1 files changed, 31 insertions, 2 deletions

diff --git a/emotes/upload.php b/emotes/upload.php
index d931c05..54d5a15 100644
--- a/emotes/upload.php
+++ b/emotes/upload.php
@@ -28,6 +28,9 @@ $db = new PDO(CONFIG['database']['url'], CONFIG['database']['user'], CONFIG['dat
 
 function abort_upload(string $path, PDO $db, string $id)
 {
+    if (isset($image, $image['manually_downloaded'])) {
+        unlink($image['tmp_name']);
+    }
     $stmt = $db->prepare("DELETE FROM emotes WHERE id = ?");
     $stmt->execute([$id]);
     $db = null;
@@ -396,11 +399,37 @@ if ($is_manual && !isset($_FILES["file-1x"], $_FILES["file-2x"], $_FILES["file-3
     exit;
 }
 
-if (!$is_manual && !isset($_FILES["file"])) {
+if (
+    !$is_manual &&
+    !isset($_FILES["file"]) &&
+    (!isset($_POST['file']) && CONFIG['emote']['urlupload'])
+) {
     generate_alert("/emotes/upload.php", "No file set");
     exit;
 }
 
+// downloading a file
+$image = $_FILES["file"] ?? null;
+if (!$image && isset($_POST["file"]) && CONFIG['emote']['urlupload']) {
+    $path = '/tmp/' . generate_random_string(16);
+
+    $ch = curl_init($_POST["file"]);
+    $fp = fopen($path, 'wb');
+
+    curl_setopt($ch, CURLOPT_FILE, $fp);
+    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+
+    curl_exec($ch);
+
+    curl_close($ch);
+    fclose($fp);
+
+    $image = [
+        'tmp_name' => $path,
+        'manually_downloaded' => true
+    ];
+}
+
 $code = str_safe($_POST["code"] ?? "", CONFIG['emote']['maxnamelength']);
 
 if ($code == "" || !preg_match(CONFIG['emote']['nameregex'], $code)) {
@@ -460,7 +489,6 @@ if ($is_manual) {
         exit;
     }
 } else {
-    $image = $_FILES["file"];
     // resizing the image
     if ($err = create_image_bundle($image["tmp_name"], $path, $max_width, $max_height)) {
         generate_alert("/emotes/upload.php", "Error occurred while processing images ($err)", 500);
@@ -471,6 +499,7 @@ if ($is_manual) {
     if (CONFIG['emote']['storeoriginal']) {
         $ext = get_file_extension($image["tmp_name"]) ?? "";
         move_uploaded_file($image["tmp_name"], "$path/original.$ext");
+        unlink($image["tmp_name"]);
     }
 }