mirror of
https://github.com/hyzendust/share.freedoms4.org.git
synced 2026-04-15 21:48:33 +02:00
Add: early quota check
This commit is contained in:
hyzen
44
index.php
44
index.php
@@ -3,7 +3,7 @@
|
||||
// CONFIGURATION
|
||||
// -------------------------
|
||||
$AUTH_USER = 'user';
|
||||
$AUTH_PASS = 'pass';
|
||||
$AUTH_PASS = 'pass'; // Change this to a strong password
|
||||
$UPLOAD_DIR = __DIR__ . '/files/';
|
||||
//$ALLOWED_TYPES = ['image/png', 'image/jpeg', 'application/pdf', 'text/plain']; // optional
|
||||
$ALLOWED_TYPES = [];
|
||||
@@ -66,7 +66,7 @@ function check_rate_limit($ip, $file_size) {
|
||||
|
||||
$usage_data[] = [
|
||||
'timestamp' => $current_time,
|
||||
'size' => $file_size,
|
||||
'size' => $file_size
|
||||
];
|
||||
|
||||
file_put_contents($rate_file, json_encode($usage_data, JSON_PRETTY_PRINT));
|
||||
@@ -131,8 +131,8 @@ if ($request_method === 'GET' && isset($_GET['quota'])) {
|
||||
// -------------------------
|
||||
// FILE DOWNLOAD (GET/HEAD)
|
||||
// -------------------------
|
||||
else if ($request_method === 'GET' || $request_method === 'HEAD') {
|
||||
$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME']) + 1);
|
||||
if ($request_method === 'GET' || $request_method === 'HEAD') {
|
||||
$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
|
||||
$sanitized_name = basename($upload_file_name);
|
||||
$store_file_name = $UPLOAD_DIR . $sanitized_name;
|
||||
|
||||
@@ -161,14 +161,14 @@ else if ($request_method === 'GET' || $request_method === 'HEAD') {
|
||||
// -------------------------
|
||||
// OPTIONS (CORS preflight)
|
||||
// -------------------------
|
||||
else if ($request_method === 'OPTIONS') {
|
||||
if ($request_method === 'OPTIONS') {
|
||||
exit;
|
||||
}
|
||||
|
||||
// -------------------------
|
||||
// BASIC HTTP AUTH (for POST uploads/deletes)
|
||||
// -------------------------
|
||||
else if ($request_method === 'POST') {
|
||||
if ($request_method === 'POST') {
|
||||
if (!isset($_SERVER['PHP_AUTH_USER']) ||
|
||||
$_SERVER['PHP_AUTH_USER'] !== $AUTH_USER ||
|
||||
$_SERVER['PHP_AUTH_PW'] !== $AUTH_PASS) {
|
||||
@@ -178,16 +178,31 @@ else if ($request_method === 'POST') {
|
||||
exit;
|
||||
}
|
||||
|
||||
// -------------------------
|
||||
// EARLY QUOTA CHECK (using Content-Length, before file is buffered)
|
||||
// This rejects oversized uploads immediately for both web and CLI uploads.
|
||||
// -------------------------
|
||||
$content_length = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
|
||||
if ($content_length > 0) {
|
||||
$client_ip = get_client_ip();
|
||||
$remaining = get_remaining_quota($client_ip);
|
||||
if ($content_length > $remaining) {
|
||||
http_response_code(429);
|
||||
echo 'Rate limit exceeded. You have ' . round($remaining / 1024 / 1024, 2) . ' MB remaining in your 24-hour quota.';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
// -------------------------
|
||||
// FILE DELETE HANDLING
|
||||
// -------------------------
|
||||
if (isset($_POST['delete'])) {
|
||||
$fileToDelete = basename($_POST['delete']);
|
||||
$fileToDelete = basename($_POST['delete']); // sanitize filename
|
||||
$target = $UPLOAD_DIR . $fileToDelete;
|
||||
|
||||
if (file_exists($target)) {
|
||||
if (unlink($target)) {
|
||||
@unlink($target . '-type');
|
||||
@unlink($target . '-type'); // Also delete type file if exists
|
||||
echo 'Deleted successfully';
|
||||
exit;
|
||||
} else {
|
||||
@@ -223,7 +238,9 @@ else if ($request_method === 'POST') {
|
||||
}
|
||||
|
||||
// Rate limiting check
|
||||
// This records the usage after the early check already passed.
|
||||
$client_ip = get_client_ip();
|
||||
|
||||
if (!check_rate_limit($client_ip, $file['size'])) {
|
||||
$remaining = get_remaining_quota($client_ip);
|
||||
http_response_code(429);
|
||||
@@ -231,7 +248,7 @@ else if ($request_method === 'POST') {
|
||||
exit;
|
||||
}
|
||||
|
||||
// Check if upload directory exists
|
||||
// Check if upload directory exists (normal files)
|
||||
if (!is_dir($UPLOAD_DIR)) {
|
||||
http_response_code(500);
|
||||
echo 'Upload directory not available.';
|
||||
@@ -251,11 +268,12 @@ else if ($request_method === 'POST') {
|
||||
}
|
||||
|
||||
$originalName = basename($file['name']);
|
||||
// Sanitize original filename (remove extension first)
|
||||
$ext = pathinfo($originalName, PATHINFO_EXTENSION);
|
||||
$nameWithoutExt = pathinfo($originalName, PATHINFO_FILENAME);
|
||||
$nameWithoutExt = preg_replace('/[^A-Za-z0-9_\-]/', '_', $nameWithoutExt);
|
||||
|
||||
// Generate unique filename
|
||||
// Generate random string and append
|
||||
do {
|
||||
$random = random_string();
|
||||
$filename = $nameWithoutExt . '_' . $random . ($ext ? '.' . $ext : '');
|
||||
@@ -269,7 +287,7 @@ else if ($request_method === 'POST') {
|
||||
exit;
|
||||
}
|
||||
|
||||
// Store MIME type
|
||||
// Store MIME type for consistency
|
||||
file_put_contents($target . '-type', $file['type']);
|
||||
|
||||
// Return public URL
|
||||
@@ -288,7 +306,5 @@ else if ($request_method === 'POST') {
|
||||
// -------------------------
|
||||
// INVALID REQUEST METHOD
|
||||
// -------------------------
|
||||
else {
|
||||
header('HTTP/1.0 400 Bad Request');
|
||||
}
|
||||
header('HTTP/1.0 400 Bad Request');
|
||||
?>
|
||||
|
||||
Reference in New Issue
Block a user