/**
 * Add an attachment file into agenda
 *
 * Moves the uploaded file into the course "upload/calendar" directory under
 * a generated name, records it in the agenda attachment table and logs the
 * item property change.
 *
 * @param int    $eventId        Agenda event id the attachment belongs to
 * @param array  $fileUserUpload Uploaded file entry ($_FILES['user_upload'])
 * @param string $comment        Comment about the file
 * @param array  $courseInfo     Course info array; 'directory' builds the path
 * @return string|null Error message when the extension is filtered out;
 *                     nothing is returned on the success path
 */
public function addAttachment($eventId, $fileUserUpload, $comment, $courseInfo)
{
    $attachmentTable = Database::get_course_table(TABLE_AGENDA_ATTACHMENT);
    $eventId = intval($eventId);

    // Storing the attachments: run the upload checks only when a name was submitted
    $uploadOk = false;
    if (!empty($fileUserUpload['name'])) {
        $uploadOk = process_uploaded_file($fileUserUpload);
    }
    if (empty($uploadOk)) {
        return;
    }

    $uploadDir = api_get_path(SYS_COURSE_PATH) . $courseInfo['directory'] . '/upload/calendar';

    // Try to add an extension to the file if it hasn't one; this name is only
    // used for the extension filter, the stored name is a generated id
    $checkedName = add_ext_on_mime(stripslashes($fileUserUpload['name']), $fileUserUpload['type']);
    if (!filter_extension($checkedName)) {
        return Display::return_message(get_lang('UplUnableToSaveFileFilteredExtension'), 'error');
    }

    // user's file name, kept for display only
    $fileName = $fileUserUpload['name'];
    $storedName = uniqid('');
    $moved = @move_uploaded_file($fileUserUpload['tmp_name'], $uploadDir . '/' . $storedName);
    $courseId = api_get_course_int_id();
    $size = intval($fileUserUpload['size']);

    // Storing the attachments if any
    if (!$moved) {
        return;
    }
    $id = Database::insert($attachmentTable, [
        'c_id' => $courseId,
        'filename' => $fileName,
        'comment' => $comment,
        'path' => $storedName,
        'agenda_id' => $eventId,
        'size' => $size,
    ]);
    if ($id) {
        $sql = "UPDATE {$attachmentTable}\n SET id = iid WHERE iid = {$id}";
        Database::query($sql);
        api_item_property_update($courseInfo, 'calendar_event_attachment', $id, 'AgendaAttachmentAdded', api_get_user_id());
    }
}
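/**
 * Attachment files when a message is sent
 *
 * Copies the uploaded file into the archive "plugin_ticket_messageattch/"
 * directory under a generated name and records it in the ticket message
 * attachment table.
 *
 * @param array $file_attach      Uploaded file entry (one item of $_FILES)
 * @param int   $ticket_id
 * @param int   $message_id
 * @param int   $message_attch_id
 * @return array|null ['path' => stored file path, 'filename' => original name],
 *                    or null when the extension was filtered out
 */
public static function save_message_attachment_file(
    $file_attach,
    $ticket_id,
    $message_id,
    $message_attch_id
) {
    $now = api_get_utc_datetime();
    $user_id = api_get_user_id();
    // Every id and the size are interpolated into SQL below, so force them to int
    $ticket_id = intval($ticket_id);
    $message_id = intval($message_id);
    $message_attch_id = intval($message_attch_id);
    $size = intval($file_attach['size']);

    // Try to add an extension to the file if it hasn't one; only this name is
    // checked against the extension filter, the stored name is a generated id
    $new_file_name = add_ext_on_mime(
        stripslashes($file_attach['name']),
        $file_attach['type']
    );
    $file_name = $file_attach['name'];
    $table_support_message_attachments = Database::get_main_table(TABLE_TICKET_MESSAGE_ATTACHMENTS);

    if (!filter_extension($new_file_name)) {
        Display::display_error_message(
            get_lang('UplUnableToSaveFileFilteredExtension')
        );

        return null;
    }

    $new_file_name = uniqid('');
    $path_attachment = api_get_path(SYS_ARCHIVE_PATH);
    $path_message_attach = $path_attachment . 'plugin_ticket_messageattch/';
    if (!file_exists($path_message_attach)) {
        @mkdir($path_message_attach, api_get_permissions_for_new_directories(), true);
    }
    $new_path = $path_message_attach . $new_file_name;
    // is_uploaded_file() guards against copying an arbitrary local path.
    // NOTE(review): the copy result is not checked; the row below is written
    // even when the file could not be copied.
    if (is_uploaded_file($file_attach['tmp_name'])) {
        @copy($file_attach['tmp_name'], $new_path);
    }

    $safe_file_name = Database::escape_string($file_name);
    $safe_new_file_name = Database::escape_string($new_file_name);
    $sql = "INSERT INTO $table_support_message_attachments (
        filename, path, ticket_id, message_id, message_attch_id, size,
        sys_insert_user_id, sys_insert_datetime, sys_lastedit_user_id, sys_lastedit_datetime
    ) VALUES (
        '$safe_file_name', '$safe_new_file_name', '$ticket_id', '$message_id',
        '$message_attch_id', '$size', '$user_id', '$now', '$user_id', '$now'
    )";
    Database::query($sql);

    return array(
        'path' => $path_message_attach . $safe_new_file_name,
        'filename' => $safe_file_name
    );
}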
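/**
 * This function edits an attachment file into a forum
 *
 * Accepts either a single $_FILES['user_upload'] entry or the multi-file
 * form (arrays under each key), moves every accepted file into the course
 * "upload/forum" directory under a generated name and updates the
 * attachment row identified by $id_attach.
 *
 * @param string $file_comment a comment about file
 * @param int    $post_id
 * @param int    $id_attach    attachment file Id
 * @return void
 */
function edit_forum_attachment_file($file_comment, $post_id, $id_attach)
{
    $_course = api_get_course_info();
    $table_forum_attachment = Database::get_course_table(TABLE_FORUM_ATTACHMENT);
    $course_id = api_get_course_int_id();

    // Normalise the single-file and multi-file shapes of $_FILES into a list
    // of per-file arrays. count() must only run on the multi-file shape.
    $filesData = [];
    if (!is_array($_FILES['user_upload']['name'])) {
        $filesData[] = $_FILES['user_upload'];
    } else {
        $fileCount = count($_FILES['user_upload']['name']);
        $fileKeys = array_keys($_FILES['user_upload']);
        for ($i = 0; $i < $fileCount; $i++) {
            foreach ($fileKeys as $key) {
                $filesData[$i][$key] = $_FILES['user_upload'][$key][$i];
            }
        }
    }

    // Ids and the comment are interpolated into SQL below; prepare them once
    $safe_post_id = (int) $post_id;
    $safe_id_attach = (int) $id_attach;
    $safe_file_comment = Database::escape_string($file_comment);

    foreach ($filesData as $attachment) {
        if (empty($attachment['name'])) {
            continue;
        }
        $upload_ok = process_uploaded_file($attachment);
        if (!$upload_ok) {
            continue;
        }
        $course_dir = $_course['path'] . '/upload/forum';
        $sys_course_path = api_get_path(SYS_COURSE_PATH);
        $updir = $sys_course_path . $course_dir;

        // Try to add an extension to the file if it hasn't one. Only this
        // name is checked by the filter; the stored name is a generated id.
        $new_file_name = add_ext_on_mime(stripslashes($attachment['name']), $attachment['type']);
        // User's file name
        $file_name = $attachment['name'];
        if (!filter_extension($new_file_name)) {
            Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
            continue;
        }

        $new_file_name = uniqid('');
        $new_path = $updir . '/' . $new_file_name;
        $result = @move_uploaded_file($attachment['tmp_name'], $new_path);
        $safe_file_name = Database::escape_string($file_name);
        $safe_new_file_name = Database::escape_string($new_file_name);
        // Storing the attachments if any.
        if ($result) {
            $sql = "UPDATE {$table_forum_attachment} SET filename = '{$safe_file_name}', comment = '{$safe_file_comment}', path = '{$safe_new_file_name}', post_id = '{$safe_post_id}', size ='" . (int) $attachment['size'] . "'\n WHERE c_id = {$course_id} AND id = '{$safe_id_attach}'";
            Database::query($sql);
            api_item_property_update($_course, TOOL_FORUM_ATTACH, $safe_id_attach, 'ForumAttachmentUpdated', api_get_user_id());
        }
    }
}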
/**
 * Upload a submitted user production.
 *
 * Reads $_FILES['production'], sanitises its name and moves it into the
 * user's system directory, creating that directory if needed.
 *
 * @param int $user_id User id
 * @return string|false The filename of the new production or false if the upload has failed
 */
function upload_user_production($user_id)
{
    $targetDir = UserManager::getUserPathById($user_id, 'system');
    if (!file_exists($targetDir)) {
        @mkdir($targetDir, api_get_permissions_for_new_directories(), true);
    }

    // Sanitise the client-supplied name before it becomes part of a path
    $cleanName = disable_dangerous_file(
        api_replace_dangerous_char($_FILES['production']['name'])
    );
    if (!filter_extension($cleanName)) {
        return false;
    }

    // false is returned if anything went wrong with the upload
    $moved = @move_uploaded_file($_FILES['production']['tmp_name'], $targetDir . $cleanName);

    return $moved ? $cleanName : false;
}
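/**
 * Checks whether a file extension is allowed for a given resource type.
 *
 * The connector configuration ($Config) may list allowed and denied
 * extensions per resource type; on top of that the Chamilo system-wide
 * extension filter must accept the extension.
 *
 * @param string $sExtension   File extension to check
 * @param string $resourceType Resource type key into $Config
 * @return bool True when every applicable list accepts the extension
 */
function IsAllowedExt($sExtension, $resourceType)
{
    global $Config;

    // Get the allowed and denied extensions arrays. A missing entry means
    // "no restriction", so fall back to an empty array instead of count(null).
    $arAllowed = isset($Config['AllowedExtensions'][$resourceType])
        ? (array) $Config['AllowedExtensions'][$resourceType]
        : [];
    $arDenied = isset($Config['DeniedExtensions'][$resourceType])
        ? (array) $Config['DeniedExtensions'][$resourceType]
        : [];

    if (count($arAllowed) > 0 && !in_array($sExtension, $arAllowed, true)) {
        return false;
    }
    if (count($arDenied) > 0 && in_array($sExtension, $arDenied, true)) {
        return false;
    }

    // Adding a check using the Chamilo system's white or black list.
    return (bool) filter_extension($sExtension);
}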
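/**
 * Creates a comment on a post in a given blog
 *
 * Inserts the comment row and, when $_FILES['user_upload'] carries a file,
 * stores it in the course "upload/blog" directory under a generated name
 * and records it in the blog attachment table.
 *
 * @author Toon Keppens
 * @param string $title
 * @param string $full_text
 * @param string $file_comment Comment about the attached file
 * @param int    $blog_id
 * @param int    $post_id
 * @param int    $parent_id
 * @param mixed  $task_id      Cast to int when stored; the 'NULL' default therefore becomes 0
 * @return void
 */
public static function create_comment($title, $full_text, $file_comment, $blog_id, $post_id, $parent_id, $task_id = 'NULL')
{
    $_user = api_get_user_info();
    $_course = api_get_course_info();
    $blog_table_attachment = Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
    $upload_ok = true;
    $has_attachment = false;
    $current_date = date('Y-m-d H:i:s', time());
    $course_id = api_get_course_int_id();

    // Both ids are interpolated into SQL twice below; cast them once here
    $blog_id = (int) $blog_id;
    $post_id = (int) $post_id;

    if (!empty($_FILES['user_upload']['name'])) {
        $upload_ok = process_uploaded_file($_FILES['user_upload']);
        $has_attachment = true;
    }
    if (!$upload_ok) {
        return;
    }

    // Table Definition
    $tbl_blogs_comments = Database::get_course_table(TABLE_BLOGS_COMMENTS);

    // Create the comment
    $sql = "INSERT INTO {$tbl_blogs_comments} (c_id, title, comment, author_id, date_creation, blog_id, post_id, parent_comment_id, task_id )\n\t\t\t\t\tVALUES ({$course_id}, '" . Database::escape_string($title) . "', '" . Database::escape_string($full_text) . "', '" . (int) $_user['user_id'] . "','" . $current_date . "', '" . $blog_id . "', '" . $post_id . "', '" . (int) $parent_id . "', '" . (int) $task_id . "')";
    Database::query($sql);

    // Empty post values, or they are shown on the page again
    $last_id = Database::insert_id();
    if ($last_id) {
        $sql = "UPDATE {$tbl_blogs_comments} SET comment_id = iid WHERE iid = {$last_id}";
        Database::query($sql);
    }

    if (!$has_attachment) {
        return;
    }

    $courseDir = $_course['path'] . '/upload/blog';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $courseDir;

    // Try to add an extension to the file if it hasn't one; only this name is
    // checked against the filter, the stored name is a generated id
    $new_file_name = add_ext_on_mime(stripslashes($_FILES['user_upload']['name']), $_FILES['user_upload']['type']);
    // user's file name
    $file_name = $_FILES['user_upload']['name'];
    if (!filter_extension($new_file_name)) {
        Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));

        return;
    }

    $new_file_name = uniqid('');
    $new_path = $updir . '/' . $new_file_name;
    $result = @move_uploaded_file($_FILES['user_upload']['tmp_name'], $new_path);
    $comment = Database::escape_string($file_comment);

    // Storing the attachments if any
    if ($result) {
        $sql = 'INSERT INTO ' . $blog_table_attachment . '(c_id, filename,comment, path, post_id,size,blog_id,comment_id) ' .
            "VALUES ({$course_id}, '" . Database::escape_string($file_name) . "', '" . $comment . "', '" . Database::escape_string($new_file_name) . "' , '" . $post_id . "', '" . (int) $_FILES['user_upload']['size'] . "', '" . $blog_id . "', '" . (int) $last_id . "' )";
        Database::query($sql);
        $id = Database::insert_id();
        if ($id) {
            $sql = "UPDATE {$blog_table_attachment} SET id = iid WHERE iid = {$id}";
            Database::query($sql);
        }
    }
}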
/**
 * This function edit a attachment file into agenda
 *
 * Replaces the stored file of an existing agenda attachment with the file
 * submitted in $_FILES['user_upload'] and updates its row.
 *
 * @param string $file_comment a comment about file
 * @param int    $agenda_id    Agenda Id
 * @param int    $id_attach    attachment file Id
 * @return void
 */
function edit_agenda_attachment_file($file_comment, $agenda_id, $id_attach)
{
    global $_course;
    $attachmentTable = Database::get_course_table(TABLE_AGENDA_ATTACHMENT);

    // Storing the attachments: nothing to do without a submitted file name
    if (empty($_FILES['user_upload']['name'])) {
        return;
    }
    $uploadOk = process_uploaded_file($_FILES['user_upload']);
    if (empty($uploadOk)) {
        return;
    }

    $upload = $_FILES['user_upload'];
    $updir = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/upload/calendar';

    // Try to add an extension to the file if it hasn't one; only this name is
    // checked against the filter, the stored name is a generated id
    $checkedName = add_ext_on_mime(stripslashes($upload['name']), $upload['type']);
    if (!filter_extension($checkedName)) {
        Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
        return;
    }

    $storedName = uniqid('');
    $moved = @move_uploaded_file($upload['tmp_name'], $updir . '/' . $storedName);

    // user's file name is kept for display only
    $safe_file_comment = Database::escape_string($file_comment);
    $safe_file_name = Database::escape_string($upload['name']);
    $safe_new_file_name = Database::escape_string($storedName);
    $safe_agenda_id = intval($agenda_id);
    $safe_id_attach = intval($id_attach);

    // Storing the attachments if any
    if (!$moved) {
        return;
    }
    $sql = "UPDATE {$attachmentTable} SET filename = '{$safe_file_name}', comment = '{$safe_file_comment}', path = '{$safe_new_file_name}', agenda_id = '{$safe_agenda_id}', size ='" . intval($_FILES['user_upload']['size']) . "'\n\t\t\t\t\t\t WHERE id = '{$safe_id_attach}'";
    Database::query($sql);
    api_item_property_update($_course, 'calendar_event_attachment', $safe_id_attach, 'AgendaAttachmentUpdated', api_get_user_id());
}
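/**
 * Stores an uploaded student work file under the course "work/" directory.
 *
 * The original name is sanitised and kept for display only; the file itself
 * is saved under a unique generated name inside the folder named by
 * $my_folder_data['url'].
 *
 * @param array $my_folder_data Work folder data; 'url' names the target sub-folder
 * @param array $_course        Course info array ('path', 'real_id', 'code')
 * @return array ['url' => relative stored path or null, 'filename' => display name, 'error' => null]
 *               on success, or ['error' => message] when the upload was rejected
 */
function uploadWork($my_folder_data, $_course)
{
    if (empty($_FILES['file']['size'])) {
        return array('error' => Display::return_message(get_lang('UplUploadFailedSizeIsZero'), 'error'));
    }
    $updir = api_get_path(SYS_COURSE_PATH).$_course['path'].'/work/'; //directory path to upload

    // Try to add an extension to the file if it hasn't one
    $filename = add_ext_on_mime(stripslashes($_FILES['file']['name']), $_FILES['file']['type']);
    // Replace dangerous characters
    $filename = replace_dangerous_char($filename, 'strict');
    // Transform any .php file in .phps for security
    $filename = php2phps($filename);

    $filesize = filesize($_FILES['file']['tmp_name']);
    if (empty($filesize)) {
        return array('error' => Display::return_message(get_lang('UplUploadFailedSizeIsZero'), 'error'));
    } elseif (!filter_extension($filename)) {
        // The filter has to run on the sanitised display name; the previous
        // code passed a variable that was not assigned yet at this point.
        return array('error' => Display::return_message(get_lang('UplUnableToSaveFileFilteredExtension'), 'error'));
    }

    $totalSpace = DocumentManager::documents_total_space($_course['real_id']);
    $course_max_space = DocumentManager::get_course_quota($_course['code']);
    $total_size = $filesize + $totalSpace;
    if ($total_size > $course_max_space) {
        return array(
            'error' => Display::return_message(get_lang('NoSpace'), 'error')
        );
    }

    // Compose a unique file name to avoid any conflict
    $new_file_name = api_get_unique_id();
    // basename() keeps the target folder inside the work directory
    $curdirpath = basename($my_folder_data['url']);
    // If we come from the group tools the groupid will be saved in $work_table
    if (is_dir($updir.$curdirpath) || empty($curdirpath)) {
        $result = move_uploaded_file(
            $_FILES['file']['tmp_name'],
            $updir.$curdirpath.'/'.$new_file_name
        );
    } else {
        return array(
            'error' => Display::return_message(
                get_lang('FolderDoesntExistsInFileSystem'),
                'error'
            )
        );
    }

    $url = null;
    if ($result) {
        $url = 'work/'.$curdirpath.'/'.$new_file_name;
    }

    return array(
        'url' => $url,
        'filename' => $filename,
        'error' => null
    );
}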
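/**
 * This function cleans up a given path
 * by eliminating dangerous file names and cleaning them
 *
 * Every folder and file segment of $path is rewritten in place (the
 * argument is taken by reference); the return value is the extension
 * filter's verdict on the cleaned path, not the path itself.
 *
 * @param string $path Path to clean, modified in place
 * @return bool|int Result of filter_extension() on the cleaned path
 * @see disable_dangerous_file()
 * @see api_replace_dangerous_char()
 */
function clean_up_path(&$path)
{
    // Split the path in folders and files
    $path_array = explode('/', $path);
    // Clean up every folder and filename in the path
    foreach ($path_array as &$val) {
        // We don't want to lose the dots in ././folder/file (cfr. zipfile)
        if ($val !== '.') {
            $val = disable_dangerous_file(api_replace_dangerous_char($val));
        }
    }
    // Drop the reference so a later write to $val cannot alias the last segment
    unset($val);
    // Join the "cleaned" path (modified in-place as passed by reference)
    $path = implode('/', $path_array);

    return filter_extension($path);
}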
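/**
 * This function edit a attachment file into announcement
 *
 * Replaces the stored file of an existing announcement attachment with the
 * given upload and updates its row.
 *
 * @param int    $id_attach    attach id
 * @param array  $file         uploaded file entry ($_FILES)
 * @param string $file_comment file comment
 * @return int 1 on success, -1 on failure, 0 when no usable file was given
 */
public static function edit_announcement_attachment_file($id_attach, $file, $file_comment)
{
    $_course = api_get_course_info();
    $tbl_announcement_attachment = Database::get_course_table(TABLE_ANNOUNCEMENT_ATTACHMENT);
    $return = 0;
    $course_id = api_get_course_int_id();

    if (!is_array($file) || $file['error'] != 0) {
        return $return;
    }

    // TODO: This path is obsolete. The new document repository scheme should be kept in mind here.
    $courseDir = $_course['path'] . '/upload/announcements';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $courseDir;

    // Try to add an extension to the file if it hasn't one; only this name is
    // checked against the filter, the stored name is a generated id
    $new_file_name = add_ext_on_mime(stripslashes($file['name']), $file['type']);
    // user's file name
    $file_name = $file['name'];
    if (!filter_extension($new_file_name)) {
        // Previously "$return - 1;", a no-op that left the result at 0
        Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));

        return -1;
    }

    $new_file_name = uniqid('');
    $new_path = $updir . '/' . $new_file_name;
    // Do not touch the row when the file could not be moved; otherwise the
    // stored path would point at a file that does not exist
    if (!@move_uploaded_file($file['tmp_name'], $new_path)) {
        Display::display_error_message(get_lang('UplUnableToSaveFile'));

        return -1;
    }

    $safe_file_comment = Database::escape_string($file_comment);
    $safe_file_name = Database::escape_string($file_name);
    $safe_new_file_name = Database::escape_string($new_file_name);
    $id_attach = intval($id_attach);
    $sql = "UPDATE {$tbl_announcement_attachment} SET filename = '{$safe_file_name}', comment = '{$safe_file_comment}', path = '{$safe_new_file_name}', size ='" . intval($file['size']) . "'\n\t\t\t\t\t \tWHERE c_id = {$course_id} AND id = '{$id_attach}'";
    $result = Database::query($sql);
    if ($result === false) {
        Display::display_error_message(get_lang('UplUnableToSaveFile'));

        return -1;
    }

    return 1;
}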
/**
 * Handles the dropbox "send file" form: validates the posted recipients,
 * checks and sanitises the upload, moves it into the dropbox system path,
 * optionally mails the recipients and records the sent work.
 *
 * Reads $_POST (recipients, cb_overwrite, authors, description) and
 * $_FILES['file'] directly.
 *
 * @return array|null|string A translated message string (success or error);
 *                           null when process_uploaded_file() rejects the file
 */
function store_add_dropbox()
{
    $_course = api_get_course_info();
    $_user = api_get_user_info();
    $dropbox_cnf = getDropboxConf();

    // Validating the form data

    // there are no recipients selected
    if (!isset($_POST['recipients']) || count($_POST['recipients']) <= 0) {
        return get_lang('YouMustSelectAtLeastOneDestinee');
    } else {
        // Check if all the recipients are valid
        $thisIsAMailing = false;
        $thisIsJustUpload = false;
        foreach ($_POST['recipients'] as $rec) {
            if ($rec == 'mailing') {
                $thisIsAMailing = true;
            } elseif ($rec == 'upload') {
                $thisIsJustUpload = true;
            } elseif (strpos($rec, 'user_') === 0 && !isCourseMember(substr($rec, strlen('user_')))) {
                // a user_<id> recipient must be a member of the current course
                return get_lang('InvalideUserDetected');
            } elseif (strpos($rec, 'group_') !== 0 && strpos($rec, 'user_') !== 0) {
                // anything other than mailing / upload / user_* / group_* is rejected
                return get_lang('InvalideGroupDetected');
            }
        }
    }

    // we are doing a mailing but an additional recipient is selected
    if ($thisIsAMailing && count($_POST['recipients']) != 1) {
        return get_lang('MailingSelectNoOther');
    }

    // we are doing a just upload but an additional recipient is selected.
    // note: why can't this be valid? It is like sending a document to yourself AND to a different person (I do this quite often with my e-mails)
    if ($thisIsJustUpload && count($_POST['recipients']) != 1) {
        return get_lang('MailingJustUploadSelectNoOther');
    }

    if (empty($_FILES['file']['name'])) {
        // NOTE(review): $error is never read after this return; kept as-is
        $error = true;
        return get_lang('NoFileSpecified');
    }

    // are we overwriting a previous file or sending a new one
    $dropbox_overwrite = false;
    if (isset($_POST['cb_overwrite']) && $_POST['cb_overwrite']) {
        $dropbox_overwrite = true;
    }

    // doing the upload
    $dropbox_filename = $_FILES['file']['name'];
    $dropbox_filesize = $_FILES['file']['size'];
    $dropbox_filetype = $_FILES['file']['type'];
    $dropbox_filetmpname = $_FILES['file']['tmp_name'];

    // check if the filesize does not exceed the allowed size.
    if ($dropbox_filesize <= 0 || $dropbox_filesize > $dropbox_cnf['maxFilesize']) {
        return get_lang('DropboxFileTooBig'); // TODO: The "too big" message does not fit in the case of uploading zero-sized file.
    }

    // check if the file is actually uploaded
    if (!is_uploaded_file($dropbox_filetmpname)) {
        // check user fraud : no clean error msg.
        return get_lang('TheFileIsNotUploaded');
    }

    $upload_ok = process_uploaded_file($_FILES['file'], true);
    if (!$upload_ok) {
        return null;
    }

    // Try to add an extension to the file if it hasn't got one
    $dropbox_filename = add_ext_on_mime($dropbox_filename, $dropbox_filetype);
    // Replace dangerous characters
    $dropbox_filename = replace_dangerous_char($dropbox_filename);
    // Transform any .php file in .phps for security
    $dropbox_filename = php2phps($dropbox_filename);
    //filter extension
    if (!filter_extension($dropbox_filename)) {
        return get_lang('UplUnableToSaveFileFilteredExtension');
    }

    // set title
    $dropbox_title = $dropbox_filename;
    // set author
    if (!isset($_POST['authors'])) {
        $_POST['authors'] = getUserNameFromId($_user['user_id']);
    }

    // note: I think we could better migrate everything from here on to separate functions: store_new_dropbox, store_new_mailing, store_just_upload
    if ($dropbox_overwrite) {
        $dropbox_person = new Dropbox_Person($_user['user_id'], api_is_course_admin(), api_is_course_tutor());
        foreach ($dropbox_person->sentWork as $w) {
            if ($w->title == $dropbox_filename) {
                // a mailing may only overwrite a mailing, and vice versa
                if ($w->recipients[0]['id'] > dropbox_cnf('mailingIdBase') xor $thisIsAMailing) {
                    return get_lang('MailingNonMailingError');
                }
                // a "just upload" may only overwrite a "just upload"
                if ($w->recipients[0]['id'] == $_user['user_id'] xor $thisIsJustUpload) {
                    return get_lang('MailingJustUploadSelectNoOther');
                }
                // reuse the stored name so the existing file on disk is replaced
                $dropbox_filename = $w->filename;
                $found = true; // note: do we still need this?
                break;
            }
        }
    } else {
        // rename file to login_filename_uniqueId format
        $dropbox_filename = getLoginFromId($_user['user_id']) . "_" . $dropbox_filename . "_" . uniqid('');
    }

    // creating the array that contains all the users who will receive the file
    $new_work_recipients = array();
    foreach ($_POST['recipients'] as $rec) {
        if (strpos($rec, 'user_') === 0) {
            $new_work_recipients[] = substr($rec, strlen('user_'));
        } elseif (strpos($rec, 'group_') === 0) {
            // expand a group into its members, skipping duplicates and the sender
            $userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_')));
            foreach ($userList as $usr) {
                if (!in_array($usr['user_id'], $new_work_recipients) && $usr['user_id'] != $_user['user_id']) {
                    $new_work_recipients[] = $usr['user_id'];
                }
            }
        }
    }

    // NOTE(review): the move result is not checked; a failed move still records the work below
    @move_uploaded_file($dropbox_filetmpname, dropbox_cnf('sysPath') . '/' . $dropbox_filename);

    $b_send_mail = api_get_course_setting('email_alert_on_new_doc_dropbox');
    if ($b_send_mail) {
        foreach ($new_work_recipients as $recipient_id) {
            $recipent_temp = UserManager::get_user_info_by_id($recipient_id);
            $additionalParameters = array(
                'smsType' => ClockworksmsPlugin::NEW_FILE_SHARED_COURSE_BY,
                'userId' => $recipient_id,
                'courseTitle' => $_course['title'],
                'userUsername' => $recipent_temp['username']
            );
            api_mail_html(
                api_get_person_name($recipent_temp['firstname'] . ' ' . $recipent_temp['lastname'], null, PERSON_NAME_EMAIL_ADDRESS),
                $recipent_temp['email'],
                get_lang('NewDropboxFileUploaded'),
                get_lang('NewDropboxFileUploadedContent') . ' ' . api_get_path(WEB_CODE_PATH) . 'dropbox/index.php?cidReq=' . $_course['sysCode'] . "\n\n" . api_get_person_name($_user['firstName'], $_user['lastName'], null, PERSON_NAME_EMAIL_ADDRESS) . "\n" . get_lang('Email') . " : " . $_user['mail'],
                api_get_person_name($_user['firstName'], $_user['lastName'], null, PERSON_NAME_EMAIL_ADDRESS),
                $_user['mail'],
                null,
                null,
                null,
                $additionalParameters
            );
        }
    }

    new Dropbox_SentWork($_user['user_id'], $dropbox_title, $_POST['description'], strip_tags($_POST['authors']), $dropbox_filename, $dropbox_filesize, $new_work_recipients);
    Security::clear_token();

    return get_lang('FileUploadSucces');
}
if ($dropbox_filesize <= 0 || $dropbox_filesize > dropbox_cnf('maxFilesize')) { $errormsg = get_lang('TooBig'); // TODO: The "too big" message does not fit in the case of uploading zero-sized file. $error = true; } elseif (!is_uploaded_file($dropbox_filetmpname)) { // check user fraud : no clean error msg. die(get_lang('BadFormData') . ' (code 403)'); } if (!$error) { // Try to add an extension to the file if it hasn't got one $dropbox_filename = add_ext_on_mime($dropbox_filename, $dropbox_filetype); // Replace dangerous characters $dropbox_filename = api_replace_dangerous_char($dropbox_filename); // Transform any .php file in .phps fo security $dropbox_filename = php2phps($dropbox_filename); if (!filter_extension($dropbox_filename)) { $error = true; $errormsg = get_lang('UplUnableToSaveFileFilteredExtension'); } else { // set title $dropbox_title = $dropbox_filename; // set author if ($_POST['authors'] == '') { $_POST['authors'] = getUserNameFromId($_user['user_id']); } if ($dropbox_overwrite) { $dropbox_person = new Dropbox_Person($_user['user_id'], $is_courseAdmin, $is_courseTutor); foreach ($dropbox_person->sentWork as $w) { if ($w->title == $dropbox_filename) { if ($w->recipients[0]['id'] > dropbox_cnf('mailingIdBase') xor $thisIsAMailing) { $error = true;
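/**
 * Uploads an author image to the upload/learning_path/images directory
 *
 * The accepted image is resized to at most 104x96, stored under a generated
 * name carrying the filtered extension and registered as the preview image;
 * a 64x64 copy is written next to it for the course homepage.
 *
 * @param array $image_array The image array, coming from the $_FILES superglobal
 * @return bool True on success, false on error
 */
public function upload_image($image_array)
{
    // Both flags were left undefined when no name was submitted; initialise
    // them so the empty-upload case returns false without notices.
    $upload_ok = false;
    $has_attachment = false;
    if (!empty($image_array['name'])) {
        $upload_ok = process_uploaded_file($image_array);
        $has_attachment = true;
    }
    if (!$upload_ok || !$has_attachment) {
        return false;
    }

    $courseDir = api_get_course_path() . '/upload/learning_path/images';
    $sys_course_path = api_get_path(SYS_COURSE_PATH);
    $updir = $sys_course_path . $courseDir;

    // Try to add an extension to the file if it hasn't one.
    $new_file_name = add_ext_on_mime(stripslashes($image_array['name']), $image_array['type']);
    if (!filter_extension($new_file_name)) {
        //Display :: display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
        return false;
    }

    // Take the extension from the name that just passed the filter, so the
    // stored file never carries an extension that was not checked.
    $name_parts = explode('.', $new_file_name);
    $file_extension = strtolower($name_parts[count($name_parts) - 1]);
    $filename = uniqid('');
    $new_file_name = $filename . '.' . $file_extension;
    $new_path = $updir . '/' . $new_file_name;

    // Resize the image.
    $temp = new Image($image_array['tmp_name']);
    $picture_infos = $temp->get_image_info();
    $thumbwidth = $picture_infos['width'] > 104 ? 104 : $picture_infos['width'];
    $new_height = $picture_infos['height'] > 96 ? 96 : $picture_infos['height'];
    $temp->resize($thumbwidth, $new_height, 0);
    $result = $temp->send_image($new_path);

    // Storing the image filename.
    if (!$result) {
        return false;
    }
    $this->set_preview_image($new_file_name);
    //Resize to 64px to use on course homepage
    $temp->resize(64, 64, 0);
    $temp->send_image($updir . '/' . $filename . '.64.' . $file_extension);

    return true;
}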
/**
 * Process upload files. The file must be an
 * uploaded file. If 'validate_images' is set to
 * true, only images will be processed. Any duplicate
 * file will be renamed. See Files::copyFile for details
 * on renaming.
 *
 * NOTE(review): as written the method returns false on every path,
 * including after a successful copy; the "true on success" below
 * describes the intent, not the current behaviour.
 *
 * @param string $relative the relative path where the file
 *                         should be copied to.
 * @param array  $file     the uploaded file from $_FILES
 * @return boolean true if the file was processed successfully,
 *                 false otherwise
 */
function _processFiles($relative, $file)
{
    global $_course;
    if ($file['error'] != 0) {
        return false;
    }
    if (!is_file($file['tmp_name'])) {
        return false;
    }
    // Only accept files that came through the current HTTP upload
    if (!is_uploaded_file($file['tmp_name'])) {
        Files::delFile($file['tmp_name']);
        return false;
    }
    $file['name'] = replace_dangerous_char($file['name'], 'strict');
    $file_name = $file['name'];
    $extension = explode('.', $file_name);
    $count = count($extension);
    if ($count == 1) {
        $extension = '';
    } else {
        $extension = strtolower($extension[$count - 1]);
    }
    // Checking for image by file extension first, using the configuration file.
    if (!in_array($extension, $this->config['accepted_extensions'])) {
        Files::delFile($file['tmp_name']);
        return false;
    }
    // Second, filtering using a special function of the system.
    $result = filter_extension($file_name);
    // NOTE(review): $file_name was just copied from $file['name'], so the
    // second comparison can never be true here; presumably it was meant to
    // compare against the name before replace_dangerous_char() — verify
    if ($result == 0 || $file_name != $file['name']) {
        Files::delFile($file['tmp_name']);
        return false;
    }
    // Checking for a valid image by reading binary file (partially in most cases).
    if ($this->config['validate_images']) {
        $imgInfo = @getImageSize($file['tmp_name']);
        if (!is_array($imgInfo)) {
            Files::delFile($file['tmp_name']);
            return false;
        }
    }
    //now copy the file
    $path = Files::makePath($this->getBaseDir(), $relative);
    $result = Files::copyFile($file['tmp_name'], $path, $file['name']);
    //no copy error
    // (Files::copyFile presumably returns an int error code on failure and
    // the stored file name otherwise — confirm against that class)
    if (!is_int($result)) {
        if (isset($_course) && !empty($_course) && isset($_course['code'])) {
            //adding the document to the DB
            global $to_group_id;
            // looking for the /document/ folder
            $document_path = substr($path, strpos($path, '/document/') + 9, strlen($path)); // /shared_folder/4/name
            $document_path .= $result;
            $chamiloFile = $file['name'];
            $chamiloFileSize = $file['size'];
            // NOTE(review): neither $group_properties nor $chamiloFolder is
            // defined in this method, so this branch never runs and
            // $chamiloFolder is not used afterwards
            if (!empty($group_properties['directory'])) {
                $chamiloFolder = $group_properties['directory'] . $chamiloFolder;
            }
            $doc_id = add_document($_course, $document_path, 'file', $chamiloFileSize, $chamiloFile);
            api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', api_get_user_id(), $to_group_id, null, null, null, api_get_session_id());
        }
        // NOTE(review): the request value is used as-is as an index into the
        // config arrays below; an unknown key presumably only yields a notice
        // and skips the resize, but it should be restricted to known keys
        $dimensionsIndex = isset($_REQUEST['uploadSize']) ? $_REQUEST['uploadSize'] : 0;
        // If maximum size is specified, constrain image to it.
        if ($this->config['maxWidth'][$dimensionsIndex] > 0 && $this->config['maxHeight'][$dimensionsIndex] > 0) {
            $img = Image_Transform::factory(IMAGE_CLASS);
            $img->load($path . $result);
            // image larger than max dimensions?
            if ($img->img_x > $this->config['maxWidth'][$dimensionsIndex] || $img->img_y > $this->config['maxHeight'][$dimensionsIndex]) {
                // scale by the tighter of the two ratios so the aspect is kept
                $percentage = min($this->config['maxWidth'][$dimensionsIndex] / $img->img_x, $this->config['maxHeight'][$dimensionsIndex] / $img->img_y);
                $img->scale($percentage);
            }
            $img->save($path . $result);
            $img->free();
        }
    }
    // Delete tmp files.
    Files::delFile($file['tmp_name']);
    return false;
}
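/**
 * Saves a message attachment files
 *
 * Copies the uploaded file into the "message_attachments/" folder of the
 * receiver (or sender, or group) and records it in the message attachment
 * table. The row is only written when the file was actually copied.
 *
 * @param array  $file_attach      Uploaded file entry ($_FILES['name'])
 * @param string $file_comment     a comment about the uploaded file
 * @param int    $message_id       message id
 * @param int    $receiver_user_id receiver user id (optional)
 * @param int    $sender_user_id   sender user id (optional)
 * @param int    $group_id         group id (optional)
 * @return void
 */
public static function save_message_attachment_file($file_attach, $file_comment, $message_id, $receiver_user_id = 0, $sender_user_id = 0, $group_id = 0)
{
    $tbl_message_attach = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);

    // Try to add an extension to the file if it hasn't one; only this name is
    // checked against the filter, the stored name is a generated id
    $new_file_name = add_ext_on_mime(stripslashes($file_attach['name']), $file_attach['type']);
    // user's file name
    $file_name = $file_attach['name'];
    if (!filter_extension($new_file_name)) {
        Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));

        return;
    }

    $new_file_name = uniqid('');
    $message_user_id = !empty($receiver_user_id) ? $receiver_user_id : $sender_user_id;

    // User-reserved directory where photos have to be placed.
    $userGroup = new UserGroup();
    if (!empty($group_id)) {
        $path_user_info = $userGroup->get_group_picture_path_by_id($group_id, 'system', true);
    } else {
        $path_user_info['dir'] = UserManager::getUserPathById($message_user_id, 'system');
    }
    $path_message_attach = $path_user_info['dir'] . 'message_attachments/';
    // If this directory does not exist - we create it.
    if (!file_exists($path_message_attach)) {
        @mkdir($path_message_attach, api_get_permissions_for_new_directories(), true);
    }

    $new_path = $path_message_attach . $new_file_name;
    // is_uploaded_file() guards against copying an arbitrary local path
    $copied = false;
    if (is_uploaded_file($file_attach['tmp_name'])) {
        $copied = @copy($file_attach['tmp_name'], $new_path);
    }
    if (!$copied) {
        // Never record a row for a file that is not on disk
        return;
    }

    // Storing the attachments if any
    $params = [
        'filename' => $file_name,
        'comment' => $file_comment,
        'path' => $new_file_name,
        'message_id' => $message_id,
        'size' => intval($file_attach['size']),
    ];
    Database::insert($tbl_message_attach, $params);
}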
/**
 * Accepts a file only when its name passes the global upload extension filter.
 *
 * @param string $filename Name (or path) of the candidate file
 * @return bool True when filter_extension() allows the name
 */
function accept($filename)
{
    $allowed = filter_extension($filename);

    return $allowed ? true : false;
}
/**
 * Stores an uploaded extra-field file under {user_folder}/{$extra_field}/.
 *
 * Both file names are passed through Security::filter_filename() first, the
 * target name must pass filter_extension(), and the file is moved with
 * move_uploaded_file(), so only a file uploaded in the current request can
 * end up in the user folder.
 *
 * @param int    $user_id     The user internal identification number
 * @param string $extra_field The extra field name, used as a sub-directory
 * @param string $file        The target file name
 * @param string $source_file The temporary (uploaded) file name; defaults to $file
 * @return string|false The stored path relative to the user folder
 *                      ("{$extra_field}/{$file}" or "{$file}"), false on any failure
 */
public static function update_user_extra_file($user_id, $extra_field = '', $file = null, $source_file = null)
{
    // Normalise both names before anything else so no raw client string
    // reaches the filesystem.
    $source_file = Security::filter_filename($source_file);
    $file = Security::filter_filename($file);

    if (empty($user_id)) {
        return false;
    }
    if (empty($source_file)) {
        $source_file = $file;
    }

    // User-reserved directory where extra files have to be placed.
    $pathInfo = self::get_user_picture_path_by_id($user_id, 'system');
    $targetDir = $pathInfo['dir'];
    if (!empty($extra_field)) {
        // NOTE(review): $extra_field is appended to the path as-is; callers
        // are expected to pass a plain field name without path separators —
        // verify at the call sites.
        $targetDir .= $extra_field . '/';
    }

    // If this directory does not exist - we create it.
    if (!file_exists($targetDir)) {
        @mkdir($targetDir, api_get_permissions_for_new_directories(), true);
    }

    if (!filter_extension($file)) {
        return false;
    }
    if (!@move_uploaded_file($source_file, $targetDir . $file)) {
        // anything went wrong with the upload
        return false;
    }

    return $extra_field ? $extra_field . '/' . $file : $file;
}
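/**
 * Saves a message attachment file into the owner's message_attachments/
 * directory and records it in the message attachment table.
 *
 * The file is stored under a generated, extension-less name (uniqid); the
 * client's original name is only kept in the database and is checked with
 * filter_extension() before anything is written. The row is only inserted
 * once the file has actually been copied. Every value interpolated into the
 * INSERT is either escaped (strings) or cast to int (message id, size).
 *
 * @param array  $file_attach      One entry of $_FILES (name, type, tmp_name, size)
 * @param string $file_comment     Comment about the uploaded file
 * @param int    $message_id       Message the attachment belongs to
 * @param int    $receiver_user_id Receiver user id (optional)
 * @param int    $sender_user_id   Sender user id (optional), used when no receiver is given
 * @param int    $group_id         Group id (optional); when set the group directory is used
 * @return void
 */
public static function save_message_attachment_file($file_attach, $file_comment, $message_id, $receiver_user_id = 0, $sender_user_id = 0, $group_id = 0)
{
    $tbl_message_attach = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);

    // Try to add an extension to the file if it hasn't one, then run the
    // extension filter on that (client-supplied) name.
    $new_file_name = add_ext_on_mime(stripslashes($file_attach['name']), $file_attach['type']);
    // user's file name, kept only for the DB record
    $file_name = $file_attach['name'];

    if (!filter_extension($new_file_name)) {
        Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
        return;
    }

    // Opaque on-disk name without extension.
    $new_file_name = uniqid('');

    $message_user_id = !empty($receiver_user_id) ? $receiver_user_id : $sender_user_id;

    // Storage root: the group picture directory for group messages,
    // otherwise the user's own directory.
    if (!empty($group_id)) {
        $path_user_info = GroupPortalManager::get_group_picture_path_by_id($group_id, 'system', true);
    } else {
        $path_user_info = UserManager::get_user_picture_path_by_id($message_user_id, 'system', true);
    }
    $path_message_attach = $path_user_info['dir'] . 'message_attachments/';

    // If this directory does not exist - we create it.
    if (!file_exists($path_message_attach)) {
        @mkdir($path_message_attach, api_get_permissions_for_new_directories(), true);
    }

    $new_path = $path_message_attach . $new_file_name;

    // Only accept a file that really came from this request's upload, and only
    // continue when the copy succeeded; otherwise there is nothing to record.
    $copied = is_uploaded_file($file_attach['tmp_name'])
        && @copy($file_attach['tmp_name'], $new_path);
    if (!$copied) {
        return;
    }

    // Strings are escaped; ids and sizes are cast so nothing but digits is
    // ever interpolated into the query.
    $safe_file_comment = Database::escape_string($file_comment);
    $safe_file_name = Database::escape_string($file_name);
    $safe_new_file_name = Database::escape_string($new_file_name);
    $safe_message_id = (int) $message_id;
    $safe_size = (int) $file_attach['size'];

    // Storing the attachment record
    $sql = "INSERT INTO {$tbl_message_attach}(filename,comment, path,message_id,size)\n\t\t\t\t VALUES ('{$safe_file_name}', '{$safe_file_comment}', '{$safe_new_file_name}' , '{$safe_message_id}', '{$safe_size}' )";
    Database::query($sql);
}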
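/**
 * Uploads an author image to the upload/learning_path/images directory.
 *
 * The upload is validated with process_uploaded_file() and filter_extension(),
 * then re-encoded through the image library at most 104x96 pixels and stored
 * under a generated name. Only images that getimagesize() identifies as GIF,
 * JPEG or PNG are written, and what lands on disk is the re-encoded image,
 * not the client's original bytes. On success the new file name is recorded
 * with set_preview_image().
 *
 * @param array $image_array The image entry from the $_FILES superglobal
 * @return bool True on success, false on error or when no file was sent
 */
function upload_image($image_array)
{
    // No file sent: nothing to store, so there is no preview image to report.
    if (empty($image_array['name'])) {
        return false;
    }
    if (!process_uploaded_file($image_array)) {
        return false;
    }

    $courseDir = api_get_course_path() . '/upload/learning_path/images';
    $updir = api_get_path(SYS_COURSE_PATH) . $courseDir;

    // Try to add an extension to the file if it hasn't one, and filter it.
    $new_file_name = add_ext_on_mime(stripslashes($image_array['name']), $image_array['type']);
    if (!filter_extension($new_file_name)) {
        return false;
    }

    // Stored name: uniqid plus the lower-cased last segment of the original name.
    $name_parts = explode('.', $image_array['name']);
    $file_extension = strtolower(end($name_parts));
    $new_file_name = uniqid('') . '.' . $file_extension;
    $new_path = $updir . '/' . $new_file_name;

    include_once api_get_path(LIBRARY_PATH) . 'image.lib.php';

    // getimagesize() returns false for anything that is not an image; bail
    // out instead of indexing into false.
    $picture_infos = @getimagesize($image_array['tmp_name']);
    if (!is_array($picture_infos)) {
        return false;
    }
    // $picture_infos[0] -> width, [1] -> height, [2] -> IMAGETYPE_* constant
    $thumbwidth = min(104, $picture_infos[0]);
    $new_height = min(96, $picture_infos[1]);

    // Output format follows the detected type, not the client-supplied name.
    $formats = [
        IMAGETYPE_GIF => 'GIF',
        IMAGETYPE_JPEG => 'JPG',
        IMAGETYPE_PNG => 'PNG',
    ];
    $type = $picture_infos[2];
    if (!isset($formats[$type])) {
        return false;
    }

    $temp = new image($image_array['tmp_name']);
    $temp->resize($thumbwidth, $new_height, 0);
    $result = $temp->send_image($formats[$type], $new_path);
    if (!$result) {
        return false;
    }

    // Storing the image filename
    $this->set_preview_image($new_file_name);

    return true;
}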
$title = isset($_POST['title']) ? $_POST['title'] : null; $description = isset($_POST['description']) ? $_POST['description'] : null; if ($_POST['contains_file'] && !empty($_FILES['file']['size'])) { $updir = $currentCourseRepositorySys . 'work/'; //directory path to upload // Try to add an extension to the file if it has'nt one $new_file_name = add_ext_on_mime(stripslashes($_FILES['file']['name']), $_FILES['file']['type']); // Replace dangerous characters $new_file_name = replace_dangerous_char($new_file_name, 'strict'); // Transform any .php file in .phps fo security $new_file_name = php2phps($new_file_name); $filesize = filesize($_FILES['file']['tmp_name']); if (empty($filesize)) { $error_message .= Display::return_message(get_lang('UplUploadFailedSizeIsZero'), 'error'); $succeed = false; } elseif (!filter_extension($new_file_name)) { //filter extension $error_message .= Display::return_message(get_lang('UplUnableToSaveFileFilteredExtension'), 'error'); $succeed = false; } if (!$title) { $title = $_FILES['file']['name']; } // Compose a unique file name to avoid any conflict $new_file_name = api_get_unique_id(); $curdirpath = basename($my_folder_data['url']); // If we come from the group tools the groupid will be saved in $work_table $result = move_uploaded_file($_FILES['file']['tmp_name'], $updir . $curdirpath . '/' . $new_file_name); if ($result) { $url = 'work/' . $curdirpath . '/' . $new_file_name; $contains_file = 1;