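 /**
  * Shared controller bootstrap.
  *
  * Runs the checks every request goes through before a controller action:
  *  - refuses to serve while the database schema is missing or not at the
  *    version the migration config expects (the CLI "tools" controller is
  *    exempt, since it is what performs the update),
  *  - extends PATH so helpers can locate external binaries,
  *  - decides whether CSRF verification applies to this request and runs it,
  *  - loads the user model and records the login state for the views.
  *
  * @throws \exceptions\PublicApiException if the migrations table is absent or
  *         its version differs from config item "migration_version".
  */
 function __construct()
 {
     parent::__construct();
     $this->var = new StdClass();
     $csrf_protection = true;
     $this->load->library('customautoloader');

     // Schema check. Skipped only for "php index.php tools ..." so the
     // migration script itself can run against an outdated database.
     if (!($this->input->is_cli_request() && $this->uri->segment(1) === "tools")) {
         if (!$this->db->table_exists('migrations')) {
             throw new \exceptions\PublicApiException("general/db/not-initialized", "Database not initialized. Can't find migrations table. Please run the migration script. (php index.php tools update_database)");
         } else {
             $this->config->load("migration", true);
             $target_version = $this->config->item("migration_version", "migration");
             // TODO: wait 20 seconds for an update so requests don't get lost for short updates?
             $row = $this->db->get('migrations')->row();
             $current_version = $row ? $row->version : 0;
             // Cast both sides: the DB driver may hand the version back as a
             // string while the config value is an integer.
             if ((int) $current_version !== (int) $target_version) {
                 throw new \exceptions\PublicApiException("general/db/wrong-version", "Database version is {$current_version}, we want {$target_version}. Please run the migration script. (php index.php tools update_database)");
             }
         }
     }

     $old_path = getenv("PATH");
     putenv("PATH={$old_path}:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin");
     mb_internal_encoding('UTF-8');
     $this->load->helper(array('form', 'filebin'));

     // Everything under /api/ is treated as a CLI client.
     if ($this->uri->segment(1) === "api") {
         is_cli_client(true);
     }

     // NOTE(review): CodeIgniter's post() reports a missing field as false in
     // older releases and as null in newer ones -- confirm which one this
     // install runs. Both are treated as "no apikey field" here; a bare
     // `!== false` check would disable CSRF protection for every request on a
     // framework that returns null.
     $apikey = $this->input->post("apikey");
     if (($apikey !== false && $apikey !== null) || is_cli_client()) {
         /* This relies on the authentication code always verifying the supplied
          * apikey. If the key is not verified/logged in an attacker could simply
          * add an empty "apikey" field to the CSRF form to circumvent the
          * protection. If we always log in if a key is supplied we can ensure
          * that an attacker (and the victim since they get a cookie) can only
          * access the attacker's account.
          */
         $csrf_protection = false;
     }

     // Handlers exempt from CSRF verification: "always" for every client,
     // "cli_client" only when the request has been marked as a CLI client.
     $uri_start = $this->uri->rsegment(1) . "/" . $this->uri->rsegment(2);
     $csrf_whitelisted_handlers = array(
         "always" => array("file/do_upload", "file/do_paste"),
         "cli_client" => array("file/do_delete", "file/delete", "file/do_multipaste", "file/upload_history", "user/create_apikey", "file/get_max_size"),
     );
     // NOTE(review): the "always" exemption means a cross-site page can make a
     // logged-in browser upload or paste under the victim's account; confirm
     // that this is intended.
     if (in_array($uri_start, $csrf_whitelisted_handlers["always"], true)) {
         $csrf_protection = false;
     }
     if (is_cli_client() && in_array($uri_start, $csrf_whitelisted_handlers["cli_client"], true)) {
         $csrf_protection = false;
     }

     if ($csrf_protection && !$this->input->is_cli_request()) {
         // 2 functions for accessing config options, really?
         // csrf_protection is enabled at runtime; the security library is
         // re-constructed so it presumably picks the setting up before verifying.
         $this->config->set_item('csrf_protection', true);
         config_item("csrf_protection", true);
         $this->security->__construct();
         $this->security->csrf_verify();
     }

     if ($this->config->item("environment") === "development") {
         $this->output->enable_profiler(true);
     }
     $this->data['title'] = "FileBin";
     $this->load->model("muser");
     $this->data["user_logged_in"] = $this->muser->logged_in();
 }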
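 /**
  * Create a new API key for the logged-in user.
  *
  * Optional POST fields: "comment" (free-text label, default "") and
  * "access_level" (default "apikey"). The key is created through
  * \service\user::create_apikey(); CLI clients get the raw key on stdout,
  * browser clients are redirected to the key list.
  *
  * Calls require_access() with its default level first, which throws when
  * the request is not authenticated or lacks that level.
  */
 function create_apikey()
 {
     $this->muser->require_access();
     $userid = $this->muser->get_userid();

     // A missing POST field comes back as false (older CodeIgniter) or null
     // (newer); treat both as "not supplied" so the defaults always apply.
     $comment = $this->input->post("comment");
     if ($comment === false || $comment === null) {
         $comment = "";
     }
     $access_level = $this->input->post("access_level");
     if ($access_level === false || $access_level === null) {
         $access_level = "apikey";
     }

     // NOTE(review): access_level is user-controlled and passed through as-is;
     // this assumes the service rejects levels the caller may not grant.
     $key = \service\user::create_apikey($userid, $comment, $access_level);
     if (is_cli_client()) {
         echo "{$key}\n";
     } else {
         redirect("user/apikeys");
     }
 }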
 /**
  * Delete an upload or multipaste by ID (CLI clients only).
  *
  * The ID is the third URI segment. The file and multipaste models are
  * consulted in turn; the first one that knows the ID handles the request,
  * and only its owner may delete it. Outcomes are reported as plain text.
  *
  * @throws \exceptions\InsufficientPermissionsException if the caller is not a listed CLI client
  * @throws \exceptions\NotFoundException if no model knows the ID
  */
 function delete()
 {
     $this->muser->require_access("apikey");
     if (!is_cli_client()) {
         throw new \exceptions\InsufficientPermissionsException("file/delete/unlisted-client", "Not a listed cli client, please use the history to delete uploads");
     }

     $id = $this->uri->segment(3);
     $this->data["id"] = $id;
     $userid = $this->muser->get_userid();

     $stores = array($this->mfile, $this->mmultipaste);
     foreach ($stores as $store) {
         if (!$store->id_exists($id)) {
             continue;
         }
         // Ownership is checked (strictly) before anything is removed.
         if ($store->get_owner($id) !== $userid) {
             echo "You don't own this file\n";
             return;
         }
         $removed = $store->delete_id($id);
         echo $removed ? "{$id} has been deleted.\n" : "Deletion failed. Unknown error\n";
         return;
     }

     throw new \exceptions\NotFoundException("file/delete/unknown-id", "Unknown ID '{$id}'.", array("id" => $id));
 }
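<?php
/*
 * Page footer view.
 *
 * Emitted for browser clients only: CLI clients get nothing unless the
 * controller set $force_full_html. In the development environment the
 * email library's debugger output is appended when that library is loaded.
 *
 * The external link opened in a new tab carries rel="noopener noreferrer"
 * so the target page cannot reach this window via window.opener.
 */
if (is_cli_client() && !isset($force_full_html)) {
    return;
}
?>
	</div><!-- .container -->
<div id="push"></div>
</div> <!-- #wrap -->
<footer class="footer" id="footer">
	<div class="container muted credits">
			<p>Site code licensed under <a href="http://www.gnu.org/licenses/agpl-3.0.html" target="_blank" rel="noopener noreferrer">AGPL v3</a>.</p>
			<p><a href="http://glyphicons.com">Glyphicons Free</a> licensed under <a href="http://creativecommons.org/licenses/by/3.0/">CC BY 3.0</a>.</p>
			<ul class="footer-links">
				<li><a href="http://git.server-speed.net/users/flo/filebin/">Source</a></li>
				<li class="muted">&middot;</li>
				<li><a href="<?php 
echo site_url("file/contact");
?>
">Contact</a></li>
			</ul>
	</div>
</footer>

<?php 
// Email debug output is only ever shown in development, and only if the
// email library has actually been loaded on this request.
$CI =& get_instance();
if ($CI->config->item("environment") === "development" && property_exists($CI, "email")) {
    echo $CI->email->print_debugger();
}
?>
</body>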
<?php

// fancy error page only works if we can load helpers
if (class_exists("CI_Controller") && !isset($GLOBALS["is_error_page"])) {
    if (!isset($title)) {
        $title = "Error";
    }
    $GLOBALS["is_error_page"] = true;
    $CI =& get_instance();
    $CI->load->helper("filebin");
    $CI->load->helper("url");
    if ($CI->input->is_cli_request()) {
        is_cli_client(true);
    }
    if (is_cli_client()) {
        $message = str_replace("</p>", "</p>\n", $message);
        $message = strip_tags($message);
        echo "{$heading}: {$message}\n";
        exit;
    }
    include APPPATH . 'views/header.php';
    ?>
		<div class="error">
			<h1><?php 
    echo $heading;
    ?>
</h1>
			<?php 
    echo $message;
    ?>
		</div>
/**
 * Tell whether the current request comes from a stateful (session-based)
 * client rather than one that authenticates per request.
 *
 * A request is stateless when it carries a non-empty "apikey" POST field or
 * when it has been marked as a CLI client via is_cli_client(); everything
 * else counts as stateful.
 *
 * NOTE(review): this is a truthiness test, so an empty "apikey" field does
 * not count as supplied here, while the controller's CSRF logic and
 * require_access() use a strict presence check on the same field.
 *
 * @return bool true for a stateful client
 */
function stateful_client()
{
    $ci =& get_instance();
    $apikey_supplied = (bool) $ci->input->post("apikey");
    // Short-circuits before is_cli_client() when a key was supplied, as the
    // original two-step check did.
    return !$apikey_supplied && !is_cli_client();
}
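 /**
  * Ensure the request is authenticated with at least $wanted_level.
  *
  * A supplied "apikey" POST field is always handed to apilogin() -- the
  * controller's CSRF logic relies on a supplied key never being ignored in
  * favour of an existing session -- then CLI clients go through
  * login_cli_client(). If that leaves the user logged in, the level check is
  * delegated to check_access_level().
  *
  * @param string $wanted_level access level required, default "full"
  * @return mixed whatever check_access_level() returns
  * @throws \exceptions\NotAuthenticatedException if no login succeeded
  */
 function require_access($wanted_level = "full")
 {
     // NOTE(review): CodeIgniter's post() reports a missing field as false in
     // older releases and as null in newer ones -- confirm which applies.
     // Only a present field (even an empty one) reaches apilogin(), which must
     // reject invalid keys rather than fall through to a session login.
     $apikey = $this->input->post("apikey");
     if ($apikey !== false && $apikey !== null) {
         $this->apilogin($apikey);
     }
     if (is_cli_client()) {
         $this->login_cli_client();
     }
     if ($this->logged_in()) {
         return $this->check_access_level($wanted_level);
     }
     throw new \exceptions\NotAuthenticatedException("api/not-authenticated", "Not authenticated. FileBin requires you to have an account, please go to the homepage for more information.");
 }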