share new password page, totp setup focus, logout clear session cookie
This commit is contained in:
Ryan
82
share.php
82
share.php
@@ -1,10 +1,11 @@
|
||||
<?php
|
||||
// share.php
|
||||
|
||||
require_once 'config.php';
|
||||
|
||||
// Get token and password (if provided)
|
||||
$token = isset($_GET['token']) ? $_GET['token'] : '';
|
||||
$providedPass = isset($_GET['pass']) ? $_GET['pass'] : '';
|
||||
// Retrieve and sanitize input
|
||||
$token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
|
||||
$providedPass = filter_input(INPUT_GET, 'pass', FILTER_SANITIZE_STRING);
|
||||
|
||||
if (empty($token)) {
|
||||
http_response_code(400);
|
||||
@@ -12,7 +13,7 @@ if (empty($token)) {
|
||||
exit;
|
||||
}
|
||||
|
||||
// Load share links.
|
||||
// Load share links from file
|
||||
$shareFile = META_DIR . "share_links.json";
|
||||
if (!file_exists($shareFile)) {
|
||||
http_response_code(404);
|
||||
@@ -36,18 +37,54 @@ if (time() > $record['expires']) {
|
||||
exit;
|
||||
}
|
||||
|
||||
// If a password is required and none is provided, show a simple form.
|
||||
// If a password is required and none is provided, show a password form.
|
||||
if (!empty($record['password']) && empty($providedPass)) {
|
||||
?>
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<title>Enter Password</title>
|
||||
<style>
|
||||
body {
|
||||
font-family: Arial, sans-serif;
|
||||
padding: 20px;
|
||||
background-color: #f4f4f4;
|
||||
color: #333;
|
||||
}
|
||||
form {
|
||||
max-width: 400px;
|
||||
margin: 40px auto;
|
||||
background: #fff;
|
||||
padding: 20px;
|
||||
border-radius: 8px;
|
||||
box-shadow: 0 2px 4px rgba(0,0,0,0.1);
|
||||
}
|
||||
input[type="password"] {
|
||||
width: 100%;
|
||||
padding: 10px;
|
||||
margin: 10px 0;
|
||||
border: 1px solid #ccc;
|
||||
border-radius: 4px;
|
||||
}
|
||||
button {
|
||||
padding: 10px 20px;
|
||||
background: #007BFF;
|
||||
border: none;
|
||||
border-radius: 4px;
|
||||
color: #fff;
|
||||
cursor: pointer;
|
||||
}
|
||||
button:hover {
|
||||
background: #0056b3;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body style="font-family: Arial, sans-serif; padding: 20px;">
|
||||
<body>
|
||||
<h2>This file is protected by a password.</h2>
|
||||
<form method="get" action="share.php">
|
||||
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token); ?>">
|
||||
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
|
||||
<label for="pass">Password:</label>
|
||||
<input type="password" name="pass" id="pass" required>
|
||||
<button type="submit">Submit</button>
|
||||
@@ -58,7 +95,7 @@ if (!empty($record['password']) && empty($providedPass)) {
|
||||
exit;
|
||||
}
|
||||
|
||||
// If a password was set, validate it.
|
||||
// Validate provided password if set.
|
||||
if (!empty($record['password'])) {
|
||||
if (!password_verify($providedPass, $record['password'])) {
|
||||
http_response_code(403);
|
||||
@@ -67,7 +104,7 @@ if (!empty($record['password'])) {
|
||||
}
|
||||
}
|
||||
|
||||
// Build file path.
|
||||
// Build file path securely.
|
||||
$folder = trim($record['folder'], "/\\ ");
|
||||
$file = $record['file'];
|
||||
$filePath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR;
|
||||
@@ -76,24 +113,37 @@ if (!empty($folder) && strtolower($folder) !== 'root') {
|
||||
}
|
||||
$filePath .= $file;
|
||||
|
||||
if (!file_exists($filePath)) {
|
||||
// Resolve the real path and ensure it's within the allowed directory.
|
||||
$realFilePath = realpath($filePath);
|
||||
$uploadDirReal = realpath(UPLOAD_DIR);
|
||||
if ($realFilePath === false || strpos($realFilePath, $uploadDirReal) !== 0) {
|
||||
http_response_code(404);
|
||||
echo json_encode(["error" => "File not found."]);
|
||||
exit;
|
||||
}
|
||||
|
||||
if (!file_exists($realFilePath)) {
|
||||
http_response_code(404);
|
||||
echo json_encode(["error" => "File not found."]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// Serve the file.
|
||||
$mimeType = mime_content_type($filePath);
|
||||
$mimeType = mime_content_type($realFilePath);
|
||||
header("Content-Type: " . $mimeType);
|
||||
|
||||
// Determine extension and set disposition accordingly.
|
||||
$ext = strtolower(pathinfo($filePath, PATHINFO_EXTENSION));
|
||||
// Set Content-Disposition based on file type.
|
||||
$ext = strtolower(pathinfo($realFilePath, PATHINFO_EXTENSION));
|
||||
if (in_array($ext, ['jpg','jpeg','png','gif','bmp','webp','svg','ico'])) {
|
||||
header('Content-Disposition: inline; filename="' . basename($filePath) . '"');
|
||||
header('Content-Disposition: inline; filename="' . basename($realFilePath) . '"');
|
||||
} else {
|
||||
header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
|
||||
header('Content-Disposition: attachment; filename="' . basename($realFilePath) . '"');
|
||||
}
|
||||
|
||||
readfile($filePath);
|
||||
// Optionally disable caching for sensitive files.
|
||||
header("Cache-Control: no-store, no-cache, must-revalidate");
|
||||
header("Pragma: no-cache");
|
||||
|
||||
readfile($realFilePath);
|
||||
exit;
|
||||
?>
|
||||
Reference in New Issue
Block a user