rocksolid-light/Rocksolid_Light/spoolnews/upload.php

<?php
include "config.inc.php";
include "newsportal.php";

$logfile = $logdir . '/files.log';

$keyfile = $spooldir . '/keys.dat';
$keys = unserialize(file_get_contents($keyfile));

$name = '';

$logged_in = false;
if (! isset($_POST['username'])) {
    $_POST['username'] = $_COOKIE['mail_name'];
}
$name = $_POST['username'];
if (! isset($_POST['password'])) {
    $_POST['password'] = null;
}
if (! isset($_COOKIE['mail_auth'])) {
    $_COOKIE['mail_auth'] = null;
}
if ((password_verify($_POST['username'] . $keys[0] . get_user_config($_POST['username'], 'encryptionkey'), $_COOKIE['mail_auth'])) || (password_verify($_POST['username'] . $keys[1] . get_user_config($_POST['username'], 'encryptionkey'), $_COOKIE['mail_auth']))) {
    $logged_in = true;
}

$title .= ' - Upload file';
include "head.inc";
echo '<h1 class="np_thread_headline">';
echo '<a href="../spoolnews/files.php" target=' . $frame['menu'] . '>files</a> / ';
echo htmlspecialchars($_COOKIE['mail_name']) . '</h1>';
echo '<table cellpadding="0" cellspacing="0" class="np_buttonbar"><tr>';
echo '<table cellpadding="0" cellspacing="0" class="np_buttonbar"><tr>';
// Browse button
echo '<td>';
echo '<form target="' . $frame['content'] . '" method="post" action="files.php">';
echo '<input name="command" type="hidden" id="command" value="Browse" readonly="readonly">';
echo '<button class="np_button_link" type="submit">Browse</button>';
echo '</form>';
echo '</td>';
// Upload button
echo '<td>';
echo '<form target="' . $frame['content'] . '" method="post" action="upload.php">';
echo '<input name="command" type="hidden" id="command" value="Upload" readonly="readonly">';
echo '<button class="np_button_link" type="submit">Upload</button>';
echo '</form>';
echo '</td>';
echo '<td width=100%></td></tr></table>';
echo '<hr>';
if (isset($_FILES['photo'])) {
    $_FILES['photo']['name'] = preg_replace('/[^a-zA-Z0-9\.]/', '_', $_FILES['photo']['name']);
    // Check auth here
    if (isset($_POST['key']) && password_verify($CONFIG['thissitekey'] . $_POST['username'], $_POST['key'])) {
        if (check_bbs_auth($_POST['username'], $_POST['password'])) {
            $userdir = $spooldir . '/upload/' . strtolower($_POST['username']);
            $upload_to = $userdir . '/' . $_FILES['photo']['name'];
            if (is_file($upload_to)) {
                echo $_FILES['photo']['name'] . ' already exists in your folder';
            } else {
                if (! is_dir($userdir)) {
                    mkdir($userdir);
                }
                $success = move_uploaded_file($_FILES['photo']['tmp_name'], $upload_to);
                if ($success) {
                    file_put_contents($logfile, "\n" . format_log_date() . " Saved: " . strtolower($_POST['username']) . "/" . $_FILES['photo']['name'], FILE_APPEND);
                    echo 'Saved ' . $_FILES['photo']['name'] . ' to your files folder';
                } else {
                    echo 'There was an error saving ' . $_FILES['photo']['name'];
                }
            }
            ?>
<script type="text/javascript">
       if (navigator.cookieEnabled)
         var savename = "<?php echo stripslashes($name); ?>";
         document.cookie = "mail_name="+savename+"; path=/";
      </script>
<?php
        } else {
            echo 'Authentication Failed';
        }
        echo '<br /><br />';
    }
}

echo '<table border="0" align="center" cellpadding="0" cellspacing="1">';
echo '<form name="form1" method="post" action="user.php" enctype="multipart/form-data">';
// echo '<form name="form1" method="post" action="upload.php" enctype="multipart/form-data">';

if (! isset($_POST['username'])) {
    $_POST['username'] = '';
}
if (! isset($_POST['password'])) {
    $_POST['password'] = '';
}
if (! $logged_in && ! check_bbs_auth($_POST['username'], $_POST['password'])) {
    echo '<tr><td><strong>Please Login to Upload<br /></strong></td></tr>';
    echo '<tr><td>Username:</td><td><input name="username" type="text" id="username" value="' . $name . '"></td></tr>';
    echo '<tr><td>Password:</td><td><input name="password" type="password" id="password"></td></tr>';
    echo '<td><input name="source" type="hidden" id="source" value="Upload:upload.php" readonly="readonly"></td>';
    echo '<td><input name="command" type="hidden" id="command" value="Upload" readonly="readonly"></td>';
    echo '<td><input type="submit" name="Submit" value="Login"></td>';
} else {
    echo '<tr><td><strong>Logged in as ' . $_POST['username'] . '<br />(max size=2MB)</strong></td></tr>';
    echo '<td><input name="command" type="hidden" id="command" value="Upload" readonly="readonly"></td>';
    echo '<input type="hidden" name="key" value="' . password_hash($CONFIG['thissitekey'] . $name, PASSWORD_DEFAULT) . '">';
    echo '<input type="hidden" name="username" value="' . $_POST['username'] . '">';
    echo '<input type="hidden" name="password" value="' . $_POST['password'] . '">';
    echo '<tr><td><input type="file" name="photo" id="fileSelect" value="fileSelect" accept="image/*,audio/*,text/*,application/*"></td>
';
    echo '<td>&nbsp;<input type="submit" name="Submit" value="Upload"></td>';
}
echo '</tr>';
echo '</form>';
echo '</table>';
echo '</body></html>';
?>
Add file upload/download features 2021-05-13 11:24:54 +02:00			`<?php`
			`include "config.inc.php";`
			`include "newsportal.php";`

Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`$logfile = $logdir . '/files.log';`
Add logging to files feature 2021-06-01 02:09:52 +02:00
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`$keyfile = $spooldir . '/keys.dat';`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`$keys = unserialize(file_get_contents($keyfile));`

			`$name = '';`

			`$logged_in = false;`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`if (! isset($_POST['username'])) {`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`$_POST['username'] = $_COOKIE['mail_name'];`
Add file upload/download features 2021-05-13 11:24:54 +02:00			`}`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`$name = $_POST['username'];`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`if (! isset($_POST['password'])) {`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`$_POST['password'] = null;`
			`}`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`if (! isset($_COOKIE['mail_auth'])) {`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`$_COOKIE['mail_auth'] = null;`
			`}`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`if ((password_verify($_POST['username'] . $keys[0] . get_user_config($_POST['username'], 'encryptionkey'), $_COOKIE['mail_auth'])) \|\| (password_verify($_POST['username'] . $keys[1] . get_user_config($_POST['username'], 'encryptionkey'), $_COOKIE['mail_auth']))) {`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`$logged_in = true;`
Stay logged in while uploading/browsing files 2021-07-01 13:02:05 +02:00			`}`

Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`$title .= ' - Upload file';`
Add file upload/download features 2021-05-13 11:24:54 +02:00			`include "head.inc";`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<h1 class="np_thread_headline">';`
			`echo '<a href="../spoolnews/files.php" target=' . $frame['menu'] . '>files</a> / ';`
			`echo htmlspecialchars($_COOKIE['mail_name']) . '</h1>';`
			`echo '<table cellpadding="0" cellspacing="0" class="np_buttonbar"><tr>';`
			`echo '<table cellpadding="0" cellspacing="0" class="np_buttonbar"><tr>';`
Clean up file section interface a bit 2021-06-09 08:56:22 +02:00			`// Browse button`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<td>';`
			`echo '<form target="' . $frame['content'] . '" method="post" action="files.php">';`
			`echo '<input name="command" type="hidden" id="command" value="Browse" readonly="readonly">';`
			`echo '<button class="np_button_link" type="submit">Browse</button>';`
			`echo '</form>';`
			`echo '</td>';`
Clean up file section interface a bit 2021-06-09 08:56:22 +02:00			`// Upload button`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<td>';`
			`echo '<form target="' . $frame['content'] . '" method="post" action="upload.php">';`
			`echo '<input name="command" type="hidden" id="command" value="Upload" readonly="readonly">';`
			`echo '<button class="np_button_link" type="submit">Upload</button>';`
			`echo '</form>';`
			`echo '</td>';`
			`echo '<td width=100%></td></tr></table>';`
			`echo '<hr>';`
			`if (isset($_FILES['photo'])) {`
			`$_FILES['photo']['name'] = preg_replace('/[^a-zA-Z0-9\.]/', '_', $_FILES['photo']['name']);`
			`// Check auth here`
			`if (isset($_POST['key']) && password_verify($CONFIG['thissitekey'] . $_POST['username'], $_POST['key'])) {`
			`if (check_bbs_auth($_POST['username'], $_POST['password'])) {`
			`$userdir = $spooldir . '/upload/' . strtolower($_POST['username']);`
			`$upload_to = $userdir . '/' . $_FILES['photo']['name'];`
			`if (is_file($upload_to)) {`
			`echo $_FILES['photo']['name'] . ' already exists in your folder';`
			`} else {`
			`if (! is_dir($userdir)) {`
			`mkdir($userdir);`
			`}`
			`$success = move_uploaded_file($_FILES['photo']['tmp_name'], $upload_to);`
			`if ($success) {`
			`file_put_contents($logfile, "\n" . format_log_date() . " Saved: " . strtolower($_POST['username']) . "/" . $_FILES['photo']['name'], FILE_APPEND);`
			`echo 'Saved ' . $_FILES['photo']['name'] . ' to your files folder';`
			`} else {`
			`echo 'There was an error saving ' . $_FILES['photo']['name'];`
			`}`
			`}`
			`?>`
			`<script type="text/javascript">`
Stay logged in while uploading/browsing files 2021-07-01 13:02:05 +02:00			`if (navigator.cookieEnabled)`
			`var savename = "<?php echo stripslashes($name); ?>";`
Combine user login for mail, files and user. 2023-07-09 22:10:59 +02:00			`document.cookie = "mail_name="+savename+"; path=/";`
Stay logged in while uploading/browsing files 2021-07-01 13:02:05 +02:00			`</script>`
			`<?php`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`} else {`
			`echo 'Authentication Failed';`
			`}`
			`echo '<br /><br />';`
Revert "* upload.php now checks for user login instead of prompting for a login" This reverts commit 271ca2ead36a3ff73aa386e09b5d18bc96cd6317. 2023-07-08 21:49:44 +02:00			`}`
Add file upload/download features 2021-05-13 11:24:54 +02:00			`}`
Revert "* upload.php now checks for user login instead of prompting for a login" This reverts commit 271ca2ead36a3ff73aa386e09b5d18bc96cd6317. 2023-07-08 21:49:44 +02:00
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<table border="0" align="center" cellpadding="0" cellspacing="1">';`
			`echo '<form name="form1" method="post" action="user.php" enctype="multipart/form-data">';`
			`// echo '<form name="form1" method="post" action="upload.php" enctype="multipart/form-data">';`
Stay logged in while uploading/browsing files 2021-07-01 13:02:05 +02:00
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`if (! isset($_POST['username'])) {`
			`$_POST['username'] = '';`
			`}`
			`if (! isset($_POST['password'])) {`
			`$_POST['password'] = '';`
			`}`
			`if (! $logged_in && ! check_bbs_auth($_POST['username'], $_POST['password'])) {`
			`echo '<tr><td><strong>Please Login to Upload<br /></strong></td></tr>';`
			`echo '<tr><td>Username:</td><td><input name="username" type="text" id="username" value="' . $name . '"></td></tr>';`
			`echo '<tr><td>Password:</td><td><input name="password" type="password" id="password"></td></tr>';`
Add link after log in to return to action requested. 2023-09-22 12:09:32 +02:00			`echo '<td><input name="source" type="hidden" id="source" value="Upload:upload.php" readonly="readonly"></td>';`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<td><input name="command" type="hidden" id="command" value="Upload" readonly="readonly"></td>';`
			`echo '<td><input type="submit" name="Submit" value="Login"></td>';`
Stay logged in while uploading/browsing files 2021-07-01 13:02:05 +02:00			`} else {`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<tr><td><strong>Logged in as ' . $_POST['username'] . '<br />(max size=2MB)</strong></td></tr>';`
			`echo '<td><input name="command" type="hidden" id="command" value="Upload" readonly="readonly"></td>';`
			`echo '<input type="hidden" name="key" value="' . password_hash($CONFIG['thissitekey'] . $name, PASSWORD_DEFAULT) . '">';`
			`echo '<input type="hidden" name="username" value="' . $_POST['username'] . '">';`
			`echo '<input type="hidden" name="password" value="' . $_POST['password'] . '">';`
			`echo '<tr><td><input type="file" name="photo" id="fileSelect" value="fileSelect" accept="image/,audio/,text/,application/"></td>`
Revert "* upload.php now checks for user login instead of prompting for a login" This reverts commit 271ca2ead36a3ff73aa386e09b5d18bc96cd6317. 2023-07-08 21:49:44 +02:00			`';`
Only changes to indentation. No other changes. 2023-08-20 00:33:05 +02:00			`echo '<td> <input type="submit" name="Submit" value="Upload"></td>';`
Stay logged in while uploading/browsing files 2021-07-01 13:02:05 +02:00			`}`
Add file upload/download features 2021-05-13 11:24:54 +02:00			`echo '</tr>';`
			`echo '</form>';`
			`echo '</table>';`
			`echo '</body></html>';`
			`?>`