From 4a8d1d1f3a1958794882b48f060553d09ba24753 Mon Sep 17 00:00:00 2001 From: rail5 Date: Mon, 24 Apr 2023 13:12:41 -0400 Subject: [PATCH] setup.php now deletes itself when finished. Some code cleanup --- README.md | 22 +++---- download.php | 47 +++++++------- functions.global.php | 37 +++++------ layout.php | 12 ++-- login.php | 54 ++++++++-------- manage.php | 40 ++++++------ setup.php | 142 +++++++++++++++++++++++-------------------- upload.php | 48 +++++++-------- 8 files changed, 206 insertions(+), 196 deletions(-) diff --git a/README.md b/README.md index 9de1409..22519b5 100644 --- a/README.md +++ b/README.md @@ -26,23 +26,23 @@ Simple, Self-Hosted, PHP File Sharing It's recommended that you alter your server configuration to block direct access to the sqlite database file (created by **setup.php** as **filedb.sqlite**), and to block direct access to the *files directory*, as such for example: ``` - location = /SimpleFS/Installation/Folder/filedb.sqlite { - deny all; - return 404; - } - location = /SimpleFS/Installation/Folder/files/ { - deny all; - return 404; - } + location = /SimpleFS/Installation/Folder/filedb.sqlite { + deny all; + return 404; + } + location = /SimpleFS/Installation/Folder/files/ { + deny all; + return 404; + } ``` - For Apache Users This repo includes .htaccess files preventing direct access to the sqlite database file and to the files directory. Please ensure that your Apache installation is configured to allow .htaccess overrides, as in for instance, in your **apache2.conf**: ``` - Options Indexes FollowSymLinks - AllowOverride All - Require all granted + Options Indexes FollowSymLinks + AllowOverride All + Require all granted ``` diff --git a/download.php b/download.php index 453cafb..e24a8be 100644 --- a/download.php +++ b/download.php 
@@ -4,46 +4,43 @@ require('config.global.php'); require('functions.global.php'); require('layout.php'); -$notRealFile = 0; - - if (!isset($_GET['id'])) { - header('location: index.php'); // user loaded without requesting file by id + header('location: index.php'); // user loaded without requesting file by id + die(); } if (!is_numeric($_GET['id'])) { - header('location: index.php'); // user requested non-numeric (invalid) file id, damned fuzzers + header('location: index.php'); // user requested non-numeric (invalid) file id, damned fuzzers + die(); } $reqFile = $_GET['id']; $fetched = contactDB("SELECT * FROM files WHERE fileid='$reqFile';", 1); -if (count($fetched) == 0) { - $notRealFile = 1; // user requested invalid (unmatched) file id, possibly a deleted file -} +$realFile = (count($fetched) != 0); // Set realFile to true if we found the file id, false if we didn't find it -if ($notRealFile == 1) { - echo deliverTop("SimpleFS - Download"); +if (!$realFile) { + echo deliverTop("SimpleFS - Download"); - echo deliverMiddle("File Not Found", "The file you requested doesn't exist on this server", ""); - - echo deliverBottom(); + echo deliverMiddle("File Not Found", "The file you requested doesn't exist on this server", ""); + + echo deliverBottom(); } else { - $fileName = str_replace("files/", "", $fetched[0]); - - if ($_GET['dl'] == "true") { + $fileName = str_replace("files/", "", $fetched[0]); + + if ($_GET['dl'] == "true") { - header('Content-Type: application/octet-stream'); - header("Content-Transfer-Encoding: Binary"); - header("Content-disposition: attachment; filename=\"" .$fileName. "\""); - readfile($fetched[0]); - } else { - echo deliverTop("SimpleFS - Download"); - echo deliverMiddle("Download", $fileName, ''); - echo deliverBottom(); + header('Content-Type: application/octet-stream'); + header("Content-Transfer-Encoding: Binary"); + header("Content-disposition: attachment; filename=\"" .$fileName. 
"\""); + readfile($fetched[0]); + } else { + echo deliverTop("SimpleFS - Download"); + echo deliverMiddle("Download", $fileName, ''); + echo deliverBottom(); - } + } } diff --git a/functions.global.php b/functions.global.php index e2574e5..ad4da8b 100644 --- a/functions.global.php +++ b/functions.global.php @@ -3,26 +3,27 @@ /* General Global Include Functions Here */ function contactDB($query, $column) { - - // $query: the SQLite query to the database - // $column: the column you're asking the DB to report back on - // 1: fileid - // 2: filepath - // 3: fileowner - // ie, $result = contactDB("SELECT * FROM files WHERE fileowner='admin';", 2); - // populates the $result[] array with the file paths to every file owned by the admin user - - $dbresult = array(); - - $datab = 'sqlite:./filedb.sqlite'; - $dbpdo = new PDO($datab) or die ("Fatal Error: Can't open the database"); - - foreach ($dbpdo->query($query) as $row) { - array_push($dbresult, $row[$column]); + + // $query: the SQLite query to the database + // $column: the column you're asking the DB to report back on + // 1: fileid + // 2: filepath + // 3: fileowner + // 4: filedate + // ie, $result = contactDB("SELECT * FROM files WHERE fileowner='admin';", 2); + // populates the $result[] array with the file paths to every file owned by the admin user + + $dbresult = array(); + + $datab = 'sqlite:./filedb.sqlite'; + $dbpdo = new PDO($datab) or die ("Fatal Error: Can't open the database"); + + foreach ($dbpdo->query($query) as $row) { + array_push($dbresult, $row[$column]); } - $dbpdo = NULL; // Closing connection - return $dbresult; + $dbpdo = NULL; // Closing connection + return $dbresult; } ?> diff --git a/layout.php b/layout.php index 3c99b1a..94e71c1 100644 --- a/layout.php +++ b/layout.php @@ -8,7 +8,7 @@ session_start(); function deliverTop($pagetitle) { - $top = ' + $top = ' + $middle = '
@@ -55,8 +55,8 @@ function deliverMiddle($toptext, $bottomtext, $buttons) { } function deliverBottom() { - - $bottom = ' + + $bottom = '
@@ -73,7 +73,7 @@ function deliverBottom() { '; - return $bottom; + return $bottom; } ?> diff --git a/login.php b/login.php index 0a912c8..70e4f5e 100644 --- a/login.php +++ b/login.php 
@@ -4,34 +4,34 @@ require('config.global.php'); require('layout.php'); if ($_POST['submitted'] == true) { - if ($_POST['username'] == $adminuser) { - if (password_verify($_POST['password'], $adminpass)) { - $_SESSION['simplefsvalid'] = true; - $_SESSION['simplefsuser'] = "admin"; - // signed in, redirect - header('location: manage.php'); - } else { - $_SESSION['simplefsvalid'] = false; - $_SESSION['simplefsuser'] = NULL; - die('Invalid username or password'); + if ($_POST['username'] == $adminuser) { + if (password_verify($_POST['password'], $adminpass)) { + $_SESSION['simplefsvalid'] = true; + $_SESSION['simplefsuser'] = "admin"; + // signed in, redirect + header('location: manage.php'); + } else { + $_SESSION['simplefsvalid'] = false; + $_SESSION['simplefsuser'] = NULL; + die('Invalid username or password'); - } - } else if ($_POST['username'] == $secuser) { - if (password_verify($_POST['password'], $secpass)) { - $_SESSION['simplefsvalid'] = true; - $_SESSION['simplefsuser'] = "guest"; - // signed in, redirect - header('location: manage.php'); - } else { - $_SESSION['simplefsvalid'] = false; - $_SESSION['simplefsuser'] = NULL; - die('Invalid username or password'); - } - } else { - $_SESSION['simplefsvalid'] = false; - $_SESSION['simplefsuser'] = NULL; - die('Invalid username or password'); - } + } + } else if ($_POST['username'] == $secuser) { + if (password_verify($_POST['password'], $secpass)) { + $_SESSION['simplefsvalid'] = true; + $_SESSION['simplefsuser'] = "guest"; + // signed in, redirect + header('location: manage.php'); + } else { + $_SESSION['simplefsvalid'] = false; + $_SESSION['simplefsuser'] = NULL; + die('Invalid username or password'); + } + } else { + $_SESSION['simplefsvalid'] = false; + $_SESSION['simplefsuser'] = NULL; + die('Invalid username or password'); + } } echo deliverTop("SimpleFS - Sign in"); diff --git a/manage.php b/manage.php index 5f0835f..bd680d4 100644 --- a/manage.php +++ b/manage.php 
@@ -5,8 +5,8 @@ require('layout.php'); require('functions.global.php'); if ($_SESSION['simplefsvalid'] != true) { - header('location: login.php'); - die(); + header('location: login.php'); + die(); } $currentUser = $_SESSION['simplefsuser']; @@ -23,17 +23,17 @@ $i = 0; $outputContents = ""; if ($_POST['msubmitted'] == true) { - - while ($i < $nFiles) { - if ($_POST["file$myFilesId[$i]"] == "marked") { - unlink($myFilesName[$i]); // Delete selected file - - $dbChange = contactDB("DELETE FROM files WHERE fileid='$myFilesId[$i]';", 0); // Update database - } - $i = $i + 1; - } - $i = 0; // Reset iteration for next use - $noticeText = "

Files successfully deleted


".PHP_EOL; + + while ($i < $nFiles) { + if ($_POST["file$myFilesId[$i]"] == "marked") { + unlink($myFilesName[$i]); // Delete selected file + + $dbChange = contactDB("DELETE FROM files WHERE fileid='$myFilesId[$i]';", 0); // Update database + } + $i = $i + 1; + } + $i = 0; // Reset iteration for next use + $noticeText = "

Files successfully deleted


".PHP_EOL; } unset($myFilesId); @@ -45,19 +45,19 @@ $myFilesName = contactDB("SELECT * FROM files where fileowner='$currentUser';", $nFiles = count($myFilesId); if ($nFiles == 0) { - $outputContents = "You haven't uploaded any files yet"; + $outputContents = "You haven't uploaded any files yet"; } else { - while ($i < $nFiles) { - $fileName = str_replace("files/", "", $myFilesName[$i]); - $outputContents = $outputContents.''.PHP_EOL; - $i = $i + 1; - } + while ($i < $nFiles) { + $fileName = str_replace("files/", "", $myFilesName[$i]); + $outputContents = $outputContents.''.PHP_EOL; + $i = $i + 1; + } } echo deliverTop("SimpleFS - Manage"); if (isset($noticeText)) { - echo $noticeText; + echo $noticeText; } echo deliverMiddle("Manage", '
'.PHP_EOL.''.PHP_EOL.$outputContents, '


'); diff --git a/setup.php b/setup.php index 86fe417..6420e27 100644 --- a/setup.php +++ b/setup.php @@ -6,107 +6,119 @@

Warning: Your PHP configuration has disabled file uploads

Please check your php.ini for the line:

file_uploads = On


'; } // Check for SQLite and PDO if (!extension_loaded("pdo_sqlite")) { - echo '

Warning: You do not have the PHP SQLite extension installed.

Please install the PHP sqlite3 extension before moving forward



'; + echo '

Warning: You do not have the PHP SQLite extension installed.

Please install the PHP sqlite3 extension before moving forward



'; } echo '
php.ini specifies your server\'s maximum upload filesize as: '.ini_get('upload_max_filesize').'

'; ?> -
-

IMPORTANT:

-

Delete this file immediately after completing set-up


-
- +
+

IMPORTANT:

+

Delete this file immediately after completing set-up


+ + Create admin (uploader) account -
+
-
+
-
+
Create a second user who can also upload stuff? -
- -
- -
+
+ +
+ +

- - + + ".PHP_EOL); - - echo '
User(s) created. I mean, check config.global.php to make sure, but then delete this file ASAP.'; - - if (file_exists("./filedb.sqlite")) { - unlink("./filedb.sqlite"); - } + if ($_POST['makeuser'] == true) { + fwrite($myfile, '$secuser = \''.$_POST['user2'].'\';'.PHP_EOL); + fwrite($myfile, '$secpass = \''.$usrhash.'\';'.PHP_EOL); + } + + fwrite($myfile, '$deleteafter = -1'.PHP_EOL); + + if (!fwrite($myfile, "?>".PHP_EOL)) { + echo '
Error creating config.global.php
Does the web server have write permissions here?'; + die(); + } + + echo '
User(s) created.'; + + if (file_exists("./filedb.sqlite")) { + unlink("./filedb.sqlite"); + } - touch("./filedb.sqlite"); - $initializeDB = contactDB("CREATE TABLE files ( - fileid int NOT NULL PRIMARY KEY, - filepath varchar(255) NOT NULL, - fileowner varchar(255) NOT NULL - );", 0); - - echo '
Initialized file database'; - + touch("./filedb.sqlite"); + $initializeDB = contactDB("CREATE TABLE files ( + fileid int NOT NULL PRIMARY KEY, + filepath varchar(255) NOT NULL, + fileowner varchar(255) NOT NULL + );", 0); + + echo '
Initialized file database'; + + // Delete setup.php + unlink("./setup.php"); + } ?> -
+
diff --git a/upload.php b/upload.php index 83b3bfc..a059e1b 100644 --- a/upload.php +++ b/upload.php @@ -6,8 +6,8 @@ require('functions.global.php'); require('layout.php'); if ($_SESSION['simplefsvalid'] != true) { - header('location: login.php'); - die(); + header('location: login.php'); + die(); } $currentUser = $_SESSION['simplefsuser']; @@ -15,7 +15,7 @@ $currentUser = $_SESSION['simplefsuser']; echo deliverTop("SimpleFS - Upload"); if ($_POST['fsubmitted'] == "true") { - + $target_dir = "files/"; $target_file = $target_dir . basename($_FILES["upfile"]["name"]); $uploadOk = 1; @@ -45,13 +45,13 @@ if($fileType == "php" || $fileType == "htm" || $fileType == "html" || $fileType /* This following part shouldn't be deleted though, my apologies but without sanitizing these filenames, could break the whole thing */ /* **** */ if (strpos($target_file, "'") !== false) { - echo "
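Review bot: The self-deletion at the end of the hunk, `unlink("./setup.php");`, is unchecked, so if the web server cannot remove the file the page still reports success while the installer stays reachable, which is exactly what the commit sets out to close; use `__FILE__` rather than a working-directory-relative path and report failure: `if (!unlink(__FILE__)) { echo 'Could not delete setup.php - please remove it manually'; }`. The generated config also embeds `$_POST['user2']` (and presumably the admin username, written the same way earlier in the hunk) directly inside a single-quoted PHP literal, so a value containing `'` or `\` produces a broken or altered config.global.php; `fwrite($myfile, '$secuser = '.var_export($_POST['user2'], true).';'.PHP_EOL);` yields a correctly escaped literal. The new `fwrite($myfile, '$deleteafter = -1'.PHP_EOL);` omits the `;`, which only parses because the `?>` written immediately after implies one; any line inserted between them later becomes a parse error, so `'$deleteafter = -1;'.PHP_EOL` is safer.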

Error: Cannot upload files with apostrophes or quote-marks

"; - $uploadOk = 0; + echo "

Error: Cannot upload files with apostrophes or quote-marks

"; + $uploadOk = 0; } if (strpos($target_file, '"') !== false) { - echo "

Error: Cannot upload files with apostrophes or quote-marks

"; - $uploadOk = 0; + echo "

Error: Cannot upload files with apostrophes or quote-marks

"; + $uploadOk = 0; } /* Getting a list of all file IDs */ @@ -62,26 +62,26 @@ if ($uploadOk == 0) { echo "

Error: file was not uploaded

"; } else { if (move_uploaded_file($_FILES["upfile"]["tmp_name"], $target_file)) { - - $newFileId = rand(10000, 99999); - while (in_array($newFileId, $fileListId)) { - $newFileId = rand(10000, 99999); - } + + $newFileId = rand(10000, 99999); + while (in_array($newFileId, $fileListId)) { + $newFileId = rand(10000, 99999); + } - - /* Write entry to DB */ - - $publish = contactDB("INSERT INTO files (fileid, filepath, fileowner) - VALUES ($newFileId, '$target_file', '$currentUser');", 0); - - /* Tell the user all is well */ - - echo "

The file ". htmlspecialchars( basename( $_FILES["upfile"]["name"])). " has been uploaded.

"; + + /* Write entry to DB */ + + $publish = contactDB("INSERT INTO files (fileid, filepath, fileowner) + VALUES ($newFileId, '$target_file', '$currentUser');", 0); + + /* Tell the user all is well */ + + echo "

The file ". htmlspecialchars( basename( $_FILES["upfile"]["name"])). " has been uploaded.

"; - - + + } else { - echo "

Error uploading file

"; + echo "

Error uploading file

"; } }