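<?php

declare(strict_types=1);

// Opus v5.9.11 upload helper - extended paths
//
// Accepts a multipart upload and copies it, via sudo, to an absolute path under
// /var/www/html/. Because 'php' is in the allowed-extension list, anyone who
// holds the key can place executable code on this host: treat the key as a
// root-equivalent credential, keep the endpoint off any public interface, and
// log/alert on requests to it.
//
// Request contract (unchanged from the previous version):
//   k    - shared key, POST or GET. GET is still honoured for compatibility, but
//          a query-string secret ends up in access and proxy logs; send it in
//          the POST body.
//   dest - absolute destination path, must start with /var/www/html/
//   file - the uploaded file
// Replies: 401 on a bad key, 400 on a bad destination / missing upload / PHP
// syntax error, 500 when the privileged copy fails, and on success a JSON body
// {"ok":true,"dest":...,"size":...,"ext":...,"gold_created":...}.

// NOTE(review): the key is a secret embedded in source and therefore in every
// backup, repo and GOLD copy of this file. UPLOAD_KEY (new, optional) is read
// from the environment first; the literal below is only the fallback.
$expectedKey = getenv('UPLOAD_KEY') ?: 'WEVADS2026';

/**
 * Send a plain-text error with the given HTTP status and stop the script.
 */
function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($msg);
}

/**
 * Read a request parameter from POST, then GET, as a plain string.
 *
 * An array value (e.g. ?k[]=x) is returned as '' rather than being passed on
 * to string functions, which would raise a TypeError on PHP 8.
 */
function param(string $name): string
{
    $value = $_POST[$name] ?? $_GET[$name] ?? '';

    return is_string($value) ? $value : '';
}

/**
 * Run a shell command (arguments must already be escaped) and return its exit status.
 *
 * Output is discarded; callers only need to know whether the command succeeded.
 */
function run(string $cmd): int
{
    exec($cmd . ' 2>&1', $output, $status);

    return $status;
}

/**
 * Best-effort removal of a temporary file.
 */
function discard(string $path): void
{
    if (is_file($path)) {
        unlink($path);
    }
}

// --- authentication ---------------------------------------------------------
$k = param('k');
// hash_equals() gives a constant-time comparison; both operands are strings here.
if ($k === '' || !hash_equals($expectedKey, $k)) {
    fail(401, 'unauth');
}

// --- destination validation --------------------------------------------------
$dest = param('dest');
$allowedExt = ['php', 'html', 'js', 'css', 'py', 'sh', 'json', 'md', 'txt', 'ps1', 'xml', 'svg'];
$ext = strtolower(pathinfo($dest, PATHINFO_EXTENSION));

$destOk = $dest !== ''
    // An embedded NUL would truncate the path at the filesystem/shell boundary.
    && strpos($dest, "\0") === false
    && strpos($dest, '/var/www/html/') === 0
    && strpos($dest, '..') === false
    && in_array($ext, $allowedExt, true);

if (!$destOk) {
    // The submitted path is not echoed back: it is caller-controlled and the
    // previous reply reflected it verbatim into the response body.
    fail(400, 'bad dest');
}

// --- upload validation -------------------------------------------------------
$file = $_FILES['file'] ?? null;
if (!is_array($file)
    || !is_string($file['tmp_name'] ?? null)
    || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
) {
    fail(400, 'no file');
}

// tempnam() creates the scratch file with a unique name and mode 0600, so the
// name does not have to be guessed from uniqid().
$tmp = tempnam(sys_get_temp_dir(), 'upload_');
if ($tmp === false) {
    fail(500, 'no temp file');
}

// move_uploaded_file() also verifies the source really came from this request's upload.
if (!move_uploaded_file($file['tmp_name'], $tmp)) {
    discard($tmp);
    fail(500, 'move failed');
}

// Refuse PHP files that would not even parse; the lint output is the uploader's own file.
if ($ext === 'php') {
    $check = (string) shell_exec('php -l ' . escapeshellarg($tmp) . ' 2>&1');
    if (strpos($check, 'No syntax errors') === false) {
        discard($tmp);
        fail(400, "syntax: $check");
    }
}

// --- GOLD backup existing file (doctrine #3) ---------------------------------
$goldCreated = false;
if (file_exists($dest)) {
    $backup = $dest . '.GOLD-' . date('Ymd-His');
    // Escape the complete backup path as one argument; the previous version
    // quoted only $dest and relied on the shell gluing the suffix onto it.
    $goldCreated = run('sudo cp ' . escapeshellarg($dest) . ' ' . escapeshellarg($backup)) === 0;
    // NOTE(review): the backup stays inside the web root with a non-PHP suffix;
    // unless the web server refuses *.GOLD-* files, the previous version's
    // source is downloadable - confirm the server config.
}

// --- privileged copy into place ----------------------------------------------
$dir = dirname($dest);
if (!is_dir($dir) && run('sudo mkdir -p ' . escapeshellarg($dir)) !== 0) {
    discard($tmp);
    fail(500, 'mkdir failed');
}

if (run('sudo cp ' . escapeshellarg($tmp) . ' ' . escapeshellarg($dest)) !== 0) {
    discard($tmp);
    fail(500, 'copy failed');
}

// Ownership fix-up is best-effort, as before: a failure here leaves a root-owned file.
run('sudo chown www-data:www-data ' . escapeshellarg($dest));
discard($tmp);

$size = filesize($dest);
header('Content-Type: application/json');
exit(json_encode([
    'ok' => true,
    'dest' => $dest,
    'size' => $size === false ? null : $size,
    'ext' => $ext,
    // Reports whether a backup was actually made, instead of a constant true.
    'gold_created' => $goldCreated,
]));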