regex configuration constants
This commit is contained in:
Ryan
@@ -49,7 +49,7 @@ if (!$newUsername || !$newPassword) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Validate username using preg_match (allow letters, numbers, underscores, dashes, and spaces).
|
// Validate username using preg_match (allow letters, numbers, underscores, dashes, and spaces).
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $newUsername)) {
|
if (!preg_match(REGEX_USER, $newUsername)) {
|
||||||
echo json_encode(["error" => "Invalid username. Only letters, numbers, underscores, dashes, and spaces are allowed."]);
|
echo json_encode(["error" => "Invalid username. Only letters, numbers, underscores, dashes, and spaces are allowed."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -11,6 +11,10 @@ define('TRASH_DIR', UPLOAD_DIR . 'trash/');
|
|||||||
define('TIMEZONE', 'America/New_York');
|
define('TIMEZONE', 'America/New_York');
|
||||||
define('DATE_TIME_FORMAT', 'm/d/y h:iA');
|
define('DATE_TIME_FORMAT', 'm/d/y h:iA');
|
||||||
define('TOTAL_UPLOAD_SIZE', '5G');
|
define('TOTAL_UPLOAD_SIZE', '5G');
|
||||||
|
define('REGEX_FOLDER_NAME', '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u');
|
||||||
|
define('PATTERN_FOLDER_NAME', '[\p{L}\p{N}_\-\s\/\\\\]+');
|
||||||
|
define('REGEX_FILE_NAME', '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u');
|
||||||
|
define('REGEX_USER', '/^[\p{L}\p{N}_\- ]+$/u');
|
||||||
|
|
||||||
date_default_timezone_set(TIMEZONE);
|
date_default_timezone_set(TIMEZONE);
|
||||||
|
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ $destinationFolder = trim($data['destination']);
|
|||||||
$files = $data['files'];
|
$files = $data['files'];
|
||||||
|
|
||||||
// Validate folder names: allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
// Validate folder names: allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
||||||
$folderPattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u';
|
$folderPattern = REGEX_FOLDER_NAME;
|
||||||
if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) {
|
if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) {
|
||||||
echo json_encode(["error" => "Invalid source folder name."]);
|
echo json_encode(["error" => "Invalid source folder name."]);
|
||||||
exit;
|
exit;
|
||||||
@@ -104,7 +104,7 @@ $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($dest
|
|||||||
$errors = [];
|
$errors = [];
|
||||||
|
|
||||||
// Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces.
|
// Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces.
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
foreach ($files as $fileName) {
|
foreach ($files as $fileName) {
|
||||||
// Save the original name for metadata lookup.
|
// Save the original name for metadata lookup.
|
||||||
|
|||||||
@@ -45,13 +45,13 @@ $folderName = trim($input['folderName']);
|
|||||||
$parent = isset($input['parent']) ? trim($input['parent']) : "";
|
$parent = isset($input['parent']) ? trim($input['parent']) : "";
|
||||||
|
|
||||||
// Basic sanitation: allow only letters, numbers, underscores, dashes, and spaces in folderName
|
// Basic sanitation: allow only letters, numbers, underscores, dashes, and spaces in folderName
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folderName)) {
|
if (!preg_match(REGEX_FOLDER_NAME, $folderName)) {
|
||||||
echo json_encode(['success' => false, 'error' => 'Invalid folder name.']);
|
echo json_encode(['success' => false, 'error' => 'Invalid folder name.']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Optionally, sanitize the parent folder if needed.
|
// Optionally, sanitize the parent folder if needed.
|
||||||
if ($parent && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $parent)) {
|
if ($parent && !preg_match(REGEX_FOLDER_NAME, $parent)) {
|
||||||
echo json_encode(['success' => false, 'error' => 'Invalid parent folder name.']);
|
echo json_encode(['success' => false, 'error' => 'Invalid parent folder name.']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -27,7 +27,7 @@ $allowUpload = isset($input['allowUpload']) ? intval($input['allowUpload']) : 0;
|
|||||||
|
|
||||||
// Validate folder name using regex.
|
// Validate folder name using regex.
|
||||||
// Allow letters, numbers, underscores, hyphens, spaces and slashes.
|
// Allow letters, numbers, underscores, hyphens, spaces and slashes.
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ $expirationMinutes = isset($input['expirationMinutes']) ? intval($input['expirat
|
|||||||
$password = isset($input['password']) ? $input['password'] : "";
|
$password = isset($input['password']) ? $input['password'] : "";
|
||||||
|
|
||||||
// Validate folder using regex.
|
// Validate folder using regex.
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -69,7 +69,7 @@ if (!isset($data['files']) || !is_array($data['files'])) {
|
|||||||
$folder = isset($data['folder']) ? trim($data['folder']) : 'root';
|
$folder = isset($data['folder']) ? trim($data['folder']) : 'root';
|
||||||
|
|
||||||
// Validate folder: allow letters, numbers, underscores, dashes, spaces, and forward slashes
|
// Validate folder: allow letters, numbers, underscores, dashes, spaces, and forward slashes
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -96,7 +96,7 @@ $movedFiles = [];
|
|||||||
$errors = [];
|
$errors = [];
|
||||||
|
|
||||||
// Define a safe file name pattern: allow letters, numbers, underscores, dashes, dots, and spaces.
|
// Define a safe file name pattern: allow letters, numbers, underscores, dashes, dots, and spaces.
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
foreach ($data['files'] as $fileName) {
|
foreach ($data['files'] as $fileName) {
|
||||||
$basename = basename(trim($fileName));
|
$basename = basename(trim($fileName));
|
||||||
|
|||||||
@@ -50,7 +50,7 @@ if ($folderName === 'root') {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
// Allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folderName)) {
|
if (!preg_match(REGEX_FOLDER_NAME, $folderName)) {
|
||||||
echo json_encode(['success' => false, 'error' => 'Invalid folder name.']);
|
echo json_encode(['success' => false, 'error' => 'Invalid folder name.']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ $deletedFiles = [];
|
|||||||
$errors = [];
|
$errors = [];
|
||||||
|
|
||||||
// Define a safe file name pattern.
|
// Define a safe file name pattern.
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
foreach ($filesToDelete as $trashName) {
|
foreach ($filesToDelete as $trashName) {
|
||||||
$trashName = trim($trashName);
|
$trashName = trim($trashName);
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ $file = isset($_GET['file']) ? basename($_GET['file']) : '';
|
|||||||
$folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
|
$folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
|
||||||
|
|
||||||
// Validate file name (allowing letters, numbers, underscores, dashes, dots, and parentheses)
|
// Validate file name (allowing letters, numbers, underscores, dashes, dots, and parentheses)
|
||||||
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $file)) {
|
if (!preg_match(REGEX_FILE_NAME, $file)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
echo json_encode(["error" => "Invalid file name."]);
|
echo json_encode(["error" => "Invalid file name."]);
|
||||||
exit;
|
exit;
|
||||||
|
|||||||
@@ -38,7 +38,7 @@ $files = $data['files'];
|
|||||||
if ($folder !== "root") {
|
if ($folder !== "root") {
|
||||||
$parts = explode('/', $folder);
|
$parts = explode('/', $folder);
|
||||||
foreach ($parts as $part) {
|
foreach ($parts as $part) {
|
||||||
if (empty($part) || $part === '.' || $part === '..' || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $part)) {
|
if (empty($part) || $part === '.' || $part === '..' || !preg_match(REGEX_FOLDER_NAME, $part)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
@@ -76,7 +76,7 @@ if (empty($files)) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
foreach ($files as $fileName) {
|
foreach ($files as $fileName) {
|
||||||
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $fileName)) {
|
if (!preg_match(REGEX_FILE_NAME, $fileName)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
header('Content-Type: application/json');
|
header('Content-Type: application/json');
|
||||||
echo json_encode(["error" => "Invalid file name: " . $fileName]);
|
echo json_encode(["error" => "Invalid file name: " . $fileName]);
|
||||||
|
|||||||
@@ -50,7 +50,7 @@ if (empty($files)) {
|
|||||||
if ($folder !== "root") {
|
if ($folder !== "root") {
|
||||||
$parts = explode('/', $folder);
|
$parts = explode('/', $folder);
|
||||||
foreach ($parts as $part) {
|
foreach ($parts as $part) {
|
||||||
if (empty($part) || $part === '.' || $part === '..' || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $part)) {
|
if (empty($part) || $part === '.' || $part === '..' || !preg_match(REGEX_FOLDER_NAME, $part)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
exit;
|
exit;
|
||||||
@@ -92,7 +92,7 @@ $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($dest
|
|||||||
$errors = [];
|
$errors = [];
|
||||||
$allSuccess = true;
|
$allSuccess = true;
|
||||||
$extractedFiles = array(); // Array to collect names of extracted files
|
$extractedFiles = array(); // Array to collect names of extracted files
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
// ---------- Process Each File ----------
|
// ---------- Process Each File ----------
|
||||||
foreach ($files as $zipFileName) {
|
foreach ($files as $zipFileName) {
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
|
|||||||
|
|
||||||
$folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
|
$folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
|
||||||
// Allow only safe characters in the folder parameter (letters, numbers, underscores, dashes, spaces, and forward slashes).
|
// Allow only safe characters in the folder parameter (letters, numbers, underscores, dashes, spaces, and forward slashes).
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -53,7 +53,7 @@ $files = array_values(array_diff(scandir($directory), array('.', '..')));
|
|||||||
$fileList = [];
|
$fileList = [];
|
||||||
|
|
||||||
// Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces.
|
// Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces.
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
foreach ($files as $file) {
|
foreach ($files as $file) {
|
||||||
// Skip hidden files (those that begin with a dot)
|
// Skip hidden files (those that begin with a dot)
|
||||||
|
|||||||
@@ -20,7 +20,7 @@ function getSubfolders($dir, $relative = '') {
|
|||||||
$folders = [];
|
$folders = [];
|
||||||
$items = scandir($dir);
|
$items = scandir($dir);
|
||||||
// Allow letters, numbers, underscores, dashes, and spaces in folder names.
|
// Allow letters, numbers, underscores, dashes, and spaces in folder names.
|
||||||
$safeFolderNamePattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u';
|
$safeFolderNamePattern = REGEX_FOLDER_NAME;
|
||||||
foreach ($items as $item) {
|
foreach ($items as $item) {
|
||||||
if ($item === '.' || $item === '..') continue;
|
if ($item === '.' || $item === '..') continue;
|
||||||
if (!preg_match($safeFolderNamePattern, $item)) {
|
if (!preg_match($safeFolderNamePattern, $item)) {
|
||||||
|
|||||||
@@ -17,7 +17,7 @@ if (file_exists($usersFile)) {
|
|||||||
$parts = explode(':', trim($line));
|
$parts = explode(':', trim($line));
|
||||||
if (count($parts) >= 3) {
|
if (count($parts) >= 3) {
|
||||||
// Validate username format:
|
// Validate username format:
|
||||||
if (preg_match('/^[\p{L}\p{N}_\- ]+$/u', $parts[0])) {
|
if (preg_match(REGEX_USER, $parts[0])) {
|
||||||
$users[] = [
|
$users[] = [
|
||||||
"username" => $parts[0],
|
"username" => $parts[0],
|
||||||
"role" => trim($parts[2])
|
"role" => trim($parts[2])
|
||||||
|
|||||||
@@ -81,7 +81,7 @@ $username = trim($_SERVER['PHP_AUTH_USER']);
|
|||||||
$password = trim($_SERVER['PHP_AUTH_PW']);
|
$password = trim($_SERVER['PHP_AUTH_PW']);
|
||||||
|
|
||||||
// Validate username format (optional)
|
// Validate username format (optional)
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $username)) {
|
if (!preg_match(REGEX_USER, $username)) {
|
||||||
header('WWW-Authenticate: Basic realm="FileRise Login"');
|
header('WWW-Authenticate: Basic realm="FileRise Login"');
|
||||||
header('HTTP/1.0 401 Unauthorized');
|
header('HTTP/1.0 401 Unauthorized');
|
||||||
echo 'Invalid username format';
|
echo 'Invalid username format';
|
||||||
|
|||||||
@@ -45,7 +45,7 @@ $sourceFolder = trim($data['source']) ?: 'root';
|
|||||||
$destinationFolder = trim($data['destination']) ?: 'root';
|
$destinationFolder = trim($data['destination']) ?: 'root';
|
||||||
|
|
||||||
// Allow only letters, numbers, underscores, dashes, spaces, and forward slashes in folder names.
|
// Allow only letters, numbers, underscores, dashes, spaces, and forward slashes in folder names.
|
||||||
$folderPattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u';
|
$folderPattern = REGEX_FOLDER_NAME;
|
||||||
if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) {
|
if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) {
|
||||||
echo json_encode(["error" => "Invalid source folder name."]);
|
echo json_encode(["error" => "Invalid source folder name."]);
|
||||||
exit;
|
exit;
|
||||||
@@ -111,7 +111,7 @@ $srcMetadata = file_exists($srcMetaFile) ? json_decode(file_get_contents($srcMet
|
|||||||
$destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($destMetaFile), true) : [];
|
$destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($destMetaFile), true) : [];
|
||||||
|
|
||||||
$errors = [];
|
$errors = [];
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
foreach ($data['files'] as $fileName) {
|
foreach ($data['files'] as $fileName) {
|
||||||
// Save the original name for metadata lookup.
|
// Save the original name for metadata lookup.
|
||||||
|
|||||||
@@ -18,11 +18,13 @@ if (!isset($_POST['folder'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$folder = urldecode($_POST['folder']);
|
$folder = urldecode($_POST['folder']);
|
||||||
if (!preg_match('/^resumable_[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
$regex = "/^resumable_" . PATTERN_FOLDER_NAME . "$/u"; // full regex pattern
|
||||||
|
if (!preg_match($regex, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name"]);
|
echo json_encode(["error" => "Invalid folder name"]);
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
$tempDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder;
|
$tempDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder;
|
||||||
|
|
||||||
// If the folder doesn't exist, simply return success.
|
// If the folder doesn't exist, simply return success.
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ if (!$usernameToRemove) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Optional: Validate the username format (allow letters, numbers, underscores, dashes, and spaces)
|
// Optional: Validate the username format (allow letters, numbers, underscores, dashes, and spaces)
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $usernameToRemove)) {
|
if (!preg_match(REGEX_USER, $usernameToRemove)) {
|
||||||
echo json_encode(["error" => "Invalid username format"]);
|
echo json_encode(["error" => "Invalid username format"]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -40,7 +40,7 @@ if (!$data || !isset($data['folder']) || !isset($data['oldName']) || !isset($dat
|
|||||||
|
|
||||||
$folder = trim($data['folder']) ?: 'root';
|
$folder = trim($data['folder']) ?: 'root';
|
||||||
// For subfolders, allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
// For subfolders, allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name"]);
|
echo json_encode(["error" => "Invalid folder name"]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -49,7 +49,7 @@ $oldName = basename(trim($data['oldName']));
|
|||||||
$newName = basename(trim($data['newName']));
|
$newName = basename(trim($data['newName']));
|
||||||
|
|
||||||
// Validate file names: allow letters, numbers, underscores, dashes, dots, parentheses, and spaces.
|
// Validate file names: allow letters, numbers, underscores, dashes, dots, parentheses, and spaces.
|
||||||
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $oldName) || !preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $newName)) {
|
if (!preg_match(REGEX_FILE_NAME, $oldName) || !preg_match(REGEX_FILE_NAME, $newName)) {
|
||||||
echo json_encode(["error" => "Invalid file name."]);
|
echo json_encode(["error" => "Invalid file name."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ $oldFolder = trim($input['oldFolder']);
|
|||||||
$newFolder = trim($input['newFolder']);
|
$newFolder = trim($input['newFolder']);
|
||||||
|
|
||||||
// Validate folder names
|
// Validate folder names
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $oldFolder) || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $newFolder)) {
|
if (!preg_match(REGEX_FOLDER_NAME, $oldFolder) || !preg_match(REGEX_FOLDER_NAME, $newFolder)) {
|
||||||
echo json_encode(['success' => false, 'error' => 'Invalid folder name(s).']);
|
echo json_encode(['success' => false, 'error' => 'Invalid folder name(s).']);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -53,7 +53,7 @@ if (!isset($data['files']) || !is_array($data['files'])) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Define a safe file name pattern.
|
// Define a safe file name pattern.
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME;
|
||||||
|
|
||||||
$restoredItems = [];
|
$restoredItems = [];
|
||||||
$errors = [];
|
$errors = [];
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ $folder = isset($data["folder"]) ? trim($data["folder"]) : "root";
|
|||||||
|
|
||||||
// If a subfolder is provided, validate it.
|
// If a subfolder is provided, validate it.
|
||||||
// Allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
// Allow letters, numbers, underscores, dashes, spaces, and forward slashes.
|
||||||
if ($folder !== "root" && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== "root" && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name"]);
|
echo json_encode(["error" => "Invalid folder name"]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -87,7 +87,7 @@ if ($file === "global") {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Validate folder name.
|
// Validate folder name.
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name."]);
|
echo json_encode(["error" => "Invalid folder name."]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ if (!$userId) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ——— Validate userId format ———
|
// ——— Validate userId format ———
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $userId)) {
|
if (!preg_match(REGEX_USER, $userId)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
error_log("Invalid userId format: {$userId}");
|
error_log("Invalid userId format: {$userId}");
|
||||||
exit(json_encode(['status'=>'error','message'=>'Invalid user identifier']));
|
exit(json_encode(['status'=>'error','message'=>'Invalid user identifier']));
|
||||||
|
|||||||
@@ -29,7 +29,7 @@ if (empty($_SESSION['username'])) {
|
|||||||
|
|
||||||
// 4) Validate username format
|
// 4) Validate username format
|
||||||
$userId = $_SESSION['username'];
|
$userId = $_SESSION['username'];
|
||||||
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $userId)) {
|
if (!preg_match(REGEX_USER, $userId)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
error_log("totp_saveCode: invalid username format: {$userId}");
|
error_log("totp_saveCode: invalid username format: {$userId}");
|
||||||
exit(json_encode(['status'=>'error','message'=>'Invalid user identifier']));
|
exit(json_encode(['status'=>'error','message'=>'Invalid user identifier']));
|
||||||
|
|||||||
@@ -49,7 +49,7 @@ if (file_exists($usersFile)) {
|
|||||||
$parts = explode(':', trim($line));
|
$parts = explode(':', trim($line));
|
||||||
if (count($parts) >= 3) {
|
if (count($parts) >= 3) {
|
||||||
// Validate username format:
|
// Validate username format:
|
||||||
if (preg_match('/^[\p{L}\p{N}_\- ]+$/u', $parts[0])) {
|
if (preg_match(REGEX_USER, $parts[0])) {
|
||||||
// Use a lowercase key for consistency.
|
// Use a lowercase key for consistency.
|
||||||
$userRoles[strtolower($parts[0])] = trim($parts[2]);
|
$userRoles[strtolower($parts[0])] = trim($parts[2]);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -67,14 +67,14 @@ if (isset($_POST['resumableChunkNumber'])) {
|
|||||||
|
|
||||||
// First, strip directory components.
|
// First, strip directory components.
|
||||||
$resumableFilename = urldecode(basename($_POST['resumableFilename']));
|
$resumableFilename = urldecode(basename($_POST['resumableFilename']));
|
||||||
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) {
|
if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
echo json_encode(["error" => "Invalid file name: " . $resumableFilename]);
|
echo json_encode(["error" => "Invalid file name: " . $resumableFilename]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
$folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root';
|
$folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root';
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name"]);
|
echo json_encode(["error" => "Invalid folder name"]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -175,7 +175,7 @@ if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) {
|
|||||||
// ------------- Full Upload (Non-chunked) -------------
|
// ------------- Full Upload (Non-chunked) -------------
|
||||||
// Validate folder name input.
|
// Validate folder name input.
|
||||||
$folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root';
|
$folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root';
|
||||||
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
|
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
|
||||||
echo json_encode(["error" => "Invalid folder name"]);
|
echo json_encode(["error" => "Invalid folder name"]);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -198,7 +198,7 @@ if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) {
|
|||||||
$metadataChanged = []; // key: folder path, value: boolean
|
$metadataChanged = []; // key: folder path, value: boolean
|
||||||
|
|
||||||
// Use a Unicode-enabled pattern to allow special characters.
|
// Use a Unicode-enabled pattern to allow special characters.
|
||||||
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
|
$safeFileNamePattern = REGEX_FILE_NAME
|
||||||
|
|
||||||
foreach ($_FILES["file"]["name"] as $index => $fileName) {
|
foreach ($_FILES["file"]["name"] as $index => $fileName) {
|
||||||
// First, ensure we only work with the base filename to avoid traversal issues.
|
// First, ensure we only work with the base filename to avoid traversal issues.
|
||||||
|
|||||||
Reference in New Issue
Block a user