sakisafe/http/upload.cgi

#!/usr/bin/perl
# This file is part of lainsafe.

# lainsafe is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# lainsafe is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with lainsafe.  If not, see <https://www.gnu.org/licenses/>.

use CGI;
use CGI::Carp qw(fatalsToBrowser);
my $q = CGI->new;

my $filename = $q->param('file');
# TODO: fix 502

my $upload_dir = "files/";
print $q->header();
$size    = $ENV{CONTENT_LENGTH};

# Configuration

our $MAX_SIZE = 1024*1024*10; # Change for your size
our $MAX_SIZE_MB = $MAX_SIZE / 1024 / 1024; # Don't change this
our @not_allowed_extensions = qw(sh out exe);

if($filename eq "")
{
    print("What are you looking for?");
    exit;
}

if($size > $MAX_SIZE)
{
    print("Max size for a file is $MAX_SIZE_MB MBs");
    exit;
}

my $extension = $filename;
$extension =~ s/.*\.//; # tar.gz sucks with this

# Generate random string
my @chars = ("A".."Z", "a".."z");
my $string;
$string .= $chars[rand @chars] for 1..8;

my $upload_filehandle = $q->upload("file");

$filename = $string . "." . $extension;
my $allowed_extension = 1;

foreach(@not_allowed_extensions)
{
    if($filename =~ /\.$_$/i)
    {
        $allowed_extension = 0;
        last;
    }

}

if($allowed_extension)
{

    open(FILE,">$upload_dir/$filename");
    binmode(FILE);

    while(<$upload_filehandle>)
    {
        print FILE;
    }

    close FILE;

    print $ENV{HTTP_REFERER} . "$upload_dir$filename";
}

else
{
    print "The file extension .$extension is not allowed in this instance.";
}