From 8bbc9138da95b9a96e8763f66a3873007edc9e0f Mon Sep 17 00:00:00 2001 From: Rouji Date: Sat, 23 Mar 2019 18:12:25 +0100 Subject: [PATCH] clean up some things also added logging and (clunky) scan using clamd --- README.md | 40 ++++++-- index.php | 281 +++++++++++++++++++++++++++++------------------------- 2 files changed, 180 insertions(+), 141 deletions(-) diff --git a/README.md b/README.md index 58f576b..7ed039d 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ # Single .php Filehost Simple PHP script, mainly for sharing random files with people using curl. (and thus in an easily scriptable way) -It receives files uploaded via HTTP POST, and saves them to a configured directory, with a randomised filename (but preserving the original file extension). -On successful upload, it returns a link to the uploaded file. Serving the file to people you've shared the link with can then simply be left to apache to figure out. +Puts a file sent via POST into a configured directory with a randomised filename but preserving the original file extension, and returns a link to it. +Actually serving the file to people is left to apache to figure out. There's also a mechanism for removing files over a certain age, which can be invoked by calling the script with a commandline argument. -## Config +# Config All configuration is done using the global variables at the top of **index.php**. Hopefully, they're explained well enough in the short comments besides them. To accommodate for larger uploads, you'll also need to set the following values in your php.ini: @@ -18,10 +18,32 @@ max_execution_time The code responsible for the default info text can be found at the very bottom of index.php, in case you want to reword anything. +## Apache +Pretty straight forward, I use something like this: -## Purging Old Files -To check for any files, that exceed their max age, and delete them, you need to call index.php with the argument "purge" ``` + + Options +FollowSymLinks -MultiViews -Indexes + AddDefaultCharset UTF-8 + AllowOverride None + + RewriteEngine On + RewriteCond "%{ENV:REDIRECT_STATUS}" "^$" + RewriteRule "^/?$" "index.php" [L,END] + RewriteRule "^(.+)$" "files/$1" [L,END] + + + + Options -ExecCGI + php_flag engine off + SetHandler None + AddType text/plain .php .php5 .html .htm .cpp .c .h .sh + +``` + +# Purging Old Files +To check for any files, that exceed their max age, and delete them, you need to call index.php with the argument "purge" +```bash php index.php purge ``` @@ -32,12 +54,12 @@ To automate this, simply create a cron job: If you specify **$STORE_PATH** using an absolute path, you can omit the **cd** -### Max. File Age +## Max. File Age The max age of a file is computed using the following formula: ``` -$fileMaxAge = $MIN_FILEAGE + - ($MAX_FILEAGE - $MIN_FILEAGE) * - pow(1-($fileSize/$MAX_FILESIZE),$DECAY_EXP); +$file_max_age = $MIN_FILEAGE + + ($MAX_FILEAGE - $MIN_FILEAGE) * + pow(1-($fileSize/$MAX_FILESIZE),$DECAY_EXP); ``` ...which is a basic exponential decay curve that favours smaller files, meaning small files are kept longer and really big ones are deleted relatively quickly. **$DECAY_EXP** is one of the configurable globals and basically makes the curve more or less exponential-looking. Set to 1 for a completely linear relationship. diff --git a/index.php b/index.php index 2ce49cb..c2b5283 100755 --- a/index.php +++ b/index.php @@ -1,110 +1,99 @@ Warning: php.ini: %s (%s) set lower than %s (%s)\n", - $iniName, - $iniValue, - $varName, - $varValue); + $ini_name, + $ini_val, + $var_name, + $var_val); } +// runs a file through clamdscan +// fails silently(!) if clamd is not running or something +function clam($path) +{ + $cmd = 'clamdscan --quiet ' . escapeshellarg($path); + $out = ''; + $ret = -1; + exec($cmd, $out, $ret); + return $ret != 1; +} -//////////////////////////////////////////////////////////////////////////////// -// store an uploaded file, given its name and temporary path, (e.g. values -// straight out of $_FILES) +//extract extension from a path (does not include the dot) +function get_ext($path) +{ + global $MAX_EXT_LEN; + + $ext = pathinfo($path, PATHINFO_EXTENSION); + //special handling of .tar.* archives + $ext2 = pathinfo(substr($path,0,-(strlen($ext)+1)), PATHINFO_EXTENSION); + if ($ext2 === 'tar') + { + $ext = $ext2.'.'.$ext; + } + //trim extension to max. 7 chars + $ext = substr($ext, 0, $MAX_EXT_LEN); + return $ext; +} + +// store an uploaded file, given its name and temporary path (e.g. values straight out of $_FILES) // files are stored wit a randomised name, but with their original extension // // $name: original filename // $tmpFile: temporary path of uploaded file // $formatted: set to true to display formatted message instead of bare link -//////////////////////////////////////////////////////////////////////////////// -function storeFile($name, $tmpFile, $formatted = false) +function store_file($name, $tmpFile, $formatted = false) { global $STORE_PATH; global $ID_LENGTH; global $HTTP_PROTO; - global $DOWNLOAD_URL; + global $DOWNLOAD_PATH; global $MAX_FILESIZE; - + global $CLAM_SCAN; + global $LOG_PATH; //create folder, if it doesn't exist if (!file_exists($STORE_PATH)) @@ -119,13 +108,13 @@ function storeFile($name, $tmpFile, $formatted = false) return; } - $ext = getExtension($name); + $ext = get_ext($name); $tries_per_len=3; //try random names a few times before upping the length for ($len = $ID_LENGTH; ; ++$len) { for ($n=0; $n<=$tries_per_len; ++$n) { - $id = rndStr($len); + $id = rnd_str($len); $basename = $id . (empty($ext) ? '' : '.' . $ext); $target_file = $STORE_PATH . $basename; @@ -137,48 +126,54 @@ function storeFile($name, $tmpFile, $formatted = false) $res = move_uploaded_file($tmpFile, $target_file); if ($res) { + //scan file using clam + if ($CLAM_SCAN && !clam($target_file)) + { + unlink($target_file); + header("HTTP/1.0 400 Bad Request"); + print("Error 400: File rejected by virus scan"); + return; + } + //print the download link of the file - $url = sprintf("%s://%s/".$DOWNLOAD_URL, + $url = sprintf('%s://%s/'.$DOWNLOAD_PATH, $HTTP_PROTO, $_SERVER["SERVER_NAME"], $basename); if ($formatted) { - printf("
Access your file here:\n%s
", - $url,$url); + printf('
Access your file here:\n%s
', $url, $url); } else { printf($url); } + + // log uploader's IP, original filename, etc. + if ($LOG_PATH) + { + file_put_contents( + $LOG_PATH, + implode("\t", array( + date('c'), + $_SERVER['REMOTE_ADDR'], + filesize($tmpFile), + escapeshellarg($name), + $basename + )) . "\n", + FILE_APPEND + ); + } } else { - //TODO: proper error handling + //TODO: proper error handling? header("HTTP/1.0 520 Unknown Error"); } } -//extract extension from a path (does not include the dot) -function getExtension($path) -{ - $ext = pathinfo($path, PATHINFO_EXTENSION); - //special handling of .tar.* archives - $ext2 = pathinfo(substr($path,0,-(strlen($ext)+1)), PATHINFO_EXTENSION); - if ($ext2 === 'tar') - { - $ext = $ext2.'.'.$ext; - } - //trim extension to max. 7 chars - $ext = substr($ext,0,7); - return $ext; -} - - -//////////////////////////////////////////////////////////////////////////////// // purge all files older than their retention period allows. -//////////////////////////////////////////////////////////////////////////////// -function purgeFiles() +function purge_files() { global $STORE_PATH; global $MAX_FILEAGE; @@ -186,61 +181,50 @@ function purgeFiles() global $MIN_FILEAGE; global $DECAY_EXP; - $numDel = 0; //number of deleted files - $totalSize = 0; //total size of deleted files + $num_del = 0; //number of deleted files + $total_size = 0; //total size of deleted files //for each stored file foreach (scandir($STORE_PATH) as $file) { //skip virtual . and .. files - if ($file == '.' || - $file == '..' || - $file == '.htaccess' || - $file == '.htpasswd') + if ($file === '.' || + $file === '..') { continue; } $file = $STORE_PATH . $file; - $fileSize = filesize($file) / (1024*1024); //size in MiB - $fileAge = (time()-filemtime($file)) / (60*60*24); //age in days + $file_size = filesize($file) / (1024*1024); //size in MiB + $file_age = (time()-filemtime($file)) / (60*60*24); //age in days //keep all files below the min age - if ($fileAge < $MIN_FILEAGE) + if ($file_age < $MIN_FILEAGE) { continue; } - //calculate the maximum age, in days, for this file - //minage + (maxage-minage) * (1-(size/maxsize))^exp; - $fileMaxAge = $MIN_FILEAGE + + //calculate the maximum age in days for this file + $file_max_age = $MIN_FILEAGE + ($MAX_FILEAGE - $MIN_FILEAGE) * - pow(1-($fileSize/$MAX_FILESIZE),$DECAY_EXP); + pow(1-($file_size/$MAX_FILESIZE),$DECAY_EXP); //delete if older - if ($fileAge > $fileMaxAge) + if ($file_age > $file_max_age) { unlink($file); - printf("deleted \"%s\", %d MiB, %d days old\n", - $file, - $fileSize, - $fileAge); - - $numDel += 1; - $totalSize += $fileSize; + printf("deleted \"%s\", %d MiB, %d days old\n", $file, $file_size, $file_age); + $num_del += 1; + $total_size += $file_size; } } - printf("Purge finished. Deleted %d files totalling %d MiB\n", - $numDel, - $totalSize); + printf("Deleted %d files totalling %d MiB\n", $num_del, $total_size); } -//////////////////////////////////////////////////////////////////////////////// // send a ShareX custom uploader config as .json -//////////////////////////////////////////////////////////////////////////////// -function sendShareXConfig() +function send_sharex_config() { global $HTTP_PROTO; $host = $_SERVER["HTTP_HOST"]; @@ -261,10 +245,8 @@ EOT; print($content); } -//////////////////////////////////////////////////////////////////////////////// // send a Hupl uploader config as .hupl (which is just JSON) -//////////////////////////////////////////////////////////////////////////////// -function sendHuplConfig() +function send_hupl_config() { global $HTTP_PROTO; $host = $_SERVER["HTTP_HOST"]; @@ -283,31 +265,35 @@ EOT; print($content); } -//////////////////////////////////////////////////////////////////////////////// // print a plaintext info page, explaining what this script does and how to // use it, how to upload, etc. -// essentially the homepage -//////////////////////////////////////////////////////////////////////////////// -function printInfo() +function print_index() { global $ADMIN_EMAIL; - global $HTTP_PROTO; global $MAX_FILEAGE; + global $HTTP_PROTO; + global $MAX_FILEAGE; global $MAX_FILESIZE; global $MIN_FILEAGE; global $DECAY_EXP; $url = $HTTP_PROTO."://".$_SERVER["HTTP_HOST"].$_SERVER['REQUEST_URI']; - $sharexUrl = $url."?sharex"; - $huplUrl = $url."?hupl"; + $sharex_url = $url."?sharex"; + $hupl_url = $url."?hupl"; echo << + + Filehost + + + 
  === How To Upload ===
 You can upload files to this site via a simple HTTP POST, e.g. using curl:
 curl -F "file=@/path/to/your/file.jpg" $url
 
-On Windows, you can use ShareX and import this custom uploader.
-On Android, you can use an app called Hupl with this uploader.
+On Windows, you can use ShareX and import this custom uploader.
+On Android, you can use an app called Hupl with this uploader.
 
 
 Or simply choose a file and click "Upload" below:
@@ -345,6 +331,37 @@ The PHP script used to provide this service is open source and available on
 If you want to report abuse of this service, or have any other inquiries, 
 please write an email to $ADMIN_EMAIL
+ + EOT; } -?> + + +// decide what to do, based on POST parameters etc. +if (isset($_FILES["file"]["name"]) && + isset($_FILES["file"]["tmp_name"]) && + is_uploaded_file($_FILES["file"]["tmp_name"])) +{ + //file was uploaded, store it + $formatted = isset($_GET["formatted"]) || isset($_POST["formatted"]); + store_file($_FILES["file"]["name"], + $_FILES["file"]["tmp_name"], + $formatted); +} +else if (isset($_GET['sharex'])) +{ + send_sharex_config(); +} +else if (isset($_GET['hupl'])) +{ + send_hupl_config(); +} +else if (isset($argv[1]) && $argv[1] === 'purge') +{ + purge_files(); +} +else +{ + check_config(); + print_index(); +}