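/**
 * Store the files posted in the multi-file "attach" field as attachments of
 * post $pid in topic $tid.
 *
 * Configuration comes from the global $pun_config (upload path, allowed and
 * image extensions, size and dimension limits). Every stored file decrements
 * the global $file_limit, and "::thumb$i::" placeholders in the global
 * $message (i = 1-based position of the file in the form) are rewritten to
 * "::thumbNN::" with the new attachment id, persisting the post if any were
 * replaced.
 *
 * @param int|string $tid            Topic id the attachments belong to.
 * @param int|string $pid            Post id the attachments belong to.
 * @param int        $total_uploaded Out-parameter: number of files stored.
 * @return string|null HTML fragment listing skipped files and the upload count,
 *                     or null when no files were posted / the mod is not configured.
 */
function process_uploaded_files($tid, $pid, &$total_uploaded)
{
    global $pun_config, $lang_common, $lang_fu, $db, $file_limit, $message;

    // Only a multi-file field yields an array of error codes; bail out on
    // anything else instead of iterating a scalar.
    if (!isset($_FILES['attach']['error']) || !is_array($_FILES['attach']['error']) || !check_mod_config()) {
        return null;
    }

    $result = null;
    $total_uploaded = 0;
    $dest = $pun_config['file_upload_path'];
    $allowed_ext = explode(',', $pun_config['file_allowed_ext']);
    $image_ext = explode(',', $pun_config['file_image_ext']);
    // Both ids end up inside SQL strings below; force integers so a
    // non-numeric value can never reach the query.
    $topic_id = (int) $tid;
    $post_id = (int) $pid;

    $i = 0;
    $thumb_from = $thumb_to = array();

    foreach ($_FILES['attach']['error'] as $key => $error) {
        $i++;

        if ((int) $error !== UPLOAD_ERR_OK) {
            switch ($error) {
                case UPLOAD_ERR_INI_SIZE:
                    $result .= 'File #' . $i . ' - ERROR: exceeds the upload_max_filesize<br />';
                    break;
                case UPLOAD_ERR_FORM_SIZE:
                    $result .= 'File #' . $i . ' - ERROR: exceeds the form MAX_FILE_SIZE<br />';
                    break;
                case UPLOAD_ERR_PARTIAL:
                    $result .= 'File #' . $i . ' - ERROR: partially uploaded<br />';
                    break;
                case UPLOAD_ERR_NO_FILE:
                    // Empty input field: nothing to report.
                    break;
                default:
                    $result .= 'File #' . $i . ' - ERROR: ' . $error . '<br />';
                    break;
            }
            continue;
        }

        // Stop once the poster's attachment quota is used up.
        if ($file_limit <= 0) {
            break;
        }

        $mime = $_FILES['attach']['type'][$key];
        $tmp_name = $_FILES['attach']['tmp_name'][$key];

        // Only touch files PHP itself placed in the upload tmp dir; a forged
        // tmp_name could otherwise name any readable path on the server.
        if (!is_uploaded_file($tmp_name)) {
            continue;
        }

        $orig_name = $_FILES['attach']['name'][$key];
        $size = filesize($tmp_name);
        $file_ext = strtolower(get_file_extension($orig_name));

        // Extension whitelist; strict comparison so numeric-looking
        // extensions cannot match loosely.
        if ($file_ext === '' || !in_array($file_ext, $allowed_ext, true)) {
            $result .= $orig_name . ' ' . $lang_fu['Extension Banned'] . '.<br />';
            continue;
        }

        if ($size > $pun_config['file_max_size']) {
            $result .= $orig_name . ' ' . $lang_fu['Size Too Big'] . '.<br />';
            continue;
        }

        $dim = null;
        if (in_array($file_ext, $image_ext, true)) {
            // getimagesize() returns false for anything that is not a real
            // image, so a renamed non-image is rejected here.
            $info = getimagesize($tmp_name);
            $width = $info ? $info[0] : 0;
            $height = $info ? $info[1] : 0;
            if (!$width || !$height) {
                $result .= $orig_name . ' ' . $lang_fu['Not Image'] . '.<br />';
                continue;
            }
            if ($width > $pun_config['file_max_width'] || $height > $pun_config['file_max_height']) {
                $result .= $orig_name . ' ' . $lang_fu['Dim Too Big'] . '.<br />';
                continue;
            }
            $dim = $width . 'x' . $height;
        }

        // Stored under a generated name with a fixed ".ext" suffix; the
        // user-supplied name is only kept in the database.
        $store_name = generate_unique_filename(PUN_ROOT . $dest, '.ext');
        $store_path = PUN_ROOT . $dest . $store_name;
        if (!move_uploaded_file($tmp_name, $store_path)) {
            // Do not record an attachment whose file never reached the upload directory.
            $result .= 'File #' . $i . ' - ERROR: could not be moved to the upload directory<br />';
            continue;
        }
        // chmod() the same absolute path that was just written (a bare
        // $dest path is relative to the CWD and may name a different file).
        // Mode left at 0666 to match existing deployments.
        chmod($store_path, 0666);

        // NOTE: post author and attachment author may differ (if attach in edit)
        $attach_poster = (int) $GLOBALS['pun_user']['id'];
        $now = time();
        $db->query('INSERT INTO ' . $db->prefix . 'attachments (poster_id, topic_id, post_id, uploaded, filename, mime, location, size, image_dim) VALUES (\'' . $attach_poster . '\', \'' . $topic_id . '\', \'' . $post_id . '\', ' . $now . ', \'' . $db->escape($orig_name) . '\', \'' . $db->escape($mime) . '\', \'' . $db->escape($dest . $store_name) . '\', \'' . (int) $size . '\', \'' . $dim . '\')') or error('Unable to insert attachment record into database.', __FILE__, __LINE__, $db->error());
        $aid = $db->insert_id();

        $thumb_from[] = '::thumb$' . $i . '::';
        $thumb_to[] = '::thumb' . $aid . '::';
        $total_uploaded++;
        $file_limit--;
    }

    if ($total_uploaded) {
        $result .= '<br />' . $lang_fu['Uploaded'] . ' ' . $total_uploaded . ' ' . $lang_fu['files'] . '<br /><br />';
    }

    // Translate ::thumb$i:: (form position) to ::thumbNN:: (attachment id).
    if (strpos($message, '::thumb$') !== false) {
        $message = str_replace($thumb_from, $thumb_to, $message);
        $db->query('UPDATE ' . $db->prefix . 'posts SET message=\'' . $db->escape($message) . '\' WHERE id=' . $post_id) or error('Unable to update post', __FILE__, __LINE__, $db->error());
    }

    return $result;
}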
/**
 * Return a filename that does not collide with an existing upload.
 *
 * Passes the root form of $old_filename (get_root_filename) together with the
 * matching name list (get_filename_list) to generate_unique_filename(), and
 * logs at OPENDB_LOG_INFO whenever the name handed back differs from the one
 * requested.
 *
 * @param string $old_filename Requested filename.
 * @return string The requested name, or the variant generate_unique_filename() chose.
 */
function get_unique_filename($old_filename)
{
    $root = get_root_filename($old_filename);
    $filename = generate_unique_filename($root, get_filename_list($root));

    if ($filename == $old_filename) {
        return $filename;
    }

    // Name was changed to avoid a clash; leave a trace for the admin log.
    opendb_logger(OPENDB_LOG_INFO, __FILE__, __FUNCTION__, "Upload file already exists - generating a unique filename", array($old_filename, $filename));

    return $filename;
}