diff --git a/inc/config.php b/inc/config.php index 64fdba92..4858274d 100644 --- a/inc/config.php +++ b/inc/config.php @@ -1314,6 +1314,6 @@ // is the absolute maximum, because MySQL cannot handle table names greater than 64 characters. $config['board_regex'] = '[0-9a-zA-Z$_\x{0080}-\x{FFFF}]{1,58}'; - // Complex regular expression to catch URLs. - $config['url_regex'] = '/' . '(https?|ftp):\/\/' . '(([\w\-]+\.)+[a-zA-Z]{2,6}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' . '(:\d+)?' . '(\/([\w\-~.#\/?=&;:+%!*\[\]@$\'()+,|\^]+)?)?' . '/'; + // Regex for URLs. + $config['url_regex'] = '@^(?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))$@'; diff --git a/post.php b/post.php index 074aa0dc..cfec5430 100644 --- a/post.php +++ b/post.php @@ -268,6 +268,46 @@ if (isset($_POST['delete'])) { $_POST['subject'] = ''; } + if ($config['allow_upload_by_url'] && isset($_POST['file_url']) && !empty($_POST['file_url'])) { + $post['file_url'] = $_POST['file_url']; + if (!preg_match($config['url_regex'], $post['file_url'])) + error($config['error']['invalidimg']); + + + $post['extension'] = strtolower(mb_substr($post['file_url'], mb_strrpos($post['file_url'], '.') + 1)); + if (!in_array($post['extension'], $config['allowed_ext']) && !in_array($post['extension'], $config['allowed_ext_files'])) + error($config['error']['unknownext']); + + $post['file_tmp'] = tempnam($config['tmp'], 'url'); + register_shutdown_function('unlink', $post['file_tmp']); + + $fp = fopen($post['file_tmp'], 'w'); + + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $post['file_url']); + curl_setopt($curl, CURLOPT_FAILONERROR, true); + curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false); + curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5); + curl_setopt($curl, CURLOPT_TIMEOUT, 15); + curl_setopt($curl, CURLOPT_USERAGENT, 'Tinyboard'); + curl_setopt($curl, CURLOPT_BINARYTRANSFER, true); + curl_setopt($curl, CURLOPT_FILE, $fp); + + if (curl_exec($curl) === false) + error($config['error']['nomove']); + + curl_close($curl); + + fclose($fp); + + $_FILES['file'] = array( + 'name' => basename($post['file_url']), + 'tmp_name' => $post['file_tmp'], + 'error' => 0, + 'size' => filesize($post['file_tmp']) + ); + } + // Check for a file if ($post['op'] && !isset($post['no_longer_require_an_image_for_op'])) { if (!isset($_FILES['file']['tmp_name']) || $_FILES['file']['tmp_name'] == '' && $config['force_image_op']) @@ -545,7 +585,10 @@ if (isset($_POST['delete'])) { } if (!isset($dont_copy_file) || !$dont_copy_file) { - if (!@move_uploaded_file($upload, $post['file'])) + if (isset($post['file_tmp'])) { + if (!@rename($upload, $post['file'])) + error($config['error']['nomove']); + } elseif (!@move_uploaded_file($upload, $post['file'])) error($config['error']['nomove']); } } diff --git a/templates/main.js b/templates/main.js index 71dcd92a..78054a3b 100644 --- a/templates/main.js +++ b/templates/main.js @@ -175,7 +175,7 @@ function dopost(form) { saved[document.location] = form.elements['body'].value; sessionStorage.body = JSON.stringify(saved); - return form.elements['body'].value != "" || form.elements['file'].value != ""; + return form.elements['body'].value != "" || form.elements['file'].value != "" || (form.elements.file_url && form.elements['file_url'].value != ""); } function citeReply(id) { diff --git a/templates/post_form.html b/templates/post_form.html index 4d7a37b7..7c8894c1 100644 --- a/templates/post_form.html +++ b/templates/post_form.html @@ -73,6 +73,13 @@ + {% if config.allow_upload_by_url %} +
+
+ : + +
+ {% endif %} {{ antibot.html() }}