Beispiel #1
0
 function testNameContainsDot()
 {
     $r = new Rule_FRSFileName();
     $this->assertFalse($r->isValid('../coin'));
     $this->assertFalse(util_is_valid_filename('../coin'));
     $this->assertFalse($r->isValid('zata/../toto'));
     $this->assertFalse(util_is_valid_filename('zata/../toto'));
 }
Beispiel #2
0
        }
    }
}
// Add file(s) to the release
if (getStringFromRequest('step2')) {
    $userfile = getUploadedFile('userfile');
    $userfile_name = $userfile['name'];
    $type_id = getIntFromRequest('type_id');
    $release_date = getStringFromRequest('release_date');
    $release_date = strtotime($release_date);
    $processor_id = getStringFromRequest('processor_id');
    // Build a Unix time value from the supplied Y-m-d value
    $group_unix_name = group_getunixname($group_id);
    $ftp_filename = getStringFromRequest('ftp_filename');
    if ($userfile && is_uploaded_file($userfile['tmp_name']) || $sys_use_ftpuploads && $ftp_filename) {
        if ($sys_use_ftpuploads && $ftp_filename && util_is_valid_filename($ftp_filename) && is_file($upload_dir . '/' . $ftp_filename)) {
            //file was uploaded already via ftp
            //use setuid prog to chown it
            //$cmd = escapeshellcmd("$sys_ftp_upload_chowner $ftp_filename");
            //exec($cmd,$output);
            $userfile_name = $ftp_filename;
            $userfile = $upload_dir . '/' . $ftp_filename;
            //echo $cmd.'***'.$output.'***'.$userfile;
        }
        //
        //  Now create the new FRSFile in the db
        //
        $frsf = new FRSFile($frsr);
        if (!$frsf || !is_object($frsf)) {
            exit_error('Error', 'Could Not Get FRSFile');
        } elseif ($frsf->isError()) {
Beispiel #3
0
 /**
  * Retuns if the filename is valid or not
  *
  * @param String $name
  *
  * @return Boolean
  */
 function isValidFileName($name)
 {
     return util_is_valid_filename($name);
 }
Beispiel #4
0
 /**
  *	create - create a new file in this FRSFileRelease/FRSPackage.
  *
  *	@param	string	The name of this file.
  *	@param	string	The location of this file in the local file system.
  *	@param	int	The type_id of this file from the frs-file-types table.
  *	@param	int	The processor_id of this file from the frs-processor-types table.
  *	@param	int	The release_date of this file in unix time (seconds).
  *	@return	boolean success.
  */
 function create($name, $file_location, $type_id, $processor_id, $release_time = false)
 {
     if (strlen($name) < 3) {
         $this->setError(_('FRSFile Name Must Be At Least 3 Characters'));
         return false;
     }
     if (!util_is_valid_filename($name)) {
         $this->setError(_('Filename can only be alphanumeric and "-" "_" "." characters.'));
         return false;
     }
     //
     //	Can't really use is_uploaded_file() or move_uploaded_file()
     //	since we want this to be generalized code
     //	This is potentially exploitable if you do not validate
     //	before calling this function
     //
     if (!is_file($file_location) || !file_exists($file_location)) {
         $this->setError(_('FRSFile Appears to be invalid'));
         return false;
     }
     $perm =& $this->FRSRelease->FRSPackage->Group->getPermission(session_get_user());
     if (!$perm || !is_object($perm) || !$perm->isReleaseTechnician()) {
         $this->setPermissionDeniedError();
         return false;
     }
     //
     //	Filename must be unique in this release
     //
     $resfile = db_query("SELECT filename \n\t\t\tFROM frs_file\n\t\t\tWHERE \n\t\t\tfilename='{$name}'\n\t\t\tAND release_id='" . $this->FRSRelease->getId() . "'");
     if (!$resfile || db_numrows($resfile) > 0) {
         $this->setError(_('That filename already exists in this project space') . ' ' . db_error());
         return false;
     }
     $path_name = $GLOBALS['sys_upload_dir'] . '/' . $this->FRSRelease->FRSPackage->Group->getUnixName();
     if (!is_dir($path_name)) {
         mkdir($path_name, 0755);
     } else {
         if (fileperms($path_name) != 0x4755) {
             chmod($path_name, 0755);
         }
     }
     $path_name = $path_name . '/' . $this->FRSRelease->FRSPackage->getFileName();
     if (!is_dir($path_name)) {
         mkdir($path_name, 0755);
     } else {
         if (fileperms($path_name) != 0x4755) {
             chmod($path_name, 0755);
         }
     }
     $path_name = $path_name . '/' . $this->FRSRelease->getFileName();
     if (!is_dir($path_name)) {
         mkdir($path_name, 0755);
     } else {
         if (fileperms($path_name) != 0x4755) {
             chmod($path_name, 0755);
         }
     }
     $file_location = escapeshellcmd($file_location);
     $newfilelocation = $GLOBALS['sys_upload_dir'] . '/' . $this->FRSRelease->FRSPackage->Group->getUnixName() . '/' . $this->FRSRelease->FRSPackage->getFileName() . '/' . $this->FRSRelease->getFileName() . '/';
     //exec("/bin/mkdir $newfilelocation",$out);
     //print_r($out);
     //exec("/bin/mkdir $newfilelocation",$out);
     //print_r($out);
     $cmd = "/bin/mv {$file_location} {$newfilelocation}{$name}";
     exec($cmd, $out);
     //echo $cmd;
     //print_r($out);
     if (!file_exists("{$newfilelocation}{$name}")) {
         $this->setError(_('File cannot be moved to the permanent location') . ': ' . $newfilelocation . $name);
         return false;
     }
     if (!$release_time) {
         $release_time = time();
     }
     $file_size = filesize("{$newfilelocation}{$name}");
     $sql = "INSERT INTO frs_file(release_id,filename,release_time,\n\t\t\t\ttype_id,processor_id,file_size,post_date)\n\t\t\tVALUES ('" . $this->FRSRelease->getId() . "','{$name}','{$release_time}',\n\t\t\t\t'{$type_id}','{$processor_id}','{$file_size}','" . time() . "')";
     db_begin();
     $result = db_query($sql);
     if (!$result) {
         db_rollback();
         $this->setError('FRSFile::create() Error Adding Release: ' . db_error());
         return false;
     }
     $this->file_id = db_insertid($result, 'frs_file', 'file_id');
     if (!$this->fetchData($this->file_id)) {
         return false;
     } else {
         db_commit();
         return true;
     }
 }
Beispiel #5
0
 /**
  *	create - create a new FRSPackage in the database.
  *
  *	@param	string	The name of this package.
  *	@param	boolean	Whether it's public or not. 1=public 0=private.
  *	@return	boolean success.
  */
 function create($name, $is_public = 1)
 {
     global $sys_apache_user, $sys_apache_group;
     if (strlen($name) < 3) {
         $this->setError(_('FRSPackage Name Must Be At Least 3 Characters'));
         return false;
     }
     if (!util_is_valid_filename($name)) {
         $this->setError(_('FRSPackage::Update: Package Name can only be alphanumeric'));
     }
     $perm =& $this->Group->getPermission(session_get_user());
     if (!$perm || !is_object($perm) || !$perm->isReleaseTechnician()) {
         $this->setPermissionDeniedError();
         return false;
     }
     $res = db_query("SELECT * FROM frs_package WHERE group_id='" . $this->Group->getID() . "'\n\t\t\tAND name='" . htmlspecialchars($name) . "'");
     if (db_numrows($res)) {
         $this->setError('FRSPackage::create() Error Adding Package: Name Already Exists');
         return false;
     }
     $sql = "INSERT INTO frs_package(group_id,name,status_id,is_public)\n\t\t\tVALUES ('" . $this->Group->getId() . "','" . htmlspecialchars($name) . "','1','{$is_public}')";
     db_begin();
     $result = db_query($sql);
     if (!$result) {
         db_rollback();
         $this->setError('FRSPackage::create() Error Adding Package: ' . db_error());
         return false;
     }
     $this->package_id = db_insertid($result, 'frs_package', 'package_id');
     if (!$this->fetchData($this->package_id)) {
         db_rollback();
         return false;
     } else {
         //make groupdir if it doesn't exist
         $groupdir = $GLOBALS['sys_upload_dir'] . '/' . $this->Group->getUnixName();
         if (!is_dir($groupdir)) {
             @mkdir($groupdir);
         }
         $newdirlocation = $GLOBALS['sys_upload_dir'] . '/' . $this->Group->getUnixName() . '/' . $this->getFileName();
         exec("/bin/mkdir {$newdirlocation}", $out);
         // this 2 should normally silently fail (because it´s called with the apache user) but if it´s root calling the create() method, then the owner and group for the directory should be changed
         @chown($newdirlocation, $sys_apache_user);
         @chgrp($newdirlocation, $sys_apache_group);
         db_commit();
         return true;
     }
 }
Beispiel #6
0
/**
 *	ls - lists a specified directory and returns an array of files
 *	@param	string	the path of the directory to list
 *	@param	boolean	whether to filter out directories and illegal filenames
 *	@return	array	array of file names.
 */
function &ls($dir, $filter = false)
{
    exec('ls -c1 ' . $dir, $out);
    if ($filter) {
        for ($i = 0; $i < count($out); $i++) {
            if (util_is_valid_filename($out[$i]) && is_file($dir . '/' . $out[$i])) {
                $filtered[] = $out[$i];
            }
        }
        return $filtered;
    } else {
        return $out;
    }
}
Beispiel #7
0
         exec("/usr/local/bin/tmpfilemove {$userfile} {$userfile_name}", $exec_res);
         if ($exec_res[0]) {
             echo '<H3>' . $exec_res[0], $exec_res[1] . '</H3><P>';
         }
     }
 }
 $feedback .= ' Adding File ';
 //see if this release belongs to this project
 $res1 = db_query("SELECT frs_package.package_id FROM frs_package,frs_release " . "WHERE frs_package.group_id='{$group_id}' " . "AND frs_release.release_id='{$release_id}' " . "AND frs_release.package_id=frs_package.package_id");
 if (!$res1 || db_numrows($res1) < 1) {
     //release not found for this project
     $feedback .= " | Not Your Release Or Release Doesn't Exist ";
 } else {
     $now = time();
     //see if filename is legal before adding it
     if (!util_is_valid_filename($file_name)) {
         $feedback .= " | Illegal FileName: {$file_name} ";
     } else {
         //see if they already have a file by this name
         $res1 = db_query("SELECT frs_package.package_id FROM frs_package,frs_release,frs_file " . "WHERE frs_package.group_id='{$group_id}' " . "AND frs_release.release_id=frs_file.release_id " . "AND frs_release.package_id=frs_package.package_id " . "AND frs_file.filename='{$file_name}'");
         if (!$res1 || db_numrows($res1) < 1) {
             /*
             	move the file to the project's fileserver directory
             */
             clearstatcache();
             if (is_file($FTPINCOMING_DIR . '/' . $file_name) && file_exists($FTPINCOMING_DIR . '/' . $file_name)) {
                 //move the file to a its project page using a setuid program
                 exec("/usr/local/bin/fileforge-3 {$file_name} " . $group_unix_name, $exec_res);
                 if ($exec_res[0]) {
                     echo '<h3>' . $exec_res[0], $exec_res[1] . '</H3><P>';
                 }
Beispiel #8
0
     $fname = $userfile['name'];
     $move = true;
 } elseif ($userfile && $userfile['error'] != UPLOAD_ERR_OK && $userfile['error'] != UPLOAD_ERR_NO_FILE) {
     switch ($userfile['error']) {
         case UPLOAD_ERR_INI_SIZE:
         case UPLOAD_ERR_FORM_SIZE:
             $feedback = _('The uploaded file exceeds the maximum file size. Contact to the site admin to upload this big file, or use an alternate upload method (if available).');
             break;
         case UPLOAD_ERR_PARTIAL:
             $feedback = _('The uploaded file was only partially uploaded.');
             break;
         default:
             $feedback = _('Unknown file upload error.');
             break;
     }
 } elseif (forge_get_config('use_manual_uploads') && $manual_filename && util_is_valid_filename($manual_filename) && is_file($incoming . '/' . $manual_filename)) {
     $incoming = forge_get_config('groupdir_prefix') . "/{$group_unix_name}/incoming";
     $infile = $incoming . '/' . $manual_filename;
     $fname = $manual_filename;
     $move = false;
 } else {
     $feedback = _('Unknown file upload error.');
 }
 if (!$feedback) {
     if (!$move) {
         $tmp = tempnam('', '');
         copy($infile, $tmp);
         $infile = $tmp;
     }
     $feedback = logo_create($infile, $wgUploadDirectory);
 }