Ejemplo n.º 1
0
 /**
  * Create a new document //still needs some finetuning
  * @param array $_course
  * @return string
  */
 public function create_document($_course)
 {
     $course_id = api_get_course_int_id();
     global $charset;
     $dir = isset($_GET['dir']) ? $_GET['dir'] : $_POST['dir'];
     // Please, do not modify this dirname formatting.
     if (strstr($dir, '..')) {
         $dir = '/';
     }
     if ($dir[0] == '.') {
         $dir = substr($dir, 1);
     }
     if ($dir[0] != '/') {
         $dir = '/' . $dir;
     }
     if ($dir[strlen($dir) - 1] != '/') {
         $dir .= '/';
     }
     $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document' . $dir;
     if (empty($_POST['dir']) && empty($_GET['dir'])) {
         //Generates folder
         $result = $this->generate_lp_folder($_course);
         $dir = $result['dir'];
         $filepath = $result['filepath'];
     }
     if (!is_dir($filepath)) {
         $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
         $dir = '/';
     }
     // stripslashes() before calling api_replace_dangerous_char() because $_POST['title']
     // is already escaped twice when it gets here.
     $title = api_replace_dangerous_char(stripslashes($_POST['title']));
     $title = FileManager::disable_dangerous_file($title);
     $filename = $title;
     $content = $_POST['content_lp'];
     $tmp_filename = $filename;
     $i = 0;
     while (file_exists($filepath . $tmp_filename . '.html')) {
         $tmp_filename = $filename . '_' . ++$i;
     }
     $filename = $tmp_filename . '.html';
     $content = stripslashes($content);
     $content = str_replace(api_get_path(WEB_COURSE_PATH), api_get_path(REL_PATH) . 'courses/', $content);
     // Change the path of mp3 to absolute.
     // The first regexp deals with ../../../ urls.
     $content = preg_replace("|(flashvars=\"file=)(\\.+/)+|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/', $content);
     // The second regexp deals with audio/ urls.
     $content = preg_replace("|(flashvars=\"file=)([^/]+)/|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/$2/', $content);
     // For flv player: To prevent edition problem with firefox, we have to use a strange tip (don't blame me please).
     $content = str_replace('</body>', '<style type="text/css">body{}</style></body>', $content);
     if (!file_exists($filepath . $filename)) {
         if ($fp = @fopen($filepath . $filename, 'w')) {
             fputs($fp, $content);
             fclose($fp);
             $file_size = filesize($filepath . $filename);
             $save_file_path = $dir . $filename;
             $document_id = FileManager::add_document($_course, $save_file_path, 'file', $file_size, $tmp_filename);
             if ($document_id) {
                 api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentAdded', api_get_user_id(), null, null, null, null, api_get_session_id());
                 $new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
                 $new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
                 if ($new_comment || $new_title) {
                     $tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
                     $ct = '';
                     if ($new_comment) {
                         $ct .= ", comment='" . Database::escape_string($new_comment) . "'";
                     }
                     if ($new_title) {
                         $ct .= ", title='" . Database::escape_string(htmlspecialchars($new_title, ENT_QUOTES, $charset)) . "' ";
                     }
                     $sql_update = "UPDATE " . $tbl_doc . " SET " . substr($ct, 1) . " WHERE c_id = " . $course_id . " AND id = " . $document_id;
                     Database::query($sql_update);
                 }
             }
             return $document_id;
         }
     }
 }
Ejemplo n.º 2
0
/**
 * Check if a document width the choosen filename allready exists
 */
function document_exists($filename)
{
    global $filepath;
    $filename = addslashes(trim($filename));
    $filename = Security::remove_XSS($filename);
    $filename = api_replace_dangerous_char($filename);
    $filename = FileManager::disable_dangerous_file($filename);
    return !file_exists($filepath . $filename . '.html');
}
Ejemplo n.º 3
0
    $webcamdir = $params['webcamdir'];
    $webcamuserid = $params['webcamuserid'];
} else {
    api_not_allowed();
    die;
}
if ($webcamuserid != api_get_user_id() || api_get_user_id() == 0 || $webcamuserid == 0) {
    api_not_allowed();
    die;
}
//clean
$webcamname = Security::remove_XSS($webcamname);
$webcamname = Database::escape_string($webcamname);
$webcamname = addslashes(trim($webcamname));
$webcamname = api_replace_dangerous_char($webcamname, 'strict');
$webcamname = FileManager::disable_dangerous_file($webcamname);
$webcamdir = Security::remove_XSS($webcamdir);
//security extension
$ext = explode('.', $webcamname);
$ext = strtolower($ext[sizeof($ext) - 1]);
if ($ext != 'jpg') {
    die;
}
//Do not use here check Fileinfo method because return: text/plain                //CHECK THIS BEFORE COMMIT
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $webcamdir;
$current_session_id = api_get_session_id();
$groupId = $_SESSION['_gid'];
//avoid duplicates
$webcamname_to_save = $webcamname;
$title_to_save = str_replace('_', ' ', $webcamname);
Ejemplo n.º 4
0
/**
This function changes the name of a certain file.
It needs no global variables, it takes all info from parameters.
It returns nothing.
@todo check if this function is used
*/
function change_name($base_work_dir, $source_file, $rename_to, $dir, $doc)
{
    $file_name_for_change = $base_work_dir . $dir . $source_file;
    //api_display_debug_info("call FileManager::my_rename: params $file_name_for_change, $rename_to");
    $rename_to = FileManager::disable_dangerous_file($rename_to);
    // Avoid renaming to .htaccess file
    $rename_to = FileManager::my_rename($file_name_for_change, stripslashes($rename_to));
    // fileManage API
    if ($rename_to) {
        if (isset($dir) && $dir != '') {
            $source_file = $dir . $source_file;
            $new_full_file_name = dirname($source_file) . '/' . $rename_to;
        } else {
            $source_file = '/' . $source_file;
            $new_full_file_name = '/' . $rename_to;
        }
        FileManager::update_db_info('update', $source_file, $new_full_file_name);
        // fileManage API
        $name_changed = get_lang('ElRen');
        $info_message = get_lang('fileModified');
        $GLOBALS['file_name'] = $rename_to;
        $GLOBALS['doc'] = $rename_to;
        return $info_message;
    } else {
        $dialogBox = get_lang('FileExists');
        // TODO: This variable is not used.
        /* Return to step 1 */
        $rename = $source_file;
        unset($source_file);
    }
}
Ejemplo n.º 5
0
//Only teacher and all users into their group and any user into his/her shared folder
if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_folder(api_get_user_id(), $curdirpath, $session_id)) {
    // Create directory with $_POST data
    if (isset($_POST['create_dir']) && $_POST['dirname'] != '') {
        // Needed for directory creation
        $post_dir_name = $_POST['dirname'];
        if ($post_dir_name == '../' || $post_dir_name == '.' || $post_dir_name == '..') {
            Display::display_error_message(get_lang('CannotCreateDir'));
        } else {
            if (!empty($_POST['dir_id'])) {
                $document_data = DocumentManager::get_document_data_by_id($_POST['dir_id'], api_get_course_id());
                $curdirpath = $document_data['path'];
            }
            $added_slash = $curdirpath == '/' ? '' : '/';
            $dir_name = $curdirpath . $added_slash . api_replace_dangerous_char($post_dir_name);
            $dir_name = FileManager::disable_dangerous_file($dir_name);
            $dir_check = $base_work_dir . $dir_name;
            if (!is_dir($dir_check)) {
                $created_dir = FileManager::create_unexisting_directory($_course, api_get_user_id(), api_get_session_id(), $to_group_id, $to_user_id, $base_work_dir, $dir_name, $post_dir_name);
                if ($created_dir) {
                    Display::display_confirmation_message('<span title="' . $created_dir . '">' . get_lang('DirCr') . '</span>', false);
                    // Uncomment if you want to enter the created dir
                    //$curdirpath = $created_dir;
                    //$curdirpathurl = urlencode($curdirpath);
                } else {
                    Display::display_error_message(get_lang('CannotCreateDir'));
                }
            } else {
                Display::display_error_message(get_lang('CannotCreateDir'));
            }
        }
Ejemplo n.º 6
0
    $wamidir = $params['wamidir'];
    $wamiuserid = $params['wamiuserid'];
} else {
    api_not_allowed();
    die;
}
if ($wamiuserid != api_get_user_id() || api_get_user_id() == 0 || $wamiuserid == 0) {
    api_not_allowed();
    die;
}
//clean
$waminame = Security::remove_XSS($waminame);
$waminame = Database::escape_string($waminame);
$waminame = addslashes(trim($waminame));
$waminame = api_replace_dangerous_char($waminame, 'strict');
$waminame = FileManager::disable_dangerous_file($waminame);
$wamidir = Security::remove_XSS($wamidir);
$content = file_get_contents('php://input');
//security extension
$ext = explode('.', $waminame);
$ext = strtolower($ext[sizeof($ext) - 1]);
if ($ext != 'wav') {
    die;
}
//Do not use here check Fileinfo method because return: text/plain
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $wamidir;
$current_session_id = api_get_session_id();
$groupId = $_SESSION['_gid'];
//avoid duplicates
$waminame_to_save = $waminame;
Ejemplo n.º 7
0
 // Create the audio folder if it does not exist yet.
 $_course = api_get_course_info();
 $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
 if (!is_dir($filepath . 'audio')) {
     mkdir($filepath . 'audio', api_get_permissions_for_new_directories());
     $audio_id = FileManager::add_document($_course, '/audio', 'folder', 0, 'audio');
     api_item_property_update($_course, TOOL_DOCUMENT, $audio_id, 'FolderCreated', api_get_user_id(), null, null, null, null, api_get_session_id());
 }
 // Check if file already exits into document/audio/
 $file_name = $_FILES[$key]['name'];
 $file_name = stripslashes($file_name);
 // Add extension to files without one (if possible).
 $file_name = FileManager::add_ext_on_mime($file_name, $_FILES[$key]['type']);
 $clean_name = api_replace_dangerous_char($file_name);
 // No "dangerous" files.
 $clean_name = FileManager::disable_dangerous_file($clean_name);
 $check_file_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/audio/' . $clean_name;
 // If the file exists we generate a new name.
 if (file_exists($check_file_path)) {
     $filename_components = explode('.', $clean_name);
     // Gettting the extension of the file.
     $file_extension = $filename_components[count($filename_components) - 1];
     // Adding something random to prevent overwriting.
     $filename_components[count($filename_components) - 1] = time();
     // Reconstructing the new filename.
     $clean_name = implode($filename_components) . '.' . $file_extension;
     // Using the new name in the $_FILES superglobal.
     $_FILES[$key]['name'] = $clean_name;
 }
 // Upload the file in the documents tool
 $file_path = FileManager::handle_uploaded_document($_course, $_FILES[$key], api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document', '/audio', api_get_user_id(), '', '', '', '', false);
Ejemplo n.º 8
0
 /**
  * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns it in
  * a non-executable form (for PHP and htaccess, this is still vulnerable to
  * other languages' files extensions)
  * @param   string  Unfiltered filename
  * @param   string  Filtered filename
  */
 public static function filter_filename($filename)
 {
     return FileManager::disable_dangerous_file($filename);
 }
Ejemplo n.º 9
0
/**
 * Upload a submitted user production.
 *
 * @param    $user_id    User id
 * @return    The filename of the new production or FALSE if the upload has failed
 */
function upload_user_production($user_id)
{
    $image_path = UserManager::get_user_picture_path_by_id($user_id, 'system', true);
    $production_repository = $image_path['dir'] . $user_id . '/';
    if (!file_exists($production_repository)) {
        @mkdir($production_repository, api_get_permissions_for_new_directories(), true);
    }
    $filename = api_replace_dangerous_char($_FILES['production']['name']);
    $filename = FileManager::disable_dangerous_file($filename);
    if (FileManager::filter_extension($filename)) {
        if (@move_uploaded_file($_FILES['production']['tmp_name'], $production_repository . $filename)) {
            return $filename;
        }
    }
    return false;
    // this should be returned if anything went wrong with the upload
}