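/**
 * Replace the current project image with an uploaded file.
 *
 * Reads the globals $projectid, $image and $projects_dir to locate the file
 * being replaced. The destination path is built from those globals only;
 * the client-supplied upload name is used solely for the extension check,
 * so it never becomes part of a filesystem path here.
 *
 * @param array $replacement_image_info one entry of $_FILES
 *              ('name', 'type', 'size', 'tmp_name', 'error')
 * @return string '' on success, otherwise a translated error message
 */
function handle_upload($replacement_image_info)
{
    global $projectid, $image;
    global $projects_dir;

    // Refuse anything PHP itself flagged as a failed or partial upload.
    $error_code = $replacement_image_info['error'];
    if ($error_code != UPLOAD_ERR_OK) {
        return sprintf(_('Error code = %d.'), $error_code) . "\n"
            . "(" . get_upload_err_msg($error_code) . ")";
    }

    // The replacement must carry the same extension as the file it replaces.
    // Compare with !== : pathinfo() returns strings, and the loose != would
    // compare numeric-looking extensions ("0" vs "00", "1e1" vs "10")
    // numerically and let a mismatch through.
    $curr_ext = pathinfo($image, PATHINFO_EXTENSION);
    $repl_ext = pathinfo($replacement_image_info['name'], PATHINFO_EXTENSION);
    if ($curr_ext !== $repl_ext) {
        return sprintf(
            _("Replacement file's extension (%s) does not match current file's extension (%s)."),
            $repl_ext,
            $curr_ext
        );
    }

    // $replacement_image_info['type'] is sent by the client and is not
    // verified by PHP, so it is not a trustworthy content check; only the
    // file bytes themselves could be. 'size' is set by PHP from the bytes
    // actually received and is already capped by upload_max_filesize.
    // NOTE(review): $projectid and $image are globals whose validation is
    // not visible here; this function relies on them being safe path parts.
    $image_path = "{$projects_dir}/{$projectid}/{$image}";

    // move_uploaded_file() also fails (returns false) if 'tmp_name' is not
    // a file PHP received via upload, which rules out a forged tmp_name.
    if (move_uploaded_file($replacement_image_info['tmp_name'], $image_path)) {
        return '';
    }
    return _('The uploaded file cannot be moved into the project directory for some reason.');
}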
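/**
 * Receive a zip archive from the 'the_file' form field and store it in the
 * current file-browser directory ($curr_abspath).
 *
 * The upload is rejected unless (1) PHP reports no upload error, (2) it is
 * non-empty, (3) is_valid_filename() accepts the name with a "zip"
 * extension, (4) /usr/bin/file identifies the content as a zip archive by
 * its magic bytes, and (5) when $antivirus_executable is configured, the
 * scanner exits with status 0. Progress lines are echoed and flushed
 * between the slow steps. Every failure goes through fatal_error(), which
 * is relied on not to return.
 *
 * Globals read: $curr_abspath, $hce_curr_displaypath, $antivirus_executable,
 * $pguser, $despecialed_username.
 */
function do_upload()
{
    global $curr_abspath, $hce_curr_displaypath, $antivirus_executable;
    global $pguser, $despecialed_username;

    set_time_limit(14400);

    // Disable gzip compression so each flush() below reaches the browser as
    // a progress line. This doesn't work for every browser, and
    // apache_setenv() only exists under mod_php, so guard the call rather
    // than die with an undefined-function error under other SAPIs.
    if (function_exists('apache_setenv')) {
        apache_setenv('no-gzip', '1');
    }

    $file_info = isset($_FILES['the_file']) ? $_FILES['the_file'] : null;

    // If a user hits "Upload" without selecting a file, most browsers send
    // a file whose name and content are empty; a request with no file at
    // all (null $file_info) is also legal. Handle both.
    if (is_null($file_info) || (string) $file_info['name'] === '') {
        fatal_error(_("You must select a file to upload."));
    }

    // $file_info has 'name' 'type' 'size' 'tmp_name' 'error'
    if ($file_info['error'] != UPLOAD_ERR_OK) {
        fatal_error(get_upload_err_msg($file_info['error']));
    }

    show_message('info', _("File uploaded successfully."));

    if ($file_info['size'] == 0) {
        fatal_error(_("File is empty."));
    }

    // NOTE(review): the filename is client-controlled and is echoed back in
    // this message; this assumes fatal_error() HTML-escapes its argument.
    if (!is_valid_filename($file_info['name'], "zip")) {
        fatal_error(sprintf(_("Invalid filename: %s."), $file_info['name']));
        // (Alternatively, we could construct a name that *was* okay,
        // and use that instead.)
    }

    // Okay so far, now let's run some tests on the content of the file.
    echo "<p>" . _("Examining the uploaded file...") . "</p>\n";
    flush();

    $temporary_path = $file_info['tmp_name'];

    // Verify the upload really is a zip archive using its magic bytes rather
    // than the client-supplied 'type'. The path is passed through
    // escapeshellarg(), which quotes it as a single argument; the previous
    // escapeshellcmd() only escapes metacharacters and does not quote, so a
    // path containing whitespace would have been split into several
    // arguments. '--' additionally stops option parsing.
    //   /usr/bin/file -b: brief output; -i: MIME type
    $zip_test_result = array();
    $zip_retval = 0;
    $cmd = "/usr/bin/file -b -i -- " . escapeshellarg($temporary_path);
    exec($cmd, $zip_test_result, $zip_retval);

    // exec() leaves $zip_test_result empty if 'file' failed to run; don't
    // index into it blindly.
    if ($zip_retval !== 0 || empty($zip_test_result)) {
        fatal_error(_("Unable to determine the type of the uploaded file."));
    }
    list($file_type) = explode(';', $zip_test_result[0], 2);
    $file_type = trim($file_type);
    if ($file_type === 'application/x-zip' || $file_type === 'application/zip') {
        show_message('info', _("OK: Valid zip file."));
    } else {
        fatal_error(_("File is not a valid zip file: removing it."));
    }

    // XXX /usr/bin/file only looks at the first few bytes of the file.
    // Maybe we should check the whole file's integrity with 'unzip -t'.

    // If an antivirus scanner is installed and configured, scan the file.
    if ($antivirus_executable) {
        echo "<p>" . _("Running a virus scan on the file, please wait...") . "</p>\n";
        flush();

        // Run '$antivirus_executable -- <FILENAME>' and expect exit status 0.
        // '--' stops option parsing so the path cannot be read as a switch;
        // escapeshellarg() quotes it as one argument.
        // NOTE(review): exit status 1 is treated as "infection found" below
        // (clamscan's convention) — confirm this holds for the scanner in use.
        $av_test_result = array();
        $av_retval = 0;
        $cmd = "{$antivirus_executable} -- " . escapeshellarg($temporary_path);
        exec($cmd, $av_test_result, $av_retval);

        if ($av_retval === 0) {
            show_message('info', _("OK: AV pass."));
        } elseif ($av_retval === 1) {
            // The scanner may print nothing; don't index into an empty array.
            $av_first_line = isset($av_test_result[0]) ? $av_test_result[0] : '';
            show_message('error', _("AV FAIL: The scan reported an infection. The upload has been discarded."));
            show_message('error', $av_first_line);
            show_message('info', _("You should perform a complete virus scan on your computer as soon as possible."));
            // Log the infected upload, including who sent it, so that
            // user/frequency can be tracked.
            error_log("DPSCANS: Infected upload by {$pguser}: " . $av_first_line);
            show_return_link();
            exit;
        } else {
            fatal_error(_("Undefined AV error message for return value: ") . $av_retval);
        }
    }

    // The file passes all tests!
    if (get_access_mode($pguser) === 'common') {
        $file_prefix = $despecialed_username . "_";
    } else {
        $file_prefix = "";
    }

    // basename() strips any directory component as defense in depth: the
    // contract of is_valid_filename() is not visible here, and the target
    // must stay inside $curr_abspath. For a bare filename it is a no-op.
    $target_name = $file_prefix . basename($file_info['name']);
    $target_path = "{$curr_abspath}/{$target_name}";

    // XXX If there's already something at $target_path, this silently
    // overwrites it. That might or might not be the user's intent.
    if (!@move_uploaded_file($temporary_path, $target_path)) {
        fatal_error(_("Webserver failed to copy uploaded file from temporary location to upload folder."));
    }

    // NOTE(review): $hce_curr_displaypath is emitted unescaped; its name
    // suggests it is already HTML-escaped — verify at the point it is set.
    echo "<p>"
        . sprintf(_('File %1$s successfully uploaded to folder %2$s.'), html_safe($target_name), $hce_curr_displaypath)
        . "</p>\n";

    // Log the file upload, in part so that we can possibly clean up with
    // some automation later.
    error_log("DPSCANS: File uploaded to " . $target_path);

    show_return_link();
}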
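/**
 * Install an uploaded messages.po for $locale and compile it.
 *
 * Changes into $dyn_locales_dir/$locale/LC_MESSAGES/, backs up any existing
 * messages.po (named after its mtime), moves the upload from the 'userfile'
 * field into place and runs POFile::compile(). If compilation throws, the
 * errors are printed and the backup (when one was made) is copied back.
 * Failures are reported by echoing a message and returning; an unusable
 * locale or directory calls die().
 *
 * @param string $locale locale directory name, e.g. "en_US"
 */
function do_upload($locale)
{
    global $dyn_locales_dir;

    // $locale becomes a path component below. Restrict it to the characters
    // a locale directory name can contain and reject '..' so the path can
    // never escape $dyn_locales_dir, regardless of what the caller checked.
    $locale = (string) $locale;
    if (!preg_match('/^[A-Za-z0-9_.@-]+$/', $locale) || strpos($locale, '..') !== false) {
        die("Invalid locale.");
    }

    $messages_dir = "{$dyn_locales_dir}/{$locale}/LC_MESSAGES/";
    if (chdir($messages_dir) === false) {
        die("Unable to change to messages directory.");
    }

    // Backup name for an existing translation, derived from its mtime.
    // date() replaces the strftime() call (deprecated since PHP 8.1) with
    // the same YYYYmmddHHMMSS output. Stays null when there is nothing to
    // back up, so the revert below can tell the two cases apart.
    $save = null;
    if (file_exists("messages.po")) {
        $save = "messages_" . date("YmdHis", filemtime("messages.po")) . ".po";
    }

    // assert() may be compiled out in production; check explicitly.
    if (!isset($_FILES['userfile'])) {
        echo "<p>" . _("The file upload failed.") . "</p>";
        return;
    }
    $upload_info = $_FILES['userfile'];

    // If the upload failed, print the error and go no further.
    $error_code = $upload_info['error'];
    if ($error_code != UPLOAD_ERR_OK) {
        echo sprintf(_("Error code = %d."), $error_code) . "<br>\n"
            . "(" . get_upload_err_msg($error_code) . ")<br>";
        return;
    }

    // If a translation already exists, make a backup and give up if we can't.
    if ($save !== null && !@copy("messages.po", $save)) {
        echo "<p>" . _("Could not save a copy of the previous file.") . " "
            . _("New file was not uploaded.") . "</p>";
        return;
    }

    // Move the upload into place. move_uploaded_file() refuses anything
    // that is not a file PHP itself received via upload.
    if (!move_uploaded_file($upload_info['tmp_name'], "messages.po")) {
        echo "<p>" . _("The file upload failed.") . "</p>";
        return;
    }

    $po_file = new POFile("{$dyn_locales_dir}/{$locale}/LC_MESSAGES/messages.po");
    try {
        $po_file->compile();
        echo "<p>" . _("File successfully uploaded and compiled.") . "</p>";
    } catch (Exception $exception) {
        echo "<p>" . _("Uploaded file contains the following errors:") . "</p>\n";
        echo "<pre>";
        foreach (explode("\n", $exception->getMessage()) as $line) {
            echo html_safe($line) . "\n";
        }
        echo "</pre><br>";

        // After move_uploaded_file() messages.po always exists, so testing
        // file_exists() here was always true and, when no translation had
        // existed before, copied from an undefined $save. Revert only when
        // a backup was actually made.
        if ($save !== null) {
            echo "<p>" . _("(Reverting to previous file.)") . "</p>\n";
            @copy($save, "messages.po");
        }
    }
}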