diff options
author | steckbrief <steckbrief@chefmail.de> | 2016-01-13 09:30:49 +0100 |
---|---|---|
committer | steckbrief <steckbrief@chefmail.de> | 2016-01-13 09:30:49 +0100 |
commit | c6da13b6320e3bb20f57a24ccb336de2684dd658 (patch) | |
tree | 3a671e09d7da86518e2136a24568ae7673623812 | |
parent | 9bd8c79f56d970c95634bb20b6626e0d89fadb0b (diff) |
rawurl(de|en)coding moved to slot parameter storing and loading
Diffstat (limited to '')
-rw-r--r-- | storage-backend/index.php | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/storage-backend/index.php b/storage-backend/index.php index b18a801..ab59617 100644 --- a/storage-backend/index.php +++ b/storage-backend/index.php @@ -86,11 +86,11 @@ switch ($method) { if (!slotExists($slotUUID, $config)) { sendHttpReturnCodeAndJson(403, "The slot does not exist."); } - $slotParameters = require(getSlotFilePath($slotUUID, $config)); - if ($slotParameters['filename'] != $filename) { // Works because filename is rawurlencoded in slot store and filename is from PUT URL + $slotParameters = loadSlotParameters($slotUUID, $config); + if (!checkFilenameParameter($filename, $slotParameters)) { sendHttpReturnCodeAndJson(403, "Uploaded filename differs from requested slot filename."); } - $uploadFilePath = getUploadFilePath($slotUUID, $config, rawurldecode($filename)); + $uploadFilePath = getUploadFilePath($slotUUID, $config, $slotParameters['filename']); if (file_exists($uploadFilePath)) { sendHttpReturnCodeAndJson(403, "The slot was already used."); } @@ -127,6 +127,18 @@ function checkXmppServerKey($validXmppServerKeys, $xmppServerKey) { return false; } +function checkFilenameParameter($filename, $slotParameters) { + $filename = rawurldecode($filename); // the filename is a http get parameter and therefore encoded + return $slotParameters['filename'] == $filename; +} + +function loadSlotParameters($slotUUID, $config) { + $slotParameters = require(getSlotFilePath($slotUUID, $config)); + $slotParameters['filename'] = rawurldecode($slotParameters['filename']); + + return $slotParameters; +} + function getMandatoryPostParameter($parameterName) { $parameter = $_POST[$parameterName]; if (!isset($parameter) || is_null($parameter) || empty($parameter)) { |