Exemple #1
0
/**
 * This function checks to see if a file is within the specified folder.
 *
 * @param dynamicBaseFolder The folder from which the base folder is computed.
 * @param dynamicFileName The name of the file for which to check.
 *
 * @return True or false whether the file is or is not in the base folder.
 *
 */
function tNG_isFileInsideBaseFolder($dynamicBaseFolder, $dynamicFileName)
{
    $baseFolder = tNG_getBaseFolder($dynamicBaseFolder);
    $folder = KT_realPath(KT_DynamicData($dynamicBaseFolder, null));
    $fileName = KT_DynamicData($dynamicFileName, null);
    $absPath = KT_realPath($folder . $fileName, false);
    if (substr($absPath, 0, strlen($baseFolder)) === $baseFolder) {
        return true;
    }
    return false;
}
 /**
  * the main method, execute the code of the class;
  * Upload the file, set the file name in transaction;
  * return mix null or error object
  * @access public
  */
 function Execute()
 {
     if ($this->tNG->getTransactionType() == "_import") {
         $this->tNG->uploadObj =& $this;
     }
     $ret = null;
     if ($this->dbFieldName != '') {
         $oldFileName = $this->tNG->getSavedValue($this->dbFieldName);
         $saveFileName = $this->tNG->getColumnValue($this->dbFieldName);
         if ($this->tNG->getColumnType($this->dbFieldName) != 'FILE_TYPE') {
             $errObj = new tNG_error('FILE_UPLOAD_WRONG_COLTYPE', array(), array($this->dbFieldName));
             $errObj->addFieldError($this->dbFieldName, 'FILE_UPLOAD_WRONG_COLTYPE_D', array($this->dbFieldName));
             return $errObj;
         }
     } else {
         $oldFileName = KT_DynamicData($this->renameRule, $this->tNG, '', true);
         if (isset($this->tNG->multipleIdx)) {
             $saveFileName = @$_FILES[$this->formFieldName . "_" . $this->tNG->multipleIdx]['name'];
         } else {
             $saveFileName = @$_FILES[$this->formFieldName]['name'];
         }
     }
     $this->dynamicFolder = KT_DynamicData($this->folder, $this->tNG, '', false);
     $arrArgs = array();
     $autoRename = false;
     switch ($this->rename) {
         case 'auto':
             $autoRename = true;
             break;
         case 'none':
             break;
         case 'custom':
             $path_info = KT_pathinfo($saveFileName);
             $arrArgs = array('KT_name' => $path_info['filename'], 'KT_ext' => $path_info['extension']);
             $saveFileName = KT_DynamicData($this->renameRule, $this->tNG, '', false, $arrArgs);
             break;
         default:
             die('INTERNAL ERROR: Unknown upload rename method.');
     }
     if (tNG_isFileInsideBaseFolder($this->folder, $saveFileName) === false) {
         $baseFileName = dirname(KT_realPath($this->dynamicFolder . $saveFileName, false));
         return new tNG_error("FOLDER_DEL_SECURITY_ERROR", array(), array($baseFileName, tNG_getBaseFolder($this->folder)));
     }
     // Upload File
     $fileUpload = new KT_fileUpload();
     if (isset($this->tNG->multipleIdx)) {
         $fileUpload->setFileInfo($this->formFieldName . "_" . $this->tNG->multipleIdx);
     } else {
         $fileUpload->setFileInfo($this->formFieldName);
     }
     $fileUpload->setFolder($this->dynamicFolder);
     $fileUpload->setRequired(false);
     $fileUpload->setAllowedExtensions($this->allowedExtensions);
     $fileUpload->setAutoRename($autoRename);
     $fileUpload->setMaxSize($this->maxSize);
     $this->uploadedFileName = $fileUpload->uploadFile($saveFileName, $oldFileName);
     $updateDB = basename($this->uploadedFileName);
     if ($fileUpload->hasError()) {
         $arrError = $fileUpload->getError();
         $errObj = new tNG_error('FILE_UPLOAD_ERROR', array($arrError[0]), array($arrError[1]));
         if ($this->dbFieldName != '') {
             $errObj->addFieldError($this->dbFieldName, '%s', array($arrError[0]));
         }
         $ret = $errObj;
     } else {
         $this->dynamicFolder = KT_realpath($this->dynamicFolder);
         if ($this->uploadedFileName == "") {
             //Check if for update we need to rename file
             if ($this->rename == "custom") {
                 $path_info = KT_pathinfo($oldFileName);
                 $arrArgs['KT_ext'] = $path_info['extension'];
             }
             $tmpFileName = KT_DynamicData($this->renameRule, $this->tNG, '', false, $arrArgs);
             if ($tmpFileName != "" && $oldFileName != "" && $tmpFileName != $oldFileName) {
                 if (file_exists($this->dynamicFolder . $oldFileName)) {
                     if (@rename($this->dynamicFolder . $oldFileName, $this->dynamicFolder . $tmpFileName) === true) {
                         $this->uploadedFileName = $tmpFileName;
                         $updateDB = basename($this->uploadedFileName);
                     } else {
                         $ret = new tNG_error('FILE_UPLOAD_RENAME', array(), array($this->dynamicFolder . $oldFileName, $this->dynamicFolder . $tmpFileName));
                     }
                 }
             }
         }
         if ($ret === null) {
             if ($this->tNG->getTransactionType() == "_insert" || $this->tNG->getTransactionType() == "_multipleInsert") {
                 $this->tNG->registerTrigger('ERROR', 'Trigger_Default_RollBack', 1, $this);
             }
             $this->deleteThumbnails($this->dynamicFolder . 'thumbnails' . DIRECTORY_SEPARATOR, $oldFileName);
             if ($this->uploadedFileName != '') {
                 $this->deleteThumbnails($this->dynamicFolder . 'thumbnails' . DIRECTORY_SEPARATOR, $this->uploadedFileName);
             }
             if ($this->dbFieldName != '' && $this->uploadedFileName != "") {
                 $ret = $this->tNG->afterUpdateField($this->dbFieldName, $updateDB);
             }
         }
         if ($ret === null && $this->dbFieldName != "") {
             $this->tNG->setRawColumnValue($this->dbFieldName, $updateDB);
         }
     }
     $this->errObj = $ret;
     return $ret;
 }