Add ALLOWED_CHARACTERS configuration option

This allows to set allowed characters for custom filenames without having them in the KEYSPACE, to avoid generating random filenames containing them. This is useful if you want to allow dashes, per example. Version bumped to 1.1.0
Xenthys · Jul 23, 2018 · 5473072 · 5473072
1 parent cf6de17
commit 5473072
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -97,6 +97,7 @@ The `info` endpoint implements several JSON fields, which can be returned or not
 | `keyspace`           | No    | Unspecified | String           | Keyspace used by the API (configuration)                             |
 | `name_length`        | No    | Unspecified | Integer          | Size of random names (configuration)                                 |
 | `allowed_extensions` | No    | Unspecified | Array of Strings | List of allowed file extensions (configuration)                      |
+| `allowed_characters` | No    | Unspecified | String           | Additional allowed characters, for custom filenames (configuration)  |
 | `custom_names`       | No    | Unspecified | Boolean          | Whether custom filenames are globally allowed or not (configuration) |
 | `files_count`        | No    | Unspecified | Integer          | Amount of files (matching allowed extensions) in the current folder  |
 | `files`              | Yes   | Unspecified | Array of Strings | List of files (matching allowed extensions) in the current folder    |

diff --git a/script.php b/script.php
@@ -86,6 +86,12 @@
 // This isn't a comprehensive list of dangerous characters
 define('KEYSPACE', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
 
+// Characters listed here will be allowed within
+// custom filenames, but won't be used to generate
+// random ones (which is what the KEYSPACE is for)
+// It has the same limitations than the KEYSPACE
+define('ALLOWED_CHARACTERS', '-_');
+
 // Allow admin users to use custom filenames
 // containing any character, thus ignoring the
 // above keyspace entirely, which can be a huge
@@ -99,7 +105,7 @@
 \*****************************/
 
 
-define('VERSION', '1.0.1');
+define('VERSION', '1.1.0');
 define('SOURCE', 'https://github.com/Xenthys/ShareXen');
 
 $data = [
@@ -335,11 +341,6 @@ function error_die($data, $code, $reason = 'unknown_error', $debug = '')
 	end_request($data, $code, 'error');
 }
 
-if (!defined('KEYSPACE'))
-{
-	define('KEYSPACE', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
-}
-
 function get_deletion_hash($name)
 {
 	$salt = defined('DELETION_SALT')?DELETION_SALT:0;
@@ -388,6 +389,11 @@ function user_is_admin($data)
 	return ($uid <= MAX_ADMIN_ID);
 }
 
+if (!defined('KEYSPACE'))
+{
+	define('KEYSPACE', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789');
+}
+
 function random_str($length = NAME_LENGTH, $keyspace = KEYSPACE)
 {
 	$pieces = [];
@@ -430,6 +436,11 @@ function generate_all_urls(&$data, $deletion = true)
 	}
 }
 
+if (!defined('ALLOWED_CHARACTERS'))
+{
+	define('ALLOWED_CHARACTERS', '');
+}
+
 function check_filename($name, $data)
 {
 	if (!$name)
@@ -439,8 +450,8 @@ function check_filename($name, $data)
 
 	$name = strval($name);
 
-	$regex = '/^['.preg_quote(KEYSPACE, '/').
-		']+\.('.implode('|', EXTS).')$/';
+	$chars = preg_quote(KEYSPACE.ALLOWED_CHARACTERS, '/');
+	$regex = '/^['.$chars.']+\.('.implode('|', EXTS).')$/';
 
 	if (defined('ADMIN_IGNORE_KEYSPACE') &&
 		ADMIN_IGNORE_KEYSPACE && user_is_admin($data))
@@ -669,6 +680,7 @@ function info_endpoint(&$data)
 		$data['keyspace'] = KEYSPACE;
 		$data['name_length'] = NAME_LENGTH;
 		$data['allowed_extensions'] = EXTS;
+		$data['allowed_characters'] = ALLOWED_CHARACTERS;
 
 		$custom = defined('ALLOW_CUSTOM_NAMES');
 		$custom = $custom && ALLOW_CUSTOM_NAMES;