/**
* Check if the value is a file name
*
* @param string param name
* @param string error message
* @return boolean true if OK
*/
function param_check_filename($var, $err_msg)
{
if ($error_filename = validate_filename($GLOBALS[$var])) {
param_error($var, $error_filename);
return false;
}
return true;
}
echo dirname($lFile->get_rdfs_rel_path()) . '/';
echo '</td>';
}
/******************* File name: ******************/
if (!$fm_flatmode || $selected_Filelist->get_rds_list_path() === false && dirname($lFile->get_rdfs_rel_path()) == '.' || $selected_Filelist->get_rds_list_path() == dirname($lFile->get_rdfs_rel_path()) . '/') {
// Use a hidden field only for current folder and not for subfolders
// It is used to detect a duplicate file on quick upload
$filename_hidden_field = '<input type="hidden" value="' . $lFile->get_root_and_rel_path() . '" />';
} else {
// Don't use the hidden field for this file because it is from another folder
$filename_hidden_field = '';
}
echo '<td class="fm_filename">' . $filename_hidden_field;
/************* Invalid filename warning: *************/
if (!$lFile->is_dir()) {
if ($error_filename = validate_filename($lFile->get_name())) {
// TODO: Warning icon with hint
echo get_icon('warning', 'imgtag', array('class' => 'filenameIcon', 'title' => $error_filename));
syslog_insert(sprintf('The unrecognized extension is detected for file %s', '<b>' . $lFile->get_name() . '</b>'), 'warning', 'file', $lFile->ID);
}
} elseif ($error_dirname = validate_dirname($lFile->get_name())) {
// TODO: Warning icon with hint
echo get_icon('warning', 'imgtag', array('class' => 'filenameIcon', 'title' => $error_dirname));
syslog_insert(sprintf('Invalid name is detected for folder %s', '<b>' . $lFile->get_name() . '</b>'), 'warning', 'file', $lFile->ID);
}
/**** Open in a new window (only directories) ****/
if ($lFile->is_dir()) {
// Directory
$browse_dir_url = $lFile->get_view_url();
$popup_url = url_add_param($browse_dir_url, 'mode=popup');
$target = 'evo_fm_' . $lFile->get_md5_ID();
/**
* Check if file rename is acceptable
*
* used when renaming a file, File settings
*
* @param string the new name
* @param boolean true if it is a directory, false if not
* @param string the absolute path of the parent directory
* @param boolean true if user has permission to all kind of fill types, false otherwise
* @return mixed NULL if the rename is acceptable, error message if not
*/
function check_rename(&$newname, $is_dir, $dir_path, $allow_locked_filetypes)
{
global $dirpath_max_length;
// Check if provided name is okay:
$newname = trim(strip_tags($newname));
if ($is_dir) {
if ($error_dirname = validate_dirname($newname)) {
// invalid directory name
syslog_insert(sprintf('Invalid name is detected for folder %s', '<b>' . $newname . '</b>'), 'warning', 'file');
return $error_dirname;
}
if ($dirpath_max_length < strlen($dir_path) + strlen($newname)) {
// The new path length would be too long
syslog_insert(sprintf('The renamed file %s is too long for the folder', '<b>' . $newname . '</b>'), 'warning', 'file');
return T_('The new name is too long for this folder.');
}
} elseif ($error_filename = validate_filename($newname, $allow_locked_filetypes)) {
// Not a file name or not an allowed extension
syslog_insert(sprintf('The renamed file %s has an unrecognized extension', '<b>' . $newname . '</b>'), 'warning', 'file');
return $error_filename;
}
return NULL;
}
/**
* Check if file rename is acceptable
*
* used when renaming a file, File settings
*
* @param string the new name
* @param boolean true if it is a directory, false if not
* @param string the absolute path of the parent directory
* @param boolean true if user has permission to all kind of fill types, false otherwise
* @return mixed NULL if the rename is acceptable, error message if not
*/
function check_rename(&$newname, $is_dir, $dir_path, $allow_locked_filetypes)
{
global $dirpath_max_length;
// Check if provided name is okay:
$newname = trim(strip_tags($newname));
if ($is_dir) {
if ($error_dirname = validate_dirname($newname)) {
// invalid directory name
return $error_dirname;
}
if ($dirpath_max_length < strlen($dir_path) + strlen($newname)) {
// The new path length would be too long
return T_('The new name is too long for this folder.');
}
} elseif ($error_filename = validate_filename($newname, $allow_locked_filetypes)) {
// Not a file name or not an allowed extension
return $error_filename;
}
return NULL;
}
/**
* metaWeblog.newMediaObject image upload
*
* image is supplied coded in the info struct as bits
*
* @see http://www.xmlrpc.com/metaWeblogApi#metaweblognewmediaobject
*
* @todo do not overwrite existing pics with same name
* @todo extensive permissions
*
* @param xmlrpcmsg XML-RPC Message
* 0 blogid (string): Unique identifier of the blog the post will be added to.
* Currently ignored in b2evo, in favor of the category.
* 1 username (string): Login for a Blogger user who has permission to edit the given
* post (either the user who originally created it or an admin of the blog).
* 2 password (string): Password for said username.
* 3 struct (struct)
* - name : filename
* - type : mimetype
* - bits : base64 encoded file
* @return xmlrpcresp XML-RPC Response
*/
function mw_newmediaobject($m)
{
global $xmlrpcerruser;
// import user errcode value
global $Settings, $baseurl, $fileupload_allowedtypes;
// CHECK LOGIN:
/**
* @var User
*/
if (!($current_User =& xmlrpcs_login($m, 1, 2))) {
// Login failed, return (last) error:
return xmlrpcs_resperror();
}
// GET BLOG:
/**
* @var Blog
*/
if (!($Blog =& xmlrpcs_get_Blog($m, 0))) {
// Login failed, return (last) error:
return xmlrpcs_resperror();
}
// CHECK PERMISSION:
// For lack of more subtle perm: require any edit perm on blog + global file add perm.
if (!$current_User->check_perm('blog_post_statuses', 'edit', false, $Blog->ID) || !$current_User->check_perm('files', 'add', false)) {
// Permission denied
return xmlrpcs_resperror(3);
// User error 3
}
logIO('Permission granted.');
if (!$Settings->get('upload_enabled')) {
return new xmlrpcresp(0, $xmlrpcerruser + 2, 'Object upload not allowed ');
}
$xcontent = $m->getParam(3);
// Get the main data - and decode it properly for the image - sorry, binary object
$contentstruct = xmlrpc_decode_recurse($xcontent);
$data = $contentstruct['bits'];
$type = $contentstruct['type'];
logIO('Received MIME type: ' . $type);
$rf_filepath = $contentstruct['name'];
logIO('Received filepath: ' . $rf_filepath);
// Avoid problems:
$rf_filepath = strtolower($rf_filepath);
$rf_filepath = preg_replace('¤[^a-z0-9\\-_./]¤', '-', $rf_filepath);
logIO('Sanitized filepath: ' . $rf_filepath);
load_funcs('files/model/_file.funcs.php');
// Split into path + name:
$filepath_parts = explode('/', $rf_filepath);
$filename = array_pop($filepath_parts);
// Check valid filename/extension: (includes check for locked filenames)
logIO('File name: ' . $filename);
if ($error_filename = validate_filename($filename, false)) {
return new xmlrpcresp(0, $xmlrpcerruser + 4, 'Invalid objecttype for upload (' . $filename . '): ' . $error_filename);
}
// Check valid path parts:
$rds_subpath = '';
foreach ($filepath_parts as $filepath_part) {
if (empty($filepath_part) || $filepath_part == '.') {
// self ref not useful
continue;
}
if ($error = validate_dirname($filepath_part)) {
// invalid relative path:
logIO($error);
return new xmlrpcresp(0, $xmlrpcerruser + 3, $error);
}
$rds_subpath .= $filepath_part . '/';
}
logIO('Subpath: ' . $rds_subpath);
$fileupload_path = $Blog->get_media_dir();
if (!$fileupload_path) {
return new xmlrpcresp(0, $xmlrpcerruser + 5, 'Error accessing Blog media directory.');
}
// Create subdirs, if necessary:
if (!empty($rds_subpath)) {
$fileupload_path = $fileupload_path . $rds_subpath;
if (!mkdir_r($fileupload_path)) {
// Dir didn't already exist and could not be created
return new xmlrpcresp(0, $xmlrpcerruser + 6, 'Error creating sub directories: ' . rel_path_to_base($fileupload_path));
}
}
$afs_filepath = $fileupload_path . $filename;
logIO('Saving to: ' . $afs_filepath);
$fh = @fopen($afs_filepath, 'wb');
if (!$fh) {
logIO('Error opening file');
return new xmlrpcresp(0, $xmlrpcerruser + 7, 'Error opening file for writing.');
}
$ok = @fwrite($fh, $data);
@fclose($fh);
if (!$ok) {
logIO('Error writing to file');
return new xmlrpcresp(0, $xmlrpcerruser + 8, 'Error while writing to file.');
}
// chmod uploaded file:
$chmod = $Settings->get('fm_default_chmod_file');
logIO('chmod to: ' . $chmod);
@chmod($afs_filepath, octdec($chmod));
$url = $Blog->get_media_url() . $rds_subpath . $filename;
logIO('URL of new file: ' . $url);
// - return URL as XML
$urlstruct = new xmlrpcval(array('url' => new xmlrpcval($url, 'string')), 'struct');
logIO('OK.');
return new xmlrpcresp($urlstruct);
}
/**
* Check if the value is a file name
*
* @param string param name
* @param string error message
* @return boolean true if OK
*/
function param_check_filename($var, $err_msg)
{
if ($error_filename = validate_filename($GLOBALS[$var])) {
param_error($var, $error_filename);
syslog_insert(sprintf('File %s is invalid or has an unrecognized extension', '<b>' . $GLOBALS[$var] . '</b>'), 'warning', 'file');
return false;
}
return true;
}
while ($loop_src_File =& $fm_source_Filelist->get_next()) {
if (!$loop_src_File->exists()) {
// this can happen on reloading the page
$fm_source_Filelist->remove($loop_src_File);
continue;
}
if (!isset($new_names[$loop_src_File->get_md5_ID()])) {
// We have not yet provided a name to rename to...
$confirm = 0;
$new_names[$loop_src_File->get_md5_ID()] = $loop_src_File->get('name');
continue;
}
// Check if provided name is okay:
$new_names[$loop_src_File->get_md5_ID()] = trim(strip_tags($new_names[$loop_src_File->get_md5_ID()]));
if (!$loop_src_File->is_dir()) {
if ($error_filename = validate_filename($new_names[$loop_src_File->get_md5_ID()])) {
// Not a file name or not an allowed extension
$confirm = 0;
$Messages->add($error_filename, 'error');
syslog_insert(sprintf('The copied file %s has an unrecognized extension', '<b>' . $new_names[$loop_src_File->get_md5_ID()] . '</b>'), 'warning', 'file', $loop_src_File->ID);
continue;
}
} elseif ($error_dirname = validate_dirname($new_names[$loop_src_File->get_md5_ID()])) {
// Not a directory name
$confirm = 0;
$Messages->add($error_dirname, 'error');
continue;
}
// If the source is a directory, then we must check if the target path length is allowed or not
$FileCache =& get_FileCache();
$dest_File =& $FileCache->get_by_root_and_path($fm_Filelist->get_root_type(), $fm_Filelist->get_root_ID(), $fm_Filelist->get_rds_list_path() . $new_names[$loop_src_File->get_md5_ID()]);
function upload($lang)
{
$maxfilesize = 1000000;
$action = 'init';
if (isset($_POST['upload_put'])) {
$action = 'upload';
}
$file = $name = $type = $error = false;
$size = 0;
$token = false;
switch ($action) {
case 'upload':
if (isset($_POST['upload_token'])) {
$token = readarg($_POST['upload_token']);
}
if (isset($_FILES['upload_file'])) {
if (isset($_FILES['upload_file']['tmp_name'])) {
$file = $_FILES['upload_file']['tmp_name'];
}
if (isset($_FILES['upload_file']['error'])) {
$error = $_FILES['upload_file']['error'];
}
if (isset($_FILES['upload_file']['name'])) {
$name = $_FILES['upload_file']['name'];
}
if (isset($_FILES['upload_file']['type'])) {
$type = $_FILES['upload_file']['type'];
}
if (isset($_FILES['upload_file']['size'])) {
$size = $_FILES['upload_file']['size'];
}
}
break;
default:
break;
}
$bad_token = false;
$missing_file = false;
$bad_file = false;
$bad_name = false;
$bad_size = false;
$bad_copy = false;
$copy_error = false;
$file_copied = false;
switch ($action) {
case 'upload':
if (!isset($_SESSION['upload_token']) or $token != $_SESSION['upload_token']) {
$bad_token = true;
break;
}
if (!$file) {
$missing_file = true;
} else {
if (!is_uploaded_file($file)) {
$bad_file = true;
} else {
if ($error != UPLOAD_ERR_OK) {
$bad_copy = true;
} else {
if ($size > $maxfilesize) {
$bad_size = true;
} else {
if (!validate_filename($name) or !is_filename_allowed($name)) {
$bad_name = true;
}
}
}
}
}
break;
default:
break;
}
switch ($action) {
case 'upload':
if ($bad_token or $missing_file or $bad_file or $bad_size or $bad_name or $bad_copy) {
break;
}
$filecopy = FILES_DIR . DIRECTORY_SEPARATOR . $name;
if (!@move_uploaded_file($file, $filecopy)) {
$copy_error = true;
break;
}
$file_copied = true;
break;
default:
break;
}
$_SESSION['upload_token'] = $token = token_id();
$errors = compact('missing_file', 'bad_file', 'bad_size', 'bad_name', 'bad_copy', 'copy_error');
$infos = compact('file_copied');
$output = view('upload', $lang, compact('token', 'maxfilesize', 'name', 'errors', 'infos'));
return $output;
}
continue;
default:
$failedFiles[$lKey] = T_('Unknown error.') . ' #' . $_FILES['uploadfile']['error'][$lKey];
// Abort upload for this file:
continue;
}
}
if (!is_uploaded_file($_FILES['uploadfile']['tmp_name'][$lKey])) {
// Ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working.
$failedFiles[$lKey] = T_('The file does not seem to be a valid upload! It may exceed the upload_max_filesize directive in php.ini.');
// Abort upload for this file:
continue;
}
// Use new name on server if specified:
$newName = !empty($uploadfile_name[$lKey]) ? $uploadfile_name[$lKey] : $lName;
if ($error_filename = validate_filename($newName)) {
// Not a file name or not an allowed extension
$failedFiles[$lKey] = $error_filename;
// Abort upload for this file:
continue;
}
// Get File object for requested target location:
$FileCache =& get_Cache('FileCache');
$newFile =& $FileCache->get_by_root_and_path($fm_FileRoot->type, $fm_FileRoot->in_type_ID, trailing_slash($path) . $newName, true);
if ($newFile->exists()) {
// The file already exists in the target location!
// TODO: Rename/Overwriting (save as filename_<numeric_extension> and provide interface to confirm, rename or overwrite)
$failedFiles[$lKey] = sprintf(T_('The file «%s» already exists.'), $newFile->dget('name'));
// Abort upload for this file:
continue;
}
