/** * @brief Creates a new file in the directory. * * Data will either be supplied as a stream resource, or in certain cases * as a string. Keep in mind that you may have to support either. * * After successful creation of the file, you may choose to return the ETag * of the new file here. * * @throw \Sabre\DAV\Exception\Forbidden * @param string $name Name of the file * @param resource|string $data Initial payload * @return null|string ETag */ public function createFile($name, $data = null) { logger('create file in directory ' . $name, LOGGER_DEBUG); if (!$this->auth->owner_id) { logger('permission denied ' . $name); throw new DAV\Exception\Forbidden('Permission denied.'); } if (!perm_is_allowed($this->auth->owner_id, $this->auth->observer, 'write_storage')) { logger('permission denied ' . $name); throw new DAV\Exception\Forbidden('Permission denied.'); } $mimetype = z_mime_content_type($name); $c = q("SELECT * FROM channel WHERE channel_id = %d AND channel_removed = 0 LIMIT 1", intval($this->auth->owner_id)); if (!$c) { logger('no channel'); throw new DAV\Exception\Forbidden('Permission denied.'); } $filesize = 0; $hash = random_string(); $f = 'store/' . $this->auth->owner_nick . '/' . ($this->os_path ? $this->os_path . '/' : '') . $hash; $direct = null; if ($this->folder_hash) { $r = q("select * from attach where hash = '%s' and is_dir = 1 and uid = %d limit 1", dbesc($this->folder_hash), intval($c[0]['channel_id'])); if ($r) { $direct = $r[0]; } } if ($direct && ($direct['allow_cid'] || $direct['allow_gid'] || $direct['deny_cid'] || $direct['deny_gid'])) { $allow_cid = $direct['allow_cid']; $allow_gid = $direct['allow_gid']; $deny_cid = $direct['deny_cid']; $deny_gid = $direct['deny_gid']; } else { $allow_cid = $c[0]['channel_allow_cid']; $allow_gid = $c[0]['channel_allow_gid']; $deny_cid = $c[0]['channel_deny_cid']; $deny_gid = $c[0]['channel_deny_gid']; } $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, folder, os_storage, filetype, filesize, revision, is_photo, content, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )\n\t\t\tVALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($c[0]['channel_account_id']), intval($c[0]['channel_id']), dbesc($hash), dbesc($this->auth->observer), dbesc($name), dbesc($this->folder_hash), intval(1), dbesc($mimetype), intval($filesize), intval(0), intval($is_photo), dbesc($f), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc($allow_cid), dbesc($allow_gid), dbesc($deny_cid), dbesc($deny_gid)); // returns the number of bytes that were written to the file, or FALSE on failure $size = file_put_contents($f, $data); // delete attach entry if file_put_contents() failed if ($size === false) { logger('file_put_contents() failed to ' . $f); attach_delete($c[0]['channel_id'], $hash); return; } // returns now $edited = datetime_convert(); $is_photo = 0; $x = @getimagesize($f); logger('getimagesize: ' . print_r($x, true), LOGGER_DATA); if ($x && ($x[2] === IMAGETYPE_GIF || $x[2] === IMAGETYPE_JPEG || $x[2] === IMAGETYPE_PNG)) { $is_photo = 1; } // updates entry with filesize and timestamp $d = q("UPDATE attach SET filesize = '%s', is_photo = %d, edited = '%s' WHERE hash = '%s' AND uid = %d", dbesc($size), intval($is_photo), dbesc($edited), dbesc($hash), intval($c[0]['channel_id'])); // update the folder's lastmodified timestamp $e = q("UPDATE attach SET edited = '%s' WHERE hash = '%s' AND uid = %d", dbesc($edited), dbesc($this->folder_hash), intval($c[0]['channel_id'])); $maxfilesize = get_config('system', 'maxfilesize'); if ($maxfilesize && $size > $maxfilesize) { attach_delete($c[0]['channel_id'], $hash); return; } // check against service class quota $limit = engr_units_to_bytes(service_class_fetch($c[0]['channel_id'], 'attach_upload_limit')); if ($limit !== false) { $x = q("SELECT SUM(filesize) AS total FROM attach WHERE aid = %d ", intval($c[0]['channel_account_id'])); if ($x && $x[0]['total'] + $size > $limit) { logger('service class limit exceeded for ' . $c[0]['channel_name'] . ' total usage is ' . $x[0]['total'] . ' limit is ' . userReadableSize($limit)); attach_delete($c[0]['channel_id'], $hash); return; } } if ($is_photo) { $album = ''; if ($this->folder_hash) { $f1 = q("select filename from attach WHERE hash = '%s' AND uid = %d", dbesc($this->folder_hash), intval($c[0]['channel_id'])); if ($f1) { $album = $f1[0]['filename']; } } require_once 'include/photos.php'; $args = array('resource_id' => $hash, 'album' => $album, 'os_path' => $f, 'filename' => $name, 'getimagesize' => $x, 'directory' => $direct); $p = photo_upload($c[0], \App::get_observer(), $args); } $sync = attach_export_data($c[0], $hash); if ($sync) { build_sync_packet($c[0]['channel_id'], array('file' => array($sync))); } }
/** * A lot going on in this function, and some of it is old cruft and some is new cruft * and the entire thing probably needs to be refactored. It started out just storing * files, before we had DAV. It was made extensible to do extra stuff like edit an * existing file or optionally store a separate revision using $options to choose between different * storage models. Along the way we moved from * DB data storage to file system storage. * Then DAV came along and used different upload methods depending on whether the * file was stored as a DAV directory object or updated as a file object. One of these * is essentially an update and the other is basically an upload, but doesn't use the traditional PHP * upload workflow. * Then came hubzilla and we tried to merge photo functionality with the file storage. Most of * that integration occurs within this function. * This required overlap with the old photo_upload stuff and photo albums were * completely different concepts from directories which needed to be reconciled somehow. * The old revision stuff is kind of orphaned currently. There's new revision stuff for photos * which attaches (2) etc. onto the name, but doesn't integrate with the attach table revisioning. * That's where it sits currently. I repeat it needs to be refactored, and this note is here * for future explorers and those who may be doing that work to understand where it came * from and got to be the monstrosity of tangled unrelated code that it currently is. */ function attach_store($channel, $observer_hash, $options = '', $arr = null) { require_once 'include/photos.php'; call_hooks('photo_upload_begin', $arr); $ret = array('success' => false); $channel_id = $channel['channel_id']; $sql_options = ''; $source = $arr ? $arr['source'] : ''; $album = $arr ? $arr['album'] : ''; $newalbum = $arr ? $arr['newalbum'] : ''; $hash = $arr && $arr['hash'] ? $arr['hash'] : null; $upload_path = $arr && $arr['directory'] ? $arr['directory'] : ''; $visible = $arr && $arr['visible'] ? $arr['visible'] : ''; $observer = array(); if ($observer_hash) { $x = q("select * from xchan where xchan_hash = '%s' limit 1", dbesc($observer_hash)); if ($x) { $observer = $x[0]; } } logger('arr: ' . print_r($arr, true)); if (!perm_is_allowed($channel_id, $observer_hash, 'write_storage')) { $ret['message'] = t('Permission denied.'); return $ret; } $str_group_allow = perms2str($arr['group_allow']); $str_contact_allow = perms2str($arr['contact_allow']); $str_group_deny = perms2str($arr['group_deny']); $str_contact_deny = perms2str($arr['contact_deny']); // The 'update' option sets db values without uploading a new attachment // 'replace' replaces the existing uploaded data // 'revision' creates a new revision with new upload data // Default is to upload a new file // revise or update must provide $arr['hash'] of the thing to revise/update // By default remove $src when finished $remove_when_processed = true; if ($options === 'import') { $src = $arr['src']; $filename = $arr['filename']; $filesize = @filesize($src); $hash = $arr['resource_id']; if (array_key_exists('hash', $arr)) { $hash = $arr['hash']; } if (array_key_exists('type', $arr)) { $type = $arr['type']; } if ($arr['preserve_original']) { $remove_when_processed = false; } // if importing a directory, just do it now and go home - we're done. if (array_key_exists('is_dir', $arr) && intval($arr['is_dir'])) { $x = attach_mkdir($channel, $observer_hash, $arr); if ($x['message']) { logger('import_directory: ' . $x['message']); } return; } } elseif ($options !== 'update') { $f = array('src' => '', 'filename' => '', 'filesize' => 0, 'type' => ''); call_hooks('photo_upload_file', $f); call_hooks('attach_upload_file', $f); if (x($f, 'src') && x($f, 'filesize')) { $src = $f['src']; $filename = $f['filename']; $filesize = $f['filesize']; $type = $f['type']; } else { if (!x($_FILES, 'userfile')) { $ret['message'] = t('No source file.'); return $ret; } $src = $_FILES['userfile']['tmp_name']; $filename = basename($_FILES['userfile']['name']); $filesize = intval($_FILES['userfile']['size']); } } $existing_size = 0; if ($options === 'replace') { $x = q("select id, hash, filesize from attach where id = %d and uid = %d limit 1", intval($arr['id']), intval($channel_id)); if (!$x) { $ret['message'] = t('Cannot locate file to replace'); return $ret; } $existing_id = $x[0]['id']; $existing_size = intval($x[0]['filesize']); $hash = $x[0]['hash']; } if ($options === 'revise' || $options === 'update') { $sql_options = " order by revision desc "; if ($options === 'update' && $arr && array_key_exists('revision', $arr)) { $sql_options = " and revision = " . intval($arr['revision']) . " "; } $x = q("select id, aid, uid, filename, filetype, filesize, hash, revision, folder, os_storage, is_photo, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where hash = '%s' and uid = %d {$sql_options} limit 1", dbesc($arr['hash']), intval($channel_id)); if (!$x) { $ret['message'] = t('Cannot locate file to revise/update'); return $ret; } $hash = $x[0]['hash']; } $def_extension = ''; $is_photo = 0; $gis = @getimagesize($src); logger('getimagesize: ' . print_r($gis, true), LOGGER_DATA); if ($gis && ($gis[2] === IMAGETYPE_GIF || $gis[2] === IMAGETYPE_JPEG || $gis[2] === IMAGETYPE_PNG)) { $is_photo = 1; if ($gis[2] === IMAGETYPE_GIF) { $def_extension = '.gif'; } if ($gis[2] === IMAGETYPE_JPEG) { $def_extension = '.jpg'; } if ($gis[2] === IMAGETYPE_PNG) { $def_extension = '.png'; } } $pathname = ''; if ($is_photo) { if ($newalbum) { $pathname = filepath_macro($newalbum); } elseif (array_key_exists('folder', $arr)) { $x = q("select filename from attach where hash = '%s' and uid = %d limit 1", dbesc($arr['folder']), intval($channel['channel_id'])); if ($x) { $pathname = $x[0]['filename']; } } else { $pathname = filepath_macro($album); } } else { $pathname = filepath_macro($upload_path); } $darr = array('pathname' => $pathname); // if we need to create a directory, use the channel default permissions. $darr['allow_cid'] = $channel['allow_cid']; $darr['allow_gid'] = $channel['allow_gid']; $darr['deny_cid'] = $channel['deny_cid']; $darr['deny_gid'] = $channel['deny_gid']; $direct = null; if ($pathname) { $x = attach_mkdirp($channel, $observer_hash, $darr); $folder_hash = $x['success'] ? $x['data']['hash'] : ''; $direct = $x['success'] ? $x['data'] : null; if (!$str_contact_allow && !$str_group_allow && !$str_contact_deny && !$str_group_deny) { $str_contact_allow = $x['data']['allow_cid']; $str_group_allow = $x['data']['allow_gid']; $str_contact_deny = $x['data']['deny_cid']; $str_group_deny = $x['data']['deny_gid']; } } else { $folder_hash = $arr && array_key_exists('folder', $arr) ? $arr['folder'] : ''; } if (!$options || $options === 'import') { // A freshly uploaded file. Check for duplicate and resolve with the channel's overwrite settings. $r = q("select filename, id, hash, filesize from attach where filename = '%s' and folder = '%s' ", dbesc($filename), dbesc($folder_hash)); if ($r) { $overwrite = get_pconfig($channel_id, 'system', 'overwrite_dup_files'); if ($overwrite) { $options = 'replace'; $existing_id = $x[0]['id']; $existing_size = intval($x[0]['filesize']); $hash = $x[0]['hash']; } else { if (strpos($filename, '.') !== false) { $basename = substr($filename, 0, strrpos($filename, '.')); $ext = substr($filename, strrpos($filename, '.')); } else { $basename = $filename; $ext = $def_extension; } $r = q("select filename from attach where ( filename = '%s' OR filename like '%s' ) and folder = '%s' ", dbesc($basename . $ext), dbesc($basename . '(%)' . $ext), dbesc($folder_hash)); if ($r) { $x = 1; do { $found = false; foreach ($r as $rr) { if ($rr['filename'] === $basename . '(' . $x . ')' . $ext) { $found = true; break; } } if ($found) { $x++; } } while ($found); $filename = $basename . '(' . $x . ')' . $ext; } else { $filename = $basename . $ext; } } } } if (!$hash) { $hash = random_string(); } // Check storage limits if ($options !== 'update') { $maxfilesize = get_config('system', 'maxfilesize'); if ($maxfilesize && $filesize > $maxfilesize) { $ret['message'] = sprintf(t('File exceeds size limit of %d'), $maxfilesize); if ($remove_when_processed) { @unlink($src); } call_hooks('photo_upload_end', $ret); return $ret; } $limit = service_class_fetch($channel_id, 'attach_upload_limit'); if ($limit !== false) { $r = q("select sum(filesize) as total from attach where aid = %d ", intval($channel['channel_account_id'])); if ($r && $r[0]['total'] + $filesize > $limit - $existing_size) { $ret['message'] = upgrade_message(true) . sprintf(t("You have reached your limit of %1\$.0f Mbytes attachment storage."), $limit / 1024000); if ($remove_when_processed) { @unlink($src); } call_hooks('photo_upload_end', $ret); return $ret; } } $mimetype = isset($type) && $type ? $type : z_mime_content_type($filename); } $os_basepath = 'store/' . $channel['channel_address'] . '/'; $os_relpath = ''; if ($folder_hash) { $curr = find_folder_hash_by_attach_hash($channel_id, $folder_hash, true); if ($curr) { $os_relpath .= $curr . '/'; } $os_relpath .= $folder_hash . '/'; } $os_relpath .= $hash; if ($src) { @file_put_contents($os_basepath . $os_relpath, @file_get_contents($src)); } if (array_key_exists('created', $arr)) { $created = $arr['created']; } else { $created = datetime_convert(); } if (array_key_exists('edited', $arr)) { $edited = $arr['edited']; } else { $edited = $created; } if ($options === 'replace') { $r = q("update attach set filename = '%s', filetype = '%s', folder = '%s', filesize = %d, os_storage = %d, is_photo = %d, data = '%s', edited = '%s' where id = %d and uid = %d", dbesc($filename), dbesc($mimetype), dbesc($folder_hash), intval($filesize), intval(1), intval($is_photo), dbesc($os_relpath), dbesc($created), intval($existing_id), intval($channel_id)); } elseif ($options === 'revise') { $r = q("insert into attach ( aid, uid, hash, creator, filename, filetype, folder, filesize, revision, os_storage, is_photo, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )\n\t\t\tVALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($x[0]['aid']), intval($channel_id), dbesc($x[0]['hash']), dbesc($observer_hash), dbesc($filename), dbesc($mimetype), dbesc($folder_hash), intval($filesize), intval($x[0]['revision'] + 1), intval(1), intval($is_photo), dbesc($os_relpath), dbesc($created), dbesc($created), dbesc($x[0]['allow_cid']), dbesc($x[0]['allow_gid']), dbesc($x[0]['deny_cid']), dbesc($x[0]['deny_gid'])); } elseif ($options === 'update') { $r = q("update attach set filename = '%s', filetype = '%s', folder = '%s', edited = '%s', os_storage = %d, is_photo = %d, \n\t\t\tallow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s' where id = %d and uid = %d", dbesc(array_key_exists('filename', $arr) ? $arr['filename'] : $x[0]['filename']), dbesc(array_key_exists('filetype', $arr) ? $arr['filetype'] : $x[0]['filetype']), dbesc($folder_hash ? $folder_hash : $x[0]['folder']), dbesc($created), dbesc(array_key_exists('os_storage', $arr) ? $arr['os_storage'] : $x[0]['os_storage']), dbesc(array_key_exists('is_photo', $arr) ? $arr['is_photo'] : $x[0]['is_photo']), dbesc(array_key_exists('allow_cid', $arr) ? $arr['allow_cid'] : $x[0]['allow_cid']), dbesc(array_key_exists('allow_gid', $arr) ? $arr['allow_gid'] : $x[0]['allow_gid']), dbesc(array_key_exists('deny_cid', $arr) ? $arr['deny_cid'] : $x[0]['deny_cid']), dbesc(array_key_exists('deny_gid', $arr) ? $arr['deny_gid'] : $x[0]['deny_gid']), intval($x[0]['id']), intval($x[0]['uid'])); } else { $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, folder, filesize, revision, os_storage, is_photo, data, created, edited, allow_cid, allow_gid,deny_cid, deny_gid )\n\t\t\tVALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($channel['channel_account_id']), intval($channel_id), dbesc($hash), dbesc(get_observer_hash()), dbesc($filename), dbesc($mimetype), dbesc($folder_hash), intval($filesize), intval(0), intval(1), intval($is_photo), dbesc($os_relpath), dbesc($created), dbesc($created), dbesc($arr && array_key_exists('allow_cid', $arr) ? $arr['allow_cid'] : $str_contact_allow), dbesc($arr && array_key_exists('allow_gid', $arr) ? $arr['allow_gid'] : $str_group_allow), dbesc($arr && array_key_exists('deny_cid', $arr) ? $arr['deny_cid'] : $str_contact_deny), dbesc($arr && array_key_exists('deny_gid', $arr) ? $arr['deny_gid'] : $str_group_deny)); } if ($is_photo) { $args = array('source' => $source, 'visible' => $visible, 'resource_id' => $hash, 'album' => basename($pathname), 'os_path' => $os_basepath . $os_relpath, 'filename' => $filename, 'getimagesize' => $gis, 'directory' => $direct); if ($arr['contact_allow']) { $args['contact_allow'] = $arr['contact_allow']; } if ($arr['group_allow']) { $args['group_allow'] = $arr['group_allow']; } if ($arr['contact_deny']) { $args['contact_deny'] = $arr['contact_deny']; } if ($arr['group_deny']) { $args['group_deny'] = $arr['group_deny']; } if (array_key_exists('allow_cid', $arr)) { $args['allow_cid'] = $arr['allow_cid']; } if (array_key_exists('allow_gid', $arr)) { $args['allow_gid'] = $arr['allow_gid']; } if (array_key_exists('deny_cid', $arr)) { $args['deny_cid'] = $arr['deny_cid']; } if (array_key_exists('deny_gid', $arr)) { $args['deny_gid'] = $arr['deny_gid']; } $args['created'] = $created; $args['edited'] = $edited; if ($arr['item']) { $args['item'] = $arr['item']; } $p = photo_upload($channel, $observer, $args); if ($p['success']) { $ret['body'] = $p['body']; } } if ($options !== 'update' && $remove_when_processed) { @unlink($src); } if (!$r) { $ret['message'] = t('File upload failed. Possible system limit or action terminated.'); call_hooks('photo_upload_end', $ret); return $ret; } // Caution: This re-uses $sql_options set further above $r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, os_storage, is_photo, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' {$sql_options} limit 1", intval($channel_id), dbesc($hash)); if (!$r) { $ret['message'] = t('Stored file could not be verified. Upload failed.'); call_hooks('photo_upload_end', $ret); return $ret; } $ret['success'] = true; $ret['data'] = $r[0]; if (!$is_photo) { // This would've been called already with a success result in photos_upload() if it was a photo. call_hooks('photo_upload_end', $ret); } return $ret; }
function wall_attach_post(&$a) { if ($a->argc > 1) { $nick = $a->argv[1]; $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 LIMIT 1", dbesc($nick)); if (!count($r)) { return; } } else { return; } $can_post = false; $visitor = 0; $page_owner_uid = $r[0]['uid']; $page_owner_nick = $r[0]['nickname']; $community_page = $r[0]['page-flags'] == PAGE_COMMUNITY ? true : false; if (local_user() && local_user() == $page_owner_uid) { $can_post = true; } else { if ($community_page && remote_user()) { $r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1", intval(remote_user()), intval($page_owner_uid)); if (count($r)) { $can_post = true; $visitor = remote_user(); } } } if (!$can_post) { notice(t('Permission denied.') . EOL); killme(); } if (!x($_FILES, 'userfile')) { killme(); } $src = $_FILES['userfile']['tmp_name']; $filename = basename($_FILES['userfile']['name']); $filesize = intval($_FILES['userfile']['size']); $maxfilesize = get_config('system', 'maxfilesize'); if ($maxfilesize && $filesize > $maxfilesize) { notice(sprintf(t('File exceeds size limit of %d'), $maxfilesize) . EOL); @unlink($src); return; } $filedata = @file_get_contents($src); $mimetype = z_mime_content_type($filename); if ((!strlen($mimetype) || $mimetype === 'application/octet-stream') && function_exists('mime_content_type')) { $mimetype = mime_content_type($filename); } $hash = random_string(); $created = datetime_convert(); $r = q("INSERT INTO `attach` ( `uid`, `hash`, `filename`, `filetype`, `filesize`, `data`, `created`, `edited`, `allow_cid`, `allow_gid`,`deny_cid`, `deny_gid` )\n\t\tVALUES ( %d, '%s', '%s', '%s', %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($page_owner_uid), dbesc($hash), dbesc($filename), dbesc($mimetype), intval($filesize), dbesc($filedata), dbesc($created), dbesc($created), dbesc('<' . $page_owner_uid . '>'), dbesc(''), dbesc(''), dbesc('')); @unlink($src); if (!$r) { echo t('File upload failed.') . EOL; killme(); } $r = q("SELECT `id` FROM `attach` WHERE `uid` = %d AND `created` = '%s' AND `hash` = '%s' LIMIT 1", intval($page_owner_uid), dbesc($created), dbesc($hash)); if (!count($r)) { echo t('File upload failed.') . EOL; killme(); } echo '<br /><br />[attachment]' . $r[0]['id'] . '[/attachment]' . '<br />'; killme(); // NOTREACHED }
function wall_attach_post(&$a) { if ($a->argc > 1) { $nick = $a->argv[1]; $r = q("SELECT `user`.*, `contact`.`id` FROM `user` LEFT JOIN `contact` on `user`.`uid` = `contact`.`uid` WHERE `user`.`nickname` = '%s' AND `user`.`blocked` = 0 and `contact`.`self` = 1 LIMIT 1", dbesc($nick)); if (!count($r)) { return; } } else { return; } $can_post = false; $visitor = 0; $page_owner_uid = $r[0]['uid']; $page_owner_cid = $r[0]['id']; $page_owner_nick = $r[0]['nickname']; $community_page = $r[0]['page-flags'] == PAGE_COMMUNITY ? true : false; if (local_user() && local_user() == $page_owner_uid) { $can_post = true; } else { if ($community_page && remote_user()) { $cid = 0; if (is_array($_SESSION['remote'])) { foreach ($_SESSION['remote'] as $v) { if ($v['uid'] == $page_owner_uid) { $cid = $v['cid']; break; } } } if ($cid) { $r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1", intval($cid), intval($page_owner_uid)); if (count($r)) { $can_post = true; $visitor = $cid; } } } } if (!$can_post) { notice(t('Permission denied.') . EOL); killme(); } if (!x($_FILES, 'userfile')) { killme(); } $src = $_FILES['userfile']['tmp_name']; $filename = basename($_FILES['userfile']['name']); $filesize = intval($_FILES['userfile']['size']); $maxfilesize = get_config('system', 'maxfilesize'); /* Found html code written in text field of form, * when trying to upload a file with filesize * greater than upload_max_filesize. Cause is unknown. * Then Filesize gets <= 0. */ if ($filesize <= 0) { notice(t('Sorry, maybe your upload is bigger than the PHP configuration allows') . EOL . t('Or - did you try to upload an empty file?') . EOL); @unlink($src); killme(); } if ($maxfilesize && $filesize > $maxfilesize) { notice(sprintf(t('File exceeds size limit of %d'), $maxfilesize) . EOL); @unlink($src); return; } $r = q("select sum(octet_length(data)) as total from attach where uid = %d ", intval($page_owner_uid)); $limit = service_class_fetch($page_owner_uid, 'attach_upload_limit'); if ($limit !== false && $r[0]['total'] + strlen($imagedata) > $limit) { echo upgrade_message(true) . EOL; @unlink($src); killme(); } $filedata = @file_get_contents($src); $mimetype = z_mime_content_type($filename); $hash = random_string(); $created = datetime_convert(); $r = q("INSERT INTO `attach` ( `uid`, `hash`, `filename`, `filetype`, `filesize`, `data`, `created`, `edited`, `allow_cid`, `allow_gid`,`deny_cid`, `deny_gid` )\n\t\tVALUES ( %d, '%s', '%s', '%s', %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($page_owner_uid), dbesc($hash), dbesc($filename), dbesc($mimetype), intval($filesize), dbesc($filedata), dbesc($created), dbesc($created), dbesc('<' . $page_owner_cid . '>'), dbesc(''), dbesc(''), dbesc('')); @unlink($src); if (!$r) { echo t('File upload failed.') . EOL; killme(); } $r = q("SELECT `id` FROM `attach` WHERE `uid` = %d AND `created` = '%s' AND `hash` = '%s' LIMIT 1", intval($page_owner_uid), dbesc($created), dbesc($hash)); if (!count($r)) { echo t('File upload failed.') . EOL; killme(); } $lf = "\n"; echo $lf . $lf . '[attachment]' . $r[0]['id'] . '[/attachment]' . $lf; killme(); // NOTREACHED }
/** * @brief * * @param $channel channel array of owner * @param $observer_hash hash of current observer * @param $options (optional) * @param $arr (optional) */ function attach_store($channel, $observer_hash, $options = '', $arr = null) { $ret = array('success' => false); $channel_id = $channel['channel_id']; $sql_options = ''; if (!perm_is_allowed($channel_id, get_observer_hash(), 'write_storage')) { $ret['message'] = t('Permission denied.'); return $ret; } // The 'update' option sets db values without uploading a new attachment // 'replace' replaces the existing uploaded data // 'revision' creates a new revision with new upload data // Default is to upload a new file // revise or update must provide $arr['hash'] of the thing to revise/update if ($options !== 'update') { if (!x($_FILES, 'userfile')) { $ret['message'] = t('No source file.'); return $ret; } $src = $_FILES['userfile']['tmp_name']; $filename = basename($_FILES['userfile']['name']); $filesize = intval($_FILES['userfile']['size']); } $existing_size = 0; if ($options === 'replace') { $x = q("select id, hash, filesize from attach where id = %d and uid = %d limit 1", intval($replace), intval($channel_id)); if (!$x) { $ret['message'] = t('Cannot locate file to replace'); return $ret; } $existing_id = $x[0]['id']; $existing_size = intval($x[0]['filesize']); $hash = $x[0]['hash']; } if ($options === 'revise' || $options === 'update') { $sql_options = " order by revision desc "; if ($options === 'update' && $arr && array_key_exists('revision', $arr)) { $sql_options = " and revision = " . intval($arr['revision']) . " "; } $x = q("select id, aid, uid, filename, filetype, filesize, hash, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where hash = '%s' and uid = %d {$sql_options} limit 1", dbesc($arr['hash']), intval($channel_id)); if (!$x) { $ret['message'] = t('Cannot locate file to revise/update'); return $ret; } $hash = $x[0]['hash']; } // Check storage limits if ($options !== 'update') { $maxfilesize = get_config('system', 'maxfilesize'); if ($maxfilesize && $filesize > $maxfilesize) { $ret['message'] = sprintf(t('File exceeds size limit of %d'), $maxfilesize); @unlink($src); return $ret; } $limit = service_class_fetch($channel_id, 'attach_upload_limit'); if ($limit !== false) { $r = q("select sum(filesize) as total from attach where aid = %d ", intval($channel['channel_account_id'])); if ($r && $r[0]['total'] + $filesize > $limit - $existing_size) { $ret['message'] = upgrade_message(true) . sprintf(t("You have reached your limit of %1\$.0f Mbytes attachment storage."), $limit / 1024000); @unlink($src); return $ret; } } $mimetype = z_mime_content_type($filename); } if (!isset($hash)) { $hash = random_string(); } $created = datetime_convert(); if ($options === 'replace') { $r = q("update attach set filename = '%s', filetype = '%s', filesize = %d, data = '%s', edited = '%s' where id = %d and uid = %d limit 1", dbesc($filename), dbesc($mimetype), intval($filesize), dbesc(@file_get_contents($src)), dbesc($created), intval($existing_id), intval($channel_id)); } elseif ($options === 'revise') { $r = q("insert into attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )\n\t\t\tVALUES ( %d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($x[0]['aid']), intval($channel_id), dbesc($x[0]['hash']), dbesc(get_observer_hash()), dbesc($filename), dbesc($mimetype), intval($filesize), intval($x[0]['revision'] + 1), dbesc(@file_get_contents($src)), dbesc($created), dbesc($created), dbesc($x[0]['allow_cid']), dbesc($x[0]['allow_gid']), dbesc($x[0]['deny_cid']), dbesc($x[0]['deny_gid'])); } elseif ($options === 'update') { $r = q("update attach set filename = '%s', filetype = '%s', edited = '%s', \n\t\t\tallow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s' where id = %d and uid = %d limit 1", dbesc(array_key_exists('filename', $arr) ? $arr['filename'] : $x[0]['filename']), dbesc(array_key_exists('filetype', $arr) ? $arr['filetype'] : $x[0]['filetype']), dbesc($created), dbesc(array_key_exists('allow_cid', $arr) ? $arr['allow_cid'] : $x[0]['allow_cid']), dbesc(array_key_exists('allow_gid', $arr) ? $arr['allow_gid'] : $x[0]['allow_gid']), dbesc(array_key_exists('deny_cid', $arr) ? $arr['deny_cid'] : $x[0]['deny_cid']), dbesc(array_key_exists('deny_gid', $arr) ? $arr['deny_gid'] : $x[0]['deny_gid']), intval($x[0]['id']), intval($x[0]['uid'])); } else { $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid,deny_cid, deny_gid )\n\t\t\tVALUES ( %d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($channel['channel_account_id']), intval($channel_id), dbesc($hash), dbesc(get_observer_hash()), dbesc($filename), dbesc($mimetype), intval($filesize), intval(0), dbesc(@file_get_contents($src)), dbesc($created), dbesc($created), dbesc($arr && array_key_exists('allow_cid', $arr) ? $arr['allow_cid'] : '<' . $channel['channel_hash'] . '>'), dbesc($arr && array_key_exists('allow_gid', $arr) ? $arr['allow_gid'] : ''), dbesc($arr && array_key_exists('deny_cid', $arr) ? $arr['deny_cid'] : ''), dbesc($arr && array_key_exists('deny_gid', $arr) ? $arr['deny_gid'] : '')); } if ($options !== 'update') { @unlink($src); } if (!$r) { $ret['message'] = t('File upload failed. Possible system limit or action terminated.'); return $ret; } // Caution: This re-uses $sql_options set further above $r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' {$sql_options} limit 1", intval($channel_id), dbesc($hash)); if (!$r) { $ret['message'] = t('Stored file could not be verified. Upload failed.'); return $ret; } $ret['success'] = true; $ret['data'] = $r[0]; return $ret; }
/** * @brief Creates a new file in the directory. * * Data will either be supplied as a stream resource, or in certain cases * as a string. Keep in mind that you may have to support either. * * After successful creation of the file, you may choose to return the ETag * of the new file here. * * @throw \Sabre\DAV\Exception\Forbidden * @param string $name Name of the file * @param resource|string $data Initial payload * @return null|string ETag */ public function createFile($name, $data = null) { logger($name, LOGGER_DEBUG); if (!$this->auth->owner_id) { logger('permission denied ' . $name); throw new DAV\Exception\Forbidden('Permission denied.'); } if (!perm_is_allowed($this->auth->owner_id, $this->auth->observer, 'write_storage')) { logger('permission denied ' . $name); throw new DAV\Exception\Forbidden('Permission denied.'); } $mimetype = z_mime_content_type($name); $c = q("SELECT * FROM channel WHERE channel_id = %d AND NOT (channel_pageflags & %d)>0 LIMIT 1", intval($this->auth->owner_id), intval(PAGE_REMOVED)); if (!$c) { logger('no channel'); throw new DAV\Exception\Forbidden('Permission denied.'); } $filesize = 0; $hash = random_string(); $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )\n\t\t\tVALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", intval($c[0]['channel_account_id']), intval($c[0]['channel_id']), dbesc($hash), dbesc($this->auth->observer), dbesc($name), dbesc($this->folder_hash), dbesc(ATTACH_FLAG_OS), dbesc($mimetype), intval($filesize), intval(0), dbesc($this->os_path . '/' . $hash), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc($c[0]['channel_allow_cid']), dbesc($c[0]['channel_allow_gid']), dbesc($c[0]['channel_deny_cid']), dbesc($c[0]['channel_deny_gid'])); $f = 'store/' . $this->auth->owner_nick . '/' . ($this->os_path ? $this->os_path . '/' : '') . $hash; // returns the number of bytes that were written to the file, or FALSE on failure $size = file_put_contents($f, $data); // delete attach entry if file_put_contents() failed if ($size === false) { logger('file_put_contents() failed to ' . $f); attach_delete($c[0]['channel_id'], $hash); return; } // returns now $edited = datetime_convert(); // updates entry with filesize and timestamp $d = q("UPDATE attach SET filesize = '%s', edited = '%s' WHERE hash = '%s' AND uid = %d", dbesc($size), dbesc($edited), dbesc($hash), intval($c[0]['channel_id'])); // update the folder's lastmodified timestamp $e = q("UPDATE attach SET edited = '%s' WHERE hash = '%s' AND uid = %d", dbesc($edited), dbesc($this->folder_hash), intval($c[0]['channel_id'])); $maxfilesize = get_config('system', 'maxfilesize'); if ($maxfilesize && $size > $maxfilesize) { attach_delete($c[0]['channel_id'], $hash); return; } // check against service class quota $limit = service_class_fetch($c[0]['channel_id'], 'attach_upload_limit'); if ($limit !== false) { $x = q("SELECT SUM(filesize) AS total FROM attach WHERE aid = %d ", intval($c[0]['channel_account_id'])); if ($x && $x[0]['total'] + $size > $limit) { logger('service class limit exceeded for ' . $c[0]['channel_name'] . ' total usage is ' . $x[0]['total'] . ' limit is ' . $limit); attach_delete($c[0]['channel_id'], $hash); return; } } }
public function testFileNameOneDot() { $multidots = "foo.ogg"; $this->assertEquals("audio/ogg", z_mime_content_type($multidots)); $this->assertNotEquals("application/octet-stream", z_mime_content_type($multidots)); }