joachim/FileRise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

regex configuration constants

Browse Source
This commit is contained in:
Ryan
2025-04-11 10:44:26 -04:00
committed by GitHub
parent 337f529afd
commit 296dae96a5
28 changed files with 44 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
addUser.php
View File

@@ -49,7 +49,7 @@ if (!$newUsername || !$newPassword) {
}
// Validate username using preg_match (allow letters, numbers, underscores, dashes, and spaces).
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $newUsername)) {
if (!preg_match(REGEX_USER, $newUsername)) {
echo json_encode(["error" => "Invalid username. Only letters, numbers, underscores, dashes, and spaces are allowed."]);
exit;
}

4
config.php
View File

@@ -11,6 +11,10 @@ define('TRASH_DIR', UPLOAD_DIR . 'trash/');
define('TIMEZONE', 'America/New_York');
define('DATE_TIME_FORMAT', 'm/d/y h:iA');
define('TOTAL_UPLOAD_SIZE', '5G');
define('REGEX_FOLDER_NAME', '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u');
define('PATTERN_FOLDER_NAME', '[\p{L}\p{N}_\-\s\/\\\\]+');
define('REGEX_FILE_NAME', '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u');
define('REGEX_USER', '/^[\p{L}\p{N}_\- ]+$/u');
date_default_timezone_set(TIMEZONE);

4
copyFiles.php
View File

@@ -44,7 +44,7 @@ $destinationFolder = trim($data['destination']);
$files = $data['files'];
// Validate folder names: allow letters, numbers, underscores, dashes, spaces, and forward slashes.
$folderPattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u';
$folderPattern = REGEX_FOLDER_NAME;
if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) {
echo json_encode(["error" => "Invalid source folder name."]);
exit;
@@ -104,7 +104,7 @@ $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($dest
$errors = [];
// Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces.
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
foreach ($files as $fileName) {
// Save the original name for metadata lookup.

4
createFolder.php
View File

@@ -45,13 +45,13 @@ $folderName = trim($input['folderName']);
$parent = isset($input['parent']) ? trim($input['parent']) : "";
// Basic sanitation: allow only letters, numbers, underscores, dashes, and spaces in folderName
if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folderName)) {
if (!preg_match(REGEX_FOLDER_NAME, $folderName)) {
echo json_encode(['success' => false, 'error' => 'Invalid folder name.']);
exit;
}
// Optionally, sanitize the parent folder if needed.
if ($parent && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $parent)) {
if ($parent && !preg_match(REGEX_FOLDER_NAME, $parent)) {
echo json_encode(['success' => false, 'error' => 'Invalid parent folder name.']);
exit;
}

2
createFolderShareLink.php
View File

@@ -27,7 +27,7 @@ $allowUpload = isset($input['allowUpload']) ? intval($input['allowUpload']) : 0;
// Validate folder name using regex.
// Allow letters, numbers, underscores, hyphens, spaces and slashes.
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name."]);
exit;
}

2
createShareLink.php
View File

@@ -25,7 +25,7 @@ $expirationMinutes = isset($input['expirationMinutes']) ? intval($input['expirat
$password = isset($input['password']) ? $input['password'] : "";
// Validate folder using regex.
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name."]);
exit;
}

4
deleteFiles.php
View File

@@ -69,7 +69,7 @@ if (!isset($data['files']) || !is_array($data['files'])) {
$folder = isset($data['folder']) ? trim($data['folder']) : 'root';
// Validate folder: allow letters, numbers, underscores, dashes, spaces, and forward slashes
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name."]);
exit;
}
@@ -96,7 +96,7 @@ $movedFiles = [];
$errors = [];
// Define a safe file name pattern: allow letters, numbers, underscores, dashes, dots, and spaces.
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
foreach ($data['files'] as $fileName) {
$basename = basename(trim($fileName));

2
deleteFolder.php
View File

@@ -50,7 +50,7 @@ if ($folderName === 'root') {
}
// Allow letters, numbers, underscores, dashes, spaces, and forward slashes.
if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folderName)) {
if (!preg_match(REGEX_FOLDER_NAME, $folderName)) {
echo json_encode(['success' => false, 'error' => 'Invalid folder name.']);
exit;
}

2
deleteTrashFiles.php
View File

@@ -62,7 +62,7 @@ $deletedFiles = [];
$errors = [];
// Define a safe file name pattern.
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
foreach ($filesToDelete as $trashName) {
$trashName = trim($trashName);

2
download.php
View File

@@ -14,7 +14,7 @@ $file = isset($_GET['file']) ? basename($_GET['file']) : '';
$folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
// Validate file name (allowing letters, numbers, underscores, dashes, dots, and parentheses)
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $file)) {
if (!preg_match(REGEX_FILE_NAME, $file)) {
http_response_code(400);
echo json_encode(["error" => "Invalid file name."]);
exit;

4
downloadZip.php
View File

@@ -38,7 +38,7 @@ $files = $data['files'];
if ($folder !== "root") {
$parts = explode('/', $folder);
foreach ($parts as $part) {
if (empty($part) || $part === '.' || $part === '..' || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $part)) {
if (empty($part) || $part === '.' || $part === '..' || !preg_match(REGEX_FOLDER_NAME, $part)) {
http_response_code(400);
header('Content-Type: application/json');
echo json_encode(["error" => "Invalid folder name."]);
@@ -76,7 +76,7 @@ if (empty($files)) {
}
foreach ($files as $fileName) {
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $fileName)) {
if (!preg_match(REGEX_FILE_NAME, $fileName)) {
http_response_code(400);
header('Content-Type: application/json');
echo json_encode(["error" => "Invalid file name: " . $fileName]);

4
extractZip.php
View File

@@ -50,7 +50,7 @@ if (empty($files)) {
if ($folder !== "root") {
$parts = explode('/', $folder);
foreach ($parts as $part) {
if (empty($part) || $part === '.' || $part === '..' || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $part)) {
if (empty($part) || $part === '.' || $part === '..' || !preg_match(REGEX_FOLDER_NAME, $part)) {
http_response_code(400);
echo json_encode(["error" => "Invalid folder name."]);
exit;
@@ -92,7 +92,7 @@ $destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($dest
$errors = [];
$allSuccess = true;
$extractedFiles = array(); // Array to collect names of extracted files
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
// ---------- Process Each File ----------
foreach ($files as $zipFileName) {

4
getFileList.php
View File

@@ -14,7 +14,7 @@ if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
$folder = isset($_GET['folder']) ? trim($_GET['folder']) : 'root';
// Allow only safe characters in the folder parameter (letters, numbers, underscores, dashes, spaces, and forward slashes).
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name."]);
exit;
}
@@ -53,7 +53,7 @@ $files = array_values(array_diff(scandir($directory), array('.', '..')));
$fileList = [];
// Define a safe file name pattern: letters, numbers, underscores, dashes, dots, parentheses, and spaces.
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
foreach ($files as $file) {
// Skip hidden files (those that begin with a dot)

2
getFolderList.php
View File

@@ -20,7 +20,7 @@ function getSubfolders($dir, $relative = '') {
$folders = [];
$items = scandir($dir);
// Allow letters, numbers, underscores, dashes, and spaces in folder names.
$safeFolderNamePattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u';
$safeFolderNamePattern = REGEX_FOLDER_NAME;
foreach ($items as $item) {
if ($item === '.' || $item === '..') continue;
if (!preg_match($safeFolderNamePattern, $item)) {

2
getUsers.php
View File

@@ -17,7 +17,7 @@ if (file_exists($usersFile)) {
$parts = explode(':', trim($line));
if (count($parts) >= 3) {
// Validate username format:
if (preg_match('/^[\p{L}\p{N}_\- ]+$/u', $parts[0])) {
if (preg_match(REGEX_USER, $parts[0])) {
$users[] = [
"username" => $parts[0],
"role" => trim($parts[2])

2
login_basic.php
View File

@@ -81,7 +81,7 @@ $username = trim($_SERVER['PHP_AUTH_USER']);
$password = trim($_SERVER['PHP_AUTH_PW']);
// Validate username format (optional)
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $username)) {
if (!preg_match(REGEX_USER, $username)) {
header('WWW-Authenticate: Basic realm="FileRise Login"');
header('HTTP/1.0 401 Unauthorized');
echo 'Invalid username format';

4
moveFiles.php
View File

@@ -45,7 +45,7 @@ $sourceFolder = trim($data['source']) ?: 'root';
$destinationFolder = trim($data['destination']) ?: 'root';
// Allow only letters, numbers, underscores, dashes, spaces, and forward slashes in folder names.
$folderPattern = '/^[\p{L}\p{N}_\-\s\/\\\\]+$/u';
$folderPattern = REGEX_FOLDER_NAME;
if ($sourceFolder !== 'root' && !preg_match($folderPattern, $sourceFolder)) {
echo json_encode(["error" => "Invalid source folder name."]);
exit;
@@ -111,7 +111,7 @@ $srcMetadata = file_exists($srcMetaFile) ? json_decode(file_get_contents($srcMet
$destMetadata = file_exists($destMetaFile) ? json_decode(file_get_contents($destMetaFile), true) : [];
$errors = [];
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
foreach ($data['files'] as $fileName) {
// Save the original name for metadata lookup.

4
removeChunks.php
View File

@@ -18,11 +18,13 @@ if (!isset($_POST['folder'])) {
}
$folder = urldecode($_POST['folder']);
if (!preg_match('/^resumable_[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
$regex = "/^resumable_" . PATTERN_FOLDER_NAME . "$/u"; // full regex pattern
if (!preg_match($regex, $folder)) {
echo json_encode(["error" => "Invalid folder name"]);
http_response_code(400);
exit;
}
$tempDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder;
// If the folder doesn't exist, simply return success.

2
removeUser.php
View File

@@ -30,7 +30,7 @@ if (!$usernameToRemove) {
}
// Optional: Validate the username format (allow letters, numbers, underscores, dashes, and spaces)
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $usernameToRemove)) {
if (!preg_match(REGEX_USER, $usernameToRemove)) {
echo json_encode(["error" => "Invalid username format"]);
exit;
}

4
renameFile.php
View File

@@ -40,7 +40,7 @@ if (!$data || !isset($data['folder']) || !isset($data['oldName']) || !isset($dat
$folder = trim($data['folder']) ?: 'root';
// For subfolders, allow letters, numbers, underscores, dashes, spaces, and forward slashes.
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name"]);
exit;
}
@@ -49,7 +49,7 @@ $oldName = basename(trim($data['oldName']));
$newName = basename(trim($data['newName']));
// Validate file names: allow letters, numbers, underscores, dashes, dots, parentheses, and spaces.
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $oldName) || !preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $newName)) {
if (!preg_match(REGEX_FILE_NAME, $oldName) || !preg_match(REGEX_FILE_NAME, $newName)) {
echo json_encode(["error" => "Invalid file name."]);
exit;
}

2
renameFolder.php
View File

@@ -48,7 +48,7 @@ $oldFolder = trim($input['oldFolder']);
$newFolder = trim($input['newFolder']);
// Validate folder names
if (!preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $oldFolder) || !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $newFolder)) {
if (!preg_match(REGEX_FOLDER_NAME, $oldFolder) || !preg_match(REGEX_FOLDER_NAME, $newFolder)) {
echo json_encode(['success' => false, 'error' => 'Invalid folder name(s).']);
exit;
}

2
restoreFiles.php
View File

@@ -53,7 +53,7 @@ if (!isset($data['files']) || !is_array($data['files'])) {
}
// Define a safe file name pattern.
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME;
$restoredItems = [];
$errors = [];

2
saveFile.php
View File

@@ -48,7 +48,7 @@ $folder = isset($data["folder"]) ? trim($data["folder"]) : "root";
// If a subfolder is provided, validate it.
// Allow letters, numbers, underscores, dashes, spaces, and forward slashes.
if ($folder !== "root" && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== "root" && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name"]);
exit;
}

2
saveFileTag.php
View File

@@ -87,7 +87,7 @@ if ($file === "global") {
}
// Validate folder name.
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name."]);
exit;
}

2
totp_recover.php
View File

@@ -32,7 +32,7 @@ if (!$userId) {
}
// ——— Validate userId format ———
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $userId)) {
if (!preg_match(REGEX_USER, $userId)) {
http_response_code(400);
error_log("Invalid userId format: {$userId}");
exit(json_encode(['status'=>'error','message'=>'Invalid user identifier']));

2
totp_saveCode.php
View File

@@ -29,7 +29,7 @@ if (empty($_SESSION['username'])) {
// 4) Validate username format
$userId = $_SESSION['username'];
if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $userId)) {
if (!preg_match(REGEX_USER, $userId)) {
http_response_code(400);
error_log("totp_saveCode: invalid username format: {$userId}");
exit(json_encode(['status'=>'error','message'=>'Invalid user identifier']));

2
updateUserPermissions.php
View File

@@ -49,7 +49,7 @@ if (file_exists($usersFile)) {
$parts = explode(':', trim($line));
if (count($parts) >= 3) {
// Validate username format:
if (preg_match('/^[\p{L}\p{N}_\- ]+$/u', $parts[0])) {
if (preg_match(REGEX_USER, $parts[0])) {
// Use a lowercase key for consistency.
$userRoles[strtolower($parts[0])] = trim($parts[2]);
}

8
upload.php
View File

@@ -67,14 +67,14 @@ if (isset($_POST['resumableChunkNumber'])) {
// First, strip directory components.
$resumableFilename = urldecode(basename($_POST['resumableFilename']));
if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) {
if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
http_response_code(400);
echo json_encode(["error" => "Invalid file name: " . $resumableFilename]);
exit;
}
$folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root';
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name"]);
exit;
}
@@ -175,7 +175,7 @@ if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) {
// ------------- Full Upload (Non-chunked) -------------
// Validate folder name input.
$folder = isset($_POST['folder']) ? trim($_POST['folder']) : 'root';
if ($folder !== 'root' && !preg_match('/^[\p{L}\p{N}_\-\s\/\\\\]+$/u', $folder)) {
if ($folder !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
echo json_encode(["error" => "Invalid folder name"]);
exit;
}
@@ -198,7 +198,7 @@ if (!preg_match('/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u', $resumableFilename)) {
$metadataChanged = []; // key: folder path, value: boolean
// Use a Unicode-enabled pattern to allow special characters.
$safeFileNamePattern = '/^[\p{L}\p{N}\p{M}%\-\.\(\) _]+$/u';
$safeFileNamePattern = REGEX_FILE_NAME
foreach ($_FILES["file"]["name"] as $index => $fileName) {
// First, ensure we only work with the base filename to avoid traversal issues.