/**
 * Sanitizer for an "upload" option value (a file name or URL).
 *
 * The value is kept only when nxt_check_filetype() can map its extension to a
 * known type; otherwise the empty string is stored. Note that this looks at the
 * extension in the name only, never at file content.
 *
 * @param string $input The submitted value.
 * @return string The input unchanged, or '' when its extension is not recognised.
 */
function of_sanitize_upload($input) {
    $filetype = nxt_check_filetype($input);
    // An unmapped or missing extension means the value is rejected.
    if (empty($filetype['ext'])) {
        return '';
    }
    return $input;
}
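/**
 * Attempt to determine the real file type of a file.
 *
 * If unable to, the file name extension will be used to determine type.
 *
 * If it's determined that the extension does not match the file's real type,
 * then the "proper_filename" value will be set with a proper filename and extension.
 *
 * Currently this function only supports validating images known to getimagesize();
 * for every other type the claimed extension is trusted as-is (see the
 * 'nxt_check_filetype_and_ext' filter to add further validation).
 *
 * @since 3.0.0
 *
 * @param string $file     Full path to the image.
 * @param string $filename The filename of the image (may differ from $file due to $file being in a tmp directory)
 * @param array  $mimes    Optional. Key is the file extension with value as the mime type.
 * @return array Values for the extension, MIME, and either a corrected filename or false if original $filename is valid
 */
function nxt_check_filetype_and_ext($file, $filename, $mimes = null) {
    $proper_filename = false;

    // Basic extension validation and MIME mapping from the claimed name.
    // The keys are read explicitly instead of extract()-ing the array: extract()
    // would let any extra key in the returned array silently clobber $file,
    // $filename, $mimes or $proper_filename. Missing keys default to false so the
    // return shape stays stable.
    $nxt_filetype = nxt_check_filetype($filename, $mimes);
    $ext  = isset($nxt_filetype['ext']) ? $nxt_filetype['ext'] : false;
    $type = isset($nxt_filetype['type']) ? $nxt_filetype['type'] : false;

    // Without a file on disk there is nothing further to validate.
    if (!file_exists($file)) {
        return compact('ext', 'type', 'proper_filename');
    }

    // Images can be cross-checked with GD.
    if ($type && 0 === strpos($type, 'image/') && function_exists('getimagesize')) {
        // getimagesize() emits a warning on non-image data; the @ is deliberate,
        // a failure here simply leaves $imgstats empty and the claimed type stands.
        $imgstats = @getimagesize($file);

        // Real MIME detected and it differs from the one implied by the extension.
        if (!empty($imgstats['mime']) && $imgstats['mime'] !== $type) {
            // Simplified map of MIMEs getimagesize() can detect to their extensions.
            // You shouldn't need to use this filter, but it's here just in case.
            $mime_to_ext = apply_filters('getimagesize_mimes_to_exts', array(
                'image/jpeg' => 'jpg',
                'image/png'  => 'png',
                'image/gif'  => 'gif',
                'image/bmp'  => 'bmp',
                'image/tiff' => 'tif',
            ));

            if (!empty($mime_to_ext[$imgstats['mime']])) {
                // Replace whatever follows the last period in the filename with the real extension.
                $filename_parts = explode('.', $filename);
                array_pop($filename_parts);
                $filename_parts[] = $mime_to_ext[$imgstats['mime']];
                $new_filename = implode('.', $filename_parts);

                // Mark that it changed.
                if ($new_filename !== $filename) {
                    $proper_filename = $new_filename;
                }

                // Redefine the extension / MIME from the corrected name.
                $nxt_filetype = nxt_check_filetype($new_filename, $mimes);
                $ext  = isset($nxt_filetype['ext']) ? $nxt_filetype['ext'] : false;
                $type = isset($nxt_filetype['type']) ? $nxt_filetype['type'] : false;
            }
        }
    }

    // Let plugins try and validate other types of files.
    // Should return an array in the style of array( 'ext' => $ext, 'type' => $type, 'proper_filename' => $proper_filename )
    return apply_filters('nxt_check_filetype_and_ext', compact('ext', 'type', 'proper_filename'), $file, $filename, $mimes);
}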
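/**
 * Stream the "no access" placeholder image to the client.
 *
 * Looks for a locale-specific image (noaccess-{locale}.png) under the plugin's
 * images/noaccess directory, falling back to noaccess.png. When neither exists
 * the function returns without output. Otherwise it sends Content-Type,
 * Content-Length (skipped on IIS, as before), Last-Modified, ETag and Expires,
 * answers a matching conditional GET (If-None-Match / If-Modified-Since) with
 * 304, and finally streams the file with readfile().
 *
 * Compared with the previous revision: the locale is restricted to
 * [A-Za-z0-9_-] before being placed in a filesystem path (the
 * 'membership_locale' filter may return any string), $_SERVER['SERVER_SOFTWARE']
 * is read with isset(), the ETag comparison is strict, and $_SERVER is no longer
 * mutated as a side effect.
 *
 * @param mixed $nxt_query Unused; kept for the hook signature.
 * @return void
 */
function show_noaccess_image($nxt_query) {
    $locale = apply_filters('membership_locale', get_locale());
    // The locale becomes part of a path below. Accept only the characters a
    // locale code is made of so a filter-supplied value cannot steer the lookup
    // outside the noaccess directory; anything else simply uses the default image.
    if (!is_string($locale) || !preg_match('/^[A-Za-z0-9_-]+$/', $locale)) {
        $locale = '';
    }

    $file = '';
    $trueurl = '';
    $localised = "membershipincludes/images/noaccess/noaccess-{$locale}.png";
    $fallback = 'membershipincludes/images/noaccess/noaccess.png';
    if ('' !== $locale && file_exists(membership_dir($localised))) {
        $file = membership_dir($localised);
        $trueurl = membership_url($localised);
    } elseif (file_exists(membership_dir($fallback))) {
        $file = membership_dir($fallback);
        $trueurl = membership_url($fallback);
    }
    if (empty($file)) {
        return;
    }

    if (!is_file($file)) {
        status_header(404);
        die('404 — File not found.');
    }

    // MIME type: extension map first, then libmagic if available, then a guess
    // from the URL's extension.
    $mime = nxt_check_filetype($file);
    if (false === $mime['type'] && function_exists('mime_content_type')) {
        $mime['type'] = mime_content_type($file);
    }
    if ($mime['type']) {
        $mimetype = $mime['type'];
    } else {
        $mimetype = 'image/' . substr($trueurl, strrpos($trueurl, '.') + 1);
    }
    header('Content-type: ' . $mimetype); // always send this

    // SERVER_SOFTWARE is not guaranteed to be set (CLI, some SAPIs); treat a
    // missing value as "not IIS", which is what the unguarded read did on success.
    $server_software = isset($_SERVER['SERVER_SOFTWARE']) ? (string) $_SERVER['SERVER_SOFTWARE'] : '';
    if (false === strpos($server_software, 'Microsoft-IIS')) {
        header('Content-Length: ' . filesize($file));
    }

    $last_modified = gmdate('D, d M Y H:i:s', filemtime($file));
    $etag = '"' . md5($last_modified) . '"';
    header("Last-Modified: {$last_modified} GMT");
    header('ETag: ' . $etag);
    header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 100000000) . ' GMT');

    // Support for conditional GET.
    $client_etag = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : false;
    $client_last_modified = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? trim($_SERVER['HTTP_IF_MODIFIED_SINCE']) : '';
    // Empty header -> 0; otherwise parse it (strtotime() returns false for an
    // unparsable date, which does not satisfy the >= test below).
    $client_modified_timestamp = $client_last_modified ? strtotime($client_last_modified) : 0;
    // Timestamp of our most recent modification.
    $modified_timestamp = strtotime($last_modified);

    $etag_matches = ($client_etag === $etag);
    $not_modified_since = ($client_modified_timestamp >= $modified_timestamp);
    if ($client_last_modified && $client_etag) {
        // Both validators present: both must agree.
        $not_modified = $etag_matches && $not_modified_since;
    } else {
        // Only one (or neither) present: a single match is enough.
        $not_modified = $etag_matches || $not_modified_since;
    }
    if ($not_modified) {
        status_header(304);
        exit;
    }

    // If we made it this far, just serve the file.
    readfile($file);
}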
// Bootstrap the platform; this endpoint only serves files for multisite installs.
require_once dirname(dirname(__FILE__)) . '/nxt-load.php';
if (!is_multisite()) {
    die('Multisite support not enabled');
}
ms_file_constants();
// Silences every notice/warning from here on, including the undefined-index
// notice when ?file= is absent. Nothing is reported to the client or logged.
error_reporting(0);
// Archived, spam and deleted blogs serve nothing.
if ($current_blog->archived == '1' || $current_blog->spam == '1' || $current_blog->deleted == '1') {
    status_header(404);
    die('404 — File not found.');
}
// On-disk path built from the request.
// NOTE(review): removing '..' with a single str_replace() is a blocklist, not a
// canonicalisation: legitimate names containing '..' are silently rewritten, and
// no check is made that the final path still resolves inside BLOGUPLOADDIR
// (symlinks, platform-specific separators). The robust form is realpath() on the
// result followed by a prefix comparison against realpath(BLOGUPLOADDIR) — confirm
// whether any guard exists upstream of this script.
$file = rtrim(BLOGUPLOADDIR, '/') . '/' . str_replace('..', '', $_GET['file']);
if (!is_file($file)) {
    status_header(404);
    die('404 — File not found.');
}
// MIME type: extension map, then libmagic, then 'image/' + the requested name's
// extension (i.e. derived from request input) as a last resort.
// NOTE(review): whatever nxt_check_filetype() maps here is served inline under the
// site's origin; if its map admits active content (html, svg, js) this is a stored
// content-injection vector — verify the map, or add a Content-Disposition /
// X-Content-Type-Options header for non-image types.
$mime = nxt_check_filetype($file);
if (false === $mime['type'] && function_exists('mime_content_type')) {
    $mime['type'] = mime_content_type($file);
}
if ($mime['type']) {
    $mimetype = $mime['type'];
} else {
    $mimetype = 'image/' . substr($file, strrpos($file, '.') + 1);
}
header('Content-Type: ' . $mimetype); // always send this
// Content-Length is omitted on IIS; SERVER_SOFTWARE is read unguarded (error_reporting(0) hides the notice).
if (false === strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS')) {
    header('Content-Length: ' . filesize($file));
}
// Optional support for X-Sendfile and X-Accel-Redirect (body continues beyond this listing).
if (nxtMU_ACCEL_REDIRECT) {
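/**
 * If fetching attachments is enabled then attempt to create a new attachment
 *
 * The remote file is downloaded via fetch_remote_file(), checked for a known
 * file type, inserted as an attachment post, and (for images) its URL stub is
 * recorded in $this->url_remap so resized-image URLs in post content can be
 * rewritten later.
 *
 * Compared with the previous revision: an unrecognised file type now actually
 * reaches the "Invalid file type" error. nxt_check_filetype() returns an array
 * even when it cannot identify the file (elsewhere in this file its result is
 * indexed as $mime['type'] and compared with false), so testing the array itself
 * was always true and post_mime_type could be set to false.
 *
 * @param array  $post Attachment post details from WXR
 * @param string $url  URL to fetch attachment from
 * @return int|nxt_Error Post ID on success, nxt_Error otherwise
 */
function process_attachment($post, $url) {
    if (!$this->fetch_attachments) {
        return new nxt_Error('attachment_processing_error', __('Fetching attachments is not enabled', 'nxtclass-importer'));
    }

    // A root-relative URL ("/path/file.png") is resolved against the import's base site URL.
    if (preg_match('|^/[\\w\\W]+$|', $url)) {
        $url = rtrim($this->base_url, '/') . $url;
    }

    // NOTE(review): $url comes from the WXR document, i.e. from whoever supplied
    // the import file. Any scheme/host restrictions on what the server will fetch
    // have to live in fetch_remote_file(), which is not visible here — confirm.
    $upload = $this->fetch_remote_file($url, $post);
    if (is_nxt_error($upload)) {
        return $upload;
    }

    // Reject files whose type cannot be determined rather than storing a false MIME.
    $info = nxt_check_filetype($upload['file']);
    if (empty($info['type'])) {
        return new nxt_Error('attachment_processing_error', __('Invalid file type', 'nxtclass-importer'));
    }
    $post['post_mime_type'] = $info['type'];

    // as per nxt-admin/includes/upload.php
    $post['guid'] = $upload['url'];
    $post_id = nxt_insert_attachment($post, $upload['file']);
    nxt_update_attachment_metadata($post_id, nxt_generate_attachment_metadata($post_id, $upload['file']));

    // Remap resized image URLs: strip the extension and remember the URL stub.
    if (preg_match('!^image/!', $info['type'])) {
        $parts = pathinfo($url);
        // pathinfo() omits 'extension' when the name has none; fall back to the bare name (PATHINFO_FILENAME in PHP 5.2).
        $name = isset($parts['extension']) ? basename($parts['basename'], ".{$parts['extension']}") : $parts['basename'];
        $parts_new = pathinfo($upload['url']);
        $name_new = isset($parts_new['extension']) ? basename($parts_new['basename'], ".{$parts_new['extension']}") : $parts_new['basename'];
        $this->url_remap[$parts['dirname'] . '/' . $name] = $parts_new['dirname'] . '/' . $name_new;
    }

    return $post_id;
}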