bludit/bl-kernel/ajax/upload-profile-picture.php

<?php defined('BLUDIT') or die('Bludit CMS.');
header('Content-Type: application/json');

// $_POST
// ----------------------------------------------------------------------------
// (string) $_POST['username']
$username = empty($_POST['username']) ? false : $_POST['username'];
// ----------------------------------------------------------------------------

if ($username===false) {
	ajaxResponse(1, 'Error in username.');
}

if (!isset($_FILES['profilePictureInputFile'])) {
	ajaxResponse(1, 'Error trying to upload the profile picture.');
}

// File extension
$allowedExtensions = array('gif', 'png', 'jpg', 'jpeg', 'svg');
$fileExtension = pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
if (!in_array($fileExtension, $allowedExtensions) ) {
	$message = 'File type is not supported. Allowed types: '.implode(', ',$allowedExtensions);
	Log::set($message, LOG_TYPE_ERROR);
	ajaxResponse(1, $message);
}

// Tmp filename
$tmpFilename = $username.'.'.$fileExtension;

// Final filename
$filename = $username.'.png';

// Check path traversal
if (Text::stringContains($username, '/', false)) {
	$message = 'Path traversal detected.';
	Log::set($message, LOG_TYPE_ERROR);
	ajaxResponse(1, $message);
}

// Move from temporary directory to uploads folder
rename($_FILES['profilePictureInputFile']['tmp_name'], PATH_TMP.$tmpFilename);

// Resize and convert to png
$image = new Image();
$image->setImage(PATH_TMP.$tmpFilename, PROFILE_IMG_WIDTH, PROFILE_IMG_HEIGHT, 'crop');
$image->saveImage(PATH_UPLOADS_PROFILES.$filename, PROFILE_IMG_QUALITY, false, true);

// Remove the tmp file
unlink(PATH_TMP.$tmpFilename);

// Permissions
chmod(PATH_UPLOADS_PROFILES.$filename, 0644);

ajaxResponse(0, 'Image uploaded.', array(
	'filename'=>$filename,
	'absoluteURL'=>DOMAIN_UPLOADS_PROFILES.$filename,
	'absolutePath'=>PATH_UPLOADS_PROFILES.$filename
));

?>