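/**
 * This function checks to see if a file is within the specified folder.
 *
 * The candidate path is resolved to an absolute path and compared with the
 * base folder on a path-component boundary: the resolved path must either be
 * the base folder itself or start with the base folder followed by a directory
 * separator. A plain string-prefix comparison would also accept a sibling
 * directory whose name merely starts with the base folder's name (for example
 * "<base>_other"); this version rejects that. An empty base folder is treated
 * as "nothing is inside" (fail closed) rather than "everything is inside".
 *
 * @param dynamicBaseFolder The folder from which the base folder is computed.
 * @param dynamicFileName The name of the file for which to check.
 *
 * @return True or false whether the file is or is not in the base folder.
 */
function tNG_isFileInsideBaseFolder($dynamicBaseFolder, $dynamicFileName) {
    $baseFolder = tNG_getBaseFolder($dynamicBaseFolder);
    $folder = KT_realPath(KT_DynamicData($dynamicBaseFolder, null));
    $fileName = KT_DynamicData($dynamicFileName, null);
    $absPath = KT_realPath($folder . $fileName, false);

    // KT_realPath() may hand back a non-string on failure (not visible here);
    // normalise so the comparisons below are always string comparisons.
    $baseFolder = (string)$baseFolder;
    $absPath = (string)$absPath;

    // Drop a trailing separator from the base so the boundary test works
    // whether or not tNG_getBaseFolder() appends one.
    $base = rtrim($baseFolder, '/\\');
    if ($base === '') {
        // Either no base folder at all (deny everything), or the base was the
        // filesystem root itself, in which case any absolute path qualifies.
        if ($baseFolder === '' || $absPath === '') {
            return false;
        }
        return $absPath[0] === '/' || $absPath[0] === '\\';
    }

    // The folder itself counts as "inside".
    if ($absPath === $base) {
        return true;
    }

    // Anything shorter than base + separator cannot be a descendant.
    $baseLen = strlen($base);
    if (strlen($absPath) <= $baseLen) {
        return false;
    }
    if (substr($absPath, 0, $baseLen) !== $base) {
        return false;
    }

    // The character right after the base must be a separator; accepting both
    // kinds keeps a "/"-normalised path on Windows from being rejected for the
    // wrong reason.
    $next = $absPath[$baseLen];
    return $next === '/' || $next === '\\';
}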
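/**
 * The main method; executes the code of the class.
 *
 * Uploads the posted file (if any), optionally renames an already stored file
 * according to the rename rule, and records the resulting file name in the
 * transaction's column. Returns null on success or a tNG_error object on
 * failure; the same value is also stored in $this->errObj.
 *
 * Flow:
 *  1. Determine the old (already stored) and the new file names, either from
 *     the transaction column ($this->dbFieldName) or from the rename rule and
 *     the posted $_FILES entry.
 *  2. Resolve the rename mode ('auto', 'none' or 'custom').
 *  3. Refuse any upload target that resolves outside the base folder.
 *  4. Upload through KT_fileUpload. When nothing was uploaded (an update), and
 *     the rename rule now yields a different name, rename the stored file -
 *     after checking that both the source and the target stay inside the base
 *     folder.
 *  5. Clean up thumbnails, notify the transaction and set the raw column value.
 *
 * @access public
 * @return mixed null on success, tNG_error on failure
 */
function Execute() {
    if ($this->tNG->getTransactionType() == "_import") {
        // Objects are handles; a plain assignment stores the same instance
        // (the original used "=&", a PHP 4 idiom).
        $this->tNG->uploadObj = $this;
    }
    $ret = null;

    // Step 1: old and new file names.
    if ($this->dbFieldName != '') {
        $oldFileName = $this->tNG->getSavedValue($this->dbFieldName);
        $saveFileName = $this->tNG->getColumnValue($this->dbFieldName);
        if ($this->tNG->getColumnType($this->dbFieldName) != 'FILE_TYPE') {
            $errObj = new tNG_error('FILE_UPLOAD_WRONG_COLTYPE', array(), array($this->dbFieldName));
            $errObj->addFieldError($this->dbFieldName, 'FILE_UPLOAD_WRONG_COLTYPE_D', array($this->dbFieldName));
            return $errObj;
        }
    } else {
        $oldFileName = KT_DynamicData($this->renameRule, $this->tNG, '', true);
        // The posted field may be suffixed with the row index for multiple
        // transactions; a missing entry yields null, as before.
        if (isset($this->tNG->multipleIdx)) {
            $postedField = $this->formFieldName . "_" . $this->tNG->multipleIdx;
        } else {
            $postedField = $this->formFieldName;
        }
        $saveFileName = isset($_FILES[$postedField]['name']) ? $_FILES[$postedField]['name'] : null;
    }
    $this->dynamicFolder = KT_DynamicData($this->folder, $this->tNG, '', false);

    // Step 2: rename mode.
    $arrArgs = array();
    $autoRename = false;
    switch ($this->rename) {
        case 'auto':
            $autoRename = true;
            break;
        case 'none':
            break;
        case 'custom':
            // Expose the original name and extension to the rename rule.
            $path_info = KT_pathinfo($saveFileName);
            $arrArgs = array('KT_name' => $path_info['filename'], 'KT_ext' => $path_info['extension']);
            $saveFileName = KT_DynamicData($this->renameRule, $this->tNG, '', false, $arrArgs);
            break;
        default:
            die('INTERNAL ERROR: Unknown upload rename method.');
    }

    // Step 3: the upload target must resolve inside the base folder.
    if (tNG_isFileInsideBaseFolder($this->folder, $saveFileName) === false) {
        $baseFileName = dirname(KT_realPath($this->dynamicFolder . $saveFileName, false));
        return new tNG_error("FOLDER_DEL_SECURITY_ERROR", array(), array($baseFileName, tNG_getBaseFolder($this->folder)));
    }

    // Step 4: upload.
    $fileUpload = new KT_fileUpload();
    if (isset($this->tNG->multipleIdx)) {
        $fileUpload->setFileInfo($this->formFieldName . "_" . $this->tNG->multipleIdx);
    } else {
        $fileUpload->setFileInfo($this->formFieldName);
    }
    $fileUpload->setFolder($this->dynamicFolder);
    $fileUpload->setRequired(false);
    $fileUpload->setAllowedExtensions($this->allowedExtensions);
    $fileUpload->setAutoRename($autoRename);
    $fileUpload->setMaxSize($this->maxSize);
    $this->uploadedFileName = $fileUpload->uploadFile($saveFileName, $oldFileName);
    $updateDB = basename($this->uploadedFileName);

    if ($fileUpload->hasError()) {
        $arrError = $fileUpload->getError();
        $errObj = new tNG_error('FILE_UPLOAD_ERROR', array($arrError[0]), array($arrError[1]));
        if ($this->dbFieldName != '') {
            $errObj->addFieldError($this->dbFieldName, '%s', array($arrError[0]));
        }
        $ret = $errObj;
    } else {
        $this->dynamicFolder = KT_realpath($this->dynamicFolder);
        if ($this->uploadedFileName == "") {
            // Nothing was uploaded (update): check whether the rename rule now
            // yields a different name for the stored file.
            if ($this->rename == "custom") {
                $path_info = KT_pathinfo($oldFileName);
                $arrArgs['KT_ext'] = $path_info['extension'];
            }
            $tmpFileName = KT_DynamicData($this->renameRule, $this->tNG, '', false, $arrArgs);
            if ($tmpFileName != "" && $oldFileName != "" && $tmpFileName != $oldFileName) {
                // The pre-upload check above only covered $saveFileName; both
                // ends of the rename must stay inside the base folder too, so
                // neither the stored value nor the rule can move files
                // elsewhere. Mirrors the error raised for the upload target.
                if (tNG_isFileInsideBaseFolder($this->folder, $oldFileName) === false) {
                    $baseFileName = dirname(KT_realPath($this->dynamicFolder . $oldFileName, false));
                    $ret = new tNG_error("FOLDER_DEL_SECURITY_ERROR", array(), array($baseFileName, tNG_getBaseFolder($this->folder)));
                } elseif (tNG_isFileInsideBaseFolder($this->folder, $tmpFileName) === false) {
                    $baseFileName = dirname(KT_realPath($this->dynamicFolder . $tmpFileName, false));
                    $ret = new tNG_error("FOLDER_DEL_SECURITY_ERROR", array(), array($baseFileName, tNG_getBaseFolder($this->folder)));
                } elseif (file_exists($this->dynamicFolder . $oldFileName)) {
                    // rename() warnings are turned into an error object below.
                    if (@rename($this->dynamicFolder . $oldFileName, $this->dynamicFolder . $tmpFileName) === true) {
                        $this->uploadedFileName = $tmpFileName;
                        $updateDB = basename($this->uploadedFileName);
                    } else {
                        $ret = new tNG_error('FILE_UPLOAD_RENAME', array(), array($this->dynamicFolder . $oldFileName, $this->dynamicFolder . $tmpFileName));
                    }
                }
            }
        }

        // Step 5: post-processing.
        if ($ret === null) {
            $transactionType = $this->tNG->getTransactionType();
            if ($transactionType == "_insert" || $transactionType == "_multipleInsert") {
                // Let a later failure of the transaction remove the uploaded file.
                $this->tNG->registerTrigger('ERROR', 'Trigger_Default_RollBack', 1, $this);
            }
            $thumbnailFolder = $this->dynamicFolder . 'thumbnails' . DIRECTORY_SEPARATOR;
            $this->deleteThumbnails($thumbnailFolder, $oldFileName);
            if ($this->uploadedFileName != '') {
                $this->deleteThumbnails($thumbnailFolder, $this->uploadedFileName);
            }
            if ($this->dbFieldName != '' && $this->uploadedFileName != "") {
                $ret = $this->tNG->afterUpdateField($this->dbFieldName, $updateDB);
            }
        }
        if ($ret === null && $this->dbFieldName != "") {
            $this->tNG->setRawColumnValue($this->dbFieldName, $updateDB);
        }
    }

    $this->errObj = $ret;
    return $ret;
}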