new file mode 100644

@@ -0,0 +1,226 @@

+<?php

+/**

+ *  Copyright (C) 2022, 2024  Double Bastion LLC

+ *

+ *  This file is part of Roundpin, which is licensed under the

+ *  GNU Affero General Public License Version 3.0. The license terms

+ *  are detailed in the "LICENSE.txt" file located in the root directory.

+ */

+

+session_start();

+

+if (isset($_POST['sipusername']) && $_POST['sipusername'] != '' && isset($_POST['encextenpass']) && $_POST['encextenpass'] != '' && isset($_POST['vcextension']) && 

+    $_POST['vcextension'] != '') {

+

+  define('ACCESSCONST', TRUE);

+

+  require('db-connect.php');

+

+  $vconfExtension = $_POST['sipusername'];

+  $extenPassEnc = $_POST['encextenpass'];

+

+  $vcExtension = $_POST['vcextension'];

+  $resmessage = '';

+

+  // Check if the received external user extension, the corresponding encrypted password and the extension of the conference, match the data in the 'external_users' table

+  $query = $mysqli->prepare("SELECT id, exten_for_external, exten_for_ext_pass, conf_extension FROM external_users WHERE exten_for_external = ? AND exten_for_ext_pass = ? AND conf_extension = ?");

+  $query->bind_param("sss", $vconfExtension, $extenPassEnc, $vcExtension);

+  $query->execute();

+  $extqueryres = $query->get_result()->fetch_array();

+

+  if (!$extqueryres) {

+

+      http_response_code(400);

+      exit();

+

+  } else {

+

+	  try {

+

+	    // Check for undefined error, multiple files, $_FILES corruption

+	    if (!isset($_FILES['uploadedFileVC']['error']) || is_array($_FILES['uploadedFileVC']['error'])) {

+		throw new RuntimeException('Invalid parameters.');

+	    }

+

+	    // Check $_FILES['upfile']['error'] value

+	    switch ($_FILES['uploadedFileVC']['error']) {

+		case UPLOAD_ERR_OK:

+		     break;

+		case UPLOAD_ERR_NO_FILE:

+		     throw new RuntimeException('No file sent.');

+		case UPLOAD_ERR_INI_SIZE:

+		     throw new RuntimeException('The file size limit was exceeded! Please choose a file with a smaller size!');

+		case UPLOAD_ERR_FORM_SIZE:

+		     throw new RuntimeException('The file size limit was exceeded! Please choose a file with a smaller size!');

+		default:

+		     throw new RuntimeException('Unknown error.');

+	    }

+

+	    // Check file size (in bytes)

+	    if ($_FILES['uploadedFileVC']['size'] > 786432000) {

+		throw new RuntimeException('Uploaded file size exceeds the limit of 750 MB.');

+	    }

+

+	    // Check MIME Type

+	    $finfo = new finfo(FILEINFO_MIME_TYPE);

+	    if (false === $ext = array_search($finfo->file($_FILES['uploadedFileVC']['tmp_name']),

+		array(

+		'aac' => 'audio/aac',

+		'abw' => 'application/x-abiword',

+		'arc' => 'application/x-freearc',

+		'avi' => 'video/x-msvideo',

+		'azw' => 'application/vnd.amazon.ebook',

+		'bin' => 'application/octet-stream',

+                'bmp' => 'image/x-ms-bmp',

+		'bz' => 'application/x-bzip',

+		'bz2' => 'application/x-bzip2',

+		'cda' => 'application/x-cdf',

+		'csh' => 'application/x-csh',

+		'css' => 'text/css',

+		'csv' => 'text/csv',

+		'doc' => 'application/msword',

+		'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',

+		'eot' => 'application/vnd.ms-fontobject',

+		'epub' => 'application/epub+zip',

+		'gz' => 'application/gzip',

+		'gif' => 'image/gif',

+		'htm' => 'text/html',

+		'html' => 'text/html',

+		'ico' => 'image/vnd.microsoft.icon',

+		'ics' => 'text/calendar',

+		'jar' => 'application/java-archive',

+		'jpeg' => 'image/jpeg',

+		'jpg' => 'image/jpeg',

+		'json' => 'application/json',

+		'jsonld' => 'application/ld+json',

+		'mid' => 'audio/midi',

+		'midi' => 'audio/midi',

+		'mp3' => 'audio/mpeg',

+		'mp4' => 'video/mp4',

+		'mpeg' => 'video/mpeg',

+		'mpkg' => 'application/vnd.apple.installer+xml',

+		'odp' => 'application/vnd.oasis.opendocument.presentation',

+		'ods' => 'application/vnd.oasis.opendocument.spreadsheet',

+		'odt' => 'application/vnd.oasis.opendocument.text',

+		'oga' => 'audio/ogg',

+		'ogv' => 'video/ogg',

+		'ogx' => 'application/ogg',

+		'opus' => 'audio/opus',

+		'otf' => 'font/otf',

+		'png' => 'image/png',

+		'pdf' => 'application/pdf',

+		'ppt' => 'application/vnd.ms-powerpoint',

+		'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',

+		'rar' => 'application/vnd.rar',

+		'rtf' => 'application/rtf',

+		'sh' => 'application/x-sh',

+		'swf' => 'application/x-shockwave-flash',

+		'tar' => 'application/x-tar',

+		'tif' => 'image/tiff',

+		'tiff' => 'image/tiff',

+		'ts' => 'video/mp2t',

+		'ttf' => 'font/ttf',

+		'txt' => 'text/plain',

+		'vsd' => 'application/vnd.visio',

+		'wav' => 'audio/wav',

+		'weba' => 'audio/webm',

+		'webm' => 'video/webm',

+		'webp' => 'image/webp',

+		'woff' => 'font/woff',

+		'woff2' => 'font/woff2',

+		'xhtml' => 'application/xhtml+xml',

+		'xls' => 'application/vnd.ms-excel',

+		'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',

+		'xml' => 'text/xml',

+		'xul' => 'application/vnd.mozilla.xul+xml',

+		'zip' => 'application/zip',

+		'3gp' => 'video/3gpp',

+		'3g2' => 'video/3gpp2',

+		'7z' => 'application/x-7z-compressed',

+		),

+		true

+	    )) {

+		throw new RuntimeException('Invalid file format.');

+	    }

+

+	    // Check if the uploaded file contains PHP or JavaScript code tags

+	    $upFileContent = file_get_contents($_FILES['uploadedFileVC']['tmp_name']);

+	    if ((strpos($upFileContent, "<?php") !== false) || (strpos($upFileContent, "<script") !== false)) { throw new RuntimeException('Invalid file type.'); }

+

+	    // Create the directories if they don't exist

+	    if (!is_dir('../textchat/' . $vcExtension)) {

+		mkdir('../textchat/' . $vcExtension, 0700);

+	    }

+

+	    if (!is_dir('../textchat/' . $vcExtension . '/uploads')) {

+		mkdir('../textchat/' . $vcExtension . '/uploads', 0700);

+	    }

+

+	    // Check if the name of the uploaded file is valid

+	    $nameWithoutExt = pathinfo($_FILES["uploadedFileVC"]["name"], PATHINFO_FILENAME);

+

+	    if (preg_match('/^[a-zA-Z0-9\-\_\.]+$/', $nameWithoutExt)) {

+

+		// Check if the name of the uploaded file is larger than 50 bytes

+		if (strlen(basename($_FILES["uploadedFileVC"]["name"])) <= 50) {

+

+		    // Check if a file with the same name already exists in the 'uploads' directory of that respective user

+		    if (!file_exists('../textchat/' . $vcExtension . '/uploads/' . basename($_FILES["uploadedFileVC"]["name"]))) {

+

+		        $upload_dir = '../textchat/' . $vcExtension . '/uploads/';

+		        $targetfile = $upload_dir . basename($_FILES["uploadedFileVC"]["name"]);

+

+		        // Scan the uploaded file with ClamAV if ClamAV is installed

+		        if (file_exists('/usr/bin/clamdscan')) {

+

+		            $clamdisrunning = exec("systemctl show -p ActiveState --value clamav-daemon");

+

+		            if ($clamdisrunning == 'active') {

+

+				$safePath = escapeshellarg($_FILES["uploadedFileVC"]['tmp_name']);

+		                $runclamdscan = 'clamdscan --fdpass --quiet ' . $safePath . '';

+				$resout = '';

+				$rescheck = 1;

+				exec($runclamdscan, $resout, $rescheck);

+

+				if ($rescheck == 0) {

+

+		                    if (move_uploaded_file($_FILES["uploadedFileVC"]["tmp_name"], $targetfile)) {

+		                        chmod($targetfile, 0600);

+		                    } else {

+		                        throw new RuntimeException('There was an error while uploading the file.');

+		                    }

+

+		                } else { unlink($safePath); throw new RuntimeException('The file contains a virus or other type of malware.'); }

+

+		            } else { throw new RuntimeException("The ClavAV antivirus is installed but clamav-daemon is not active and the uploaded file couldn't be scanned! Please check the status of clamav-daemon!"); }

+

+		        } else {

+

+		                if (move_uploaded_file($_FILES["uploadedFileVC"]["tmp_name"], $targetfile)) {

+		                    chmod($targetfile, 0600);

+		                } else { throw new RuntimeException('There was an error while uploading the file.'); }

+		        }

+

+		    } else { throw new RuntimeException('A file with the same name, ' . basename($_FILES["uploadedFileVC"]["name"]) . ', has been already sent. Please send a different file or rename your file before sending it.'); }

+

+		} else { throw new RuntimeException('The name of the uploaded file is too long. File name length should not exceed 50 (Latin) characters. You can give a shorter name to your file and try again.'); }

+

+	    } else { throw new RuntimeException('The name of the uploaded file is not valid. File names should contain only alphanumeric characters, hyphens, underscores and dots.'); }

+

+	  } catch (RuntimeException $e) {

+

+		  $resmessage = $e->getMessage();

+	  }

+

+  }

+

+  $respdata = ['error' => $resmessage];

+

+  echo json_encode($respdata);

+

+} else {

+       header("Location: ../login.php");

+}

+

+?>