OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	11/28/2024 11:03:35 AM	rwxrwxr-x
📄 chk.logged.in.php	1.16 KB	01/10/2021 12:30:27 PM	rw-r--r--
📄 chk.login.php	1.31 KB	02/10/2022 03:03:00 PM	rw-r--r--
📄 get.section.account.php	15.11 KB	12/28/2024 08:09:41 AM	rw-r--r--
📄 get.section.analytics.php	28.73 KB	03/02/2025 09:40:12 AM	rw-r--r--
📄 get.section.collection.php	69.19 KB	03/04/2025 05:15:01 AM	rw-r--r--
📄 get.section.community.php	7.71 KB	09/09/2024 09:46:26 AM	rw-r--r--
📄 get.section.create.php	22.41 KB	05/22/2024 11:08:28 AM	rw-r--r--
📄 get.section.curated.php	33.87 KB	03/02/2025 10:52:06 AM	rw-r--r--
📄 get.section.dashboard.php	3.31 KB	02/10/2022 02:58:26 PM	rw-r--r--
📄 get.section.feed.php	6.87 KB	03/09/2023 05:28:34 AM	rw-r--r--
📄 get.section.genai.php	9.87 KB	08/21/2024 07:23:47 AM	rw-r--r--
📄 get.section.genaicreative.php	10.55 KB	08/21/2024 07:23:45 AM	rw-r--r--
📄 get.section.general.php	9.31 KB	08/22/2023 09:34:25 AM	rw-r--r--
📄 get.section.newsletter.php	18.97 KB	08/22/2024 06:42:01 AM	rw-r--r--
📄 get.section.request.article.php	13.34 KB	03/02/2025 06:07:24 AM	rw-r--r--
📄 get.section.settings.php	42.64 KB	03/02/2025 10:13:44 AM	rw-r--r--
📄 get.section.team.php	6.73 KB	05/23/2024 04:45:44 AM	rw-r--r--
📄 get.section.utils.php	4.1 KB	06/26/2021 06:06:51 AM	rw-r--r--
📄 logout.php	428 bytes	08/16/2020 11:22:29 AM	rw-r--r--
📄 sendgrid.php	3.62 KB	03/09/2021 04:01:36 AM	rw-r--r--
📄 upload.php	2.4 KB	08/22/2020 01:33:43 PM	rw-r--r--
📄 zget.section.analytics.php	11.45 KB	03/02/2025 06:25:31 AM	rw-r--r--

Editing: upload.php

session_start();

if (isset($_SESSION['userId'])) {
   $gUserId = $_SESSION['userId'];
  } else {
   die();
  }

/*******************************************************
   * Only these origins will be allowed to upload images *
   ******************************************************/
  $accepted_origins = array("http://localhost", "https://staging.knoblycream.com", "http://staging.knoblycream.com", "https://www.knoblycream.com", "http://www.knoblycream.com", "https://knoblycream.com", "http://knoblycream.com");

/*********************************************
   * Change this line to set the upload folder *
   *********************************************/
  $imageFolder = "data/posts/$gUserId/";

$chkFolder = "../data/posts/$gUserId";
  if (!file_exists($chkFolder)) {
   mkdir($chkFolder, 0777, true);
  }
  
  reset ($_FILES);
  $temp = current($_FILES);
  if (is_uploaded_file($temp['tmp_name'])){
    if (isset($_SERVER['HTTP_ORIGIN'])) {
      // same-origin requests won't set an origin. If the origin is set, it must be valid.
      if (in_array($_SERVER['HTTP_ORIGIN'], $accepted_origins)) {
        header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
      } else {
        header("HTTP/1.1 403 Origin Denied");
        return;
      }
    }

// Sanitize input
    if (preg_match("/([^\w\s\d\-_~,;:\[\].])|([\.]{2,})/", $temp['name'])) {
        header("HTTP/1.1 400 Invalid file name.");
        return;
    }

// Verify extension
    if (!in_array(strtolower(pathinfo($temp['name'], PATHINFO_EXTENSION)), array("gif", "jpg", "png"))) {
        header("HTTP/1.1 400 Invalid extension.");
        return;
    }

// Accept upload if there was no origin, or if it is an accepted origin
    // $filetowrite = $imageFolder . $temp['name'];

$fileRaw = hash('ripemd160', time().mt_rand(10,1000)) . '.' . pathinfo($temp['name'], PATHINFO_EXTENSION);
    $fileWrite = '../' . $imageFolder . $fileRaw;
    $fileShow = $imageFolder . $fileRaw;

move_uploaded_file($temp['tmp_name'], $fileWrite);

// Respond to the successful upload with JSON.
    // Use a location key to specify the path to the saved image resource.
    // { location : '/your/uploaded/image/file'}
    echo json_encode(array('location' => $fileShow));
  } else {
    // Notify editor that the upload failed
    header("HTTP/1.1 500 Server Error");
  }
?>