diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e62ab3c --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +/vendor/ +/photos/ +/index.php + diff --git a/README.md b/README.md index 3ab948f..b4f6d9e 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ A minimal PhotoBackup API endpoint developed in PHP. + ## Goals 1. **Easy to run.** Minimal configuration and the widest possible server @@ -10,24 +11,53 @@ A minimal PhotoBackup API endpoint developed in PHP. 2. **Easy to review.** All the code is extensively described through [PSR-5][] DocComments and should be easy to read along. +3. **Easy to integrate.** Server is written as both a standalone server and + a Composer-friendly library, so it can be easily integrated into third party + applications. (Composer is not required for standalone use.) + [PSR-5]: https://github.com/phpDocumentor/fig-standards/tree/master/proposed + ## Setting up 1. Download the latest release from GitHub: https://github.com/PhotoBackup/server-php/releases/latest -2. Open `index.php` and change the value of `$Password` to the password you want - to use for PhotoBackup. +2. Copy `index.php.example` to `index.php` (so your configuration will not be + overwritten on upgrade). + +3. Open `index.php` and change the value of `$Password` to the password you want + to use for PhotoBackup. Alternatively you can include external configuration + file located outside document root of your web server (see example in the + `index.php` file). + +4. Upload everything (or at least `index.php`, `class` folder and the `photos` + folder) to your web host. + +5. Make sure your web server can write to the `photos` folder. + +6. Configure the server address in your PhotoBackup client to match the URL for + your `index.php` file. E.g. `http://example.com/photobackup/index.php`. -3. Upload `index.php` and the `photos` folder to your web host. -4. Configure the server address in your PhotoBackup client to match the URL for - your `index.php`-file. E.g. `http://example.com/photobackup/index.php`. +## Upgrade + +Your configuration is stored in the `index.php` file which is not under version +control, therefore you can simply use Git to pull a new version and then upload +everything to your web server. + + +## Use as a Library + +To integrate this server to your application, see the `Server` class in +`class/Server.php`. This server library can be loaded using Composer and its +PSR-4 class loader. In this case simply ignore the `index.php` stuff. + ## License The PhotoBackup PHP server is licensed under the OSI version of the MIT license. It lets you do anything with the code as long as proper attribution is given. Please see LICENSE. + diff --git a/class/Server.php b/class/Server.php new file mode 100644 index 0000000..779dc89 --- /dev/null +++ b/class/Server.php @@ -0,0 +1,254 @@ + + * @copyright (c) 2016, Josef Kufner + * + * @license http://opensource.org/licenses/MIT The MIT License + */ + +namespace PhotoBackup; + +/** + * Server implementation + * + * Configuration options (see member variables): + * - password + * - mediaRoot + * + */ +class Server +{ + + /** + * The password required to upload to this server. + * + * The password is currently stored as clear text here. PHP code is not normally + * readable by third-parties so this should be safe enough. Many applications + * store database credentials in this way as well. A secondary and safer way is + * being considered for the next version. + * + * @var string $password A string (encapsulated by quotes). + */ + protected $password; + + + /** + * The directory where files should be uploaded to. + * + * This directory path is relative to this index.php file and should not end + * with a /. It should point to an existing directory on the server. + * + * @var string $mediaRoot A string (encapsulated by quotes). + */ + protected $mediaRoot; + + + /** + * Simple entry point. + */ + public static function main($configuration) + { + // Throw exceptions on all errors + set_error_handler(function ($errno, $errstr, $errfile, $errline ) { + if (error_reporting()) { + throw new \ErrorException($errstr, 0, $errno, $errfile, $errline); + } + }); + + $app = new self($configuration); + return $app->handleRequest(); + } + + + /** + * Constructor. + * + * Load configuration, otherwise do nothing. + */ + public function __construct($configuration) + { + if (empty($configuration['password']) || !is_string($configuration['password'])) { + throw new \InvalidArgumentException('Password not set.'); + } else { + $this->password = $configuration['password']; + } + + if (empty($configuration['mediaRoot']) || !is_string($configuration['mediaRoot'])) { + throw new \InvalidArgumentException('Media root not set.'); + } else { + $this->mediaRoot = $configuration['mediaRoot']; + } + } + + + /** + * Request handler. + * + * This is original unmodified (except the options checks) + * implementation from old index.php. + */ + public function handleRequest() + { + /** + * Find out if the client is requesting the test page. + */ + $request = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); + $testing = substr($request, -5) === '/test'; + + /** + * If no data has been POSTed to the server and the client did not request the + * test page, exit imidiately. + */ + if (empty($_POST) && !$testing) { + return; + } + + /** + * Exit with HTTP code 403 if no password has been set on the server, or if the + * client did not submit a password, or the submitted password did not match + * this server's password. + */ + if ( + !isset($_POST['password']) || + $_POST['password'] !== hash('sha512', $this->password) + ) { + $this->httpResponse(403); + return; + } + + /** + * If we were only supposed to test the server, end here. + */ + if ($testing) { + return; + } + + /** + * If the client did not submit a filesize, exit with HTTP code 400. + */ + if (!isset($_POST['filesize'])) { + $this->httpResponse(400); + return; + } + + /** + * If the client did not upload a file, or something went wrong in the upload + * process, exit with HTTP code 401. + */ + if ( + !isset($_FILES['upfile']) || + $_FILES['upfile']['error'] !== UPLOAD_ERR_OK || + !is_uploaded_file($_FILES['upfile']['tmp_name']) + ) { + $this->httpResponse(401); + return; + } + + /** + * If the client submitted filesize did not match the uploaded file's size, exit + * with HTTP code 411. + */ + if (intval($_POST['filesize']) !== $_FILES['upfile']['size']) { + $this->httpResponse(411); + return; + } + + /** + * Sanitize the file name to maximise server operating system compatibility and + * minimize possible attacks against this implementation. + */ + $filename = preg_replace('@\s+@', '-', $_FILES['upfile']['name']); + $filename = preg_replace('@[^0-9a-z._-]@i', '', $filename); + $target = $this->mediaRoot . '/' . $filename; + + /** + * If a file with the same name and size exists, treat the new upload as a + * duplicate and exit. + */ + if ( + file_exists($target) && + filesize($target) === $_POST['filesize'] + ) { + $this->httpResponse(409); + return; + } + + /** + * Move the uploaded file into the target directory. If anything did not work, + * exit with HTTP code 500. + */ + if (!move_uploaded_file($_FILES["upfile"]["tmp_name"], $target)) { + $this->httpResponse(500); + return; + } + + return; + } + + + /** + * Send HTTP response + * + * @param $code HTTP status code to send + * @param $msg Optional message. If not specified a standard message + * will be used. + */ + protected function httpResponse($code, $msg = null) + { + if (isset($_SERVER['SERVER_PROTOCOL'])) { + $protocol = $_SERVER['SERVER_PROTOCOL']; + } else { + $protocol = 'HTTP/1.1'; + } + + if ($msg === null) { + switch ($code) { + case 100: $msg = 'Continue'; break; + case 101: $msg = 'Switching Protocols'; break; + case 200: $msg = 'OK'; break; + case 201: $msg = 'Created'; break; + case 202: $msg = 'Accepted'; break; + case 203: $msg = 'Non-Authoritative Information'; break; + case 204: $msg = 'No Content'; break; + case 205: $msg = 'Reset Content'; break; + case 206: $msg = 'Partial Content'; break; + case 300: $msg = 'Multiple Choices'; break; + case 301: $msg = 'Moved Permanently'; break; + case 302: $msg = 'Found'; break; + case 303: $msg = 'See Other'; break; + case 304: $msg = 'Not Modified'; break; + case 305: $msg = 'Use Proxy'; break; + case 307: $msg = 'Temporary Redirect'; break; + case 400: $msg = 'Bad Request'; break; + case 401: $msg = 'Unauthorized'; break; + case 402: $msg = 'Payment Required'; break; + case 403: $msg = 'Forbidden'; break; + case 404: $msg = 'Not Found'; break; + case 405: $msg = 'Method Not Allowed'; break; + case 406: $msg = 'Not Acceptable'; break; + case 407: $msg = 'Proxy Authentication Required'; break; + case 408: $msg = 'Request Timeout'; break; + case 409: $msg = 'Conflict'; break; + case 410: $msg = 'Gone'; break; + case 411: $msg = 'Length Required'; break; + case 412: $msg = 'Precondition Failed'; break; + case 413: $msg = 'Request Entity Too Large'; break; + case 414: $msg = 'Request-URI Too Long'; break; + case 415: $msg = 'Unsupported Media Type'; break; + case 416: $msg = 'Requested Range Not Satisfiable'; break; + case 417: $msg = 'Expectation Failed'; break; + case 500: $msg = 'Internal Server Error'; break; + case 501: $msg = 'Not Implemented'; break; + case 502: $msg = 'Bad Gateway'; break; + case 503: $msg = 'Service Unavailable'; break; + case 504: $msg = 'Gateway Timeout'; break; + case 505: $msg = 'HTTP Version Not Supported'; break; + default: throw new \InvalidArgumentException('Invalid code'); + } + } + + header("$protocol $code $msg"); + } + +} + diff --git a/composer.json b/composer.json new file mode 100644 index 0000000..4a3845e --- /dev/null +++ b/composer.json @@ -0,0 +1,17 @@ +{ + "name": "photo-backup/server", + "description": "The PHP PhotoBackup server implementation", + "license": "mit", + "authors": [ + { + "name": "Martijn van der Ven", + "email": "martijn@zegnat.net" + } + ], + "require": { + "php": ">=5.4" + }, + "autoload": { + "psr-4": { "PhotoBackup\\": "class/" } + } +} diff --git a/index.php b/index.php deleted file mode 100644 index f2a7e98..0000000 --- a/index.php +++ /dev/null @@ -1,171 +0,0 @@ - - * @copyright 2015 Martijn van der Ven - * @license http://opensource.org/licenses/MIT The MIT License - */ - -/** - * The password required to upload to this server. - * - * The password is currently stored as clear text here. PHP code is not normally - * readable by third-parties so this should be safe enough. Many applications - * store database credentials in this way as well. A secondary and safer way is - * being considered for the next version. - * - * @global string $Password A string (encapsulated by quotes). - */ -$Password = 'example'; - -/** - * The directory where files should be uploaded to. - * - * This directory path is relative to this index.php file and should not end - * with a /. It should point to an existing directory on the server. - * - * @global string $MediaRoot A string (encapsulated by quotes). - */ -$MediaRoot = 'photos'; - -// ----------------------------------------------------------------------------- -// NO CONFIGURATION NECCESSARY BEYOND THIS POINT. -// ----------------------------------------------------------------------------- - -/** - * Establish what HTTP version is being used by the server. - */ -if (isset($_SERVER['SERVER_PROTOCOL'])) { - $protocol = $_SERVER['SERVER_PROTOCOL']; -} else { - $protocol = 'HTTP/1.0'; -} - -/** - * Find out if the client is requesting the test page. - */ -$request = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); -$testing = substr($request, -5) === '/test'; - -/** - * If no data has been POSTed to the server and the client did not request the - * test page, exit imidiately. - */ -if (empty($_POST) && !$testing) { - exit(); -} - -/** - * If we are testing the server and see that no password has been set, exit with - * HTTP code 401. - */ -if ( - $testing && - ( - !isset($Password) || - !is_string($Password) - ) -) { - header($protocol . ' 401 Unauthorized'); - exit(); -} - -/** - * Exit with HTTP code 403 if no password has been set on the server, or if the - * client did not submit a password, or the submitted password did not match - * this server's password. - */ -if ( - !isset($Password) || - !is_string($Password) || - !isset($_POST['password']) || - $_POST['password'] !== hash('sha512', $Password) -) { - header($protocol . ' 403 Forbidden'); - exit(); -} - -/** - * If the upload destination folder has not been configured, does not exist, or - * is not writable by PHP, exit with HTTP code 500. - */ -if ( - !isset($MediaRoot) || - !is_string($MediaRoot) || - !file_exists($MediaRoot) || - !is_dir($MediaRoot) || - !is_writable($MediaRoot) -) { - header($protocol . ' 500 Internal Server Error'); - exit(); -} - -/** - * If we were only supposed to test the server, end here. - */ -if ($testing) { - exit(); -} - -/** - * If the client did not submit a filesize, exit with HTTP code 400. - */ -if (!isset($_POST['filesize'])) { - header($protocol . ' 400 Bad Request'); - exit(); -} - -/** - * If the client did not upload a file, or something went wrong in the upload - * process, exit with HTTP code 401. - */ -if ( - !isset($_FILES['upfile']) || - $_FILES['upfile']['error'] !== UPLOAD_ERR_OK || - !is_uploaded_file($_FILES['upfile']['tmp_name']) -) { - header($protocol . ' 401 Unauthorized'); - exit(); -} - -/** - * If the client submitted filesize did not match the uploaded file's size, exit - * with HTTP code 411. - */ -if (intval($_POST['filesize']) !== $_FILES['upfile']['size']) { - header($protocol . ' 411 Length Required'); - exit(); -} - -/** - * Sanitize the file name to maximise server operating system compatibility and - * minimize possible attacks against this implementation. - */ -$filename = preg_replace('@\s+@', '-', $_FILES['upfile']['name']); -$filename = preg_replace('@[^0-9a-z._-]@i', '', $filename); -$target = $MediaRoot . '/' . $filename; - -/** - * If a file with the same name and size exists, treat the new upload as a - * duplicate and exit. - */ -if ( - file_exists($target) && - filesize() === $_POST['filesize'] -) { - header($protocol . ' 409 Conflict'); - exit(); -} - -/** - * Move the uploaded file into the target directory. If anything did not work, - * exit with HTTP code 500. - */ -if (!move_uploaded_file($_FILES["upfile"]["tmp_name"], $target)) { - header($protocol . ' 500 Internal Server Error'); - exit(); -} - -exit(); diff --git a/index.php.example b/index.php.example new file mode 100644 index 0000000..0736b5d --- /dev/null +++ b/index.php.example @@ -0,0 +1,58 @@ + + * @copyright 2015 Martijn van der Ven + * @license http://opensource.org/licenses/MIT The MIT License + */ + +$config = array(); + +/** + * The password required to upload to this server. + * + * The password is currently stored as clear text here. PHP code is not normally + * readable by third-parties so this should be safe enough. Many applications + * store database credentials in this way as well. A secondary and safer way is + * being considered for the next version. + * + * @global string $Password A string (encapsulated by quotes). + */ +$config['password'] = ''; + +/** + * The directory where files should be uploaded to. + * + * This directory path is relative to this index.php file and should not end + * with a /. It should point to an existing directory on the server. + * + * @global string $MediaRoot A string (encapsulated by quotes). + */ +$config['mediaRoot'] = 'photos'; + + +// ----------------------------------------------------------------------------- + +/* + * Alternatively you can use this file as a configuration file somewhere + * outside the document root of your web server. In such case uncomment the + * following line: + */ +// return $config; + +/* ... and then replace everything above in the real index.php with the + * following line to load the configuration file: + */ +// $config = require '/path/to/your/config.php'; + + +// ----------------------------------------------------------------------------- +// NO CONFIGURATION NECCESSARY BEYOND THIS POINT. +// ----------------------------------------------------------------------------- + +// Start the server +require __DIR__.'/class/Server.php'; +\PhotoBackup\Server::main($config); +