path = __DIR__ . '/'; } public function auth(): bool { if (ANONYMOUS_WRITE && ANONYMOUS_READ) { return true; } if ($this->user) { return true; } $user = $_SERVER['PHP_AUTH_USER'] ?? null; $password = $_SERVER['PHP_AUTH_PW'] ?? null; $hash = $this->users[$user]['password'] ?? null; if (!$hash) { return false; } if (!password_verify($password, $hash)) { return false; } $this->user = $user; return true; } static protected function glob(string $path, string $pattern = '', int $flags = 0): array { $path = preg_replace('/[\*\?\[\]]/', '\\\\$0', $path); return glob($path . $pattern, $flags); } public function canRead(string $uri): bool { if (in_array($uri, INTERNAL_FILES)) { return false; } if (preg_match('/\.(?:php\d?|phtml|phps)$|^\./i', $uri)) { return false; } if (ANONYMOUS_READ) { return true; } if (!$this->auth()) { return false; } $restrict = $this->users[$this->user]['restrict'] ?? []; if (!is_array($restrict) || empty($restrict)) { return true; } foreach ($restrict as $match) { if (0 === strpos($uri, $match)) { return true; } } return false; } public function canWrite(string $uri): bool { if (!$this->auth() && !ANONYMOUS_WRITE) { return false; } if (!$this->canRead($uri)) { return false; } if (ANONYMOUS_WRITE) { return true; } if (!$this->auth() || empty($this->users[$this->user]['write'])) { return false; } $restrict = $this->users[$this->user]['restrict_write'] ?? []; if (!is_array($restrict) || empty($restrict)) { return true; } foreach ($restrict as $match) { if (0 === strpos($uri, $match)) { return true; } } return false; } public function canOnlyCreate(string $uri): bool { $restrict = $this->users[$this->user]['restrict_write'] ?? []; if (in_array($uri, $restrict, true)) { return true; } $restrict = $this->users[$this->user]['restrict'] ?? []; if (in_array($uri, $restrict, true)) { return true; } return false; } public function list(string $uri, ?array $properties): iterable { if (!$this->canRead($uri . '/')) { //throw new WebDAV_Exception('Access forbidden', 403); } $dirs = self::glob($this->path . $uri, '/*', \GLOB_ONLYDIR); $dirs = array_map('basename', $dirs); $dirs = array_filter($dirs, fn($a) => $this->canRead(ltrim($uri . '/' . $a, '/') . '/')); natcasesort($dirs); $files = self::glob($this->path . $uri, '/*'); $files = array_map('basename', $files); $files = array_diff($files, $dirs); // Remove PHP files and dot-files from listings $files = array_filter($files, fn($a) => $this->canRead(ltrim($uri . '/' . $a, '/'))); natcasesort($files); $files = array_flip(array_merge($dirs, $files)); $files = array_map(fn($a) => null, $files); return $files; } public function get(string $uri): ?array { if (!$this->canRead($uri)) { throw new WebDAV_Exception('Access forbidden', 403); } $path = $this->path . $uri; if (!file_exists($path)) { return null; } return ['path' => $path]; } public function exists(string $uri): bool { return file_exists($this->path . $uri); } public function get_file_property(string $uri, string $name, int $depth) { $target = $this->path . $uri; switch ($name) { case 'DAV::getcontentlength': return is_dir($target) ? null : filesize($target); case 'DAV::getcontenttype': // ownCloud app crashes if mimetype is provided for a directory // https://github.com/owncloud/android/issues/3768 return is_dir($target) ? null : mime_content_type($target); case 'DAV::resourcetype': return is_dir($target) ? 'collection' : ''; case 'DAV::getlastmodified': if (!$uri && $depth == 0 && is_dir($target)) { $mtime = self::getDirectoryMTime($target); } else { $mtime = filemtime($target); } if (!$mtime) { return null; } return new \DateTime('@' . $mtime); case 'DAV::ishidden': return basename($target)[0] == '.'; case 'DAV::getetag': $hash = filemtime($target) . filesize($target); return md5($hash . $target); case 'DAV::lastaccessed': return new \DateTime('@' . fileatime($target)); case 'DAV::creationdate': return new \DateTime('@' . filectime($target)); case 'http://owncloud.org/ns:permissions': $permissions = 'G'; if (is_dir($target)) { $uri .= '/'; } if (is_writeable($target) && $this->canWrite($uri)) { // If the directory is one of the restricted paths, // then we can only do stuff INSIDE, and not delete/rename the directory itself if ($this->canOnlyCreate($uri)) { $permissions .= 'CK'; } else { $permissions .= 'DNVWCK'; } } return $permissions; case Server::PROP_DIGEST_MD5: if (!is_file($target)) { return null; } return md5_file($target); default: break; } return null; } public function properties(string $uri, ?array $properties, int $depth): ?array { $target = $this->path . $uri; if (!file_exists($target)) { return null; } if (null === $properties) { $properties = Server::BASIC_PROPERTIES; } $out = []; foreach ($properties as $name) { $v = $this->get_file_property($uri, $name, $depth); if (null !== $v) { $out[$name] = $v; } } return $out; } public function put(string $uri, $pointer, ?string $hash, ?int $mtime): bool { if (preg_match(self::PUT_IGNORE_PATTERN, basename($uri))) { return false; } if (!$this->canWrite($uri)) { throw new WebDAV_Exception('Access forbidden', 403); } $target = $this->path . $uri; $parent = dirname($target); if (is_dir($target)) { throw new WebDAV_Exception('Target is a directory', 409); } if (!file_exists($parent)) { mkdir($parent, 0770, true); } $new = !file_exists($target); $delete = false; $size = 0; $quota = disk_free_space($this->path); $tmp_file = $this->path . '.tmp.' . sha1($target); $out = fopen($tmp_file, 'w'); while (!feof($pointer)) { $bytes = fread($pointer, 8192); $size += strlen($bytes); if ($size > $quota) { $delete = true; break; } fwrite($out, $bytes); } fclose($out); fclose($pointer); if ($delete) { @unlink($tmp_file); throw new WebDAV_Exception('Your quota is exhausted', 403); } elseif ($hash && md5_file($tmp_file) != $hash) { @unlink($tmp_file); throw new WebDAV_Exception('The data sent does not match the supplied MD5 hash', 400); } else { rename($tmp_file, $target); } if ($mtime) { @touch($target, $mtime); } return $new; } public function delete(string $uri): void { if (!$this->canWrite($uri)) { throw new WebDAV_Exception('Access forbidden', 403); } if ($this->canOnlyCreate($uri)) { throw new WebDAV_Exception('Access forbidden', 403); } $target = $this->path . $uri; if (!file_exists($target)) { throw new WebDAV_Exception('Target does not exist', 404); } if (!is_writeable($target)) { throw new WebDAV_Exception('File permissions says that you cannot delete this, sorry.', 403); } if (is_dir($target)) { foreach (self::glob($target, '/*') as $file) { $this->delete(substr($file, strlen($this->path))); } rmdir($target); } else { unlink($target); } } public function copymove(bool $move, string $uri, string $destination): bool { if (!$this->canWrite($uri) || !$this->canWrite($destination) || $this->canOnlyCreate($uri)) { throw new WebDAV_Exception('Access forbidden', 403); } $source = $this->path . $uri; $target = $this->path . $destination; $parent = dirname($target); if (!file_exists($source)) { throw new WebDAV_Exception('File not found', 404); } $overwritten = file_exists($target); if (!is_dir($parent)) { throw new WebDAV_Exception('Target parent directory does not exist', 409); } if (false === $move) { $quota = disk_free_space($this->path); if (filesize($source) > $quota) { throw new WebDAV_Exception('Your quota is exhausted', 403); } } if ($overwritten) { $this->delete($destination); } $method = $move ? 'rename' : 'copy'; if ($method == 'copy' && is_dir($source)) { @mkdir($target, 0770, true); foreach ($iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($source), \RecursiveIteratorIterator::SELF_FIRST) as $item) { if ($item->isDir()) { @mkdir($target . DIRECTORY_SEPARATOR . $iterator->getSubPathname()); } else { copy($item, $target . DIRECTORY_SEPARATOR . $iterator->getSubPathname()); } } } else { $method($source, $target); $this->getResourceProperties($uri)->move($destination); } return $overwritten; } public function copy(string $uri, string $destination): bool { return $this->copymove(false, $uri, $destination); } public function move(string $uri, string $destination): bool { return $this->copymove(true, $uri, $destination); } public function mkcol(string $uri): void { if (!$this->canWrite($uri)) { throw new WebDAV_Exception('Access forbidden', 403); } if (!disk_free_space($this->path)) { throw new WebDAV_Exception('Your quota is exhausted', 403); } $target = $this->path . $uri; $parent = dirname($target); if (file_exists($target)) { throw new WebDAV_Exception('There is already a file with that name', 405); } if (!file_exists($parent)) { throw new WebDAV_Exception('The parent directory does not exist', 409); } mkdir($target, 0770); } static public function getDirectoryMTime(string $path): int { $last = 0; $path = rtrim($path, '/'); foreach (self::glob($path, '/*', GLOB_NOSORT) as $f) { if (is_dir($f)) { $m = self::getDirectoryMTime($f); if ($m > $last) { $last = $m; } } $m = filemtime($f); if ($m > $last) { $last = $m; } } return $last; } } class Server extends \KD2\WebDAV\Server { protected function html_directory(string $uri, iterable $list): ?string { $out = parent::html_directory($uri, $list); if (null !== $out) { $out = str_replace('', sprintf('', rtrim($this->base_uri, '/')), $out); } return $out; } public function route(?string $uri = null): bool { if (!ANONYMOUS_WRITE && !ANONYMOUS_READ && !$this->storage->auth()) { $this->requireAuth(); return true; } return parent::route($uri); } protected function requireAuth(): void { http_response_code(401); header('WWW-Authenticate: Basic realm="Please login"'); echo '

Error 401

You need to login to access this.

'; } public function error(WebDAV_Exception $e) { if ($e->getCode() == 403 && !$this->storage->auth() && count($this->storage->users)) { return; } parent::error($e); } protected string $_log = ''; public function log(string $message, ...$params): void { if (!HTTP_LOG_FILE) { return; } $this->_log .= vsprintf($message, $params) . "\n"; } public function __destruct() { if (!$this->_log) { return; } file_put_contents(HTTP_LOG_FILE, $this->_log, \FILE_APPEND); } } } namespace { use PicoDAV\Server; use PicoDAV\Storage; $uri = strtok($_SERVER['REQUEST_URI'], '?'); $root = substr(__DIR__, strlen($_SERVER['DOCUMENT_ROOT'])); if (false !== strpos($uri, '..')) { http_response_code(404); die('Invalid URL'); } $relative_uri = ltrim(substr($uri, strlen($root)), '/'); if (!empty($_SERVER['SERVER_SOFTWARE']) && stristr($_SERVER['SERVER_SOFTWARE'], 'apache') && !file_exists(__DIR__ . '/.htaccess')) { file_put_contents(__DIR__ . '/.htaccess', /*__HTACCESS__*/); } if ($relative_uri == '.webdav/webdav.js' || $relative_uri == '.webdav/webdav.css') { http_response_code(200); if ($relative_uri == '.webdav/webdav.js') { header('Content-Type: text/javascript', true); } else { header('Content-Type: text/css', true); } $seconds_to_cache = 3600 * 24 * 5; $ts = gmdate("D, d M Y H:i:s", time() + $seconds_to_cache) . " GMT"; header("Expires: " . $ts); header("Pragma: cache"); header("Cache-Control: max-age=" . $seconds_to_cache); $fp = fopen(__FILE__, 'r'); if ($relative_uri == '.webdav/webdav.js') { fseek($fp, __PHP_SIZE__, SEEK_SET); echo fread($fp, __JS_SIZE__); } else { fseek($fp, __PHP_SIZE__ + __JS_SIZE__, SEEK_SET); echo fread($fp, __CSS_SIZE__); } fclose($fp); exit; } const CONFIG_FILE = __DIR__ . '/.picodav.ini'; define('PicoDAV\INTERNAL_FILES', ['.picodav.ini', basename(__FILE__), '.webdav/webdav.js', '.webdav/webdav.css']); const DEFAULT_CONFIG = [ 'ANONYMOUS_READ' => true, 'ANONYMOUS_WRITE' => false, 'HTTP_LOG_FILE' => null, ]; $config = []; $storage = new Storage; if (file_exists(CONFIG_FILE)) { $config = parse_ini_file(CONFIG_FILE, true); $users = array_filter($config, 'is_array'); $config = array_diff_key($config, $users); $config = array_change_key_case($config, \CASE_UPPER); $replace = []; // Encrypt plaintext passwords foreach ($users as $name => $properties) { if (isset($properties['password']) && substr($properties['password'], 0, 1) != '$') { $users[$name]['password'] = $replace[$name] = password_hash($properties['password'], null); } } if (count($replace)) { $lines = file(CONFIG_FILE); $current = null; foreach ($lines as &$line) { if (preg_match('/^\s*\[(\w+)\]\s*$/', $line, $match)) { $current = $match[1]; continue; } if ($current && isset($replace[$current]) && preg_match('/^\s*password\s*=/', $line)) { $line = sprintf("password = %s\n", var_export($replace[$current], true)); } } unset($line, $current); file_put_contents(CONFIG_FILE, implode('', $lines)); } $storage->users = $users; } foreach (DEFAULT_CONFIG as $key => $value) { if (array_key_exists($key, $config)) { $value = $config[$key]; } if (is_bool(DEFAULT_CONFIG[$key])) { $value = boolval($value); } define('PicoDAV\\' . $key, $value); } $dav = new Server; $dav->setStorage($storage); $dav->setBaseURI($root); if (!$dav->route($uri)) { http_response_code(404); die('Invalid URL, sorry'); } exit; }