gitea-admin
/
DevWEB
0
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Actualiser upload.php

This commit is contained in:
gitea-admin 2026-01-08 21:06:13 +00:00
parent 1d9c33c851
commit c319b3b8aa
1 changed files with 45 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
upload.php
View File

@ -10,26 +10,62 @@ $stmt->execute([$ip]);
$last = $stmt->fetch(); $last = $stmt->fetch();
if ($last && strtotime($last['created_at']) > time() - 60) { if ($last && strtotime($last['created_at']) > time() - 60) {
die("Rate limit exceeded (1 post/minute)"); die("Attendez 1 minute avant de reposter!");
} }
$imageName = null; $imageName = null;
if (!empty($_FILES['image']['name'])) { if (!empty($_FILES['image']['name'])) {
if ($_FILES['image']['size'] > 2 * 1024 * 1024) {
die("Image too large"); if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die("Error de sauvegarde d'image");
} }
$ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION)); if ($_FILES['image']['size'] < 2 * 1024 * 1024) {
if (!in_array($ext, ['png', 'jpeg', 'jpg'])) { die("Erreur, Image trop petite.");
die("Invalid file type");
} }
$imageName = uniqid() . '.' . $ext; /* Verify MIME type using finfo */
move_uploaded_file($_FILES['image']['tmp_name'], "uploads/$imageName"); $finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($_FILES['image']['tmp_name']);
$allowedMimes = [
'image/png' => 'png',
'image/jpeg' => 'jpg'
];
if (!array_key_exists($mime, $allowedMimes)) {
die("Type d'image invalid");
}
/* Verify image structure */
$imageInfo = getimagesize($_FILES['image']['tmp_name']);
if ($imageInfo === false) {
die("Le fichier n'est pas une image valide");
}
/* Re-encode image to destroy polyglots */
$ext = $allowedMimes[$mime];
$imageName = bin2hex(random_bytes(16)) . '.' . $ext;
$uploadPath = __DIR__ . "/uploads/" . $imageName;
if ($mime === 'image/png') {
$img = imagecreatefrompng($_FILES['image']['tmp_name']);
imagepng($img, $uploadPath);
} else {
$img = imagecreatefromjpeg($_FILES['image']['tmp_name']);
imagejpeg($img, $uploadPath, 90);
}
imagedestroy($img);
} }
/* Store comment */
$stmt = $pdo->prepare("INSERT INTO posts (message, image, ip) VALUES (?, ?, ?)"); $stmt = $pdo->prepare("INSERT INTO posts (message, image, ip) VALUES (?, ?, ?)");
$stmt->execute([$_POST['message'], $imageName, $ip]); $stmt->execute([
htmlspecialchars($_POST['message'], ENT_QUOTES, 'UTF-8'),
$imageName,
$ip
]);
header("Location: index.php"); header("Location: index.php");