       sendHttpReturnCodeAndJson(403, "The slot does not exist.");
     }
     $slotParameters = require(getSlotFilePath($slotUUID, $config));
-    if ($slotParameters['filename'] != $filename) {
+    if ($slotParameters['filename'] != $filename) { // Works because filename is rawurlencoded in slot store and filename is from PUT URL
       sendHttpReturnCodeAndJson(403, "Uploaded filename differs from requested slot filename.");
     }
-    $uploadFilePath = getUploadFilePath($slotUUID, $config, $filename);
+    $uploadFilePath = getUploadFilePath($slotUUID, $config, rawurldecode($filename));
     if (file_exists($uploadFilePath)) {
       sendHttpReturnCodeAndJson(403, "The slot was already used.");
     }
     // save file
     $incomingFileStream = fopen("php://input", "r");
     $targetFileStream = fopen($uploadFilePath, "w");
-    $uploadedFilesize = stream_copy_to_stream($incomingFileStream, $targetFileStream);
+    $uploadedFilesize = stream_copy_to_stream($incomingFileStream, $targetFileStream, $slotParameters['filesize'] + 1); // max. 1 byte more than expected to avoid spamming
     fclose($targetFileStream);
     // check actual file size with registered file size - return 413
     if ($uploadedFilesize != $slotParameters['filesize']) {
@@ -113,6 +118,15 @@ switch ($method) {
     break;
 }
 
+function checkXmppServerKey($validXmppServerKeys, $xmppServerKey) {
+  foreach ($validXmppServerKeys as $validXmppServerKey) {
+    if ($validXmppServerKey == $xmppServerKey) {
+      return true;
+    }
+  }
+  return false;
+}
+
 function getMandatoryPostParameter($parameterName) {
   $parameter = $_POST[$parameterName];
   if (!isset($parameter) || is_null($parameter) || empty($parameter)) {
@@ -154,7 +168,7 @@ function getFilenameFromUri($uri) {
 
 function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $config) {
   $contents = "<?php\n/*\n * This is an autogenerated file - do not edit\n */\n\n";
-  $contents .= 'return [\'filename\' => \''.$filename.'\', \'filesize\' => \''.$filesize.'\', ';
+  $contents .= 'return [\'filename\' => \''.rawurlencode($filename).'\', \'filesize\' => \''.$filesize.'\', ';
   $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\'];';
   if (!file_put_contents(getSlotFilePath($slotUUID, $config), $contents)) {
     sendHttpReturnCodeAndMessage(500, "Could not create slot registry entry.");
-- 
cgit v1.2.3