72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') { |
72 if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') { |
73 $upload_file_size = $_SERVER['CONTENT_LENGTH']; |
73 $upload_file_size = $_SERVER['CONTENT_LENGTH']; |
74 $upload_token = $_GET['v']; |
74 $upload_token = $_GET['v']; |
75 |
75 |
76 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET); |
76 $calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET); |
77 if($upload_token !== $calculated_token) { |
77 if(function_exists('hash_equals')) { |
78 header('HTTP/1.0 403 Forbidden'); |
78 if(hash_equals($calculated_token, $upload_token) !== TRUE) { |
79 exit; |
79 error_log("Token mismatch: calculated $calculated_token got $upload_token"); |
|
80 header('HTTP/1.0 403 Forbidden'); |
|
81 exit; |
|
82 } |
80 } |
83 } |
81 |
84 else { |
|
85 if($upload_token !== $calculated_token) { |
|
86 error_log("Token mismatch: calculated $calculated_token got $upload_token"); |
|
87 header('HTTP/1.0 403 Forbidden'); |
|
88 exit; |
|
89 } |
|
90 } |
82 /* Open a file for writing */ |
91 /* Open a file for writing */ |
83 $store_file = fopen($store_file_name, 'x'); |
92 $store_file = fopen($store_file_name, 'x'); |
84 |
93 |
85 if($store_file === FALSE) { |
94 if($store_file === FALSE) { |
86 header('HTTP/1.0 409 Conflict'); |
95 header('HTTP/1.0 409 Conflict'); |
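Review bot: Both new `error_log(...)` calls (new lines 79 and 86) write `$calculated_token` to the error log, and that value is the valid HMAC for the requested file name and size. Anyone who can read the log therefore gets a working upload token, and since `fopen(..., 'x')` only refuses files that already exist, a token logged after a failed attempt is presumably still usable. The same message also embeds `$upload_token` straight from `$_GET['v']`, so request-controlled bytes reach the log unescaped. Log the event without either value, for example `error_log('Upload token mismatch on PUT request');`. The fallback branch for PHP builds without `hash_equals` still compares with `!==`, which is not constant-time and deserves a comment saying so; the enclosing `if` opened at line 72 closes outside the visible lines.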