function __construct() {
	// Base controller constructor: runs for every request. Order matters here —
	// the CSRF decision below depends on is_cli_client() having been set first.
	parent::__construct();
	$this->var = new StdClass();
	// Default-deny: CSRF verification stays on unless one of the exemptions below applies.
	$csrf_protection = true;
	$this->load->library('customautoloader');

	// check if DB is up to date
	// The schema check is skipped only for `php index.php tools ...` so that the
	// migration script itself can run against an uninitialized/outdated database.
	if (!($this->input->is_cli_request() && $this->uri->segment(1) === "tools")) {
		if (!$this->db->table_exists('migrations')) {
			throw new \exceptions\PublicApiException("general/db/not-initialized", "Database not initialized. Can't find migrations table. Please run the migration script. (php index.php tools update_database)");
		} else {
			$this->config->load("migration", true);
			$target_version = $this->config->item("migration_version", "migration");
			// TODO: wait 20 seconds for an update so requests don't get lost for short updates?
			$row = $this->db->get('migrations')->row();
			// No row at all is treated as version 0.
			$current_version = $row ? $row->version : 0;
			// Loose comparison is presumably deliberate: the DB value may come back as a string.
			if ($current_version != $target_version) {
				throw new \exceptions\PublicApiException("general/db/wrong-version", "Database version is {$current_version}, we want {$target_version}. Please run the migration script. (php index.php tools update_database)");
			}
		}
	}

	// Extend PATH (append, not replace) so external binaries the app may shell
	// out to are found under restrictive web-server environments.
	$old_path = getenv("PATH");
	putenv("PATH={$old_path}:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin");

	mb_internal_encoding('UTF-8');

	$this->load->helper(array('form', 'filebin'));

	// Everything under /api is treated as a CLI client (is_cli_client(true) looks
	// like a setter for a request-wide flag). Note that this alone disables CSRF
	// verification below, so /api handlers must authenticate per request
	// (apikey) rather than trust a session cookie — see muser::require_access().
	if ($this->uri->segment(1) == "api") {
		is_cli_client(true);
	}

	// CI's post() returns false only when the field is absent; an empty "apikey"
	// field therefore still counts as a supplied key (see the comment below).
	if ($this->input->post("apikey") !== false || is_cli_client()) {
		/* This relies on the authentication code always verifying the supplied
		 * apikey. If the key is not verified/logged in an attacker could simply
		 * add an empty "apikey" field to the CSRF form to circumvent the
		 * protection. If we always log in if a key is supplied we can ensure
		 * that an attacker (and the victim since they get a cookie) can only
		 * access the attacker's account.
		 */
		$csrf_protection = false;
	}

	// Handler exemptions, keyed "controller/method" (routed segments).
	//  - "always": reachable cross-site without a token for any client
	//    (uploads/pastes are accepted from forms that cannot carry our token).
	//  - "cli_client": additionally exempt when the request is a CLI client.
	// Any handler listed here must not rely on the session alone for authorization.
	$uri_start = $this->uri->rsegment(1) . "/" . $this->uri->rsegment(2);
	$csrf_whitelisted_handlers = array(
		"always" => array("file/do_upload", "file/do_paste"),
		"cli_client" => array("file/do_delete", "file/delete", "file/do_multipaste", "file/upload_history", "user/create_apikey", "file/get_max_size")
	);
	if (in_array($uri_start, $csrf_whitelisted_handlers["always"])) {
		$csrf_protection = false;
	}
	if (is_cli_client() && in_array($uri_start, $csrf_whitelisted_handlers["cli_client"])) {
		$csrf_protection = false;
	}

	// CSRF is enabled late (not in config) so the exemptions above can be applied
	// first. Re-running CI_Security's constructor makes it pick up the setting
	// just turned on; csrf_verify() is then expected to reject a bad/missing token.
	// Real CLI invocations carry no cookies/tokens and are never verified.
	if ($csrf_protection && !$this->input->is_cli_request()) {
		// 2 functions for accessing config options, really?
		$this->config->set_item('csrf_protection', true);
		config_item("csrf_protection", true);
		$this->security->__construct();
		$this->security->csrf_verify();
	}

	// Profiler output is development-only; it must never be enabled in production
	// since it dumps request data to the response.
	if ($this->config->item("environment") == "development") {
		$this->output->enable_profiler(true);
	}

	$this->data['title'] = "FileBin";
	$this->load->model("muser");
	// Only a session check here; per-request (apikey/CLI) login happens in require_access().
	$this->data["user_logged_in"] = $this->muser->logged_in();
}
/**
 * Create a new API key for the authenticated user.
 *
 * Requires the default ("full") access level from require_access(), so a
 * request that is itself authenticated with an API key presumably cannot
 * mint further keys — confirm against muser::check_access_level().
 *
 * POST fields:
 *  - comment       free-text label for the key (missing => "")
 *  - access_level  level stored with the key (missing => "apikey"); validation
 *                  of the value is expected to happen in service\user::create_apikey — confirm.
 *
 * CLI clients get the key printed on stdout; browsers are redirected to the
 * key overview instead of ever seeing it in a page body.
 */
function create_apikey() {
	$this->muser->require_access();
	$userid = $this->muser->get_userid();

	// CI's post() yields false for a missing field.
	$comment = $this->input->post("comment");
	if ($comment === false) {
		$comment = "";
	}

	$access_level = $this->input->post("access_level");
	if ($access_level === false) {
		$access_level = "apikey";
	}

	$key = \service\user::create_apikey($userid, $comment, $access_level);

	if (!is_cli_client()) {
		redirect("user/apikeys");
	} else {
		echo "{$key}\n";
	}
}
/**
 * Delete an upload or multipaste by ID (URI segment 3), CLI clients only.
 *
 * Authentication: require_access("apikey"), i.e. an API key is sufficient.
 * Because this handler is reachable without a CSRF token for CLI clients
 * (see MY_Controller), it refuses non-CLI clients outright and checks
 * ownership against the authenticated user before removing anything.
 *
 * Output is plain text for the CLI. The NotFoundException message embeds the
 * raw $id from the URI; whatever renders that message for browsers is
 * responsible for escaping it — confirm in the error/exception handler.
 *
 * @throws \exceptions\InsufficientPermissionsException for non-CLI clients
 * @throws \exceptions\NotFoundException when no model knows the ID
 */
function delete() {
	$this->muser->require_access("apikey");

	if (!is_cli_client()) {
		throw new \exceptions\InsufficientPermissionsException("file/delete/unlisted-client", "Not a listed cli client, please use the history to delete uploads");
	}

	$id = $this->uri->segment(3);
	$this->data["id"] = $id;
	$userid = $this->muser->get_userid();

	// First model that knows the ID handles it; files are checked before multipastes.
	$models = array($this->mfile, $this->mmultipaste);
	foreach ($models as $model) {
		if (!$model->id_exists($id)) {
			continue;
		}

		// Strict comparison: owner and user id must match in type as well as value.
		if ($model->get_owner($id) !== $userid) {
			echo "You don't own this file\n";
		} elseif ($model->delete_id($id)) {
			echo "{$id} has been deleted.\n";
		} else {
			echo "Deletion failed. Unknown error\n";
		}
		return;
	}

	throw new \exceptions\NotFoundException("file/delete/unknown-id", "Unknown ID '{$id}'.", array("id" => $id));
}
<?php
// Footer partial. CLI clients receive plain-text responses, so the HTML
// footer is skipped for them unless the view explicitly requested full HTML
// via $force_full_html.
if (is_cli_client() && !isset($force_full_html)) {
	return;
}
?>
		</div><!-- .container -->
		<div id="push"></div>
	</div> <!-- #wrap -->
	<footer class="footer" id="footer">
		<div class="container muted credits">
			<p>Site code licensed under <a href="http://www.gnu.org/licenses/agpl-3.0.html" target="_blank">AGPL v3</a>.</p>
			<p><a href="http://glyphicons.com">Glyphicons Free</a> licensed under <a href="http://creativecommons.org/licenses/by/3.0/">CC BY 3.0</a>.</p>
			<ul class="footer-links">
				<li><a href="http://git.server-speed.net/users/flo/filebin/">Source</a></li>
				<li class="muted">·</li>
				<?php // NOTE(review): the href below carries a trailing space inside the attribute value; looks like a stray character — confirm against the original template. ?>
				<li><a href="<?php echo site_url("file/contact"); ?> ">Contact</a></li>
			</ul>
		</div>
	</footer>
<?php
// The e-mail debugger dumps headers and bodies of mail sent during the
// request, so it is only emitted in the development environment, and only
// when an email library instance was actually attached to the controller.
$CI =& get_instance();
$is_development = ($CI->config->item("environment") == "development");
if ($is_development && property_exists($CI, "email")) {
	echo $CI->email->print_debugger();
}
?>
</body>
<?php
// Generic error template. The block started here continues beyond this
// fragment (the enclosing if is closed later in the template).
// $GLOBALS["is_error_page"] guards against re-entering this template if
// rendering it raises a further error.
// fancy error page only works if we can load helpers
if (class_exists("CI_Controller") && !isset($GLOBALS["is_error_page"])) {
	if (!isset($title)) {
		$title = "Error";
	}
	$GLOBALS["is_error_page"] = true;
	$CI =& get_instance();
	$CI->load->helper("filebin");
	$CI->load->helper("url");
	// Real CLI invocations are always treated as CLI clients.
	if ($CI->input->is_cli_request()) {
		is_cli_client(true);
	}
	// CLI clients get a plain-text rendering. $message is HTML (tags are
	// stripped here), so paragraph ends are turned into newlines first.
	if (is_cli_client()) {
		$message = str_replace("</p>", "</p>\n", $message);
		$message = strip_tags($message);
		echo "{$heading}: {$message}\n";
		exit;
	}
	include APPPATH . 'views/header.php';
	// NOTE(review): $heading and $message are emitted as raw HTML below. Any
	// caller that builds them from request data (e.g. an exception message that
	// embeds a user-supplied ID) must escape that data before it reaches this
	// template — confirm in the exception/error handler.
?>
<div class="error">
	<h1><?php echo $heading; ?></h1>
	<?php echo $message; ?>
</div>
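/**
 * Whether the current request is a stateful (session/cookie-backed) browser
 * client, as opposed to an API-key or CLI client that authenticates per request.
 *
 * A posted "apikey" field is honoured whenever it is present — even when empty
 * or "0" — to match the `!== false` checks in MY_Controller::__construct (which
 * disables CSRF verification on exactly that condition) and
 * muser::require_access (which always attempts apilogin() on it). The previous
 * truthiness check treated an empty key as "no key", so such a request had CSRF
 * verification skipped while still being classified as stateful here.
 *
 * @return bool true for a plain browser request, false for apikey/CLI requests
 */
function stateful_client() {
	$CI =& get_instance();
	// CI's post() returns false only when the field is absent.
	if ($CI->input->post("apikey") !== false) {
		return false;
	}
	if (is_cli_client()) {
		return false;
	}
	return true;
}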
/**
 * Ensure the request is authenticated, then enforce the wanted access level.
 *
 * Authentication sources, tried in order:
 *  - a posted "apikey" field: apilogin() is attempted whenever the field is
 *    present, even if empty — MY_Controller's CSRF logic relies on a supplied
 *    key always being verified rather than silently ignored;
 *  - a CLI client login when is_cli_client() is set.
 *
 * @param string $wanted_level required level, defaults to "full"
 * @return mixed the result of check_access_level($wanted_level)
 * @throws \exceptions\NotAuthenticatedException when no login succeeded
 */
function require_access($wanted_level = "full") {
	$apikey = $this->input->post("apikey");
	if ($apikey !== false) {
		$this->apilogin($apikey);
	}

	if (is_cli_client()) {
		$this->login_cli_client();
	}

	if (!$this->logged_in()) {
		throw new \exceptions\NotAuthenticatedException("api/not-authenticated", "Not authenticated. FileBin requires you to have an account, please go to the homepage for more information.");
	}

	return $this->check_access_level($wanted_level);
}