examples/php-xhr: Added filename sanitation and file size check befor…

…e saving (#4432)
transloadit · May 26, 2023 · 81ba34c · 81ba34c
1 parent 2b855ce
commit 81ba34c
Showing 1 changed file with 29 additions and 3 deletions.
diff --git a/examples/php-xhr/server.php b/examples/php-xhr/server.php
@@ -3,6 +3,9 @@
 ini_set('display_startup_errors', 1);
 error_reporting(E_ALL);
 
+// Get the maximum upload file size
+$max_size = ini_get('upload_max_filesize');
+
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
     if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
         header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');
@@ -18,14 +21,31 @@
     exit(0);
 }
 
-if ($_POST && !empty($_FILES["file"])) {
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_FILES["file"])) {
     $target_dir = __DIR__ . DIRECTORY_SEPARATOR . 'uploads';
-    $target_file = $target_dir . DIRECTORY_SEPARATOR . basename($_FILES['file']['name']);
+    $file_name = basename($_FILES['file']['name']);
+    $file_size = $_FILES['file']['size'];
+    $target_file = $target_dir . DIRECTORY_SEPARATOR . $file_name;
+
+    // Validate file size
+    if ($file_size > $max_size) {
+        header('Access-Control-Allow-Origin: *');
+        header('Content-type: application/json');
+        $data = ['message' => 'File size exceeds the maximum allowed size of ' . $max_size . '.'];
+        http_response_code(400);
+        echo json_encode($data);
+        exit;
+    }
+
+    // Sanitize file name to prevent directory traversal attacks
+    $file_name = preg_replace('/[^a-zA-Z0-9._-]/', '', $file_name);
+    $target_file = $target_dir . DIRECTORY_SEPARATOR . $file_name;
+
     try {
         if (move_uploaded_file($_FILES['file']['tmp_name'], $target_file)) {
             header('Access-Control-Allow-Origin: *');
             header('Content-type: application/json');
-            $data = ['url' => $target_file, 'message' => 'The file ' . basename($_FILES['file']['name']) . ' has been uploaded.'];
+            $data = ['url' => $target_file, 'message' => 'The file ' . $file_name . ' has been uploaded.'];
             http_response_code(201);
             echo json_encode($data);
         } else {
@@ -39,4 +59,10 @@
         http_response_code(400);
         echo json_encode($data);
     }
+} else {
+    header('Access-Control-Allow-Origin: *');
+    header('Content-type: application/json');
+    $data = ['message' => 'Please upload a file.'];
+    http_response_code(400);
+    echo json_encode($data);
 }