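 /**
  * Handle a file upload for the page builder and append a reference to the
  * stored file to the page content being edited.
  *
  * Flow: CSRF check -> fetch the 'file' upload -> reject PHP-family names ->
  * restrict the name to a conservative character set -> refuse to overwrite ->
  * move the file under dbimg/content/ -> append image/anchor markup to
  * $_POST['content'] (bbcode or html depending on the posted 'type').
  *
  * @param Module_PageBuilder $module Module used for localized error/success messages.
  * @return string Error markup (GWF_HTML::err or $module->error) or the success message.
  */
 public static function onUpload(Module_PageBuilder $module)
 {
     if (false !== ($error = GWF_Form::validateCSRF_WeakS())) {
         return $error;
     }
     if (false === ($file = GWF_Upload::getFile('file'))) {
         return GWF_HTML::err('ERR_MISSING_UPLOAD');
     }

     # The original file name is kept on purpose (extension included), so the
     # name is filtered rather than replaced. Only trusted (admin) users are
     # expected to reach this handler, but the filter does not rely on that.
     $name = $file['name'];

     # Refuse anything the web server might execute as PHP. The substring test
     # also catches double extensions such as foo.php.html; the pattern adds
     # the other PHP-family extensions (.phtml, .phar, .phps, .pht) that the
     # substring test misses. NOTE(review): which extensions are actually
     # executed depends on the server's handler configuration -- confirm there.
     if (stripos($name, '.php') !== false
      || preg_match('#\\.(pht|phtml|phar|phps)(\\.|$)#iD', $name)) {
         return $module->error('err_file_ext');
     }

     # Sanity check: one leading [a-z0-9_] then at most 62 more characters
     # from [a-z0-9_.]. No slashes (no directory traversal) and no leading dot.
     if (!preg_match('#^[a-z0-9_][a-z0-9_\\.]{0,62}$#iD', $name)) {
         return $module->error('err_file_name');
     }

     $path = 'dbimg/content/' . $name;
     $epath = htmlspecialchars($path);
     # Never overwrite an existing file.
     if (Common::isFile($path)) {
         return $module->error('err_upload_exists');
     }
     if (false === GWF_Upload::moveTo($file, $path)) {
         return GWF_HTML::err('ERR_WRITE_FILE', array($epath));
     }

     # bbcode mode unless the posted page type has the HTML or SMARTY bit set.
     $bbcode = (Common::getPostInt('type', 0) & (GWF_Page::HTML | GWF_Page::SMARTY)) === 0;
     # Append the image/anchor markup to the content being edited. Initialise
     # the key first so a request without 'content' does not raise a notice.
     if (!isset($_POST['content'])) {
         $_POST['content'] = '';
     }
     $_POST['content'] .= self::fileToContent($name, $path, $bbcode);
     return $module->message('msg_file_upped', array($epath));
 }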
 /**
  * Compare the variables a form declares against the variables the request
  * actually sent.
  *
  * Every declared field must be present in the request (reported as
  * ERR_MISSING_VAR) and every sent variable must belong to a declared field
  * (reported as ERR_POST_VAR). The second half makes the form definition an
  * explicit whitelist of request parameters: unknown ones are an error rather
  * than being silently ignored.
  *
  * @param mixed    $context   Not read by this method.
  * @param GWF_Form $form      Form whose declared fields are checked; its method selects $_POST or $_GET.
  * @param mixed    $validator Not read by this method.
  * @return array|false List of localized error strings, or false when nothing is missing or unexpected.
  */
 private static function validateMissingVars($context, GWF_Form $form, $validator)
 {
     $errors = array();
     # Variables the request sent; entries are removed as they are accounted for.
     $check_sent = $form->getMethod() === GWF_Form::METHOD_POST ? $_POST : $_GET;
     # Variable names the form requires to be present.
     $check_need = array();
     //		var_dump($_POST);
     # $data[0] is compared with the GWF_Form::* type constants below, so it
     # appears to be the field type; $data[1] and $data[4] are only read for
     # specific types (see those cases) -- confirm against GWF_Form.
     foreach ($form->getFormData() as $key => $data) {
         # Field types listed in self::$SKIPPERS are neither required nor
         # reported as unexpected.
         if (in_array($data[0], self::$SKIPPERS, true)) {
             unset($check_sent[$key]);
             continue;
         }
         switch ($data[0]) {
             case GWF_Form::VALIDATOR:
                 # A validator entry has no request variable of its own.
                 break;
             case GWF_Form::SELECT_A:
                 # Accepted if sent, never required.
                 unset($check_sent[$key]);
                 break;
             case GWF_Form::TIME:
                 # A time field is sent as two variables: <key>h and <key>i.
                 $check_need[] = $key . 'h';
                 $check_need[] = $key . 'i';
                 break;
             case GWF_Form::DATE:
             case GWF_Form::DATE_FUTURE:
                 # $data[4] selects how many date parts are sent. The missing
                 # breaks are intentional: 14 requires s,i,h,d,m,y; 12 requires
                 # i,h,d,m,y; ... down to 4, which requires only y.
                 switch ($data[4]) {
                     case 14:
                         $check_need[] = $key . 's';
                     case 12:
                         $check_need[] = $key . 'i';
                     case 10:
                         $check_need[] = $key . 'h';
                     case 8:
                         $check_need[] = $key . 'd';
                     case 6:
                         $check_need[] = $key . 'm';
                     case 4:
                         $check_need[] = $key . 'y';
                         break;
                     default:
                         # NOTE(review): die() aborts the whole request for what
                         # is a form-definition bug; an exception would be easier
                         # to handle and to test.
                         die('Date field is invalid in form!');
                 }
                 break;
             case GWF_Form::SUBMITS:
             case GWF_Form::SUBMIT_IMGS:
                 # Submit buttons are optional: drop whichever of them was sent.
                 # $data[1] is keyed by the submit names. This reuses $key; that
                 # is harmless only because nothing after the inner loop reads it.
                 foreach (array_keys($data[1]) as $key) {
                     //							if (false !== ($i = array_search($key, $check_sent, true))) {
                     //								unset ($check_sent[$i]);
                     //							}
                     unset($check_sent[$key]);
                 }
                 break;
             case GWF_Form::FILE:
                 # Uploads are not part of $check_sent (GWF_Upload presumably
                 # reads $_FILES); the key is only required when no file
                 # arrived, so that the missing-var error is raised below.
                 if (false === GWF_Upload::getFile($key)) {
                     $check_need[] = $key;
                 }
                 break;
             case GWF_Form::INT:
             case GWF_Form::STRING:
                 # Array-style names such as foo[bar] are sent as the array
                 # 'foo': require the base name once. Plain names fall through
                 # to the default case on purpose.
                 if (Common::endsWith($key, ']')) {
                     $key = Common::substrUntil($key, '[');
                     # NOTE(review): non-strict in_array -- numeric-looking names
                     # ('1' vs '01') compare loosely here; strict: true would
                     # avoid that.
                     if (!in_array($key, $check_need)) {
                         $check_need[] = $key;
                     }
                     break;
                 }
             default:
                 $check_need[] = $key;
                 break;
         }
     }
     //		var_dump($check_need);
     # Required but not sent -> error; sent -> consumed from $check_sent.
     foreach ($check_need as $key) {
         if (!isset($check_sent[$key])) {
             $errors[] = GWF_HTML::lang('ERR_MISSING_VAR', array(htmlspecialchars($key)));
         } else {
             unset($check_sent[$key]);
         }
     }
     # Anything still in $check_sent was not declared by the form.
     foreach ($check_sent as $key => $value) {
         $errors[] = GWF_HTML::lang('ERR_POST_VAR', array(htmlspecialchars($key)));
     }
     return count($errors) === 0 ? false : $errors;
 }