From 8da3573ffbaaa02fc61118fdd5617022cb9e8f16 Mon Sep 17 00:00:00 2001
From: Anton Mitsengendler
Date: Wed, 20 Feb 2019 17:12:06 +0300
Subject: [PATCH 1/4] added client subnet filter
---
 api/upload.php | 4 ++++
 inc/core.php | 27 +++++++++++++++++++++++++++
 inc/example.config.inc.php | 3 ++-
 rtfm/CONFIG.md | 1 +
 4 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/api/upload.php b/api/upload.php
index cf04ab6..6520ae9 100644
--- a/api/upload.php
+++ b/api/upload.php
@@ -21,6 +21,10 @@ if(!isFolderWritable(ROOT.DS.'data'))
 else if(!isFolderWritable(ROOT.DS.'tmp'))
 exit(json_encode(array('status'=>'err','reason'=>'Temp directory not writable')));
 
+// check if client has permission to upload
+if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
+ exit(json_encode(array('status'=>'err','reason'=> 'Access denied')));
+
 $hash = sanatizeString(trim($_REQUEST['hash']))?sanatizeString(trim($_REQUEST['hash'])):false;
 
 // check for POST upload
diff --git a/inc/core.php b/inc/core.php
index 5040323..b456fdd 100644
--- a/inc/core.php
+++ b/inc/core.php
@@ -24,6 +24,12 @@ function architect($url)
 //just show the site
 if( ( (!defined('UPLOAD_FORM_LOCATION') || (defined('UPLOAD_FORM_LOCATION') && !UPLOAD_FORM_LOCATION)) && count($u)==0) || (defined('UPLOAD_FORM_LOCATION') && UPLOAD_FORM_LOCATION && '/'.implode('/',$u)==UPLOAD_FORM_LOCATION) )
 {
+ // check if client address is allowed
+ if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))
+ {
+ header("HTTP/1.1 401 Unauthorized");
+ exit;
+ }
 renderTemplate('main');
 return;
 }
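Review bot: The new `if(defined('ALLOWED_SUBNET') && !isIPInRange( getUserIP(), ALLOWED_SUBNET ))` guard is only as strong as `getUserIP()`, which is defined outside this hunk; if that helper honours client-supplied headers such as X-Forwarded-For, the subnet restriction can be satisfied by a forged header and is not an access control, so it must be fed REMOTE_ADDR or a forwarded address set only by a trusted reverse proxy. The identical guard added to architect() in inc/core.php in this patch has the same dependency. isIPInRange() is IPv4-only (it relies on ip2long), so a client arriving over IPv6 is refused for any ordinary ALLOWED_SUBNET value, which deserves a comment next to the check: `// ALLOWED_SUBNET is an IPv4 CIDR; IPv6 clients are denied while it is set`.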
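Review bot: `header("HTTP/1.1 401 Unauthorized");` is the wrong status for an address-based refusal: 401 tells the client that credentials are required and is expected to carry a WWW-Authenticate header, whereas this branch denies regardless of credentials, so 403 Forbidden fits and `http_response_code(403);` also avoids hard-coding the protocol version. The branch exits with an empty body while api/upload.php in the same patch answers with a JSON error; either is acceptable, but a comment above the check such as `// ALLOWED_SUBNET gates the upload form here; api/upload.php applies the same check` would keep the two call sites easy to reconcile. architect() continues outside the hunk.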
@@ -500,4 +506,25 @@ function deleteHash($hash)
 $c->deleteFile($hash);
 }
 }
+}
+
+/**
+ * Check if a given ip is in a network
+ * @param string $ip IP to check in IPV4 format eg. 127.0.0.1
+ * @param string $range IP/CIDR netmask eg. 127.0.0.0/24, also 127.0.0.1 is accepted and /32 assumed
+ * @return boolean true if the ip is in this range / false if not.
+ * via https://gist.github.com/tott/7684443
+ */
+function isIPInRange( $ip, $range ) {
+ if ( strpos( $range, '/' ) == false )
+ {
+ $range .= '/32';
+ }
+ // $range is in IP/CIDR format eg 127.0.0.1/24
+ list( $range, $netmask ) = explode( '/', $range, 2 );
+ $range_decimal = ip2long( $range );
+ $ip_decimal = ip2long( $ip );
+ $wildcard_decimal = pow( 2, ( 32 - $netmask ) ) - 1;
+ $netmask_decimal = ~ $wildcard_decimal;
+ return ( ( $ip_decimal & $netmask_decimal ) == ( $range_decimal & $netmask_decimal ) );
 }
\ No newline at end of file
diff --git a/inc/example.config.inc.php b/inc/example.config.inc.php
index f6cabb4..6403b3c 100644
--- a/inc/example.config.inc.php
+++ b/inc/example.config.inc.php
@@ -11,4 +11,5 @@ define('URL','https://dev.pictshare.net/');
 //define('JPEG_COMPRESSION', 90);
 //define('FFMPEG_BINARY','');
-//define('ALT_FOLDER','/ftp/pictshare');
\ No newline at end of file
+//define('ALT_FOLDER','/ftp/pictshare');
+//define('ALLOWED_SUBNET','192.168.0.0/24');
\ No newline at end of file
diff --git a/rtfm/CONFIG.md b/rtfm/CONFIG.md
index ed9370a..0193f68 100644
--- a/rtfm/CONFIG.md
+++ b/rtfm/CONFIG.md
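Review bot: isIPInRange() treats any input it cannot parse as address 0: `ip2long()` returns false for an IPv6 address, a hostname or an empty string, and false becomes 0 in the bitwise AND, so the function silently compares a bogus value instead of reporting invalid input; with an ALLOWED_SUBNET whose masked network is all zeros (an example would be 0.0.0.0/8) such a client is accepted. The `strpos( $range, '/' ) == false` test is also a loose comparison that misfires when the slash is at offset 0, and `$netmask` is used unvalidated in `pow( 2, ( 32 - $netmask ) )`. Validate both addresses with `filter_var(..., FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)` and the prefix length as an integer in 0..32, returning false otherwise, as sketched below; the docblock should say `@return bool` rather than `boolean` to match the native type name.
```php
function isIPInRange( $ip, $range ) {
    if ( strpos( $range, '/' ) === false )
    {
        $range .= '/32';
    }
    list( $range, $netmask ) = explode( '/', $range, 2 );
    // Reject anything that is not an IPv4 dotted quad with a 0..32 prefix length,
    // rather than letting ip2long()'s false turn into address 0 in the comparison below.
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) === false
        || filter_var( $range, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) === false
        || !ctype_digit( $netmask ) || (int) $netmask > 32 )
    {
        return false;
    }
    $netmask = (int) $netmask;
    // … unchanged: ip2long / wildcard / netmask computation and the masked comparison …
}
```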
@@ -12,6 +12,7 @@
 | MASTER_DELETE_CODE | string | If set, this code will be accepted to delete any image by adding "delete_yourmasterdeletecode" to any image |
 | MASTER_DELETE_IP | IP addr | If set, allows deletion of image no matter what delete code you provided if request is coming from this single IP |
 | UPLOAD_FORM_LOCATION | string | If set, will only show the upload form if this url is requested. eg if you set it to /secret/upload then you only see the form if you go to http://your.pictshare.server/secret/upload but bare in mind that the uploads [via API](/rtfm/API.md) will still work for anyone|
+| ALLOWED_SUBNET | IP addr | If set, will only show the upload form and allow to upload via API if request is coming from this subnet |
 | UPLOAD_QUOTA (NOT IMPLEMENTED) | int | Size in MB. If set, will only allow uploads if combined size of uploads on Server is smaller than this value. Does not account for ALT_FOLDER data and resized versions of original uploads won't be added to calculation |
 | UPLOAD_CODE (NOT IMPLEMENTED | string | If set, all uploads require this code via GET or POST variable "uploadcode" or upload will fail |
 | MAX_RESIZED_IMAGES (NOT IMPLEMENTED | string | If set, limits count of resized images/videos per file on server |
\ No newline at end of file
From 6adb55769339fae883d5f77e6415edda46709726 Mon Sep 17 00:00:00 2001
From: Thomas Jensen
Date: Fri, 8 Mar 2019 09:46:35 +0100
Subject: [PATCH 2/4] Add commandline alias examples
---
 rtfm/API.md | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/rtfm/API.md b/rtfm/API.md
index 823ad26..dbe0141 100644
--- a/rtfm/API.md
+++ b/rtfm/API.md
@@ -37,6 +37,25 @@ Answer from the server: {"status":"ok","hash":"y1b6hr.jpg","url":"https://pictshare.net/y1b6hr.jpg"} ``` +2. Uploading from the commandline using alias, requires `jq` package for json response decoding + +Put this in your `.bashrc` or `.zshrc`: +``` +pict () { + curl -s -F "file=@${1:--}" https://pictshare.net/api/upload.php | jq -r '.url'; +} +``` + +Usage: +``` +$ cat path/to/image.jpg | pict +``` + +Repsonse: +``` +https://pictshare.net/y1b6hr.jpg +``` + # geturl.php - URL https://pictshare.net/api/geturl.php @@ -100,6 +119,25 @@ Answer from the server: } ``` +3. Uploading from the commandline using alias, requires `jq` package for json response decoding + +Put this in your `.bashrc` or `.zshrc`: +``` +pictget () { + curl -s "hhttps://pictshare.net/api/geturl.php?url=$1" | jq -r '.url'; +} +``` + +Usage: +``` +$ pictget https://i.imgur.com/qQstLQt.mp4 +``` + +Repsonse: +``` +https://pictshare.net/u0ni1m.mp4 +``` + --- # pasetebin.php @@ -165,4 +203,4 @@ Upload local image "test.jpg" to pictshare "delete_code": "z0e1mdo8szxnauspxp2f080e4wd4ycf2", "delete_url": "https://dev.pictshare.net/delete_z0e1mdo8szxnauspxp2f080e4wd4ycf2/lpl119.jpg" } -``` \ No newline at end of file +``` From 8e3cf866a6a92a90671097cfadc09806d39d50d3 Mon Sep 17 00:00:00 2001 From: Thomas Jensen Date: Fri, 8 Mar 2019 09:48:02 +0100 Subject: [PATCH 3/4] add modifisers documentation --- rtfm/MODIFIERS.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rtfm/MODIFIERS.md diff --git a/rtfm/MODIFIERS.md b/rtfm/MODIFIERS.md new file mode 100644 index 0000000..05513df --- /dev/null +++ b/rtfm/MODIFIERS.md 
@@ -0,0 +1,24 @@
+## Images
+
+### Resize
+`/800x600/d8c01b45a6.png`
+
+Width x Height
+
+### Rotate
+`/upside|left|right/d8c01b45a6.png`
+
+* `upside`: 180°
+* `left`: 90°
+* `right`: -90°
+
+### WebP conversion
+`/webp/d8c01b45a6.png`
+
+### Gif to mp4
+`/mp4/d8c01b45a6.png`
+
+### Filters
+`/filter/d8c01b45a6.png`
+
+[See available filters](IMAGEFILTERS.md)
From 2a628e7d7a99c9c1c4ce67cf7c8c669e29f1823e Mon Sep 17 00:00:00 2001
From: Thomas Jensen
Date: Fri, 8 Mar 2019 09:50:46 +0100
Subject: [PATCH 4/4] layout changes to modifiers documentation
---
 rtfm/MODIFIERS.md | 22 ++++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/rtfm/MODIFIERS.md b/rtfm/MODIFIERS.md
index 05513df..25d3004 100644
--- a/rtfm/MODIFIERS.md
+++ b/rtfm/MODIFIERS.md
@@ -1,24 +1,34 @@
 ## Images
 
 ### Resize
-`/800x600/d8c01b45a6.png`
+```
+/800x600/d8c01b45a6.png
+```
 
-Width x Height
+width x height
 
 ### Rotate
-`/upside|left|right/d8c01b45a6.png`
+```
+/upside|left|right/d8c01b45a6.png
+```
 
 * `upside`: 180°
 * `left`: 90°
 * `right`: -90°
 
 ### WebP conversion
-`/webp/d8c01b45a6.png`
+```
+/webp/d8c01b45a6.jpeg
+```
 
 ### Gif to mp4
-`/mp4/d8c01b45a6.png`
+```
+/mp4/d8c01b45a6.gif
+```
 
 ### Filters
-`/filter/d8c01b45a6.png`
+```
+/filter/d8c01b45a6.png
+```
 
 [See available filters](IMAGEFILTERS.md)