
  1. <?php
  2. session_start();
  3. if(!isset($_SESSION['hostz-user']) or !isset($_SESSION['hostz-passwd'])) { exit(1); }
  4. $username = $_SESSION['hostz-user'];
  5. $password = $_SESSION['hostz-passwd'];
  6. // check if user is valid
  7. include_once("users/$username.php");
  8. // config variables
  9. include_once("config.php");
  10. // get filesize for uploaded files
  11. function tomb($size, $precision = 2)
  12. {
  13. $base = log($size) / log(1024);
  14. $suffixes = array('', 'KB', 'MB', 'GB', 'TB');
  15. return round(pow(1024, $base - floor($base)), $precision) . $suffixes[floor($base)];
  16. }
  17. if($password!=$user_password)
  18. {
  19. $_SESSION['hostz-user'] = null;
  20. $_SESSION['hostz-passwd'] = null;
  21. exit(1);
  22. }
  23. echo "<html>";
  24. for($i=0; $i<count($_FILES["file"]["name"]); $i++)
  25. {
  26. $temp = explode(".", $_FILES["file"]["name"][$i]);
  27. $extension = end($temp);
  28. if ((($_FILES["file"]["type"][$i] == "image/gif")
  29. || ($_FILES["file"]["type"][$i] == "image/x-gif")
  30. || ($_FILES["file"]["type"][$i] == "image/jpeg")
  31. || ($_FILES["file"]["type"][$i] == "image/x-jpeg")
  32. || ($_FILES["file"]["type"][$i] == "image/x-jpg")
  33. || ($_FILES["file"]["type"][$i] == "image/jpg")
  34. || ($_FILES["file"]["type"][$i] == "image/pjpeg")
  35. || ($_FILES["file"]["type"][$i] == "image/x-png")
  36. || ($_FILES["file"]["type"][$i] == "image/bmp")
  37. || ($_FILES["file"]["type"][$i] == "image/x-icon")
  38. || ($_FILES["file"]["type"][$i] == "text/css")
  39. || ($_FILES["file"]["type"][$i] == "application/octet-stream")
  40. || ($_FILES["file"]["type"][$i] == "text/html")
  41. || ($_FILES["file"]["type"][$i] == "application/vnd.android.package-archive")
  42. || ($_FILES["file"]["type"][$i] == "text/htm")
  43. || ($_FILES["file"]["type"][$i] == "text/xhtml")
  44. || ($_FILES["file"]["type"][$i] == "text/xml")
  45. || ($_FILES["file"]["type"][$i] == "application/xhtml+xml")
  46. || ($_FILES["file"]["type"][$i] == "application/xml")
  47. || ($_FILES["file"]["type"][$i] == "text/plain")
  48. || ($_FILES["file"]["type"][$i] == "application/octet-stream")
  49. || ($_FILES["file"]["type"][$i] == "application/x-gunzip")
  50. || ($_FILES["file"]["type"][$i] == "application/x-gzip-compressed")
  51. || ($_FILES["file"]["type"][$i] == "application/x-rar-compressed")
  52. || ($_FILES["file"]["type"][$i] == "application/x-rar")
  53. || ($_FILES["file"]["type"][$i] == "application/octet-stream")
  54. || ($_FILES["file"]["type"][$i] == "application/x-7z-compressed")
  55. || ($_FILES["file"]["type"][$i] == "application/x-7z")
  56. || ($_FILES["file"]["type"][$i] == "application/x-compress")
  57. || ($_FILES["file"]["type"][$i] == "application/x-compressed")
  58. || ($_FILES["file"]["type"][$i] == "application/x-tar")
  59. || ($_FILES["file"]["type"][$i] == "application/x-tar-compressed")
  60. || ($_FILES["file"]["type"][$i] == "application/x-gtar")
  61. || ($_FILES["file"]["type"][$i] == "application/x-tgz")
  62. || ($_FILES["file"]["type"][$i] == "application/tgz")
  63. || ($_FILES["file"]["type"][$i] == "application/tar")
  64. || ($_FILES["file"]["type"][$i] == "application/gzip")
  65. || ($_FILES["file"]["type"][$i] == "application/x-gzip")
  66. || ($_FILES["file"]["type"][$i] == "application/x-zip")
  67. || ($_FILES["file"]["type"][$i] == "application/zip")
  68. || ($_FILES["file"]["type"][$i] == "application/x-zip-compressed")
  69. || ($_FILES["file"]["type"][$i] == "text/c")
  70. || ($_FILES["file"]["type"][$i] == "text/cpp")
  71. || ($_FILES["file"]["type"][$i] == "text/lua")
  72. || ($_FILES["file"]["type"][$i] == "text/py")
  73. || ($_FILES["file"]["type"][$i] == "text/x-lua")
  74. || ($_FILES["file"]["type"][$i] == "text/x-c")
  75. || ($_FILES["file"]["type"][$i] == "audio/mp3")
  76. || ($_FILES["file"]["type"][$i] == "audio/x-mp3")
  77. || ($_FILES["file"]["type"][$i] == "audio/mpeg")
  78. || ($_FILES["file"]["type"][$i] == "audio/x-mpeg")
  79. || ($_FILES["file"]["type"][$i] == "audio/mpeg3")
  80. || ($_FILES["file"]["type"][$i] == "audio/x-mpeg3")
  81. || ($_FILES["file"]["type"][$i] == "audio/wav")
  82. || ($_FILES["file"]["type"][$i] == "audio/wave")
  83. || ($_FILES["file"]["type"][$i] == "audio/x-wav")
  84. || ($_FILES["file"]["type"][$i] == "audio/ogg")
  85. || ($_FILES["file"]["type"][$i] == "audio/x-ogg")
  86. || ($_FILES["file"]["type"][$i] == "video/mp4")
  87. || ($_FILES["file"]["type"][$i] == "video/ogg")
  88. || ($_FILES["file"]["type"][$i] == "video/webm")
  89. || ($_FILES["file"]["type"][$i] == "application/json")
  90. || ($_FILES["file"]["type"][$i] == "application/pdf")
  91. || ($_FILES["file"]["type"][$i] == "image/svg+xml")
  92. || ($_FILES["file"]["type"][$i] == "application/rtf")
  93. || ($_FILES["file"]["type"][$i] == "font/ttf")
  94. || ($_FILES["file"]["type"][$i] == "font/otf")
  95. || ($_FILES["file"]["type"][$i] == "video/x-flv")
  96. || ($_FILES["file"]["type"][$i] == "video/mp4v-es")
  97. || ($_FILES["file"]["type"][$i] == "application/x-python")
  98. || ($_FILES["file"]["type"][$i] == "text/x-python")
  99. || ($_FILES["file"]["type"][$i] == "text/python")
  100. || ($_FILES["file"]["type"][$i] == "application/x-compressed")
  101. || ($_FILES["file"]["type"][$i] == "text/javascript")
  102. || ($_FILES["file"]["type"][$i] == "application/x-shockwave-flash")
  103. || ($_FILES["file"]["type"][$i] == "application/x-javascript")
  104. || ($_FILES["file"]["type"][$i] == "application/bzip2")
  105. || ($_FILES["file"]["type"][$i] == "application/x-bzip")
  106. || ($_FILES["file"]["type"][$i] == "application/x-bz2")
  107. || ($_FILES["file"]["type"][$i] == "application/octet")
  108. || ($_FILES["file"]["type"][$i] == "application/octet-stream")
  109. || ($_FILES["file"]["type"][$i] == "application/force-download")
  110. || ($_FILES["file"]["type"][$i] == "image/png")
  111. || ($_FILES["file"]["type"][$i] == ""))
  112. && ($_FILES["file"]["size"][$i] < $user_max_upload)
  113. && in_array(strtolower($extension), $allowedExts))
  114. {
  115. if ($_FILES["file"]["error"][$i] > 0)
  116. {
  117. echo $_FILES["file"]["name"][$i] . " - Return Code: " . $_FILES["file"]["error"][$i] . "<br>";
  118. }
  119. else
  120. {
  121. if(isset($_GET['p']))
  122. {
  123. $path = $_GET['p'];
  124. if(stristr($path, "../") == true)
  125. {
  126. echo "<meta http-equiv='refresh' content='0;url=ctrl.php?action=backtracking_error'>";
  127. }
  128. else if (file_exists("users/$username/$path/" . $_FILES["file"]["name"][$i]))
  129. {
  130. echo "Error:" . $_FILES["file"]["name"][$i] . " file exists.<br>";
  131. }
  132. else
  133. {
  134. $usage = file_get_contents("users/$username.usage");
  135. $usage = $usage + $_FILES["file"]["size"][$i];
  136. if($usage > $user_max_webspace) {
  137. echo "Error: Exceeding max webspace usage.<br>";
  138. }
  139. else
  140. {
  141. $filelist = file_get_contents("users/$username.files");
  142. file_put_contents("users/$username.usage", $usage);
  143. move_uploaded_file($_FILES["file"]["tmp_name"][$i],
  144. "users/$username/$path/" . $_FILES["file"]["name"][$i]);
  145. file_put_contents("users/$username.files", $_FILES["file"]["name"][$i] . "\n" . $filelist);
  146. echo "Success: " . $_FILES["file"]["name"][$i] . " Uploaded! Size: " . tomb($_FILES["file"]["size"][$i]) . "<br />\n";
  147. }
  148. }
  149. }
  150. else
  151. {
  152. if (file_exists("users/$username/" . $_FILES["file"]["name"][$i]))
  153. {
  154. echo "Error: " . $_FILES["file"]["name"][$i] . " exists.<br>";
  155. }
  156. else
  157. {
  158. $usage = file_get_contents("users/$username.usage");
  159. $usage = $usage + $_FILES["file"]["size"][$i];
  160. if($usage > $user_max_webspace) {
  161. echo "Error: Exceeding max webspace usage.<br>";
  162. }
  163. else
  164. {
  165. file_put_contents("users/$username.usage", $usage);
  166. move_uploaded_file($_FILES["file"]["tmp_name"][$i],
  167. "users/$username/" . $_FILES["file"]["name"][$i]);
  168. echo "Success: " . $_FILES["file"]["name"][$i] . " Uploaded! Size: " . tomb($_FILES["file"]["size"][$i]) . "<br>";
  169. }
  170. }
  171. }
  172. }
  173. }
  174. else
  175. {
  176. echo "Error: " . $_FILES["file"]["name"][$i] . " is too large, or is a invalid filetype";
  177. }
  178. }
  179. echo "</html>";
  180. ?>