diff --git a/addUser.php b/addUser.php index cc8aba2..f90222b 100644 --- a/addUser.php +++ b/addUser.php @@ -49,7 +49,7 @@ if (!$newUsername || !$newPassword) { } // Validate username using preg_match (allow letters, numbers, underscores, dashes, and spaces). -if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $newUsername)) { +if (!preg_match(REGEX_USER, $newUsername)) { echo json_encode(["error" => "Invalid username. Only letters, numbers, underscores, dashes, and spaces are allowed."]); exit; } diff --git a/config.php b/config.php index 47a2c81..5a522c1 100644 --- a/config.php +++ b/config.php @@ -11,6 +11,10 @@ define('TRASH_DIR', UPLOAD_DIR . 'trash/'); define('TIMEZONE', 'America/New_York'); define('DATE_TIME_FORMAT', 'm/d/y h:iA'); define('TOTAL_UPLOAD_SIZE', '5G'); +define('REGEX_FOLDER_NAME', '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u'); +define('PATTERN_FOLDER_NAME', '[\p{L}\p{N}_\-\s\/\\\\]+'); +define('REGEX_FILE_NAME', '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'); +define('REGEX_USER', '/^[\p{L}\p{N}_\- ]+$/u'); date_default_timezone_set(TIMEZONE); diff --git a/copyFiles.php b/copyFiles.php index 7da5952..6f98f62 100644 --- a/copyFiles.php +++ b/copyFiles.php @@ -44,7 +44,7 @@ $destinationFolder = trim($data['destination']); $files = $data['files']; // Validate folder names: allow letters, numbers, underscores, dashes, spaces, and forward slashes. -$folderPattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u'; +$folderPattern = REGEX_FOLDER_NAME; if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) { echo json_encode(["error" => "Invalid source folder name."]); exit; @@ -104,7 +104,7 @@ $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($dest $errors = []; // Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces. -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; foreach ($files as $fileName) { // Save the original name for metadata lookup. diff --git a/createFolder.php b/createFolder.php index 2cdc9ba..be2ded9 100644 --- a/createFolder.php +++ b/createFolder.php @@ -45,13 +45,13 @@ $folderName = trim($input['folderName']); $parent = isset($input['parent']) ? trim($input['parent']) : ""; // Basic sanitation: allow only letters, numbers, underscores, dashes, and spaces in folderName -if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folderName)) { +if (!preg_match(REGEX_FOLDER_NAME, $folderName)) { echo json_encode(['success' => false, 'error' => 'Invalid folder name.']); exit; } // Optionally, sanitize the parent folder if needed. -if ($parent && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $parent)) { +if ($parent && !preg_match(REGEX_FOLDER_NAME, $parent)) { echo json_encode(['success' => false, 'error' => 'Invalid parent folder name.']); exit; } diff --git a/createFolderShareLink.php b/createFolderShareLink.php index 885ed4d..cc1da96 100644 --- a/createFolderShareLink.php +++ b/createFolderShareLink.php @@ -27,7 +27,7 @@ $allowUpload = isset($input['allowUpload']) ? intval($input['allowUpload']) : 0; // Validate folder name using regex. // Allow letters, numbers, underscores, hyphens, spaces and slashes. -if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name."]); exit; } diff --git a/createShareLink.php b/createShareLink.php index 9d754ab..5e9d45b 100644 --- a/createShareLink.php +++ b/createShareLink.php @@ -25,7 +25,7 @@ $expirationMinutes = isset($input['expirationMinutes']) ? intval($input['expirat $password = isset($input['password']) ? $input['password'] : ""; // Validate folder using regex. -if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name."]); exit; } diff --git a/deleteFiles.php b/deleteFiles.php index 4083cdd..269e23f 100644 --- a/deleteFiles.php +++ b/deleteFiles.php @@ -69,7 +69,7 @@ if (!isset($data['files']) || !is_array($data['files'])) { $folder = isset($data['folder']) ? trim($data['folder']) : 'root'; // Validate folder: allow letters, numbers, underscores, dashes, spaces, and forward slashes -if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name."]); exit; } @@ -96,7 +96,7 @@ $movedFiles = []; $errors = []; // Define a safe file name pattern: allow letters, numbers, underscores, dashes, dots, and spaces. -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; foreach ($data['files'] as $fileName) { $basename = basename(trim($fileName)); diff --git a/deleteFolder.php b/deleteFolder.php index 1c3ce9e..a97371d 100644 --- a/deleteFolder.php +++ b/deleteFolder.php @@ -50,7 +50,7 @@ if ($folderName === 'root') { } // Allow letters, numbers, underscores, dashes, spaces, and forward slashes. -if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folderName)) { +if (!preg_match(REGEX_FOLDER_NAME, $folderName)) { echo json_encode(['success' => false, 'error' => 'Invalid folder name.']); exit; } diff --git a/deleteTrashFiles.php b/deleteTrashFiles.php index 717e62a..666e911 100644 --- a/deleteTrashFiles.php +++ b/deleteTrashFiles.php @@ -62,7 +62,7 @@ $deletedFiles = []; $errors = []; // Define a safe file name pattern. -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; foreach ($filesToDelete as $trashName) { $trashName = trim($trashName); diff --git a/download.php b/download.php index 85ba9d2..70fdfe7 100644 --- a/download.php +++ b/download.php @@ -14,7 +14,7 @@ $file = isset($_GET['file']) ? basename($_GET['file']) : ''; $folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root'; // Validate file name (allowing letters, numbers, underscores, dashes, dots, and parentheses) -if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $file)) { +if (!preg_match(REGEX_FILE_NAME, $file)) { http_response_code(400); echo json_encode(["error" => "Invalid file name."]); exit; diff --git a/downloadZip.php b/downloadZip.php index 4b046b8..4b7ec44 100644 --- a/downloadZip.php +++ b/downloadZip.php @@ -38,7 +38,7 @@ $files = $data['files']; if ($folder !== "root") { $parts = explode('/', $folder); foreach ($parts as $part) { - if (empty($part) || $part === '.' || $part === '..' || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $part)) { + if (empty($part) || $part === '.' || $part === '..' || !preg_match(REGEX_FOLDER_NAME, $part)) { http_response_code(400); header('Content-Type: application/json'); echo json_encode(["error" => "Invalid folder name."]); @@ -76,7 +76,7 @@ if (empty($files)) { } foreach ($files as $fileName) { - if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $fileName)) { + if (!preg_match(REGEX_FILE_NAME, $fileName)) { http_response_code(400); header('Content-Type: application/json'); echo json_encode(["error" => "Invalid file name: " . $fileName]); diff --git a/extractZip.php b/extractZip.php index f6c6848..5bad5e6 100644 --- a/extractZip.php +++ b/extractZip.php @@ -50,7 +50,7 @@ if (empty($files)) { if ($folder !== "root") { $parts = explode('/', $folder); foreach ($parts as $part) { - if (empty($part) || $part === '.' || $part === '..' || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $part)) { + if (empty($part) || $part === '.' || $part === '..' || !preg_match(REGEX_FOLDER_NAME, $part)) { http_response_code(400); echo json_encode(["error" => "Invalid folder name."]); exit; @@ -92,7 +92,7 @@ $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($dest $errors = []; $allSuccess = true; $extractedFiles = array(); // Array to collect names of extracted files -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; // ---------- Process Each File ---------- foreach ($files as $zipFileName) { diff --git a/getFileList.php b/getFileList.php index f44dbd8..6f4674f 100644 --- a/getFileList.php +++ b/getFileList.php @@ -14,7 +14,7 @@ if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) { $folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root'; // Allow only safe characters in the folder parameter (letters, numbers, underscores, dashes, spaces, and forward slashes). -if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name."]); exit; } @@ -53,7 +53,7 @@ $files = array_values(array_diff(scandir($directory), array('.', '..'))); $fileList = []; // Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces. -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; foreach ($files as $file) { // Skip hidden files (those that begin with a dot) diff --git a/getFolderList.php b/getFolderList.php index a477b71..cf61b22 100644 --- a/getFolderList.php +++ b/getFolderList.php @@ -20,7 +20,7 @@ function getSubfolders($dir, $relative = '') { $folders = []; $items = scandir($dir); // Allow letters, numbers, underscores, dashes, and spaces in folder names. - $safeFolderNamePattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u'; + $safeFolderNamePattern = REGEX_FOLDER_NAME; foreach ($items as $item) { if ($item === '.' || $item === '..') continue; if (!preg_match($safeFolderNamePattern, $item)) { diff --git a/getUsers.php b/getUsers.php index 9bde782..6d1efdc 100644 --- a/getUsers.php +++ b/getUsers.php @@ -17,7 +17,7 @@ if (file_exists($usersFile)) { $parts = explode(':', trim($line)); if (count($parts) >= 3) { // Validate username format: - if (preg_match('/^[\p{L}\p{N}_\- ]+$/u', $parts[0])) { + if (preg_match(REGEX_USER, $parts[0])) { $users[] = [ "username" => $parts[0], "role" => trim($parts[2]) diff --git a/login_basic.php b/login_basic.php index bc9d7a6..ded910e 100644 --- a/login_basic.php +++ b/login_basic.php @@ -81,7 +81,7 @@ $username = trim($_SERVER['PHP_AUTH_USER']); $password = trim($_SERVER['PHP_AUTH_PW']); // Validate username format (optional) -if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $username)) { +if (!preg_match(REGEX_USER, $username)) { header('WWW-Authenticate: Basic realm="FileRise Login"'); header('HTTP/1.0 401 Unauthorized'); echo 'Invalid username format'; diff --git a/moveFiles.php b/moveFiles.php index 28b1d18..65dc9ea 100644 --- a/moveFiles.php +++ b/moveFiles.php @@ -45,7 +45,7 @@ $sourceFolder = trim($data['source']) ?: 'root'; $destinationFolder = trim($data['destination']) ?: 'root'; // Allow only letters, numbers, underscores, dashes, spaces, and forward slashes in folder names. -$folderPattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u'; +$folderPattern = REGEX_FOLDER_NAME; if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) { echo json_encode(["error" => "Invalid source folder name."]); exit; @@ -111,7 +111,7 @@ $srcMetadata = file_exists($srcMetaFile) ? json_decode(file_get_contents($srcMet $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($destMetaFile), true) : []; $errors = []; -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; foreach ($data['files'] as $fileName) { // Save the original name for metadata lookup. diff --git a/removeChunks.php b/removeChunks.php index 345f631..d6caca1 100644 --- a/removeChunks.php +++ b/removeChunks.php @@ -18,11 +18,13 @@ if (!isset($_POST['folder'])) { } $folder = urldecode($_POST['folder']); -if (!preg_match('/^resumable_[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +$regex = "/^resumable_" . PATTERN_FOLDER_NAME . "$/u"; // full regex pattern +if (!preg_match($regex, $folder)) { echo json_encode(["error" => "Invalid folder name"]); http_response_code(400); exit; } + $tempDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder; // If the folder doesn't exist, simply return success. diff --git a/removeUser.php b/removeUser.php index 9757cd1..7289ebe 100644 --- a/removeUser.php +++ b/removeUser.php @@ -30,7 +30,7 @@ if (!$usernameToRemove) { } // Optional: Validate the username format (allow letters, numbers, underscores, dashes, and spaces) -if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $usernameToRemove)) { +if (!preg_match(REGEX_USER, $usernameToRemove)) { echo json_encode(["error" => "Invalid username format"]); exit; } diff --git a/renameFile.php b/renameFile.php index fda71c5..4bb32f6 100644 --- a/renameFile.php +++ b/renameFile.php @@ -40,7 +40,7 @@ if (!$data || !isset($data['folder']) || !isset($data['oldName']) || !isset($dat $folder = trim($data['folder']) ?: 'root'; // For subfolders, allow letters, numbers, underscores, dashes, spaces, and forward slashes. -if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name"]); exit; } @@ -49,7 +49,7 @@ $oldName = basename(trim($data['oldName'])); $newName = basename(trim($data['newName'])); // Validate file names: allow letters, numbers, underscores, dashes, dots, parentheses, and spaces. -if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $oldName) || !preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $newName)) { +if (!preg_match(REGEX_FILE_NAME, $oldName) || !preg_match(REGEX_FILE_NAME, $newName)) { echo json_encode(["error" => "Invalid file name."]); exit; } diff --git a/renameFolder.php b/renameFolder.php index 02056de..c0e0575 100644 --- a/renameFolder.php +++ b/renameFolder.php @@ -48,7 +48,7 @@ $oldFolder = trim($input['oldFolder']); $newFolder = trim($input['newFolder']); // Validate folder names -if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $oldFolder) || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $newFolder)) { +if (!preg_match(REGEX_FOLDER_NAME, $oldFolder) || !preg_match(REGEX_FOLDER_NAME, $newFolder)) { echo json_encode(['success' => false, 'error' => 'Invalid folder name(s).']); exit; } diff --git a/restoreFiles.php b/restoreFiles.php index fdf48d6..23d3858 100644 --- a/restoreFiles.php +++ b/restoreFiles.php @@ -53,7 +53,7 @@ if (!isset($data['files']) || !is_array($data['files'])) { } // Define a safe file name pattern. -$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; +$safeFileNamePattern = REGEX_FILE_NAME; $restoredItems = []; $errors = []; diff --git a/saveFile.php b/saveFile.php index 332b622..58b33c2 100644 --- a/saveFile.php +++ b/saveFile.php @@ -48,7 +48,7 @@ $folder = isset($data["folder"]) ? trim($data["folder"]) : "root"; // If a subfolder is provided, validate it. // Allow letters, numbers, underscores, dashes, spaces, and forward slashes. -if ($folder !== "root" && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== "root" && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name"]); exit; } diff --git a/saveFileTag.php b/saveFileTag.php index d20f999..3cae40e 100644 --- a/saveFileTag.php +++ b/saveFileTag.php @@ -87,7 +87,7 @@ if ($file === "global") { } // Validate folder name. -if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { +if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name."]); exit; } diff --git a/totp_recover.php b/totp_recover.php index e15dd0c..387be11 100644 --- a/totp_recover.php +++ b/totp_recover.php @@ -32,7 +32,7 @@ if (!$userId) { } // ——— Validate userId format ——— -if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $userId)) { +if (!preg_match(REGEX_USER, $userId)) { http_response_code(400); error_log("Invalid userId format: {$userId}"); exit(json_encode(['status'=>'error','message'=>'Invalid user identifier'])); diff --git a/totp_saveCode.php b/totp_saveCode.php index ffec0ec..ba37ffc 100644 --- a/totp_saveCode.php +++ b/totp_saveCode.php @@ -29,7 +29,7 @@ if (empty($_SESSION['username'])) { // 4) Validate username format $userId = $_SESSION['username']; -if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $userId)) { +if (!preg_match(REGEX_USER, $userId)) { http_response_code(400); error_log("totp_saveCode: invalid username format: {$userId}"); exit(json_encode(['status'=>'error','message'=>'Invalid user identifier'])); diff --git a/updateUserPermissions.php b/updateUserPermissions.php index 064a52e..c5ebbb9 100644 --- a/updateUserPermissions.php +++ b/updateUserPermissions.php @@ -49,7 +49,7 @@ if (file_exists($usersFile)) { $parts = explode(':', trim($line)); if (count($parts) >= 3) { // Validate username format: - if (preg_match('/^[\p{L}\p{N}_\- ]+$/u', $parts[0])) { + if (preg_match(REGEX_USER, $parts[0])) { // Use a lowercase key for consistency. $userRoles[strtolower($parts[0])] = trim($parts[2]); } diff --git a/upload.php b/upload.php index 2cd571b..e15eb1c 100644 --- a/upload.php +++ b/upload.php @@ -67,14 +67,14 @@ if (isset($_POST['resumableChunkNumber'])) { // First, strip directory components. $resumableFilename = urldecode(basename($_POST['resumableFilename'])); -if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) { +if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) { http_response_code(400); echo json_encode(["error" => "Invalid file name: " . $resumableFilename]); exit; } $folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root'; - if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { + if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name"]); exit; } @@ -175,7 +175,7 @@ if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) { // ------------- Full Upload (Non-chunked) ------------- // Validate folder name input. $folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root'; - if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) { + if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) { echo json_encode(["error" => "Invalid folder name"]); exit; } @@ -198,7 +198,7 @@ if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) { $metadataChanged = []; // key: folder path, value: boolean // Use a Unicode-enabled pattern to allow special characters. - $safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u'; + $safeFileNamePattern = REGEX_FILE_NAME foreach ($_FILES["file"]["name"] as $index => $fileName) { // First, ensure we only work with the base filename to avoid traversal issues.