text-chat-upload-file.php
06fbd764
 <?php
 /**
  *  Copyright (C) 2021  Double Bastion LLC
  *
  *  This file is part of Roundpin, which is licensed under the
  *  GNU Affero General Public License Version 3.0. The license terms
  *  are detailed in the "LICENSE.txt" file located in the root directory.
  */
 
 session_start();
 
 if (isset($_POST['s_ajax_call']) && ($_POST['s_ajax_call'] == $_SESSION['validate_s_access']) && isset($_POST['sipUser']) && $_POST['sipUser'] != '') {
 
   $sipUser = $_POST['sipUser'];
 
   try {
 
     $resmessage = '';
 
     // Check for undefined error, multiple files, $_FILES corruption
     if (!isset($_FILES['uploadedFile']['error']) || is_array($_FILES['uploadedFile']['error'])) {
         throw new RuntimeException('Invalid parameters.');
     }
 
     // Check $_FILES['upfile']['error'] value
     switch ($_FILES['uploadedFile']['error']) {
         case UPLOAD_ERR_OK:
              break;
         case UPLOAD_ERR_NO_FILE:
              throw new RuntimeException('No file sent.');
         case UPLOAD_ERR_INI_SIZE:
              throw new RuntimeException('The file size limit was exceeded! Please choose a file with a smaller size!');
         case UPLOAD_ERR_FORM_SIZE:
              throw new RuntimeException('The file size limit was exceeded! Please choose a file with a smaller size!');
         default:
              throw new RuntimeException('Unknown error.');
     }
 
     // Check file size (in bytes)
     if ($_FILES['uploadedFile']['size'] > 786432000) {
         throw new RuntimeException('Uploaded file size exceeds the limit of 750 MB.');
     }
 
     // Check MIME Type
     $finfo = new finfo(FILEINFO_MIME_TYPE);
     if (false === $ext = array_search($finfo->file($_FILES['uploadedFile']['tmp_name']),
         array(
 	'aac' => 'audio/aac',
 	'abw' => 'application/x-abiword',
 	'arc' => 'application/x-freearc',
 	'avi' => 'video/x-msvideo',
 	'azw' => 'application/vnd.amazon.ebook',
 	'bin' => 'application/octet-stream',
 	'bmp' => 'image/bmp',
 	'bz' => 'application/x-bzip',
 	'bz2' => 'application/x-bzip2',
 	'cda' => 'application/x-cdf',
 	'csh' => 'application/x-csh',
 	'css' => 'text/css',
 	'csv' => 'text/csv',
 	'doc' => 'application/msword',
 	'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
 	'eot' => 'application/vnd.ms-fontobject',
 	'epub' => 'application/epub+zip',
 	'gz' => 'application/gzip',
 	'gif' => 'image/gif',
 	'htm' => 'text/html',
 	'html' => 'text/html',
 	'ico' => 'image/vnd.microsoft.icon',
 	'ics' => 'text/calendar',
 	'jar' => 'application/java-archive',
 	'jpeg' => 'image/jpeg',
 	'jpg' => 'image/jpeg',
 	'json' => 'application/json',
 	'jsonld' => 'application/ld+json',
 	'mid' => 'audio/midi',
 	'midi' => 'audio/midi',
 	'mp3' => 'audio/mpeg',
 	'mp4' => 'video/mp4',
 	'mpeg' => 'video/mpeg',
 	'mpkg' => 'application/vnd.apple.installer+xml',
 	'odp' => 'application/vnd.oasis.opendocument.presentation',
 	'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
 	'odt' => 'application/vnd.oasis.opendocument.text',
 	'oga' => 'audio/ogg',
 	'ogv' => 'video/ogg',
 	'ogx' => 'application/ogg',
 	'opus' => 'audio/opus',
 	'otf' => 'font/otf',
 	'png' => 'image/png',
 	'pdf' => 'application/pdf',
 	'ppt' => 'application/vnd.ms-powerpoint',
 	'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
 	'rar' => 'application/vnd.rar',
 	'rtf' => 'application/rtf',
 	'sh' => 'application/x-sh',
 	'swf' => 'application/x-shockwave-flash',
 	'tar' => 'application/x-tar',
 	'tif' => 'image/tiff',
 	'tiff' => 'image/tiff',
 	'ts' => 'video/mp2t',
 	'ttf' => 'font/ttf',
 	'txt' => 'text/plain',
 	'vsd' => 'application/vnd.visio',
 	'wav' => 'audio/wav',
 	'weba' => 'audio/webm',
 	'webm' => 'video/webm',
 	'webp' => 'image/webp',
 	'woff' => 'font/woff',
 	'woff2' => 'font/woff2',
 	'xhtml' => 'application/xhtml+xml',
 	'xls' => 'application/vnd.ms-excel',
 	'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
 	'xml' => 'text/xml',
 	'xul' => 'application/vnd.mozilla.xul+xml',
 	'zip' => 'application/zip',
 	'3gp' => 'video/3gpp',
 	'3g2' => 'video/3gpp2',
 	'7z' => 'application/x-7z-compressed',
         ),
         true
     )) {
         throw new RuntimeException('Invalid file format.');
     }
 
     // Check if the uploaded file contains PHP or JavaScript code tags
     $upFileContent = file_get_contents($_FILES['uploadedFile']['tmp_name']);
     if ((strpos($upFileContent, "<?php") !== false) || (strpos($upFileContent, "<script") !== false)) { throw new RuntimeException('Invalid file type.'); }
 
     // Create the directories if they don't exist
     if (!is_dir('textchat')) {
         mkdir('textchat', 0700);
     }
 
     if (!is_dir('textchat/' . $sipUser)) {
         mkdir('textchat/' . $sipUser, 0700);
     }
 
     if (!is_dir('textchat/' . $sipUser . '/uploads')) {
         mkdir('textchat/' . $sipUser . '/uploads', 0700);
     }
 
     // Check if the name of the uploaded file is valid
     $nameWithoutExt = pathinfo($_FILES["uploadedFile"]["name"], PATHINFO_FILENAME);
     if (preg_match('/^[a-zA-Z0-9\-\_\.]+$/', $nameWithoutExt)) {
 
         // Check if a file with the same name already exists in the 'uploads' directory of that respective user
         if (!file_exists('textchat/' . $sipUser . '/uploads/' . basename($_FILES["uploadedFile"]["name"]))) {
 
             $upload_dir = 'textchat/' . $sipUser . '/uploads/';
             $targetfile = $upload_dir . basename($_FILES["uploadedFile"]["name"]);
 
             // Scan the uploaded file with ClamAV if ClamAV is installed
             if (file_exists('/usr/bin/clamdscan')) {
 
                 $clamdisrunning = exec("systemctl show -p ActiveState --value clamav-daemon");
 
                 if ($clamdisrunning == 'active') {
 
 		    $safePath = escapeshellarg($_FILES["uploadedFile"]['tmp_name']);
                     $runclamdscan = 'clamdscan --fdpass --quiet ' . $safePath . '';
 		    $resout = '';
 		    $rescheck = 1;
 		    exec($runclamdscan, $resout, $rescheck);
 
 		    if ($rescheck == 0) {
 
                         if (move_uploaded_file($_FILES["uploadedFile"]["tmp_name"], $targetfile)) {
                             chmod($targetfile, 0600);
                         } else {
                             throw new RuntimeException('There was an error while uploading the file.');
                         }
 
                     } else { unlink($safePath); throw new RuntimeException('The file contains a virus or other type of malware.'); }
 
                 } else { throw new RuntimeException("The ClavAV antivirus is installed but clamav-daemon is not active and the uploaded file couldn't be scanned! Please check the status of clamav-daemon!"); }
 
             } else {
 
                     if (move_uploaded_file($_FILES["uploadedFile"]["tmp_name"], $targetfile)) {
                         chmod($targetfile, 0600);
                     } else { throw new RuntimeException('There was an error while uploading the file.'); }
             }
 
         } else { throw new RuntimeException('A file with the same name, ' . basename($_FILES["uploadedFile"]["name"]) . ', has been already sent. Please send a different file or rename your file before sending it.'); }
 
     } else { throw new RuntimeException('The name of the uploaded file is not valid.'); }
 
   } catch (RuntimeException $e) {
 
         $resmessage = $e->getMessage();
   }
 
   $respdata = ['error' => $resmessage];
 
   echo json_encode($respdata);
 
 } else {
        header("Location: roundpin-login.php");
 }
 
 ?>