Editing: upload.php
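<?php
/**
 * Image upload endpoint for the article editor.
 *
 * Takes the first entry of $_FILES, checks the request origin, the client
 * file name, the extension and the actual image content, stores the file
 * under data/articles/<articleId>/ with a random name, and answers with
 * JSON of the form {"location": "<relative path>"}.
 *
 * Responses: 400 for a rejected article id, file name, extension or content;
 * 403 for a foreign Origin; 500 when the upload is missing or cannot be stored.
 *
 * NOTE(review): the only access gate visible in this file is the presence of
 * $_SESSION['articleId']; confirm that it is set only after a successful login
 * and that the caller is allowed to edit that article.
 * NOTE(review): content checks do not stop image/script polyglots, so the
 * data/articles tree should be served without PHP execution.
 */
session_start();

if (!isset($_SESSION['articleId'])) {
    die();
}
$gArticleId = (string) $_SESSION['articleId'];

// The id is interpolated into a filesystem path below, so refuse anything
// that could leave the data/articles directory (separators, "..", NUL).
if (
    $gArticleId === ''
    || strpbrk($gArticleId, "/\\\0") !== false
    || strpos($gArticleId, '..') !== false
) {
    header("HTTP/1.1 400 Invalid article id.");
    return;
}

/*******************************************************
 * Only these origins will be allowed to upload images *
 *******************************************************/
// NOTE(review): the list contains localhost and a plain-http origin; both
// look like development leftovers and should be reviewed before production.
$accepted_origins = array("http://localhost", "https://139.59.41.116", "http://139.59.41.116");

/*********************************************
 * Change this line to set the upload folder *
 *********************************************/
$imageFolder = "data/articles/$gArticleId/";
$chkFolder = "../../data/articles/$gArticleId";

// 0755 instead of 0777: the directory is created by this process, so other
// local users do not need write access. The second is_dir() covers a
// concurrent request that created the directory first.
if (!is_dir($chkFolder) && !mkdir($chkFolder, 0755, true) && !is_dir($chkFolder)) {
    header("HTTP/1.1 500 Server Error");
    return;
}

reset($_FILES);
$temp = current($_FILES);

// current() yields false for an empty $_FILES, and an array-style field
// (name="file[]") makes tmp_name an array; both are treated as "no upload".
$hasUpload = is_array($temp)
    && isset($temp['tmp_name'], $temp['name'])
    && is_string($temp['tmp_name'])
    && is_string($temp['name'])
    && is_uploaded_file($temp['tmp_name']);

if ($hasUpload) {
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        // Same-origin requests won't set an origin. If the origin is set, it must be valid.
        if (in_array($_SERVER['HTTP_ORIGIN'], $accepted_origins, true)) {
            header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
        } else {
            header("HTTP/1.1 403 Origin Denied");
            return;
        }
    }

    // Reject client file names with unexpected characters or consecutive dots.
    if (preg_match("/([^\w\s\d\-_~,;:\[\]\(\).])|([\.]{2,})/", $temp['name'])) {
        header("HTTP/1.1 400 Invalid file name.");
        return;
    }

    // Verify the claimed extension against the allow-list.
    $claimedExtension = strtolower(pathinfo($temp['name'], PATHINFO_EXTENSION));
    if (!in_array($claimedExtension, array("gif", "jpg", "png"), true)) {
        header("HTTP/1.1 400 Invalid extension.");
        return;
    }

    // The extension above is client-controlled. Inspect the uploaded bytes and
    // take the stored extension from the detected image type instead.
    $extensionByType = array(
        IMAGETYPE_GIF => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG => 'png',
    );
    $imageInfo = getimagesize($temp['tmp_name']);
    if ($imageInfo === false || !isset($extensionByType[$imageInfo[2]])) {
        header("HTTP/1.1 400 Invalid file content.");
        return;
    }

    // Random, non-guessable name (40 hex characters, same length as before).
    // time() . mt_rand(10, 1000) allowed fewer than a thousand names per second,
    // which is both predictable and collision-prone. Requires PHP 7+.
    $fileRaw = bin2hex(random_bytes(20)) . '.' . $extensionByType[$imageInfo[2]];
    $fileWrite = '../../' . $imageFolder . $fileRaw;
    $fileShow = $imageFolder . $fileRaw;

    // Do not report success when the file could not be stored.
    if (!move_uploaded_file($temp['tmp_name'], $fileWrite)) {
        header("HTTP/1.1 500 Server Error");
        return;
    }

    // Respond to the successful upload with JSON.
    // Use a location key to specify the path to the saved image resource.
    // { location : '/your/uploaded/image/file'}
    echo json_encode(array('location' => $fileShow));
} else {
    // Notify editor that the upload failed
    header("HTTP/1.1 500 Server Error");
}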