upload.php
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Repository upload endpoint.
* External apps use this endpoint to publish SCORM zip files into the repository.
* It only accepts files if the Authorization header is set to the expected value,
* so the web server must be configured to pass the Authorization header through to PHP,
* e.g. nginx: fastcgi_param HTTP_AUTHORIZATION $http_authorization;
*      apache: SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
*
* @package repository_coursesuite
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
// CORS: the endpoint is deliberately open to every origin. No Access-Control-Allow-Credentials
// header is sent, so access control rests on the Authorization value checked later in this script,
// not on the caller's origin.
array_map('header', array(
    'Access-Control-Allow-Origin: *',
    'Access-Control-Allow-Methods: PUT, POST, GET',
    'Access-Control-Allow-Headers: X-Requested-With, X-Filename, Authorization',
));

// Bootstrap Moodle. The CORS headers above are emitted first, before anything config.php may output.
require_once('../../config.php');
if (!defined('MOODLE_INTERNAL')) {
    die();
}

// Shared secret that callers must present; read from the 'coursesuite' plugin configuration.
$apikey = get_config('coursesuite', 'apikey');
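// Locate the credential sent by the client. Which $_SERVER key (if any) carries the Authorization
// header depends on the web server / SAPI configuration, so each known location is tried in turn.
$bearer = null;
if (isset($_SERVER['Authorization'])) {
    $bearer = trim($_SERVER['Authorization']);
} else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { // Nginx or fast CGI
    $bearer = trim($_SERVER['HTTP_AUTHORIZATION']);
} else if (isset($_SERVER['HTTP_BEARER'])) { // Apache
    $bearer = trim($_SERVER['HTTP_BEARER']);
} else if (function_exists('apache_request_headers')) {
    // Header names are case-insensitive, so fold them before looking up "authorization".
    $requestHeaders = apache_request_headers();
    if (is_array($requestHeaders)) {
        $requestHeaders = array_change_key_case($requestHeaders, CASE_LOWER);
        if (isset($requestHeaders['authorization'])) {
            $bearer = trim($requestHeaders['authorization']);
        }
    }
}

// Failure codes returned in the response body: -1 no credential, -2 malformed, -3 wrong key.
// NOTE(review): the HTTP status is left at its default for all three; clients must read the body.
if (empty($bearer)) {
    die("-1");
}

// Strip the scheme prefix. The standard "Bearer <token>" form is accepted alongside the
// "Bearer: <token>" form; only a prefix at the start of the value is removed.
$bearer = (string) preg_replace('/^Bearer:?\s+/i', '', $bearer);

// The key must be exactly 32 lower-case hex characters. The D modifier makes "$" match only at the
// very end of the string; without it a trailing newline would also pass.
if (!preg_match('/^[a-f0-9]{32}$/D', $bearer)) {
    die("-2");
}

// Compare in constant time: hash_equals() does not stop at the first differing byte, so response
// timing does not reveal how much of a guessed key was correct. The format check above admits only
// lower-case hex, so lower-casing the stored key keeps its letter case irrelevant. An unset key
// (false) becomes '' and can never match.
if (!hash_equals(strtolower((string) $apikey), $bearer)) {
    die("-3");
}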
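// Save the incoming file into the repository folder.
// NOTE(review): any file name and extension is accepted although this endpoint is documented as
// receiving SCORM zip packages; consider an extension allow-list if nothing else is ever published.
// Do not log $_SERVER or the key values from this script: they contain the shared secret.
$dest = $CFG->dataroot . '/repository/coursesuite/';
$method = $_SERVER['REQUEST_METHOD'];

// Reduce a client-supplied name to a bare file name. Returns false when nothing usable is left:
// a non-string (multi-file form field), an empty name, "." / ".." (which would address the folder
// itself or its parent), or a name containing control characters.
$safename = function ($name) {
    if (!is_string($name)) {
        return false;
    }
    $name = basename($name); // don't accept paths
    if ($name === '' || $name === '.' || $name === '..' || preg_match('/[\x00-\x1f]/', $name)) {
        return false;
    }
    return $name;
};

// Additional failure codes in the response body: -4 unusable file name, -5 the file could not be stored.
if ($method == 'POST') { // direct from app
    foreach ($_FILES as $file) {
        $filename = $safename(isset($file['name']) ? $file['name'] : null);
        if ($filename === false || !isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
            continue; // empty field, failed transfer or multi-file field: nothing to store
        }
        // move_uploaded_file() refuses anything that is not a genuine HTTP upload and replaces an
        // existing destination itself, so the old copy is not deleted before the new one is in place.
        if (!move_uploaded_file($file['tmp_name'], $dest . $filename)) {
            die("-5");
        }
    }
} else if ($method == 'PUT') { // generally from curl proxy, e.g. publish.php
    $filename = $safename(isset($_SERVER['HTTP_X_FILENAME']) ? $_SERVER['HTTP_X_FILENAME'] : null);
    if ($filename === false) {
        die("-4");
    }
    $target = $dest . $filename;

    // Binary-safe streams; 'wb' truncates an existing file, which gives the overwrite behaviour.
    $in = fopen('php://input', 'rb');
    $out = ($in === false) ? false : fopen($target, 'wb');
    if ($in === false || $out === false) {
        if ($in !== false) {
            fclose($in);
        }
        die("-5");
    }

    $copied = stream_copy_to_stream($in, $out);
    fclose($in);
    $closed = fclose($out);
    if ($copied === false || !$closed) {
        // Do not leave a truncated package behind for consumers of the repository folder.
        unlink($target);
        die("-5");
    }
}
exit();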