| -rwxr-xr-x | .gitignore | 2 | ||||
| -rw-r--r-- | www/functions/func_download.php | 12 | ||||
| -rw-r--r-- | www/functions/func_folder.php | 4 | ||||
| -rwxr-xr-x | www/functions/func_invite.php | 2 | ||||
| -rwxr-xr-x | www/functions/func_login.php | 5 | ||||
| -rwxr-xr-x | www/index.php | 20 |
6 files changed, 20 insertions, 25 deletions
@@ -6,6 +6,8 @@
 upl.php
 downl.php
 gitpull*
 pepper.txt
+func_mail.php
+generate_downlink.php
 tmp/
 files/
diff --git a/www/functions/func_download.php b/www/functions/func_download.php
index b62e13f..64c5d90 100644
--- a/www/functions/func_download.php
+++ b/www/functions/func_download.php
@@ -64,16 +64,18 @@ function check_file_hash($db, $file_id, $download_hash){
 return DOWNLOAD_FALSE_ID;
 }
- $check_hash_db = $db->query("SELECT folder, share, download_link FROM files WHERE id=" . SQLite3::escapeString($file_id).";");
+ $check_hash_db = $db->query("SELECT owner, folder, share, download_link FROM files WHERE id=" . SQLite3::escapeString($file_id).";");
 $check_hash_ar = $check_hash_db->fetchArray(SQLITE3_NUM);
- if($check_hash_ar[0] != "FILE"){
+ if($check_hash_ar[1] != "FILE"){
 return DOWNLOAD_NOT_FILE;
 }
- if($check_hash_ar[1] != "PUBLIC"){
- if($check_hash_ar[2] != $download_hash){
- return DOWNLOAD_PRIVATE_FILE;
+ if($check_hash_ar[2] != "PUBLIC"){
+ if($_SESSION["userid"] != $check_hash_ar[0]){
+ if($check_hash_ar[3] != $download_hash){
+ return DOWNLOAD_PRIVATE_FILE;
+ }
 }
 }
diff --git a/www/functions/func_folder.php b/www/functions/func_folder.php
index 636b743..044fd8e 100644
--- a/www/functions/func_folder.php
+++ b/www/functions/func_folder.php
@@ -133,7 +133,7 @@ function generate_download_link($file_id){
 $db = $GLOBALS["db"];
- $folder_owner_db = $db->query("SELECT owner FROM fiiles where id=".$file_id.";");
+ $folder_owner_db = $db->query("SELECT owner FROM files where id=".$file_id.";");
 $folder_owner_ar = $folder_owner_db->fetchArray(SQLITE3_NUM);
 if($folder_owner_ar[0] != $_SESSION["userid"]){
@@ -155,7 +155,7 @@ function generate_download_link($file_id){
 UPDATE files SET download_link='".$key."' WHERE id=".$file_id.";
 COMMIT;
 ")){
- return key;
+ return $key;
 } else {
 return DATABASE;
 }
diff --git a/www/functions/func_invite.php b/www/functions/func_invite.php
index 00a678d..cf123cf 100755
--- a/www/functions/func_invite.php
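Review bot: The new owner check reads `$_SESSION["userid"]` without an isset guard and compares it to the `owner` column with loose `!=`, so an unauthenticated request on the public-link path evaluates `null != owner`; should an owner id of 0 or an empty string ever exist, that comparison is false and the anonymous caller is treated as the owner and skips the hash check. A guarded, strict form avoids it: `if(!isset($_SESSION["userid"]) || (string)$_SESSION["userid"] !== (string)$check_hash_ar[0]){`. The link comparison on the next added line is also loose and not constant-time; `if($download_hash === "" || !hash_equals((string)$check_hash_ar[3], (string)$download_hash)){` rejects an empty request hash outright instead of letting it match a NULL download_link. check_file_hash begins before the hunk, where $file_id is presumably validated (the DOWNLOAD_FALSE_ID return above), so whether the unquoted `id=` interpolation is safe cannot be judged from here.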
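Review bot: The corrected query in generate_download_link still concatenates `$file_id` straight into the SQL (`where id=".$file_id.`) with no cast or escaping, unlike check_file_hash in this same commit, which at least routes the id through SQLite3::escapeString; the UPDATE in the following hunk at -155 interpolates `$file_id` and `$key` the same way. Whether `$file_id` is validated before reaching this function is not visible from the hunk, so the cheap local fix is a bound parameter: `$stmt = $db->prepare("SELECT owner FROM files WHERE id=:id;"); $stmt->bindValue(":id", (int)$file_id, SQLITE3_INTEGER); $folder_owner_ar = $stmt->execute()->fetchArray(SQLITE3_NUM);` (the `(int)` cast assumes integer ids, which the unquoted comparison suggests). The owner test on the last context line also uses loose `!=` against `$_SESSION["userid"]`; a `(string)` cast on both sides with `!==` keeps it predictable. generate_download_link continues outside both hunks.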
+++ b/www/functions/func_invite.php
@@ -49,7 +49,7 @@ function invite($db){
 COMMIT;") ){
- $subject="Welcome, you were invited to the new virtual filesystem.\nYour key is" . $key . "\nVisit files.iamfabulous.de/register to complete your registration.";
+ $subject="Welcome, you were invited to the new virtual filesystem.\nYour key is " . $key . "\nVisit files.iamfabulous.de/register to complete your registration.";
 mail($email, "Invite", $subject, "From: mail@iamfabulous.de");
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index 121849c..a4d4696 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -55,7 +55,6 @@ function brutforce_protection($db){
 $_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
 if($_SESSION["login_attempts"] <= 0){
- $_SESSION["banned"] = true;
 $remote_ip = $_SERVER["REMOTE_ADDR"];
 $session_id = session_id();
 $time = $_SERVER["REQUEST_TIME"];
@@ -81,8 +80,8 @@ function check_if_banned($db){
 $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
 if($check_ar[0] < $accepted_time){
- return true; // not longer banned
+ return false; // not longer banned
 } else {
- return false; // still banned
+ return true; // still banned
 }
 }
diff --git a/www/index.php b/www/index.php
index be63506..841cf12 100755
--- a/www/index.php
+++ b/www/index.php
@@ -9,23 +9,15 @@ if(!isset($_SESSION["login"])){
 $_SESSION["login"] = false;
 }
-if(!isset($_SESSION["banned"])){
- $_SESSION["banned"] = false;
-}
-
-if($_SESSION["banned"]){
- if(check_if_banned($db)){
- $_SESSION["banned"] = false;
- } else {
- echo "You are banned. ;_;";
- exit;
- }
-}
-
 if(!isset($_SESSION["login_attempts"])){
 $_SESSION["login_attempts"] = 6;
 }
+if(check_if_banned($db)){
+ echo "You are banned. ;_;";
+ exit;
+}
+
 if(empty($_GET)){
 if(!$_SESSION["login"]){
 print_login(constant("EMPTY"));
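Review bot: With the session flag removed, the ban record written below (only `$remote_ip`, `$session_id` and `$time` are gathered in the hunk; the INSERT itself is outside it) becomes the sole source of truth, yet the counter that triggers it, `$_SESSION["login_attempts"]`, still lives in the PHP session of a client that has not authenticated and starts over with every fresh session. It would be more robust to derive the remaining attempts from the same table the ban is stored in, keyed on `$remote_ip`, so that the count outlives the session. Note also that `$_SERVER["REMOTE_ADDR"]` is the TCP peer address; behind a reverse proxy all clients would share one address and therefore one ban. The start of brutforce_protection and the database write are both outside the hunk.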
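Review bot: The swap of the two returns in check_if_banned fixes the inverted result but leaves the contract undocumented; a docblock above the function (its header is outside the hunk) should state `@return bool true while a ban record for this client is younger than the 6h window`, since index.php now relies on exactly that meaning. The four-line if/else collapses to one expression with the same result, `return $check_ar[0] >= $accepted_time; // still banned`, which removes the opportunity to swap the branches again. The literal `21600` deserves a named constant so the `// == 6h` comment becomes unnecessary. What `$check_ar` holds when no ban row exists is decided before the hunk, so that path cannot be reviewed here.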
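Review bot: The new ban branch prints `You are banned. ;_;` and exits with the default 200 status, so browsers, caches and monitoring see a successful page; add `http_response_code(403);` before the echo (429 is equally defensible for a lockout after failed logins). Taking the check out of the removed session-flag gate means check_if_banned now performs a database lookup on every request, including the download path, which is the right fail-closed shape but worth a one-line comment such as `// checked on every request: ban state lives in the DB, not the session`. The session setup and the `$db` handle this relies on are presumably established above the hunk.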
@@ -114,7 +106,7 @@ if(empty($_GET)){
 case("download"):
 if(!isset($_GET["hash"])){
- $download_hash = "";
+ $download_hash = "empty";
 } else {
 $download_hash = $_GET["hash"];
 }
|
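Review bot: Changing the missing-hash default from `""` to the sentinel `"empty"` reads as a workaround for a loose comparison in check_file_hash, where an empty string compares equal to a NULL download_link and would let a private file through; the sentinel only holds while no stored link is ever literally `empty` and the comparison stays loose. The cleaner form keeps the default an empty string, `$download_hash = $_GET["hash"] ?? "";`, and has check_file_hash reject an empty hash explicitly with a strict comparison. The switch this case belongs to and the call that consumes `$download_hash` are outside the hunk, so the motive for the sentinel is inferred.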
