1 files changed, 67 insertions, 0 deletions
diff --git a/src/controller/FileUploadController.php b/src/controller/FileUploadController.php
new file mode 100644
index 0000000..f53f5c2
--- /dev/null
+++ b/src/controller/FileUploadController.php
@@ -0,0 +1,67 @@
+<?php
+// src/controller/FileUploadController.php
+declare(strict_types=1);
+class FileUploadController
+{
+        static public function checkFileDownload(array $file): bool
+        {
+                $extensions_white_list = ['pdf', 'rtf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp']; // = extensions_white_list côté javascript
+                $mime_type_white_list = ['application/pdf', 'application/rtf', 'text/rtf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.oasis.opendocument.text', 'application/vnd.oasis.opendocument.spreadsheet', 'application/vnd.oasis.opendocument.presentation'];
+                
+                // 1/ extension
+                $extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
+                if(!in_array($extension, $extensions_white_list, true)){
+                        return false;
+            }
+                
+                // 2/ fichier obtenu par HTTP POST (théoriquement inutile si le routeur est solide, mais ça ne mange pas de pain)
+                if(!is_uploaded_file($file['tmp_name'])){
+                        return false;
+                }
+                // 3/ objet $finfo valide (dépend du paramètre FILEINFO_MIME_TYPE)
+            $finfo = new finfo(FILEINFO_MIME_TYPE);
+                if($finfo === false){
+                return false;
+            }
+                
+                // 4/ contrôle du "vrai" type mime (finfo_file lit les 1ers octets des fichiers pour y trouver des "signatures", très fiable sauf avec les conteneurs: doc, zip...)
+            $real_type = finfo_file($finfo, $file['tmp_name']);
+            return in_array($real_type, $mime_type_white_list, true);
+        }
+        static public function fileUploadTinyMce(): void
+        {
+                if(isset($_FILES['file'])){
+                $dest = 'user_data/media/';
+                if(!is_dir($dest)){ // Vérifier si le répertoire existe, sinon le créer
+                    mkdir($dest, 0755, true);
+                }
+                
+                $name = Security::secureFileName(pathinfo($_FILES['file']['name'], PATHINFO_FILENAME)); // retirer caractères spéciaux et changer espaces en underscores
+                $extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION)); 
+                $file_path = $dest . $name . '_' . uniqid() . '.' . $extension; // nom unique
+                
+                if(self::checkFileDownload($_FILES['file'])){
+                        if(move_uploaded_file($_FILES['file']['tmp_name'], $file_path)){
+                                        echo json_encode(['location' => $file_path]);
+                                }
+                                else{
+                                        http_response_code(500);
+                                        echo json_encode(['message' => 'Erreur enregistrement du fichier.']);
+                                }
+                }
+                else{
+                        http_response_code(400);
+                                echo json_encode(['message' => 'Erreur 400: fichier non valide.']);
+                        }
+            }
+            else{
+                http_response_code(400);
+                echo json_encode(['message' => 'Erreur 400: Bad Request']);
+            }
+            die;
+        }
+}
+\ No newline at end of file

diff --git a/src/controller/FileUploadController.php b/src/controller/FileUploadController.php new file mode 100644 index 0000000..f53f5c2 --- /dev/null +++ b/src/controller/FileUploadController.php
@@ -0,0 +1,67 @@
	1	<?php
	2	// src/controller/FileUploadController.php
	3
	4	declare(strict_types=1);
	5
	6	class FileUploadController
	7	{
	8	static public function checkFileDownload(array $file): bool
	9	{
	10	$extensions_white_list = ['pdf', 'rtf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp']; // = extensions_white_list côté javascript
	11	$mime_type_white_list = ['application/pdf', 'application/rtf', 'text/rtf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/vnd.ms-powerpoint', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.oasis.opendocument.text', 'application/vnd.oasis.opendocument.spreadsheet', 'application/vnd.oasis.opendocument.presentation'];
	12
	13	// 1/ extension
	14	$extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
	15	if(!in_array($extension, $extensions_white_list, true)){
	16	return false;
	17	}
	18
	19	// 2/ fichier obtenu par HTTP POST (théoriquement inutile si le routeur est solide, mais ça ne mange pas de pain)
	20	if(!is_uploaded_file($file['tmp_name'])){
	21	return false;
	22	}
	23
	24	// 3/ objet $finfo valide (dépend du paramètre FILEINFO_MIME_TYPE)
	25	$finfo = new finfo(FILEINFO_MIME_TYPE);
	26	if($finfo === false){
	27	return false;
	28	}
	29
	30	// 4/ contrôle du "vrai" type mime (finfo_file lit les 1ers octets des fichiers pour y trouver des "signatures", très fiable sauf avec les conteneurs: doc, zip...)
	31	$real_type = finfo_file($finfo, $file['tmp_name']);
	32	return in_array($real_type, $mime_type_white_list, true);
	33	}
	34
	35	static public function fileUploadTinyMce(): void
	36	{
	37	if(isset($_FILES['file'])){
	38	$dest = 'user_data/media/';
	39	if(!is_dir($dest)){ // Vérifier si le répertoire existe, sinon le créer
	40	mkdir($dest, 0755, true);
	41	}
	42
	43	$name = Security::secureFileName(pathinfo($_FILES['file']['name'], PATHINFO_FILENAME)); // retirer caractères spéciaux et changer espaces en underscores
	44	$extension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
	45	$file_path = $dest . $name . '_' . uniqid() . '.' . $extension; // nom unique
	46
	47	if(self::checkFileDownload($_FILES['file'])){
	48	if(move_uploaded_file($_FILES['file']['tmp_name'], $file_path)){
	49	echo json_encode(['location' => $file_path]);
	50	}
	51	else{
	52	http_response_code(500);
	53	echo json_encode(['message' => 'Erreur enregistrement du fichier.']);
	54	}
	55	}
	56	else{
	57	http_response_code(400);
	58	echo json_encode(['message' => 'Erreur 400: fichier non valide.']);
	59	}
	60	}
	61	else{
	62	http_response_code(400);
	63	echo json_encode(['message' => 'Erreur 400: Bad Request']);
	64	}
	65	die;
	66	}
	67	} \ No newline at end of file