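/**
 * Confirms that a folder dir and a URL purportedly linking to that folder do, in fact, match.
 *
 * The check works by writing a small marker file into $folder and then trying to fetch it
 * through $url with file(). If the marker comes back, the folder is a match for the URL.
 *
 * Assumption: the "allow_url_fopen" setting in php.ini is set to "1" (checked). If it's not
 * set the function always returns false.
 *
 * Any PHP warning raised while fetching the URL is collected by a temporary error handler and
 * examined to give the user a pointer to the cause. (The previous version wrapped an
 * @-suppressed file() call in ob_start()/ob_get_clean(); the suppression meant the buffer was
 * always empty, so the "404" / "Authorization Required" hints could never fire.) The raw warning
 * text is only appended to the message when $g_debug is on, HTML-escaped because the message is
 * rendered in the admin UI.
 *
 * @param string $folder a folder on this server.
 * @param string $url The URL that claims to point to <b>$folder</b>
 * @return array Returns array with indexes:<br/>
 *               [0]: true/false (success / failure)<br/>
 *               [1]: message string<br/>
 */
function ft_check_folder_url_match($folder, $url)
{
    global $g_debug, $LANG;

    // casts keep trim() quiet on null input (deprecated in 8.1) without changing the result
    $folder = rtrim(trim((string) $folder), "/\\");
    $url    = rtrim(trim((string) $url), "/\\");

    list($success, $message) = ft_check_upload_folder($folder);
    if (!$success) {
        return array(false, $LANG["validation_folder_invalid_permissions"]);
    }
    if (ini_get("allow_url_fopen") != "1") {
        return array(false, $LANG["notify_allow_url_fopen_not_set"]);
    }

    // marker file. The random suffix is for uniqueness, not secrecy: two checks started in
    // the same second no longer clobber each other's file (a bare date("U") name did)
    $marker    = "Folder-URL match test";
    $test_file = "ft_" . time() . "_" . mt_rand() . ".tmp";
    $test_path = "{$folder}/{$test_file}";

    if (file_put_contents($test_path, $marker) === false) {
        // a failure: the previous version reported this with success = true
        return array(false, "Problem creating test file.");
    }

    // fetch the marker through the URL. Warnings (e.g. "HTTP request failed! ... 404 Not Found")
    // are captured into $errors instead of being printed or logged.
    // NOTE(review): $url is admin-supplied and file() accepts any stream wrapper; if callers can
    // pass something other than http(s), consider rejecting other schemes before this call.
    $errors = "";
    set_error_handler(function ($errno, $errstr) use (&$errors) {
        $errors .= $errstr . "\n";
        return true; // handled: do not fall through to the standard handler
    });
    $result = file("{$url}/{$test_file}");
    restore_error_handler();

    // delete temp file (best effort)
    @unlink($test_path);

    // strict comparison; isset() guards an empty response, rtrim() tolerates a trailing newline
    if (is_array($result) && isset($result[0]) && rtrim($result[0], "\r\n") === $marker) {
        return array(true, $LANG["notify_folder_url_match"]);
    }

    $debug = "";
    if ($g_debug) {
        $debug = "<br />" . htmlspecialchars($errors, ENT_QUOTES, "UTF-8");
    }

    // let's take a look at the warning. [Assumption: error messages in English]
    if (preg_match("/404 Not Found/", $errors)) {
        return array(false, $LANG["notify_folder_url_no_match"] . " {$debug}");
    }
    if (preg_match("/Authorization Required/", $errors)) {
        return array(false, $LANG["notify_folder_url_no_access"] . " {$debug}");
    }

    return array(false, $LANG["notify_folder_url_unknown_error"]);
}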
/* NOTE(review): this run builds $return_str, but every echo below interpolates $return_val_str,
   which is never assigned in this span. The extra "return_vars" pairs are therefore dropped from
   each response and an undefined-variable notice is raised; presumably one of the two names is a
   typo — confirm against the rest of the script. */
$return_str = "";
if (isset($request["return_vars"])) {
    $vals = array();
    /* each() is deprecated since PHP 7.2 and removed in 8.0; a foreach does the same job */
    while (list($key, $value) = each($request["return_vars"])) {
        /* the JSON document is assembled by string interpolation: $key and $value come from the
           request and are not escaped, so a quote or backslash in them produces a broken
           response. json_encode() of an array would give the same structure safely. */
        $vals[] = "\"{$key}\": \"{$value}\"";
    }
    $return_str = ", " . implode(", ", $vals);
}
/* no permission: tell the client to log the user out and stop here */
if (!$permission_check["has_permission"]) {
    $message = $permission_check["message"];
    /* $message is interpolated unescaped into the JSON, same caveat as above */
    echo "{ \"success\": \"0\", \"ft_logout\": \"1\", \"message\": \"{$message}\"{$return_val_str} }";
    exit;
}
/* the switch continues past the end of this span; only the first three cases are visible */
switch ($action) {
    /* folder writability check; the 1/0 conversion keeps "success" a plain flag in the JSON */
    case "test_folder_permissions":
        list($success, $message) = ft_check_upload_folder($request["file_upload_dir"]);
        $success = $success ? 1 : 0;
        echo "{ \"success\": \"{$success}\", \"message\": \"{$message}\"{$return_val_str} }";
        break;
    /* folder / URL match check (writes a marker file into the folder, fetches it via the URL) */
    case "test_folder_url_match":
        list($success, $message) = ft_check_folder_url_match($request["file_upload_dir"], $request["file_upload_url"]);
        $success = $success ? 1 : 0;
        echo "{ \"success\": \"{$success}\", \"message\": \"{$message}\"{$return_val_str} }";
        break;
    // expects the tabset name and inner_tab to contain an alphanumeric string only
    /* NOTE(review): strip_tags() only removes markup; it does not enforce the alphanumeric
       contract stated above. The values are presumably stored under $_SESSION["ft"]["inner_tabs"]
       further down (outside this span) — if they are echoed back or used as keys elsewhere,
       confirm a stricter check exists there. $request["tabset"] / ["tab"] are read without
       isset() and raise a notice when absent. */
    case "remember_inner_tab":
        $tabset = strip_tags($request["tabset"]);
        $tab = strip_tags($request["tab"]);
        if (!array_key_exists("inner_tabs", $_SESSION["ft"])) {
            $_SESSION["ft"]["inner_tabs"] = array();
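/**
 * Called by administrators; updates the default user account settings.
 *
 * The posted filetype list is normalised before it is stored: the checkbox values and the
 * free-form "other" field are merged, each entry is trimmed and lowercased, empty entries are
 * dropped and duplicates removed, so downstream extension checks see one clean comma-separated
 * list. Missing request keys (e.g. no filetype checkbox ticked) are treated as empty instead of
 * raising undefined-index notices.
 *
 * Note: as in the previous version, the settings are saved before the upload folder is
 * validated, so an invalid folder is still stored and only reported back to the caller.
 * NOTE(review): file_upload_max_size is stored as posted, without a numeric check — confirm
 * the consumer of that setting copes with a non-numeric value.
 *
 * @param array $infohash this parameter should be a hash (e.g. $_POST or $_GET) containing the
 *              various fields from the main settings admin page.
 * @return array Returns array with indexes:<br/>
 *               [0]: true/false (success / failure)<br/>
 *               [1]: message string<br/>
 */
function ft_update_file_settings($infohash)
{
    global $LANG;

    $success = true;
    $message = $LANG["notify_setup_options_updated"];

    $file_upload_dir = isset($infohash["file_upload_dir"]) ? $infohash["file_upload_dir"] : "";
    $file_upload_dir = rtrim(trim((string) $file_upload_dir), "/\\");

    $file_upload_url = isset($infohash["file_upload_url"]) ? $infohash["file_upload_url"] : "";
    $file_upload_url = rtrim(trim((string) $file_upload_url), "/\\");

    $file_upload_max_size = isset($infohash["file_upload_max_size"]) ? $infohash["file_upload_max_size"] : "";

    // collect the filetypes from the checkboxes plus the free-form "other" field
    $filetypes = array();
    if (isset($infohash["file_upload_filetypes"]) && is_array($infohash["file_upload_filetypes"])) {
        $filetypes = $infohash["file_upload_filetypes"];
    }
    if (!empty($infohash["file_upload_filetypes_other"])) {
        $filetypes = array_merge($filetypes, explode(",", (string) $infohash["file_upload_filetypes_other"]));
    }

    // normalise: trim, lowercase, drop empties and duplicates (first occurrence order is kept)
    $clean_filetypes = array();
    foreach ($filetypes as $filetype) {
        $filetype = mb_strtolower(trim((string) $filetype));
        if ($filetype !== "" && !in_array($filetype, $clean_filetypes, true)) {
            $clean_filetypes[] = $filetype;
        }
    }
    $file_upload_filetypes = implode(",", $clean_filetypes);

    $settings = array(
        "file_upload_dir"       => $file_upload_dir,
        "file_upload_url"       => $file_upload_url,
        "file_upload_max_size"  => $file_upload_max_size,
        "file_upload_filetypes" => $file_upload_filetypes,
    );
    ft_set_settings($settings);

    // check the folder was valid. This runs after the save (as it always did), so an invalid
    // folder is stored but the caller is told about it
    list($is_valid_folder, $folder_message) = ft_check_upload_folder($file_upload_dir);
    if (!$is_valid_folder) {
        return array($is_valid_folder, $folder_message);
    }

    // hooks may overwrite $success / $message; EXTR_OVERWRITE is deliberate
    extract(ft_process_hook_calls("end", compact("infohash"), array("success", "message")), EXTR_OVERWRITE);

    return array($success, $message);
}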