From 6838ca93c303e96f035232cbdb45caf1efcb687b Mon Sep 17 00:00:00 2001
From: Sergio Brighenti
Date: Sun, 15 Sep 2019 16:00:12 +0200
Subject: [PATCH] lock file
---
 CHANGELOG.md | 5 +++
 app/Controllers/UploadController.php | 8 +++-
 app/Controllers/UserController.php | 2 +-
 app/helpers.php | 56 ++++++++++++++++++++----
 bin/migrate | 2 +-
 bootstrap/app.php | 1 +
 composer.json | 2 +-
 install/index.php | 2 +-
 resources/templates/dashboard/admin.twig | 2 +-
 resources/templates/dashboard/home.twig | 2 +-
 10 files changed, 66 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 18b0b35..4648684 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## v2.6.4
++ Filter on displayable images.
++ Fixed during upload error on php compiled for 32 bit.
++ The generated random strings are now more human readable.
+
 ## v2.6.3
 + Fixed #67.
 + Fixed bad preload statement.
diff --git a/app/Controllers/UploadController.php b/app/Controllers/UploadController.php
index adc53dd..eb71a2d 100644
--- a/app/Controllers/UploadController.php
+++ b/app/Controllers/UploadController.php
@@ -62,7 +62,7 @@ class UploadController extends Controller
 }
 do {
- $code = uniqid();
+ $code = humanRandomString();
 } while ($this->database->query('SELECT COUNT(*) AS `count` FROM `uploads` WHERE `code` = ?', $code)->fetch()->count > 0);
 /** @var \Psr\Http\Message\UploadedFileInterface $file */
@@ -114,8 +114,12 @@ class UploadController extends Controller
 $size = $filesystem->getSize($media->storage_path);
 $type = explode('/', $media->mimetype)[0];
+ if ($type === 'image' && !isDisplayableImage($media->mimetype)) {
+ $type = 'application';
+ $media->mimetype = 'application/octet-stream';
+ }
 if ($type === 'text') {
- if ($size <= (200 * 1024)) {// less than 200 KB
+ if ($size <= (200 * 1024)) { // less than 200 KB
 $media->text = $filesystem->read($media->storage_path);
 } else {
 $type = 'application';
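Review bot: The upload `code` produced by `humanRandomString()` here is the public handle for the stored file, and its strength is now whatever the helper's default length and alphabet give; neither is visible in this patch, because the helpers.php hunk is garbled on this page. A "human readable" alphabet usually drops look-alike characters, which shrinks the keyspace, so the default length has to compensate, and the helper must draw from `random_int()`/`random_bytes()` rather than `rand()`/`mt_rand()` for codes to stay unguessable. I would state that expectation at the call site: `// public URL handle: helper must be CSPRNG-backed and long enough for its reduced alphabet`. The `SELECT COUNT(*)` retry loop only guards against duplicates (and can still race with a concurrent insert), not against guessing. The enclosing upload method starts and ends outside this hunk.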
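Review bot: The new `isDisplayableImage()` gate decides which `image/*` files keep their real MIME type and get rendered inline by the templates, so its allow-list carries the security weight of this change, and that list is not visible in this patch (the helpers.php hunk is garbled on this page). If `image/svg+xml` passes the check, the file presumably keeps its type and is embedded as an image, and an SVG can carry script, which turns an upload into a stored-XSS vector on this origin; SVG should either be excluded from the list or downgraded to `application/octet-stream` like the other non-displayable types. It is also worth a comment that the override only touches the in-memory `$media` object, since nothing visible in the hunk writes it back and a reader may assume the stored record changes: `// downgrade in memory for this response only; the stored mimetype is untouched`. The surrounding method continues outside the hunk.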
diff --git a/app/Controllers/UserController.php b/app/Controllers/UserController.php
index 71a0644..d868602 100644
--- a/app/Controllers/UserController.php
+++ b/app/Controllers/UserController.php
@@ -81,7 +81,7 @@ class UserController extends Controller
 }
 do {
- $userCode = substr(md5(microtime()), rand(0, 26), 5);
+ $userCode = humanRandomString(5);
 } while ($this->database->query('SELECT COUNT(*) AS `count` FROM `users` WHERE `user_code` = ?', $userCode)->fetch()->count > 0);
 $token = $this->generateNewToken();
diff --git a/app/helpers.php b/app/helpers.php
index 4f61174..b67699b 100644
--- a/app/helpers.php
+++ b/app/helpers.php
@@ -1,9 +1,8 @@ getEnvironment()->addFunction(new TwigFunction('asset', 'asset'));
 $view->getEnvironment()->addFunction(new TwigFunction('mime2font', 'mime2font'));
 $view->getEnvironment()->addFunction(new TwigFunction('queryParams', 'queryParams'));
+ $view->getEnvironment()->addFunction(new TwigFunction('isDisplayableImage', 'isDisplayableImage'));
 return $view;
 };
diff --git a/composer.json b/composer.json
index 624cf34..5670ff3 100644
--- a/composer.json
+++ b/composer.json
@@ -1,6 +1,6 @@
 {
 "name": "sergix44/xbackbone",
- "version": "2.6.3",
+ "version": "2.6.4",
 "description": "A lightweight ShareX PHP backend",
 "type": "project",
 "require": {
diff --git a/install/index.php b/install/index.php
index 2f45cfc..f5272b1 100644
--- a/install/index.php
+++ b/install/index.php
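Review bot: `humanRandomString(5)` replaces a value carved out of `md5(microtime())`, which was predictable, but five characters from a reduced human-readable alphabet is a small keyspace, so `user_code` has to be treated as a non-secret identifier no matter how good the generator is. If anything elsewhere relies on `user_code` being unguessable, the length should be raised here rather than leaning on the uniqueness loop, which only prevents duplicates and can still race with a concurrent insert between the `SELECT COUNT(*)` and the write. Please also confirm the helper is built on `random_int()`, since the weakness of the old code was its source of randomness, not only its appearance. I would record the intent at the call site: `// short, human-typeable identifier: uniqueness only, not a secret`. The enclosing method continues outside this hunk.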
@@ -305,7 +305,7 @@ $app->post('/', function (Request $request, Response $response) use (&$config) {
 // if not installed, create the default admin account
 if (!$installed) {
- DB::doQuery("INSERT INTO `users` (`email`, `username`, `password`, `is_admin`, `user_code`) VALUES (?, 'admin', ?, 1, ?)", [$request->getParam('email'), password_hash($request->getParam('password'), PASSWORD_DEFAULT), substr(md5(microtime()), rand(0, 26), 5)]);
+ DB::doQuery("INSERT INTO `users` (`email`, `username`, `password`, `is_admin`, `user_code`) VALUES (?, 'admin', ?, 1, ?)", [$request->getParam('email'), password_hash($request->getParam('password'), PASSWORD_DEFAULT), humanRandomString(5)]);
 }
 // post install cleanup
diff --git a/resources/templates/dashboard/admin.twig b/resources/templates/dashboard/admin.twig
index 24d4e7f..0a8d51d 100644
--- a/resources/templates/dashboard/admin.twig
+++ b/resources/templates/dashboard/admin.twig
@@ -30,7 +30,7 @@ {% for media in medias %}
- {% if media.mimetype starts with 'image' %}
+ {% if isDisplayableImage(media.mimetype) %}
 {% if media.username is not null %}
 {% else %}
diff --git a/resources/templates/dashboard/home.twig b/resources/templates/dashboard/home.twig
index 43d6129..84aa0d5 100644
--- a/resources/templates/dashboard/home.twig
+++ b/resources/templates/dashboard/home.twig
@@ -12,7 +12,7 @@ {% for media in medias %}
- {% if media.mimetype starts with 'image' %}
+ {% if isDisplayableImage(media.mimetype) %}
 Card image {% else %}