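/**
 * Gets a value from the input data.
 *
 * The $filter argument is not applied to the value here; it is only compared
 * against 'raw' to decide whether the upload safety check may be skipped.
 *
 * @param   string  $name     The name of the input property (usually the name of the file INPUT tag) to get.
 * @param   mixed   $default  The default value to return if the named property does not exist
 *                            or the upload fails JFilterInput::isSafeFile().
 * @param   string  $filter   The filter to apply to the value. Only the exact string 'raw'
 *                            disables the safety check.
 *
 * @return  mixed  The decoded upload data, or $default.
 *
 * @see     JFilterInput::clean()
 * @since   11.1
 */
public function get($name, $default = null, $filter = 'cmd')
{
    if (!isset($this->data[$name]))
    {
        return $default;
    }

    $results = $this->decodeData(
        array(
            $this->data[$name]['name'],
            $this->data[$name]['type'],
            $this->data[$name]['tmp_name'],
            $this->data[$name]['error'],
            $this->data[$name]['size']
        )
    );

    // Prevent returning an unsafe file unless specifically requested.
    // The comparison is strict: with a loose != a non-string filter such as
    // boolean true (or integer 0 on PHP < 8) compares equal to 'raw' and
    // would silently switch the safety check off.
    if ($filter !== 'raw' && !JFilterInput::isSafeFile($results))
    {
        return $default;
    }

    return $results;
}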
/**
 * The class constructor.
 *
 * Binds the instance to $_FILES by reference and stores a 'safe' flag on every
 * upload entry, holding the result of JFilterInput::isSafeFile() for that entry.
 * Because the binding is by reference, the flag is written into the $_FILES
 * superglobal itself.
 *
 * @param   array  $source   The source argument is ignored. $_FILES is always used.
 * @param   array  $options  An optional array of configuration options:
 *                           filter : a custom JFilterInput object.
 *
 * @since   12.1
 */
public function __construct(array $source = null, array $options = array())
{
    // Use the caller's filter when one is supplied, otherwise the shared instance.
    $this->filter = isset($options['filter']) ? $options['filter'] : JFilterInput::getInstance();

    // Set the data source.
    $this->data =& $_FILES;

    // Scan every upload entry and record the verdict next to its descriptor.
    if (!empty($this->data))
    {
        foreach (array_keys($this->data) as $field)
        {
            $this->data[$field]['safe'] = JFilterInput::isSafeFile($this->data[$field]);
        }
    }

    // Set the options for the class.
    $this->options = $options;
}
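/**
 * Checks an uploaded file for suspicious naming and potential PHP contents which could indicate a hacking attempt.
 *
 * Delegates to JFilterInput::isSafeFile() when that class and method exist;
 * otherwise loads the bundled uploadshield.php and uses WFUploadShield::isSafeFile().
 *
 * @param   mixed  $file     The upload descriptor to inspect; passed to the delegate unchanged.
 * @param   array  $options  Options passed to the delegate unchanged.
 *
 * @return  mixed  The delegate's verdict (presumably a boolean; confirm against the delegate).
 */
public static function isSafeFile($file, $options = array())
{
    // The class name must be a quoted string. A bare JFilterInput is read as an
    // undefined constant, which throws an Error on PHP 8 and only worked on
    // older versions through the string fallback, so the check could fail
    // before either scanner ran.
    if (class_exists('JFilterInput') && method_exists('JFilterInput', 'isSafeFile'))
    {
        return JFilterInput::isSafeFile($file, $options);
    }

    // Fallback scanner shipped next to this file.
    require_once dirname(__FILE__) . '/uploadshield.php';

    return WFUploadShield::isSafeFile($file, $options);
}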
/**
 * Moves an uploaded file to a destination folder
 *
 * Unless $allow_unsafe is set, the file is first passed to JFilterInput::isSafeFile()
 * and rejected on a negative verdict. The transfer then goes through one of three
 * paths: a stream, an FTP client, or move_uploaded_file().
 *
 * @param   string   $src              The name of the php (temporary) uploaded file
 * @param   string   $dest             The path (including filename) to move the uploaded file to
 * @param   boolean  $use_streams      True to use streams
 * @param   boolean  $allow_unsafe     Allow the upload of unsafe files (skips the isSafeFile check entirely)
 * @param   array    $safeFileOptions  Options to JFilterInput::isSafeFile
 *
 * @return  boolean  True on success
 *
 * @since   11.1
 */
public static function upload($src, $dest, $use_streams = false, $allow_unsafe = false, $safeFileOptions = array())
{
    if (!$allow_unsafe)
    {
        // The descriptor names the file after basename($dest) as passed in,
        // i.e. before $dest has been cleaned below.
        $candidate = array(
            'tmp_name' => $src,
            'name'     => basename($dest),
            'type'     => '',
            'error'    => '',
            'size'     => ''
        );

        if (!JFilterInput::isSafeFile($candidate, $safeFileOptions))
        {
            JLog::add(JText::sprintf('JLIB_FILESYSTEM_ERROR_WARNFS_ERR03', $dest), JLog::WARNING, 'jerror');

            return false;
        }
    }

    // Ensure that the path is valid and clean
    $pathHelper = new JFilesystemWrapperPath();
    $dest       = $pathHelper->clean($dest);

    // Create the destination directory if it does not exist.
    // The result of create() is not checked; a failure surfaces later when the move fails.
    $targetDir = dirname($dest);

    if (!file_exists($targetDir))
    {
        $folderHelper = new JFilesystemWrapperFolder();
        $folderHelper->create($targetDir);
    }

    if ($use_streams)
    {
        // NOTE(review): no is_uploaded_file() call is visible on this path;
        // confirm that the stream's upload() verifies $src is a genuine HTTP upload.
        $stream = JFactory::getStream();

        if ($stream->upload($src, $dest))
        {
            return true;
        }

        JLog::add(JText::sprintf('JLIB_FILESYSTEM_ERROR_UPLOAD', $stream->getError()), JLog::WARNING, 'jerror');

        return false;
    }

    $ftpConfig = JClientHelper::getCredentials('ftp');

    if ($ftpConfig['enabled'] == 1)
    {
        // Connect the FTP client
        $ftp = JClientFtp::getInstance($ftpConfig['host'], $ftpConfig['port'], array(), $ftpConfig['user'], $ftpConfig['pass']);

        // Translate path for the FTP account
        $dest = $pathHelper->clean(str_replace(JPATH_ROOT, $ftpConfig['root'], $dest), '/');

        // Only a genuine HTTP upload is stored; the temporary file is removed afterwards.
        if (is_uploaded_file($src) && $ftp->store($src, $dest))
        {
            unlink($src);

            return true;
        }

        JLog::add(JText::sprintf('JLIB_FILESYSTEM_ERROR_WARNFS_ERR04', $src, $dest), JLog::WARNING, 'jerror');

        return false;
    }

    // Direct move: move_uploaded_file() itself refuses anything that is not an HTTP upload.
    if (!is_writeable($targetDir) || !move_uploaded_file($src, $dest))
    {
        JLog::add(JText::sprintf('JLIB_FILESYSTEM_ERROR_WARNFS_ERR04', $src, $dest), JLog::WARNING, 'jerror');

        return false;
    }

    // Short circuit to prevent file permission errors
    if ($pathHelper->setPermissions($dest))
    {
        return true;
    }

    JLog::add(JText::_('JLIB_FILESYSTEM_ERROR_WARNFS_ERR01'), JLog::WARNING, 'jerror');

    return false;
}