new file mode 100644

@@ -0,0 +1,202 @@

+<?php

+/**

+ *  Copyright (C) 2021  Double Bastion LLC

+ *

+ *  This file is part of Roundpin, which is licensed under the

+ *  GNU Affero General Public License Version 3.0. The license terms

+ *  are detailed in the "LICENSE.txt" file located in the root directory.

+ */

+

+session_start();

+

+if (isset($_POST['s_ajax_call']) && ($_POST['s_ajax_call'] == $_SESSION['validate_s_access']) && isset($_POST['sipUser']) && $_POST['sipUser'] != '') {

+

+  $sipUser = $_POST['sipUser'];

+

+  try {

+

+    $resmessage = '';

+

+    // Check for undefined error, multiple files, $_FILES corruption

+    if (!isset($_FILES['uploadedFile']['error']) || is_array($_FILES['uploadedFile']['error'])) {

+        throw new RuntimeException('Invalid parameters.');

+    }

+

+    // Check $_FILES['upfile']['error'] value

+    switch ($_FILES['uploadedFile']['error']) {

+        case UPLOAD_ERR_OK:

+             break;

+        case UPLOAD_ERR_NO_FILE:

+             throw new RuntimeException('No file sent.');

+        case UPLOAD_ERR_INI_SIZE:

+             throw new RuntimeException('The file size limit was exceeded! Please choose a file with a smaller size!');

+        case UPLOAD_ERR_FORM_SIZE:

+             throw new RuntimeException('The file size limit was exceeded! Please choose a file with a smaller size!');

+        default:

+             throw new RuntimeException('Unknown error.');

+    }

+

+    // Check file size (in bytes)

+    if ($_FILES['uploadedFile']['size'] > 786432000) {

+        throw new RuntimeException('Uploaded file size exceeds the limit of 750 MB.');

+    }

+

+    // Check MIME Type

+    $finfo = new finfo(FILEINFO_MIME_TYPE);

+    if (false === $ext = array_search($finfo->file($_FILES['uploadedFile']['tmp_name']),

+        array(

+	'aac' => 'audio/aac',

+	'abw' => 'application/x-abiword',

+	'arc' => 'application/x-freearc',

+	'avi' => 'video/x-msvideo',

+	'azw' => 'application/vnd.amazon.ebook',

+	'bin' => 'application/octet-stream',

+	'bmp' => 'image/bmp',

+	'bz' => 'application/x-bzip',

+	'bz2' => 'application/x-bzip2',

+	'cda' => 'application/x-cdf',

+	'csh' => 'application/x-csh',

+	'css' => 'text/css',

+	'csv' => 'text/csv',

+	'doc' => 'application/msword',

+	'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',

+	'eot' => 'application/vnd.ms-fontobject',

+	'epub' => 'application/epub+zip',

+	'gz' => 'application/gzip',

+	'gif' => 'image/gif',

+	'htm' => 'text/html',

+	'html' => 'text/html',

+	'ico' => 'image/vnd.microsoft.icon',

+	'ics' => 'text/calendar',

+	'jar' => 'application/java-archive',

+	'jpeg' => 'image/jpeg',

+	'jpg' => 'image/jpeg',

+	'json' => 'application/json',

+	'jsonld' => 'application/ld+json',

+	'mid' => 'audio/midi',

+	'midi' => 'audio/midi',

+	'mp3' => 'audio/mpeg',

+	'mp4' => 'video/mp4',

+	'mpeg' => 'video/mpeg',

+	'mpkg' => 'application/vnd.apple.installer+xml',

+	'odp' => 'application/vnd.oasis.opendocument.presentation',

+	'ods' => 'application/vnd.oasis.opendocument.spreadsheet',

+	'odt' => 'application/vnd.oasis.opendocument.text',

+	'oga' => 'audio/ogg',

+	'ogv' => 'video/ogg',

+	'ogx' => 'application/ogg',

+	'opus' => 'audio/opus',

+	'otf' => 'font/otf',

+	'png' => 'image/png',

+	'pdf' => 'application/pdf',

+	'ppt' => 'application/vnd.ms-powerpoint',

+	'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',

+	'rar' => 'application/vnd.rar',

+	'rtf' => 'application/rtf',

+	'sh' => 'application/x-sh',

+	'swf' => 'application/x-shockwave-flash',

+	'tar' => 'application/x-tar',

+	'tif' => 'image/tiff',

+	'tiff' => 'image/tiff',

+	'ts' => 'video/mp2t',

+	'ttf' => 'font/ttf',

+	'txt' => 'text/plain',

+	'vsd' => 'application/vnd.visio',

+	'wav' => 'audio/wav',

+	'weba' => 'audio/webm',

+	'webm' => 'video/webm',

+	'webp' => 'image/webp',

+	'woff' => 'font/woff',

+	'woff2' => 'font/woff2',

+	'xhtml' => 'application/xhtml+xml',

+	'xls' => 'application/vnd.ms-excel',

+	'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',

+	'xml' => 'text/xml',

+	'xul' => 'application/vnd.mozilla.xul+xml',

+	'zip' => 'application/zip',

+	'3gp' => 'video/3gpp',

+	'3g2' => 'video/3gpp2',

+	'7z' => 'application/x-7z-compressed',

+        ),

+        true

+    )) {

+        throw new RuntimeException('Invalid file format.');

+    }

+

+    // Check if the uploaded file contains PHP or JavaScript code tags

+    $upFileContent = file_get_contents($_FILES['uploadedFile']['tmp_name']);

+    if ((strpos($upFileContent, "<?php") !== false) || (strpos($upFileContent, "<script") !== false)) { throw new RuntimeException('Invalid file type.'); }

+

+    // Create the directories if they don't exist

+    if (!is_dir('textchat')) {

+        mkdir('textchat', 0700);

+    }

+

+    if (!is_dir('textchat/' . $sipUser)) {

+        mkdir('textchat/' . $sipUser, 0700);

+    }

+

+    if (!is_dir('textchat/' . $sipUser . '/uploads')) {

+        mkdir('textchat/' . $sipUser . '/uploads', 0700);

+    }

+

+    // Check if the name of the uploaded file is valid

+    $nameWithoutExt = pathinfo($_FILES["uploadedFile"]["name"], PATHINFO_FILENAME);

+    if (preg_match('/^[a-zA-Z0-9\-\_\.]+$/', $nameWithoutExt)) {

+

+        // Check if a file with the same name already exists in the 'uploads' directory of that respective user

+        if (!file_exists('textchat/' . $sipUser . '/uploads/' . basename($_FILES["uploadedFile"]["name"]))) {

+

+            $upload_dir = 'textchat/' . $sipUser . '/uploads/';

+            $targetfile = $upload_dir . basename($_FILES["uploadedFile"]["name"]);

+

+            // Scan the uploaded file with ClamAV if ClamAV is installed

+            if (file_exists('/usr/bin/clamdscan')) {

+

+                $clamdisrunning = exec("systemctl show -p ActiveState --value clamav-daemon");

+

+                if ($clamdisrunning == 'active') {

+

+		    $safePath = escapeshellarg($_FILES["uploadedFile"]['tmp_name']);

+                    $runclamdscan = 'clamdscan --fdpass --quiet ' . $safePath . '';

+		    $resout = '';

+		    $rescheck = 1;

+		    exec($runclamdscan, $resout, $rescheck);

+

+		    if ($rescheck == 0) {

+

+                        if (move_uploaded_file($_FILES["uploadedFile"]["tmp_name"], $targetfile)) {

+                            chmod($targetfile, 0600);

+                        } else {

+                            throw new RuntimeException('There was an error while uploading the file.');

+                        }

+

+                    } else { unlink($safePath); throw new RuntimeException('The file contains a virus or other type of malware.'); }

+

+                } else { throw new RuntimeException("The ClavAV antivirus is installed but clamav-daemon is not active and the uploaded file couldn't be scanned! Please check the status of clamav-daemon!"); }

+

+            } else {

+

+                    if (move_uploaded_file($_FILES["uploadedFile"]["tmp_name"], $targetfile)) {

+                        chmod($targetfile, 0600);

+                    } else { throw new RuntimeException('There was an error while uploading the file.'); }

+            }

+

+        } else { throw new RuntimeException('A file with the same name, ' . basename($_FILES["uploadedFile"]["name"]) . ', has been already sent. Please send a different file or rename your file before sending it.'); }

+

+    } else { throw new RuntimeException('The name of the uploaded file is not valid.'); }

+

+  } catch (RuntimeException $e) {

+

+        $resmessage = $e->getMessage();

+  }

+

+  $respdata = ['error' => $resmessage];

+

+  echo json_encode($respdata);

+

+} else {

+       header("Location: roundpin-login.php");

+}

+

+?>