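/**
 * Save one attachment of a forwarded mail as a CRM attachment record.
 *
 * The raw MIME part is fetched from the open IMAP mailbox, decoded according
 * to its transfer encoding, written to the upload directory as
 * "<crmid>_<sanitized name>" and registered in vtiger_crmentity,
 * vtiger_attachments and vtiger_seattachmentsrel.
 *
 * @global Logger       $log
 * @global PearDatabase $adb
 * @global Users        $current_user
 * @global array        $upload_badext  extensions rejected by sanitizeUploadFileName()
 * @param int|string $id           crmid of the record the attachment is linked to
 * @param string     $module       module name, used to build the setype
 * @param array      $file_details 'name', 'type', 'part' (MIME part id) and
 *                                 'transfer' (transfer encoding) of the mail part
 * @return bool true when the file was written and the rows were inserted; false
 *              when the file could not be written (no rows are inserted then)
 */
function saveForwardAttachments($id, $module, $file_details)
{
    global $log, $adb, $current_user, $upload_badext;

    // $file_details is an array; print_r keeps the log line free of
    // "Array to string conversion" notices.
    $fparams = print_r($file_details, true);
    $log->debug("Entering into saveForwardAttachments({$id},{$module},{$fparams}) method.");

    require_once 'modules/Webmails/MailBox.php';

    // NOTE(review): 'mailbox' and 'mailid' are taken straight from the request;
    // MailBox and imap_fetchbody() are relied on to validate them — confirm.
    $mailbox = $_REQUEST["mailbox"];
    $MailBox = new MailBox($mailbox);
    $mail = $MailBox->mbox;

    // Strip rejected extensions, then drop any directory component so the
    // stored name cannot escape the upload directory.
    $binFile = sanitizeUploadFileName($file_details['name'], $upload_badext);
    $filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
    $filetype = $file_details['type'];
    $filepart = $file_details['part'];
    $transfer = $file_details['transfer'];

    $file = imap_fetchbody($mail, $_REQUEST['mailid'], $filepart);
    if ($transfer == 'BASE64') {
        $file = imap_base64($file);
    } elseif ($transfer == 'QUOTED-PRINTABLE') {
        $file = imap_qprint($file);
    }

    $current_id = $adb->getUniqueID("vtiger_crmentity");
    $date_var = date('Y-m-d H:i:s');

    //to get the owner id
    $ownerid = $this->column_fields['assigned_user_id'];
    if (!isset($ownerid) || $ownerid == '') {
        $ownerid = $current_user->id;
    }

    $upload_file_path = decideFilePath();
    // Write the file before touching the database: the rows below must not
    // describe an attachment that does not exist on disk.
    if (file_put_contents($upload_file_path . $current_id . "_" . $filename, $file) === false) {
        $log->debug("saveForwardAttachments: could not write attachment {$current_id} to {$upload_file_path}.");
        return false;
    }

    $sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?,?,?,?,?,?,?)";
    $params1 = array($current_id, $current_user->id, $ownerid, $module . " Attachment", $this->column_fields['description'], $adb->formatDate($date_var, true), $adb->formatDate($date_var, true));
    $adb->pquery($sql1, $params1);

    $sql2 = "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?,?,?,?,?)";
    $params2 = array($current_id, $filename, $this->column_fields['description'], $filetype, $upload_file_path);
    $adb->pquery($sql2, $params2);

    // In edit mode the form names the attachment being replaced. The delete is
    // bound and scoped to this record's crmid, so a foreign fileid cannot
    // unlink another record's attachment.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        if ($id != '' && isset($_REQUEST['fileid']) && $_REQUEST['fileid'] != '') {
            $delquery = 'delete from vtiger_seattachmentsrel where crmid = ? and attachmentsid = ?';
            $adb->pquery($delquery, array($id, $_REQUEST['fileid']));
        }
    }

    $sql3 = 'insert into vtiger_seattachmentsrel values(?,?)';
    $adb->pquery($sql3, array($id, $current_id));

    // Logged before returning; the original placed this after the return.
    $log->debug("exiting from saveforwardattachment function.");
    return true;
}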
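/**
 * Save the Mail Attachments to DB
 *
 * Writes $filecontent into the upload directory under a fresh crmid-prefixed
 * name, detects its MIME type from the stored bytes and registers it in
 * vtiger_crmentity and vtiger_attachments (no relation row is created here).
 *
 * @global PearDataBase Instance $adb
 * @global Users Instance $current_user
 * @global Array $upload_badext - extensions rejected by sanitizeUploadFileName()
 * @param String $filename - name of the file
 * @param Text $filecontent - raw (already decoded) file body
 * @return Array with attachment information ('attachid', 'path', 'name', 'type',
 *         'size'), or false when the file could not be written (nothing is
 *         inserted in that case)
 */
function __SaveAttachmentFile($filename, $filecontent)
{
    require_once 'modules/Settings/MailScanner/core/MailAttachmentMIME.php';
    global $adb, $current_user, $upload_badext;

    $dirname = decideFilePath();
    $usetime = $adb->formatDate(date('ymdHis'), true);
    // Strip rejected extensions from the mail-supplied name.
    $binFile = sanitizeUploadFileName($filename, $upload_badext);
    $attachid = $adb->getUniqueId('vtiger_crmentity');
    // NOTE(review): the other save paths concatenate decideFilePath() and the
    // id without a '/', so this may yield a double slash — confirm what
    // decideFilePath() returns.
    $saveasfile = "{$dirname}/{$attachid}" . "_" . $binFile;

    // fopen()/fwrite() used to go unchecked: a failed open left DB rows
    // pointing at a file that was never written.
    if (file_put_contents($saveasfile, $filecontent) === false) {
        return false;
    }
    // Type is taken from the stored bytes, not from the mail's declared type.
    $mimetype = MailAttachmentMIME::detect($saveasfile);

    $adb->pquery("INSERT INTO vtiger_crmentity(crmid, smcreatorid, smownerid,\n\t\t\t\tmodifiedby, setype, description, createdtime, modifiedtime, presence, deleted)\n\t\t\t\tVALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", array($attachid, $current_user->id, $current_user->id, $current_user->id, "MailManager Attachment", $binFile, $usetime, $usetime, 1, 0));
    $adb->pquery("INSERT INTO vtiger_attachments SET attachmentsid=?, name=?, description=?, type=?, path=?", array($attachid, $binFile, $binFile, $mimetype, $dirname));

    $attachInfo = array(
        'attachid' => $attachid,
        'path' => $dirname,
        'name' => $binFile,
        'type' => $mimetype,
        'size' => filesize($saveasfile),
    );
    return $attachInfo;
}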
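/** Function to upload the file to the server and add the file details in the attachments table
 *
 * Moves the uploaded temp file into the module's upload directory as
 * "<crmid>_<sanitized name>", records it in vtiger_crmentity and
 * vtiger_attachments, links it through vtiger_salesmanattachmentsrel
 * (replacing any earlier link for $id) and stores the name in
 * vtiger_users.imagename.
 *
 * @global Array $upload_badext - extensions rejected by sanitizeUploadFileName()
 * @param $id -- user id:: Type varchar
 * @param $module -- module name:: Type varchar; 'Users' enforces image validation
 * @param $file_details -- file details array:: Type array ('name', 'type', 'size', 'tmp_name')
 * @return void  nothing is recorded when image validation fails or when the
 *               upload cannot be moved into place
 */
function uploadAndSaveFile($id, $module, $file_details)
{
    $log = vglobal('log');
    // $file_details is an array; print_r keeps the log line free of
    // "Array to string conversion" notices.
    $fparams = print_r($file_details, true);
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$fparams}) method.");
    $current_user = vglobal('current_user');
    global $upload_badext;

    $date_var = date('Y-m-d H:i:s');

    //to get the owner id
    $ownerid = $this->column_fields['assigned_user_id'];
    if (!isset($ownerid) || $ownerid == '') {
        $ownerid = $current_user->id;
    }

    //only images are allowed for these modules
    $saveFile = 'true';
    if ($module == 'Users') {
        $saveFile = validateImageFile($file_details);
    }
    if ($saveFile == 'false') {
        return;
    }

    // Strip rejected extensions, then drop any directory component so the
    // stored name cannot escape the upload directory.
    $binFile = sanitizeUploadFileName($file_details['name'], $upload_badext);
    $filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];
    $current_id = $this->db->getUniqueID("vtiger_crmentity");

    //get the file path inwhich folder we want to upload the file
    $upload_file_path = decideFilePath($module);
    //upload the file in server
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $binFile);

    // The move result used to be ignored, leaving rows that referenced a file
    // that was never stored.
    if ($saveFile == 'true' && $upload_status) {
        $sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?,?,?,?,?,?,?)";
        $params1 = array($current_id, $current_user->id, $ownerid, $module . " Attachment", $this->column_fields['description'], $this->db->formatDate($date_var, true), $this->db->formatDate($date_var, true));
        $this->db->pquery($sql1, $params1);

        $sql2 = "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?,?,?,?,?)";
        $params2 = array($current_id, $filename, $this->column_fields['description'], $filetype, $upload_file_path);
        $this->db->pquery($sql2, $params2);

        // A user has a single image: drop the previous link before adding the new one.
        if ($id != '') {
            $delquery = 'delete from vtiger_salesmanattachmentsrel where smid = ?';
            $this->db->pquery($delquery, array($id));
        }
        $sql3 = 'insert into vtiger_salesmanattachmentsrel values(?,?)';
        $this->db->pquery($sql3, array($id, $current_id));

        //we should update the imagename in the users table
        $this->db->pquery("update vtiger_users set imagename=? where id=?", array($filename, $id));
    } else {
        $log->debug("Skip the save attachment process.");
    }

    $log->debug("Exiting from uploadAndSaveFile({$id},{$module},{$fparams}) method.");
    return;
}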
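/**
 * This function is used to upload the attachment in the server and save that attachment information in db.
 *
 * The uploaded temp file is moved into the upload directory as
 * "<crmid>_<sanitized name>" and registered in vtiger_crmentity,
 * vtiger_attachments and vtiger_seattachmentsrel. Contacts and Products get
 * the setype "<module> Image", every other module "<module> Attachment"; a
 * contact keeps only one image, so its previous 'Contacts Image' attachment is
 * removed first.
 *
 * @global Logger       $log
 * @global PearDatabase $adb
 * @global Users        $current_user
 * @global array        $upload_badext  extensions rejected by sanitizeUploadFileName()
 * @param int $id - entity id to which the file to be uploaded
 * @param string $module - the current module name
 * @param array $file_details - array which contains the file information(name, type, size, tmp_name and error);
 *                              an optional 'original_name' takes precedence over 'name'
 * @param string $attachmentType - 'Image' forces image validation. The variable was
 *                                 read but never declared before; the default keeps
 *                                 the old behaviour for existing callers.
 * @return bool true when the file was stored and the rows were inserted; false when
 *              image validation failed or the upload could not be moved
 */
function uploadAndSaveFile($id, $module, $file_details, $attachmentType = 'Attachment')
{
    global $log, $adb, $current_user, $upload_badext;

    // $file_details is an array; print_r keeps the log line free of
    // "Array to string conversion" notices.
    $fparams = print_r($file_details, true);
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$fparams}) method.");

    $date_var = date("Y-m-d H:i:s");

    //to get the owner id
    $ownerid = $this->column_fields['assigned_user_id'];
    if (!isset($ownerid) || $ownerid == '') {
        $ownerid = $current_user->id;
    }

    if (isset($file_details['original_name']) && $file_details['original_name'] != null) {
        $file_name = $file_details['original_name'];
    } else {
        $file_name = $file_details['name'];
    }
    $filetmp_name = $file_details['tmp_name'];

    //only images are allowed for Image Attachmenttype
    // The type is sniffed from the temp file's content, not from the
    // client-declared 'type'. mime_content_type() rejects an empty path, so
    // sniff only when a temp file was supplied.
    $mimeType = empty($filetmp_name) ? '' : mime_content_type($filetmp_name);
    $mimeTypeContents = explode('/', (string) $mimeType);
    // For contacts and products we are sending attachmentType as value
    if ($attachmentType == 'Image' || ($file_details['size'] && $mimeTypeContents[0] == 'image')) {
        $save_file = validateImageFile($file_details);
        if ($save_file == 'false') {
            return false;
        }
    }

    // Strip rejected extensions, then drop any directory component so the
    // stored name cannot escape the upload directory.
    $binFile = sanitizeUploadFileName($file_name, $upload_badext);
    $current_id = $adb->getUniqueID("vtiger_crmentity");
    $filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
    $filetype = $file_details['type'];

    //get the file path inwhich folder we want to upload the file
    $upload_file_path = decideFilePath();
    //upload the file in server
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . "_" . $binFile);
    if (!$upload_status) {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    $setype = ($module == 'Contacts' || $module == 'Products') ? $module . " Image" : $module . " Attachment";
    $sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
    $params1 = array($current_id, $current_user->id, $ownerid, $setype, $this->column_fields['description'], $adb->formatDate($date_var, true), $adb->formatDate($date_var, true));
    $adb->pquery($sql1, $params1);

    $sql2 = "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?, ?, ?, ?, ?)";
    $params2 = array($current_id, $filename, $this->column_fields['description'], $filetype, $upload_file_path);
    $adb->pquery($sql2, $params2);

    // In edit mode the form names the attachment being replaced. The delete is
    // bound and scoped to this record's crmid, so a foreign fileid cannot
    // unlink another record's attachment.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        $fileid = isset($_REQUEST['fileid']) ? vtlib_purify($_REQUEST['fileid']) : '';
        if ($id != '' && $fileid != '') {
            $delquery = 'delete from vtiger_seattachmentsrel where crmid = ? and attachmentsid = ?';
            $adb->pquery($delquery, array($id, $fileid));
        }
    }

    if ($module == 'Documents') {
        $adb->pquery("delete from vtiger_seattachmentsrel where crmid = ?", array($id));
    }

    // A contact keeps a single image: remove the previous one (relation and
    // entity row) before linking the new attachment.
    if ($module == 'Contacts') {
        $att_sql = "select vtiger_seattachmentsrel.attachmentsid from vtiger_seattachmentsrel inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid where vtiger_crmentity.setype='Contacts Image' and vtiger_seattachmentsrel.crmid=?";
        $res = $adb->pquery($att_sql, array($id));
        $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
        if ($attachmentsid != '') {
            $adb->pquery('delete from vtiger_seattachmentsrel where crmid=? and attachmentsid=?', array($id, $attachmentsid));
            $adb->pquery("delete from vtiger_crmentity where crmid=?", array($attachmentsid));
        }
    }

    $adb->pquery('insert into vtiger_seattachmentsrel values(?,?)', array($id, $current_id));
    return true;
}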
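/**
 * This function is used to upload the attachment in the server and save that attachment information in db.
 *
 * The file is placed in the upload directory as "<crmid>_<sanitized name>"
 * (copied for imports, moved for browser uploads) and registered in
 * vtiger_crmentity, vtiger_attachments and vtiger_seattachmentsrel. Contacts
 * and Products get the setype "<module> Image", other modules
 * "<module> Attachment". For Contacts, and for modules flagging
 * HasDirectImageField, the existing attachment named $attachmentname is
 * removed before the new one is linked.
 *
 * @global Logger       $log
 * @global PearDatabase $adb
 * @global Users        $current_user
 * @global array        $upload_badext  extensions rejected by sanitizeUploadFileName()
 * @param int $id - entity id to which the file to be uploaded
 * @param string $module - the current module name
 * @param array $file_details - array which contains the file information(name, type, size, tmp_name and error);
 *                              an optional 'original_name' takes precedence over 'name'
 * @param string $attachmentname - stored name of the attachment this one replaces (image fields only)
 * @param bool $direct_import - true when tmp_name is an ordinary file rather than an HTTP upload
 * @return bool true when the file was stored and the rows were inserted; false when
 *              the file could not be copied/moved into place
 */
function uploadAndSaveFile($id, $module, $file_details, $attachmentname = '', $direct_import = false)
{
    global $log, $adb, $current_user, $upload_badext;

    $fparams = print_r($file_details, true);
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$fparams}) method.");

    $date_var = date("Y-m-d H:i:s");

    //to get the owner id
    $ownerid = $this->column_fields['assigned_user_id'];
    if (!isset($ownerid) || $ownerid == '') {
        $ownerid = $current_user->id;
    }

    if (isset($file_details['original_name']) && $file_details['original_name'] != null) {
        $file_name = $file_details['original_name'];
    } else {
        $file_name = $file_details['name'];
    }

    // Strip rejected extensions, then drop any directory component so the
    // stored name cannot escape the upload directory.
    $binFile = sanitizeUploadFileName($file_name, $upload_badext);
    $current_id = $adb->getUniqueID("vtiger_crmentity");
    $filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];

    //get the file path inwhich folder we want to upload the file
    $upload_file_path = decideFilePath();
    $target = $upload_file_path . $current_id . "_" . $binFile;

    //upload the file in server
    // move_uploaded_file() refuses anything that did not arrive via HTTP, so
    // imports (ordinary files) are copied instead.
    if ($direct_import) {
        $upload_status = copy($filetmp_name, $target);
    } else {
        $upload_status = move_uploaded_file($filetmp_name, $target);
    }
    if (!$upload_status) {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    $description_val = empty($this->column_fields['description']) ? '' : $this->column_fields['description'];

    $setype = ($module == 'Contacts' || $module == 'Products') ? $module . " Image" : $module . " Attachment";
    $sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
    $params1 = array($current_id, $current_user->id, $ownerid, $setype, $description_val, $adb->formatDate($date_var, true), $adb->formatDate($date_var, true));
    $adb->pquery($sql1, $params1);

    $sql2 = "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?, ?, ?, ?, ?)";
    $params2 = array($current_id, $filename, $description_val, $filetype, $upload_file_path);
    $adb->pquery($sql2, $params2);

    // In edit mode the form names the attachment being replaced. The delete is
    // bound and scoped to this record's crmid, so a foreign fileid cannot
    // unlink another record's attachment.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        if ($id != '' && isset($_REQUEST['fileid']) && $_REQUEST['fileid'] != '') {
            $delquery = 'delete from vtiger_seattachmentsrel where crmid = ? and attachmentsid = ?';
            $delparams = array($id, vtlib_purify($_REQUEST['fileid']));
            $adb->pquery($delquery, $delparams);
        }
    }

    if ($module == 'Documents') {
        $adb->pquery("delete from vtiger_seattachmentsrel where crmid = ?", array($id));
    }

    // Image-type fields hold a single file: remove the one being replaced
    // (relation and entity row) before linking the new attachment.
    $replacesImage = $module == 'Contacts'
        || (property_exists($this, 'HasDirectImageField') && $this->HasDirectImageField);
    if ($replacesImage) {
        $imageattachment = ($module == 'Contacts') ? 'Image' : 'Attachment';
        // setype is bound rather than interpolated so the module name can
        // never alter the statement.
        $att_sql = "select vtiger_seattachmentsrel.attachmentsid from vtiger_seattachmentsrel"
            . " inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid"
            . " inner join vtiger_attachments on vtiger_crmentity.crmid=vtiger_attachments.attachmentsid"
            . " where vtiger_crmentity.setype=?"
            . " and vtiger_attachments.name=?"
            . " and vtiger_seattachmentsrel.crmid=?";
        $res = $adb->pquery($att_sql, array("{$module} {$imageattachment}", $attachmentname, $id));
        $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
        if ($attachmentsid != '') {
            $adb->pquery('delete from vtiger_seattachmentsrel where crmid=? and attachmentsid=?', array($id, $attachmentsid));
            $adb->pquery("delete from vtiger_crmentity where crmid=?", array($attachmentsid));
        }
    }

    $adb->pquery('insert into vtiger_seattachmentsrel values(?,?)', array($id, $current_id));
    return true;
}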
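/**
 * Persist the file columns of a Documents (vtiger_notes) record.
 *
 * Links the note to its parent (vtiger_senotesrel) when $this->parentid is
 * set, then resolves filename / filesize / filetype / filelocationtype /
 * filedownloadcount from, in order: a freshly uploaded file, the stored row
 * (edit mode), the column_fields already present, or defaults. External links
 * ('E') get an "http://" prefix when no protocol is given. vtiger_notes is
 * then updated; internal files are registered through insertIntoAttachment(),
 * external links drop any vtiger_seattachmentsrel row instead.
 *
 * @global Logger       $log
 * @global PearDatabase $adb
 * @global array        $upload_badext  extensions rejected by sanitizeUploadFileName()
 * @param string $module  module name (not read here; kept for the save() contract)
 * @return void
 */
function save_module($module)
{
    global $log, $adb, $upload_badext;

    // Every branch below sets only a subset of these; initialise them so the
    // UPDATE and the column_fields assignments never read an undefined
    // variable (null is what an unset variable evaluated to before).
    $filename = null;
    $filetype = null;
    $filesize = null;
    $filelocationtype = null;
    $filedownloadcount = null;

    //inserting into vtiger_senotesrel
    if (isset($this->parentid) && $this->parentid != '') {
        $this->insertintonotesrel($this->parentid, $this->id);
    }

    $filetype_fieldname = $this->getFileTypeFieldName();
    $filename_fieldname = $this->getFile_FieldName();

    if ($this->column_fields[$filetype_fieldname] == 'I') {
        if (isset($_FILES[$filename_fieldname]['name']) && $_FILES[$filename_fieldname]['name'] != '') {
            $errCode = $_FILES[$filename_fieldname]['error'];
            if ($errCode == 0) {
                // NOTE(review): the loop tests every entry of $_FILES but always
                // reads the field's own entry, so any non-empty upload in the
                // request makes the field's file win — kept as found.
                foreach ($_FILES as $fileindex => $files) {
                    if ($files['name'] != '' && $files['size'] > 0) {
                        $filename = $_FILES[$filename_fieldname]['name'];
                        $filename = from_html(preg_replace('/\\s+/', '_', $filename));
                        $filetype = $_FILES[$filename_fieldname]['type'];
                        $filesize = $_FILES[$filename_fieldname]['size'];
                        $filelocationtype = 'I';
                        // Strip rejected extensions, then any directory component.
                        $binFile = sanitizeUploadFileName($filename, $upload_badext);
                        $filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
                    }
                }
            }
        } elseif ($this->mode == 'edit') {
            // No new upload on edit: keep what is stored for this note.
            $fileres = $adb->pquery("select filetype, filesize,filename,filedownloadcount,filelocationtype from vtiger_notes where notesid=?", array($this->id));
            if ($adb->num_rows($fileres) > 0) {
                $filename = $adb->query_result($fileres, 0, 'filename');
                $filetype = $adb->query_result($fileres, 0, 'filetype');
                $filesize = $adb->query_result($fileres, 0, 'filesize');
                $filedownloadcount = $adb->query_result($fileres, 0, 'filedownloadcount');
                $filelocationtype = $adb->query_result($fileres, 0, 'filelocationtype');
            }
        } elseif ($this->column_fields[$filename_fieldname]) {
            $filename = $this->column_fields[$filename_fieldname];
            $filesize = $this->column_fields['filesize'];
            $filetype = $this->column_fields['filetype'];
            $filelocationtype = $this->column_fields[$filetype_fieldname];
            $filedownloadcount = 0;
        } else {
            $filelocationtype = 'I';
            $filetype = '';
            $filesize = 0;
            $filedownloadcount = null;
        }
    } elseif ($this->column_fields[$filetype_fieldname] == 'E') {
        $filelocationtype = 'E';
        $filename = $this->column_fields[$filename_fieldname];
        // If filename does not has the protocol prefix, default it to http://
        // Protocol prefix could be like (https://, smb://, file://, \\, smb:\\,...)
        if (!empty($filename) && !preg_match('/^\\w{1,5}:\\/\\/|^\\w{0,3}:?\\\\\\\\/', trim($filename))) {
            $filename = "http://{$filename}";
        }
        $filetype = '';
        $filesize = 0;
        $filedownloadcount = null;
    }

    $query = "UPDATE vtiger_notes SET filename = ? ,filesize = ?, filetype = ? , filelocationtype = ? , filedownloadcount = ? WHERE notesid = ?";
    $adb->pquery($query, array(decode_html($filename), $filesize, $filetype, $filelocationtype, $filedownloadcount, $this->id));

    //Inserting into attachments table
    if ($filelocationtype == 'I') {
        $this->insertIntoAttachment($this->id, 'Documents');
    } else {
        $query = "delete from vtiger_seattachmentsrel where crmid = ?";
        $adb->pquery($query, array($this->id));
    }

    //set the column_fields so that its available in the event handlers
    $this->column_fields['filename'] = $filename;
    $this->column_fields['filesize'] = $filesize;
    $this->column_fields['filetype'] = $filetype;
    $this->column_fields['filedownloadcount'] = $filedownloadcount;
}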
* The Original Code is: vtiger CRM Open Source * The Initial Developer of the Original Code is vtiger. * Portions created by vtiger are Copyright (C) vtiger. * All Rights Reserved. ********************************************************************************/ require_once 'include/utils/utils.php'; global $upload_badext; $uploaddir = $root_directory . "/test/upload/"; // set this to wherever // Arbitrary File Upload Vulnerability fix - Philip if (isset($_REQUEST['binFile_hidden'])) { $file = vtlib_purify($_REQUEST['binFile_hidden']); } else { $file = $_FILES['binFile']['name']; } $binFile = sanitizeUploadFileName($file, $upload_badext); $_FILES["binFile"]["name"] = $binFile; $strDescription = vtlib_purify($_REQUEST['txtDescription']); // Vulnerability fix ends if (move_uploaded_file($_FILES["binFile"]["tmp_name"], $uploaddir . $_FILES["binFile"]["name"])) { $binFile = $_FILES['binFile']['name']; //$filename = basename($binFile); $filename = ltrim(basename(" " . $binFile)); //allowed filenames start with UTF-8 characters $filetype = $_FILES['binFile']['type']; $filesize = $_FILES['binFile']['size']; $error_flag = ""; $filetype_array = explode("/", $filetype); $file_type_value = strtolower($filetype_array[1]); if ($filesize != 0) { $merge_ext = array('msword', 'doc', 'document', 'rtf', 'odt', 'vnd.oasis.opendocument.text', 'octet-stream', 'vnd.oasi');
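/** function to add attachment for a ticket ie., the passed contents will be write in a file and the details will be stored in database
 *
 * The decoded contents are written to the upload directory as
 * "<crmid>_<sanitized name>", recorded as a 'HelpDesk Attachment' in
 * vtiger_crmentity / vtiger_attachments and linked to the ticket; a Documents
 * record wrapping the same file is then created and linked to the ticket too.
 *
 * @global array $upload_badext - extensions rejected by sanitizeUploadFileName()
 * @param array $input_array - array which contains the following values =>
 *        int $id - customer ie., contact id
 *        int $sessionid - session id
 *        int $ticketid - ticket id
 *        string $filename - file name to be attached with the ticket
 *        string $filetype - file type
 *        int $filesize - file size
 *        string $filecontents - file contents as base64 encoded format
 * @return null  always; also returns early (without writing anything) when the
 *               session is invalid or the file cannot be written
 */
function add_ticket_attachment($input_array)
{
    $adb = PearDatabase::getInstance();
    $log = vglobal('log');
    global $upload_badext;
    $log->debug("Entering customer portal function add_ticket_attachment");
    // NOTE(review): this writes the whole input — session id and base64 file
    // body included — to the DB log; consider trimming what is logged.
    $adb->println("INPUT ARRAY for the function add_ticket_attachment");
    $adb->println($input_array);

    $id = $input_array['id'];
    $sessionid = $input_array['sessionid'];
    $ticketid = $input_array['ticketid'];
    $filename = $input_array['filename'];
    $filetype = $input_array['filetype'];
    $filesize = $input_array['filesize'];
    $filecontents = $input_array['filecontents'];

    // NOTE(review): validateSession() checks the session, not that $ticketid
    // belongs to customer $id — confirm the caller enforces that.
    if (!validateSession($id, $sessionid)) {
        return null;
    }

    //decide the file path where we should upload the file in the server
    $upload_filepath = decideFilePath();
    $attachmentid = $adb->getUniqueID("vtiger_crmentity");

    //fix for space in file name
    $filename = sanitizeUploadFileName($filename, $upload_badext);
    $new_filename = $attachmentid . '_' . $filename;
    $data = base64_decode($filecontents);
    $description = 'CustomerPortal Attachment';

    //write a file with the passed content
    // The old @fopen()/fputs() pair ignored failures; a write error now stops
    // here instead of recording an attachment that does not exist on disk.
    if (file_put_contents($upload_filepath . $new_filename, $data) === false) {
        $log->debug("add_ticket_attachment: could not write {$new_filename} to {$upload_filepath}");
        return null;
    }

    //Now store this file information in db and relate with the ticket
    $date_var = $adb->formatDate(date('Y-m-d H:i:s'), true);
    $crmquery = "insert into vtiger_crmentity (crmid,setype,description,createdtime) values(?,?,?,?)";
    $adb->pquery($crmquery, array($attachmentid, 'HelpDesk Attachment', $description, $date_var));
    $attachmentquery = "insert into vtiger_attachments(attachmentsid,name,description,type,path) values(?,?,?,?,?)";
    $adb->pquery($attachmentquery, array($attachmentid, $filename, $description, $filetype, $upload_filepath));
    $relatedquery = "insert into vtiger_seattachmentsrel values(?,?)";
    $adb->pquery($relatedquery, array($ticketid, $attachmentid));

    // Wrap the same file in a Documents record owned by the default assignee.
    $user_id = getDefaultAssigneeId();
    require_once 'modules/Documents/Documents.php';
    $focus = new Documents();
    $focus->column_fields['notes_title'] = $filename;
    $focus->column_fields['filename'] = $filename;
    $focus->column_fields['filetype'] = $filetype;
    $focus->column_fields['filesize'] = $filesize;
    $focus->column_fields['filelocationtype'] = 'I';
    $focus->column_fields['filedownloadcount'] = 0;
    $focus->column_fields['filestatus'] = 1;
    $focus->column_fields['assigned_user_id'] = $user_id;
    $focus->column_fields['folderid'] = 1;
    $focus->parent_id = $ticketid;
    $focus->save('Documents');

    $related_doc = 'insert into vtiger_seattachmentsrel values (?,?)';
    $adb->pquery($related_doc, array($focus->id, $attachmentid));
    $tic_doc = 'insert into vtiger_senotesrel values(?,?)';
    $adb->pquery($tic_doc, array($ticketid, $focus->id));

    $log->debug("Exiting customer portal function add_ticket_attachment");
}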
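/**
 * Function Sends/Saves mass emails
 *
 * Builds (or, when 'record' is given, updates) the Emails record from the
 * request, reconciles the attachments of a parent email against the ones the
 * form kept, saves the record, re-stores every attachment the form re-sent
 * under a fresh crmid, sends the mail when 'flag' is SENT and renders
 * SendEmailResult.tpl with SUCCESS / MESSAGE.
 *
 * @global array  $upload_badext   extensions rejected by sanitizeUploadFileName()
 * @global string $root_directory  application root
 * @global string $upload_dir      upload directory relative to $root_directory
 * @param <Vtiger_Request> $request
 * @return void
 */
public function massSave(Vtiger_Request $request)
{
    global $upload_badext, $root_directory, $upload_dir;
    $adb = PearDatabase::getInstance();
    $moduleName = $request->getModule();
    $currentUserModel = Users_Record_Model::getCurrentUserModel();
    $recordIds = $this->getRecordsListFromRequest($request);
    $documentIds = $request->get('documentids');

    // This is either SENT or SAVED
    $flag = $request->get('flag');

    $result = Vtiger_Util_Helper::transformUploadedFiles($_FILES, true);
    $_FILES = $result['file'];

    $recordId = $request->get('record');
    if (!empty($recordId)) {
        $recordModel = Vtiger_Record_Model::getInstanceById($recordId, $moduleName);
        $recordModel->set('mode', 'edit');
    } else {
        $recordModel = Vtiger_Record_Model::getCleanInstance($moduleName);
        $recordModel->set('mode', '');
    }

    $parentEmailId = $request->get('parent_id', null);
    $attachmentsWithParentEmail = array();
    if (!empty($parentEmailId) && !empty($recordId)) {
        $parentEmailModel = Vtiger_Record_Model::getInstanceById($parentEmailId);
        $attachmentsWithParentEmail = $parentEmailModel->getAttachmentDetails();
    }

    $existingAttachments = $request->get('attachments', array());
    if (empty($recordId)) {
        // New record: attachments that reference a document are linked as
        // documents; the rest are re-stored below.
        if (is_array($existingAttachments)) {
            foreach ($existingAttachments as $index => $existingAttachInfo) {
                $existingAttachInfo['tmp_name'] = $existingAttachInfo['name'];
                $existingAttachments[$index] = $existingAttachInfo;
                if (array_key_exists('docid', $existingAttachInfo)) {
                    $documentIds[] = $existingAttachInfo['docid'];
                    unset($existingAttachments[$index]);
                }
            }
        }
    } else {
        //If it is edit view unset the exising attachments
        //remove the exising attachments if it is in edit view
        $attachmentsToUnlink = array();
        $documentsToUnlink = array();
        foreach ($attachmentsWithParentEmail as $i => $attachInfo) {
            $found = false;
            foreach ($existingAttachments as $index => $existingAttachInfo) {
                if ($attachInfo['fileid'] == $existingAttachInfo['fileid']) {
                    $found = true;
                    break;
                }
            }
            //Means attachment is deleted
            if (!$found) {
                if (array_key_exists('docid', $attachInfo)) {
                    $documentsToUnlink[] = $attachInfo['docid'];
                } else {
                    $attachmentsToUnlink[] = $attachInfo;
                }
            }
            unset($attachmentsWithParentEmail[$i]);
        }
        //Make the attachments as empty for edit view since all the attachments will already be there
        $existingAttachments = array();
        if (!empty($documentsToUnlink)) {
            $recordModel->deleteDocumentLink($documentsToUnlink);
        }
        if (!empty($attachmentsToUnlink)) {
            $recordModel->deleteAttachment($attachmentsToUnlink);
        }
    }

    // This will be used for sending mails to each individual
    $toMailInfo = $request->get('toemailinfo');
    $to = $request->get('to');
    if (is_array($to)) {
        $to = implode(',', $to);
    }

    $recordModel->set('description', $request->get('description'));
    $recordModel->set('subject', $request->get('subject'));
    $recordModel->set('toMailNamesList', $request->get('toMailNamesList'));
    $recordModel->set('saved_toid', $to);
    $recordModel->set('ccmail', $request->get('cc'));
    $recordModel->set('bccmail', $request->get('bcc'));
    $recordModel->set('assigned_user_id', $currentUserModel->getId());
    $recordModel->set('email_flag', $flag);
    $recordModel->set('documentids', $documentIds);
    $recordModel->set('toemailinfo', $toMailInfo);

    // parent_id encodes each recipient as "<crmid>@<setype marker>|"; users are
    // marked -1, every other entity 1. Initialised so the first ".=" does not
    // read an undefined variable.
    $parentIds = '';
    if (is_array($toMailInfo)) {
        foreach ($toMailInfo as $toRecordId => $emailValueList) {
            if ($recordModel->getEntityType($toRecordId) == 'Users') {
                $parentIds .= $toRecordId . '@-1|';
            } else {
                $parentIds .= $toRecordId . '@1|';
            }
        }
    }
    $recordModel->set('parent_id', $parentIds);
    //save_module still depends on the $_REQUEST, need to clean it up
    $_REQUEST['parent_id'] = $parentIds;

    $success = false;
    $message = '';
    $viewer = $this->getViewer($request);

    if ($recordModel->checkUploadSize($documentIds)) {
        $recordModel->save();

        //To Handle existing attachments
        $current_user = Users_Record_Model::getCurrentUserModel();
        $ownerId = $recordModel->get('assigned_user_id');
        $date_var = date("Y-m-d H:i:s");
        // 'path', 'attachment' and 'fileid' are user-controlled, so the source
        // file is only accepted when it resolves inside the configured upload
        // directory; otherwise a crafted entry could pull an arbitrary server
        // file into the CRM as an attachment.
        // NOTE(review): assumes every re-attachable file (incl. "SEND PDF"
        // temporaries) lives under $root_directory/$upload_dir — confirm.
        $uploadRoot = realpath($root_directory . '/' . $upload_dir);
        if (is_array($existingAttachments)) {
            foreach ($existingAttachments as $index => $existingAttachInfo) {
                $file_name = $existingAttachInfo['attachment'];
                $path = $existingAttachInfo['path'];
                $fileId = $existingAttachInfo['fileid'];
                $oldFileName = $file_name;
                //SEND PDF mail will not be having file id
                if (!empty($fileId)) {
                    $oldFileName = $existingAttachInfo['fileid'] . '_' . $file_name;
                }
                $oldFilePath = $path . '/' . $oldFileName;
                $oldFileReal = realpath($oldFilePath);
                if ($uploadRoot === false || $oldFileReal === false
                    || strpos($oldFileReal, $uploadRoot . DIRECTORY_SEPARATOR) !== 0) {
                    continue;
                }

                // Strip rejected extensions, then drop any directory component.
                $binFile = sanitizeUploadFileName($file_name, $upload_badext);
                $current_id = $adb->getUniqueID("vtiger_crmentity");
                $filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
                $filetype = $existingAttachInfo['type'];

                //get the file path inwhich folder we want to upload the file
                $upload_file_path = decideFilePath();
                $newFilePath = $upload_file_path . $current_id . "_" . $binFile;
                // The copy result used to be ignored, leaving rows that pointed
                // at a file that was never stored.
                if (!copy($oldFileReal, $newFilePath)) {
                    continue;
                }

                $sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?, ?, ?, ?, ?, ?, ?)";
                $params1 = array($current_id, $current_user->getId(), $ownerId, $moduleName . " Attachment", $recordModel->get('description'), $adb->formatDate($date_var, true), $adb->formatDate($date_var, true));
                $adb->pquery($sql1, $params1);

                $sql2 = "insert into vtiger_attachments(attachmentsid, name, description, type, path) values(?, ?, ?, ?, ?)";
                $params2 = array($current_id, $filename, $recordModel->get('description'), $filetype, $upload_file_path);
                $adb->pquery($sql2, $params2);

                $sql3 = 'insert into vtiger_seattachmentsrel values(?,?)';
                $adb->pquery($sql3, array($recordModel->getId(), $current_id));
            }
        }

        $success = true;
        if ($flag == 'SENT') {
            $status = $recordModel->send();
            if ($status === true) {
                // This is needed to set vtiger_email_track table as it is used in email reporting
                $recordModel->setAccessCountValue();
            } else {
                $success = false;
                $message = $status;
            }
        }
    } else {
        $message = vtranslate('LBL_MAX_UPLOAD_SIZE', $moduleName) . ' ' . vtranslate('LBL_EXCEEDED', $moduleName);
    }

    $viewer->assign('SUCCESS', $success);
    $viewer->assign('MESSAGE', $message);
    $loadRelatedList = $request->get('related_load');
    if (!empty($loadRelatedList)) {
        $viewer->assign('RELATED_LOAD', true);
    }
    $viewer->view('SendEmailResult.tpl', $moduleName);
}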
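/** Function to get the status of the file upload
 *
 * Checks that the form field named by $this->field_name holds a genuine HTTP
 * upload no larger than $upload_maxsize and that the upload directory is
 * writable, then stores the sanitized name in $this->stored_file_name.
 *
 * @global Logger $log
 * @global string $root_directory - application root
 * @global string $upload_dir     - upload directory relative to $root_directory
 * @global int    $upload_maxsize - size limit in bytes
 * @global array  $upload_badext  - extensions rejected by sanitizeUploadFileName()
 * @returns boolean true when the upload can be stored, false otherwise. An
 *          oversized file and an unwritable directory used to die() with a
 *          message that exposed the server path to the client; both now log
 *          and return false like the not-an-upload case.
 */
function confirm_upload()
{
    global $log, $root_directory, $upload_dir, $upload_maxsize, $upload_badext;
    $log->debug("Eentering confirm_upload() method ...");

    // Absent field: nothing was uploaded under this name.
    $upload = isset($_FILES[$this->field_name]) ? $_FILES[$this->field_name] : null;
    if ($upload === null || !isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        $log->debug("Exiting confirm_upload method ...");
        return false;
    }
    if ($upload['size'] > $upload_maxsize) {
        $log->debug("confirm_upload: uploaded file was too big: max filesize:{$upload_maxsize}");
        return false;
    }
    if (!is_writable($root_directory . '/' . $upload_dir)) {
        $log->debug("confirm_upload: cannot write to directory: {$root_directory}/{$upload_dir} for uploads");
        return false;
    }

    require_once 'include/utils/utils.php';
    $this->stored_file_name = sanitizeUploadFileName($upload['name'], $upload_badext);
    $log->debug("Exiting confirm_upload method ...");
    return true;
}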
/**
 * Creates an Attachments
 *
 * Stores this object's file under "<crmid>_<sanitized name>" in the upload
 * directory and registers it as a 'Documents Attachment' in vtiger_crmentity
 * and vtiger_attachments. The MIME type is detected from the stored bytes.
 *
 * @global PearDataBase $adb
 * @global Array $upload_badext - extensions rejected by sanitizeUploadFileName()
 * @global Users $current_user
 * @return int|false the new attachment crmid, or false when there is no name
 *                   or the file could not be saved
 */
function saveAttachment()
{
    global $adb, $upload_badext, $current_user;

    $uploadPath = decideFilePath();
    $rawName = $this->getName();
    if (empty($rawName)) {
        return false;
    }

    $attachid = $adb->getUniqueId('vtiger_crmentity');
    //sanitize the filename, then drop any directory component
    $safeName = ltrim(basename(" " . sanitizeUploadFileName($rawName, $upload_badext)));
    $storedPath = $uploadPath . $attachid . "_" . $safeName;

    if (!$this->save($storedPath)) {
        return false;
    }

    $description = $safeName;
    // NOTE(review): formatDate() is applied twice here, while the sibling
    // mail-attachment path applies it once — confirm which is intended.
    $date_var = $adb->formatDate(date('YmdHis'), true);
    $usetime = $adb->formatDate($date_var, true);

    $entityRow = array(
        $attachid,
        $current_user->id,
        $current_user->id,
        $current_user->id,
        "Documents Attachment",
        $description,
        $usetime,
        $usetime,
        1,
        0,
    );
    $adb->pquery("INSERT INTO vtiger_crmentity(crmid, smcreatorid, smownerid,\n\t\t\t\tmodifiedby, setype, description, createdtime, modifiedtime, presence, deleted)\n\t\t\t\tVALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", $entityRow);

    $mimetype = MailAttachmentMIME::detect($storedPath);
    $attachmentRow = array($attachid, $safeName, $description, $mimetype, $uploadPath);
    $adb->pquery("INSERT INTO vtiger_attachments SET attachmentsid=?, name=?, description=?, type=?, path=?", $attachmentRow);

    return $attachid;
}
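/**
 * Move an uploaded file into the module's upload directory and register it
 * as an attachment of the given record.
 *
 * Validation happens BEFORE move_uploaded_file(): the MIME type is sniffed
 * from the temp file's content (never from the client-supplied 'type'), and
 * image-only cases are rejected while the temp file still exists and nothing
 * has been written to the upload directory. The original validated
 * Contacts/Products after the move, which left the rejected file on disk and
 * ran validateImageFile() against a tmp_name that had already been moved.
 *
 * The on-disk name and the vtiger_attachments.name column now both use the
 * basename()'d $filename; the original wrote $binFile to disk, so the row and
 * the file disagreed whenever sanitizeUploadFileName() left something that
 * basename() strips.
 *
 * @param int    $id             crmid of the record the file is attached to
 * @param string $module         module of that record; also selects the upload
 *                               directory via decideFilePath($module)
 * @param array  $file_details   one $_FILES entry (name, type, size, tmp_name,
 *                               error); an optional 'original_name' overrides
 *                               'name'
 * @param string $attachmentType 'Image' forces image validation; anything else
 *                               validates only when the sniffed type is image/*
 *                               or the module is Contacts/Products
 * @return bool true once the attachment rows are written; false when
 *              validation fails or move_uploaded_file() fails
 */
function uploadAndSaveFile($id, $module, $file_details, $attachmentType = 'Attachment') {
    $log = LoggerManager::getInstance();
    $log->debug("Entering into uploadAndSaveFile({$id},{$module},{$file_details}) method.");
    $adb = PearDatabase::getInstance();
    $current_user = vglobal('current_user');
    $date_var = date("Y-m-d H:i:s");

    // Owner defaults to the acting user when the record carries no assignee.
    $ownerid = $this->column_fields['assigned_user_id'];
    if (!isset($ownerid) || $ownerid == '') {
        $ownerid = $current_user->id;
    }

    $file_name = $file_details['name'];
    if (isset($file_details['original_name']) && $file_details['original_name'] != null) {
        $file_name = $file_details['original_name'];
    }

    // Contacts and Products accept images only; other modules validate when the
    // caller asked for an Image or the content sniffs as image/*.
    $mimeType = Vtiger_Functions::getMimeContentType($file_details['tmp_name']);
    $mimeTypeContents = explode('/', $mimeType);
    $imageOnlyModule = ($module == 'Contacts' || $module == 'Products');
    $needsImageCheck = $attachmentType == 'Image'
        || $imageOnlyModule
        || ($file_details['size'] && $mimeTypeContents[0] == 'image');
    // Fail closed: anything but an explicit 'true' verdict rejects the file.
    if ($needsImageCheck && validateImageFile($file_details) != 'true') {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    $binFile = sanitizeUploadFileName($file_name, AppConfig::main('upload_badext'));
    $current_id = $adb->getUniqueID('vtiger_crmentity');
    // basename() drops any directory component the sanitizer may have let
    // through; the leading space keeps a locale-aware basename() from eating
    // multibyte leading characters (UTF-8 names stay intact).
    $filename = ltrim(basename(' ' . $binFile));
    $filetype = $file_details['type'];
    $filetmp_name = $file_details['tmp_name'];
    $upload_file_path = decideFilePath($module);

    // The id prefix makes the on-disk name unique regardless of $filename.
    $upload_status = move_uploaded_file($filetmp_name, $upload_file_path . $current_id . '_' . $filename);
    if (!$upload_status) {
        $log->debug("Skip the save attachment process.");
        return false;
    }

    $setype = $imageOnlyModule ? $module . " Image" : $module . " Attachment";
    $adb->insert('vtiger_crmentity', [
        'crmid' => $current_id,
        'smcreatorid' => $current_user->id,
        'smownerid' => $ownerid,
        'setype' => $setype,
        'description' => $this->column_fields['description'],
        'createdtime' => $adb->formatDate($date_var, true),
        'modifiedtime' => $adb->formatDate($date_var, true),
    ]);
    // 'type' is the client-supplied MIME type, stored for display only; the
    // sniffed $mimeType above is what drove validation.
    $adb->insert('vtiger_attachments', [
        'attachmentsid' => $current_id,
        'name' => $filename,
        'description' => $this->column_fields['description'],
        'type' => $filetype,
        'path' => $upload_file_path,
    ]);

    // In edit mode the request names the attachment being replaced.
    if (isset($_REQUEST['mode']) && $_REQUEST['mode'] == 'edit') {
        $fileid = isset($_REQUEST['fileid']) ? vtlib_purify($_REQUEST['fileid']) : '';
        if ($id != '' && $fileid != '') {
            $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $fileid]);
        }
    }

    // A Documents record keeps exactly one attachment relation.
    if ($module == 'Documents') {
        $adb->delete('vtiger_seattachmentsrel', 'crmid = ?', [$id]);
    }

    // A Contact keeps exactly one image: unlink and delete the previous one
    // before the new relation is added.
    if ($module == 'Contacts') {
        $att_sql = "select vtiger_seattachmentsrel.attachmentsid from vtiger_seattachmentsrel inner join vtiger_crmentity on vtiger_crmentity.crmid=vtiger_seattachmentsrel.attachmentsid where vtiger_crmentity.setype='Contacts Image' and vtiger_seattachmentsrel.crmid=?";
        $res = $adb->pquery($att_sql, array($id));
        $attachmentsid = $adb->query_result($res, 0, 'attachmentsid');
        if ($attachmentsid != '') {
            $adb->delete('vtiger_seattachmentsrel', 'crmid = ? AND attachmentsid = ?', [$id, $attachmentsid]);
            $adb->delete('vtiger_crmentity', 'crmid = ?', [$attachmentsid]);
        }
    }

    $adb->insert('vtiger_seattachmentsrel', ['crmid' => $id, 'attachmentsid' => $current_id]);
    return true;
}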
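/**
 * Web-service entry point: attach a base64-encoded file to an Emails record.
 *
 * Fix: $upload_badext was used without being declared global, so inside this
 * function it was always null and sanitizeUploadFileName() ran with an empty
 * bad-extension list -- the extension blacklist never applied to files
 * attached through this endpoint. It is now imported alongside $adb.
 *
 * @param int    $emailid  crmid of the Emails record
 * @param string $filedata base64-encoded file content
 * @param string $filename client-supplied name; '..' is collapsed, then the
 *                         name is sanitized and SQL-purified
 * @param int    $filesize cap, in bytes, on what is written to disk
 * @param string $filetype ignored: the row is always stored as
 *                         application/octet-stream
 * @param string $username
 * @param string $session  session token checked by validateSession()
 * @return int|string|null new attachment crmid; null on a bad session, an
 *                         empty $emailid or an unwritable target file; ""
 *                         when the crmentity insert fails (original contract)
 */
function AddEmailAttachment($emailid, $filedata, $filename, $filesize, $filetype, $username, $session) {
    if (!validateSession($username, $session)) {
        return null;
    }
    if (empty($emailid)) {
        return null;
    }

    global $adb, $upload_badext;
    require_once 'modules/Users/Users.php';
    require_once 'include/utils/utils.php';

    // Collapse '..' before sanitizing to avoid relative file path attacks.
    $filename = vtlib_purifyForSql(sanitizeUploadFileName(str_replace('..', '_', $filename), $upload_badext));
    $date_var = date('Y-m-d H:i:s');
    $seed_user = new Users();
    $user_id = $seed_user->retrieve_user_id($username);
    $crmid = $adb->getUniqueID("vtiger_crmentity");
    $upload_file_path = decideFilePath();

    // Do not register an attachment whose file could not be created.
    // NOTE(review): nothing here enforces $upload_maxsize the way
    // confirm_upload() does; $filesize only truncates, it does not reject.
    $handle = fopen($upload_file_path . $crmid . "_" . $filename, "wb");
    if ($handle === false) {
        return null;
    }
    fwrite($handle, base64_decode($filedata), $filesize);
    fclose($handle);

    $sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values (?,?,?,?,?,?,?)";
    $params1 = array($crmid, $user_id, $user_id, 'Emails Attachment', ' ', $adb->formatDate($date_var, true), $adb->formatDate($date_var, true));
    $entityresult = $adb->pquery($sql1, $params1);

    // The caller's $filetype is deliberately not trusted or stored.
    $filetype = "application/octet-stream";
    if ($entityresult == false) {
        //$server->setError("Invalid username and/or password");
        return "";
    }

    $sql2 = "insert into vtiger_attachments(attachmentsid, name, description, type, path) values (?,?,?,?,?)";
    $params2 = array($crmid, $filename, ' ', $filetype, $upload_file_path);
    $result = $adb->pquery($sql2, $params2);
    $sql3 = 'insert into vtiger_seattachmentsrel values(?,?)';
    $adb->pquery($sql3, array($emailid, $crmid));
    return $crmid;
}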
$nologo_specified = "false"; } else { if ($errorCode == 3) { $error_flag = "4"; $savefrontlogo = "false"; $nologo_specified = "false"; } } } } if (isset($_FILES) and isset($_FILES['binFaviconFile']) and !empty($_FILES['binFaviconFile']['name'])) { $binFaviconFile = $_FILES['binFaviconFile']['name']; if (isset($_REQUEST['binFaviconFile_hidden'])) { $favicon_filename = sanitizeUploadFileName(vtlib_purify($_REQUEST['binFaviconFile_hidden']), $upload_badext); } else { $binFaviconFile = sanitizeUploadFileName($binFaviconFile, $upload_badext); $favicon_filename = ltrim(basename(" " . $binFaviconFile)); } $favicon_filetype = $_FILES['binFaviconFile']['type']; $favicon_filesize = $_FILES['binFaviconFile']['size']; $font_filetype_array = explode("/", $favicon_filetype); $favicon_file_type_val = strtolower($font_filetype_array[1]); if ($favicon_filesize != 0) { if (in_array($favicon_file_type_val, $image_extensions_allowed)) { //Checking whether the file is an image or not $savefaviconlogo = "true"; } else { $savefaviconlogo = "false"; $error_flag = "1"; } } else {
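/**
 * Write a mail attachment to the upload directory and register it as a
 * "MailManager Attachment" owned by the current user.
 *
 * The name arrives from a mail header and is untrusted: it is RFC 2047
 * decoded, passed through sanitizeUploadFileName(), and -- new here, matching
 * the other attachment writers in this file -- basename()'d so no directory
 * component can survive into the on-disk path.
 *
 * @param string $filename    attachment name as found in the mail header
 * @param string $filecontent raw (already decoded) attachment bytes
 * @return array attachid, path, name, type (sniffed from the saved file), size
 */
public function __SaveAttachmentFile($filename, $filecontent) {
    require_once 'modules/Settings/MailConverter/handlers/MailAttachmentMIME.php';
    $db = PearDatabase::getInstance();
    $currentUserModel = Users_Record_Model::getCurrentUserModel();

    // Decode =?charset?..?= header encoding first so the sanitizer sees the
    // real name rather than the wrapper.
    $filename = imap_utf8($filename);
    $dirname = decideFilePath();
    // NOTE(review): 'ymdHis' (two-digit year) differs from the 'YmdHis' used
    // by saveAttachment(); kept as-is, confirm which formatDate() expects.
    $usetime = $db->formatDate(date('ymdHis'), true);

    $binFile = sanitizeUploadFileName($filename, vglobal('upload_badext'));
    // Defence in depth: strip any directory component the sanitizer may have
    // left. The leading space keeps a locale-aware basename() from eating
    // multibyte leading characters.
    $binFile = ltrim(basename(' ' . $binFile));

    $attachid = $db->getUniqueId('vtiger_crmentity');
    $saveasfile = "{$dirname}/{$attachid}" . "_" . $binFile;
    // NOTE(review): fopen/fwrite results are not checked; a failed write
    // still registers the attachment. Left unchanged to keep the array
    // contract callers expect.
    $fh = fopen($saveasfile, 'wb');
    fwrite($fh, $filecontent);
    fclose($fh);

    // Type is sniffed from what was written, never taken from the mail.
    $mimetype = MailAttachmentMIME::detect($saveasfile);
    $userId = $currentUserModel->getId();
    $db->pquery(
        "INSERT INTO vtiger_crmentity(crmid, smcreatorid, smownerid,\n\t\t\t\tmodifiedby, setype, description, createdtime, modifiedtime, presence, deleted)\n\t\t\t\tVALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
        array($attachid, $userId, $userId, $userId, "MailManager Attachment", $binFile, $usetime, $usetime, 1, 0)
    );
    $db->pquery(
        "INSERT INTO vtiger_attachments SET attachmentsid=?, name=?, description=?, type=?, path=?",
        array($attachid, $binFile, $binFile, $mimetype, $dirname)
    );

    return array(
        'attachid' => $attachid,
        'path' => $dirname,
        'name' => $binFile,
        'type' => $mimetype,
        'size' => filesize($saveasfile),
    );
}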