<?php

// shared secret that clients mix into the per-request key; "your-password"
// is a placeholder value
$password = 'your-password';

// folder in which to store uploads
$destdir = '../events';

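/**
 * Append one line to the upload log.
 *
 * Each entry is prefixed with a UTC timestamp so that log lines can be
 * correlated with web-server logs when reviewing an incident. The write is
 * best effort: a failure to write the log must not mask the error that is
 * being reported, so the return value of file_put_contents() is ignored.
 *
 * @param string $msg message to record; a newline is appended automatically
 */
function logError(string $msg): void
{
	$line = gmdate('Y-m-d\TH:i:s\Z') . ' ' . $msg . PHP_EOL;
	// LOCK_EX serialises appends from concurrent requests
	file_put_contents('../upload_log.txt', $line, FILE_APPEND | LOCK_EX);
}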

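/**
 * Send a plain-text error response, record it in the upload log and stop.
 *
 * Never returns: the script exits after the response has been emitted.
 *
 * @param int    $code HTTP status code to send
 * @param string $msg  response body; the same text is written to the log
 */
function fatalError(int $code, string $msg): void
{
	// drop anything queued earlier so the response is exactly what is set here
	header_remove();

	// set the actual code
	http_response_code($code);

	// every response from this endpoint depends on the POST body that produced
	// it (get_status answers, per-request error text), so it must never be
	// stored by a shared cache and replayed to a different request
	header('Cache-Control: no-store');

	header('Content-Type: text/plain; charset=utf-8');
	echo $msg;
	logError($msg);
	exit();
}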

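// Every field comes from the POST body. A missing field defaults to '' so the
// key derivation below sees the same value a client would have used for an
// absent field, without an undefined-index warning.
$id = $_POST['id'] ?? '';
$request = $_POST['request'] ?? '';
$filename = $_POST['filename'] ?? '';
$chksum = $_POST['md5'] ?? '';
$key = $_POST['key'] ?? '';

// A field sent as an array (e.g. "key[]=x") would make the string operations
// below fail; reject such requests before touching the values.
foreach ([$id, $request, $filename, $chksum, $key] as $field) {
	if (!is_string($field)) {
		fatalError(400, 'Invalid parameters');
	}
}

// check client authentication string is correct
$localKey = "breeze" . $id . $password . $filename . $chksum;
// hash_equals() is a strict, constant-time comparison: it avoids the timing
// side channel of != and PHP's numeric-string juggling, under which two hex
// digests of the form "0e<digits>" compare equal with ==.
if (!hash_equals(sha1($localKey), $key)) {
	// the expected digest is the credential itself: it is neither echoed back
	// nor logged
	fatalError(401, "Not authorized id=$id, filename=$filename");
}

// $filename is used to build paths under $destdir, so reject anything that
// could escape that folder: NUL bytes and ".." path segments with either
// separator.
if ($filename === ''
	|| strpos($filename, "\0") !== false
	|| preg_match('~(?:^|[\\\\/])\.\.(?:[\\\\/]|$)~', $filename) === 1) {
	fatalError(400, 'Invalid filename');
}

if ($request === "get_status")
{
	// check whether file already exists on the server
	$destFile = "$destdir/$filename";
	$arr = array('exists' => file_exists($destFile), 'filename' => $filename);
	fatalError(400, json_encode($arr));
}
else if ($request !== "upload")
{
	// only "get_status" and "upload" are understood
	fatalError(400, "Invalid request: $request");
}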

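try {
	// Undefined | Multiple Files | $_FILES Corruption Attack
	// If this request falls under any of them, treat it invalid.
	if (!isset($_FILES['fileToUpload']['error']) || is_array($_FILES['fileToUpload']['error'])) {
		fatalError(400, "Invalid parameters");
	}

	// Check $_FILES['fileToUpload']['error'] value. Every branch other than
	// UPLOAD_ERR_OK ends in fatalError(), which exits, so no fallthrough occurs.
	switch ($_FILES['fileToUpload']['error']) {
	case UPLOAD_ERR_OK:
		break;
	case UPLOAD_ERR_NO_FILE:
		fatalError(400, 'No file sent');
	case UPLOAD_ERR_INI_SIZE:
	case UPLOAD_ERR_FORM_SIZE:
		fatalError(400, 'Exceeded form file size limit');
	default:
		fatalError(400, 'Unknown error');
	}

	$srcFile = $_FILES["fileToUpload"]["tmp_name"];

	// $filename comes from the POST body and is used to build paths under
	// $destdir: it must be a plain string with no NUL byte and no ".." segment.
	if (!is_string($filename)
		|| $filename === ''
		|| strpos($filename, "\0") !== false
		|| preg_match('~(?:^|[\\\\/])\.\.(?:[\\\\/]|$)~', $filename) === 1) {
		fatalError(400, 'Invalid filename');
	}

	// Allowed extensions, each with the content types (as detected by finfo)
	// it may carry. The detected type must agree with the claimed extension so
	// a file cannot be stored under a name that misdescribes its contents.
	$allowedTypes = [
		'jpg' => ['image/jpeg'],
		'gif' => ['image/gif'],
		'mp4' => ['video/mp4', 'video/quicktime'],
		'xml' => ['text/xml'],
	];

	// check file is JPEG, GIF, MP4 or XML
	$fileType = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
	if (!isset($allowedTypes[$fileType])) {
		fatalError(400, "File type not allowed");
	}

	// Check MIME type from the file contents, not from the client-supplied type
	$finfo = new finfo(FILEINFO_MIME_TYPE);
	$mimeType = $finfo->file($srcFile);
	if (!in_array($mimeType, $allowedTypes[$fileType], true)) {
		fatalError(400, "Unexpected MIME type: " . $mimeType);
	}

	// check MD5 checksum matches uploaded file (hex digest, case-insensitive)
	$actualMd5 = md5_file($srcFile);
	if ($actualMd5 === false || !is_string($chksum) || strcasecmp($actualMd5, $chksum) !== 0) {
		fatalError(400, "MD5 checksum incorrect");
	}

	// read filename and dir from $filename and create dir if it doesn't already exist
	['basename' => $basename, 'dirname' => $dirname] = pathinfo($filename);
	$targetDir = $destdir;
	// pathinfo() reports '.' as the dirname when $filename has no directory part
	if ($dirname !== '' && $dirname !== '.') {
		$targetDir = "$destdir/$dirname";
		// the second is_dir() covers a concurrent request creating the same
		// directory between the first check and mkdir()
		if (!is_dir($targetDir) && !mkdir($targetDir, 0755, true) && !is_dir($targetDir)) {
			// refuse rather than silently storing the file in a different folder
			logError("mkdir($targetDir) failed");
			fatalError(400, "Error creating upload folder");
		}
	}
	$destFile = "$targetDir/$basename";

	// move the uploaded file to the upload folder
	if (move_uploaded_file($srcFile, $destFile)) {
		header('Content-Type: text/plain; charset=utf-8');
		echo "File: $filename";
	} else {
		logError("move_uploaded_file($srcFile, $destFile) failed");
		fatalError(400, "Error copying file to upload folder: $destFile");
	}
} catch (RuntimeException $e) {
	fatalError(400, $e->getMessage());
}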

?>
