/**
 * Performs any necessary cleanup on a filename to make it safe to use.
 *
 * Thin wrapper: all of the work is delegated to sanitize_filename_for_web_hosting(),
 * so the guarantees offered here are exactly that helper's guarantees.
 *
 * @access protected
 * @param string $filename the name of an uploaded file
 * @return string the cleaned-up filename
 */
function _clean_filename($filename)
{
    $cleaned = sanitize_filename_for_web_hosting($filename);
    return $cleaned;
}
/**
 * Error-check callback for the media upload / import form.
 *
 * In order:
 *  1. copies the delivery-method state into fields, applies the default delivery
 *     method and validates the "parts" input;
 *  2. if an 'upload_file' element exists and holds a received or pending file that is
 *     still on disk, copies it next to its temp path under a sanitized version of the
 *     client-supplied name, checks whether it was imported before and, if the manager
 *     has no errors, hands it to transfer_uploaded_file() and removes the temp file
 *     (otherwise the sanitized copy is removed instead);
 *  3. otherwise, if 'import_file' is set, runs the server-side import path;
 *  4. runs the protocol switch and the delivery-method / URL sanity checks depending on
 *     the 'reason_managed_media', 'delivery_methods', 'url' and 'import_file' values.
 *
 * NOTE(review): the return value of copy() is not checked. If the copy fails (disk
 * full, permissions, or the sanitized name collapsing to an empty string so $new_path
 * is just a directory), $file_uploaded is still set to true and the transfer utility is
 * constructed against a path that does not exist.
 *
 * $file->file['name'] is client-controlled; sanitize_filename_for_web_hosting() is the
 * only thing between that value and the path passed to copy(), so it must strip
 * directory separators and ".." — TODO confirm against that helper.
 */
function _run_error_checks_callback()
{
    $this->write_delivery_methods_to_fields();
    $this->set_default_delivery_method();
    $this->check_parts_input();
    $file_uploaded = false;
    if ($this->manager->_is_element('upload_file')) {
        $file = $this->manager->get_element('upload_file');
        // only act on a file that the form has actually received and that is still on disk
        if (($file->state == 'received' or $file->state == 'pending') and file_exists($file->tmp_full_path)) {
            // name our file with the friendly uploaded file name
            $new_filename = sanitize_filename_for_web_hosting($file->file['name']);
            $new_path = dirname($file->tmp_full_path) . '/' . $new_filename;
            copy($file->tmp_full_path, $new_path); // NOTE(review): result unchecked, see docblock
            $file_uploaded = true;
            $user = new entity($this->manager->admin_page->user_id);
            // file_transfer_utility_class is a class name held on the instance
            $stream = new $this->file_transfer_utility_class($user->get_value('name'), $new_path);
            $this->check_if_file_has_been_previously_imported($stream, $user);
            if (!$this->manager->_has_errors()) {
                $this->transfer_uploaded_file($stream, $user, $new_path);
                unlink($file->tmp_full_path);
            } else {
                // validation failed: drop the renamed copy, keep the temp file for the form
                unlink($new_path);
            }
        }
    }
    // server-side import only when no upload was handled above
    if (!$file_uploaded && $this->manager->get_value('import_file')) {
        $user = new entity($this->manager->admin_page->user_id);
        $stream = new $this->file_transfer_utility_class($user->get_value('name'));
        $this->check_if_file_has_been_previously_imported($stream, $user);
        if (!$this->manager->_has_errors()) {
            $this->do_file_import($stream, $user);
        }
    }
    if ($this->manager->get_value('reason_managed_media') && $this->manager->get_value('delivery_methods') && $this->manager->get_value('url')) {
        $this->do_protocol_switch();
    }
    // externally hosted media (neither managed nor imported) gets the URL / delivery checks
    if (!$this->manager->get_value('reason_managed_media') && !$this->manager->get_value('import_file')) {
        $this->check_delivery_method_sanity();
        $this->check_url_sanity();
    }
}
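/**
 * Copies the current local media file to the streaming server over scp, into the
 * per-entity directory REASON_STREAM_BASE_PATH . REASON_STREAM_DIR . '/<prefix>/<entity_id>/'.
 *
 * Returns nothing when the ssh handle is null (the streaming object is incomplete: no
 * netid or no streaming_media folder), 0 when no entity id or local file is available,
 * when the destination path is not allowed, or when the copy cannot be verified on the
 * remote side, and 1 on success.
 *
 * The remote filename is the sanitized basename of the local file, and the full
 * destination path must pass _check_for_allowed_path() before anything is sent. That
 * check is the guard against writing outside the streaming tree, so it must stay ahead
 * of the scp call.
 *
 * Changes from the previous version: _entity_prefix() is called once instead of twice
 * (assumes it is a pure lookup — TODO confirm), the unused $local_path local is gone,
 * and the "forbidden" log message now names this function rather than place_media().
 *
 * @param mixed $entity_id id of the media entity; "" is treated as missing
 * @param string $new_local_file optional local path that replaces $this->local_file
 * @return int|void 1 on success, 0 on failure, nothing when ssh is unavailable
 */
function place_local_media($entity_id = "", $new_local_file = "")
{
    if ($this->ssh == null) {
        return;
    } // ssh is null if the streaming object is incomplete (no netid or no streaming_media folder)
    if ($entity_id == "") {
        return 0;
    }
    if (strcmp($new_local_file, "") != 0) {
        $this->local_file = $new_local_file;
    } // if passed a new file, use it instead
    if ($this->local_file == "") {
        return 0;
    }

    $entity_prefix = $this->_entity_prefix($entity_id);
    $this->_create_entity_directory($entity_id);
    $this->_move_old_media($entity_id);

    // determine file path details
    $local_path_parts = pathinfo($this->local_file);   // chop up the local path into an array
    $local_filename = $local_path_parts['basename'];   // filename only
    $remote_filename = sanitize_filename_for_web_hosting($local_filename); // filename only, made safe for the web host
    $destination_path = REASON_STREAM_BASE_PATH . REASON_STREAM_DIR . '/' . $entity_prefix . "/" . $entity_id . "/" . $remote_filename;

    // refuse anything outside the allowed streaming tree before touching the remote host
    if (!$this->_check_for_allowed_path($destination_path)) {
        $this->last_error = "streaming_server.php: place_local_media() destination path \"{$destination_path}\" forbidden.";
        error_log($this->last_error);
        return 0;
    }

    // copy the file to its entity location; scp gets directory and basename separately
    $remote_path_parts = pathinfo($destination_path);   // chop up the remote path into an array
    $this->ssh->local_path = $local_path_parts['dirname'];
    $this->ssh->remote_path = $remote_path_parts['dirname'];
    // NOTE(review): the local basename is passed unsanitized; it is caller-supplied via
    // $this->local_file, so the scp wrapper is relied on to quote it — TODO confirm.
    $this->ssh->_scp_exec_to($local_path_parts['basename'], $remote_path_parts['basename']);

    // verify that it exists there
    if (!$this->ssh->remote_file_exists($destination_path)) {
        $this->last_error = "streaming_server.php: place_local_media() copy to destination path \"{$destination_path}\" failed.";
        error_log($this->last_error);
        return 0;
    }
    return 1;
}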
} } if (empty($session['files'][$name])) $session['files'][$name] = array(); $index = get_next_index($session['files'][$name]); $session['files'][$name][$index] = array( 'name' => $filename, 'path' => $temp_path, 'original_path' => $unscaled_path ); $response[$name] = array( 'index' => $index, 'filename' => sanitize_filename_for_web_hosting($filename), 'uri' => $temp_uri, 'size' => $filesize ); if ($img_info) { $response[$name]['dimensions'] = array( 'width' => $width, 'height' => $height ); $response[$name]['orig_dimensions'] = array( 'width' => $orig_width, 'height' => $orig_height ); } }
* This next part has been commented out because the final_response function seems unable to handle reuse of one error code with * two different messages (it currently prints out the other error message passed with the 422 code to final_response) */ /* if ($img_info) { if (!($img_info[0] > REASON_STANDARD_MIN_IMAGE_WIDTH && $img_info[1] > REASON_STANDARD_MIN_IMAGE_HEIGHT)) final_response(422, 'Uploaded image dimensions are too small. Please upload another image.'); } */ if (empty($session['files'][$name])) { $session['files'][$name] = array(); } $index = get_next_index($session['files'][$name]); $session['files'][$name][$index] = array('name' => $filename, 'path' => $temp_path, 'original_path' => $unscaled_path); $response[$name] = array('index' => $index, 'filename' => sanitize_filename_for_web_hosting($filename), 'uri' => $temp_uri, 'size' => $filesize); if ($img_info) { $response[$name]['dimensions'] = array('width' => $width, 'height' => $height); $response[$name]['orig_dimensions'] = array('width' => $orig_width, 'height' => $orig_height); } } $reason_session->set(_async_upload_session_key($upload_sid), $session); final_response(200, $response); function check_constraints($constraints, $file) { $path = $file->get_temporary_path(); if (!empty($constraints['mime_types'])) { if (!$file->mime_type_matches($constraints['mime_types'])) { final_response(415, "File is not of an allowed type."); } }
/**
 * Normalises the file_name field before error checking and decides whether it is editable.
 *
 * The name to normalise is the uploaded file's own name when the asset element has just
 * been received, otherwise the current file_name value (which, for an existing asset, is
 * the user-editable field). When it is non-empty it is passed through
 * get_safer_filename(), sanitize_filename_for_web_hosting() and
 * reason_get_unique_asset_filename() (scoped to this site and this entity) and written
 * back to the field.
 *
 * The field is then hidden unless the asset is in the "existing" state, where it stays
 * editable and is marked required.
 */
function pre_error_check_actions()
{
    $asset = $this->get_element('asset');

    // on an upload the freshly received file's name wins; otherwise keep the field value
    if ($asset->state == 'received') {
        $candidate = $asset->file["name"];
    } else {
        $candidate = $this->get_value('file_name');
    }

    if ($candidate) {
        $safe_name = $this->get_safer_filename($candidate);
        $safe_name = sanitize_filename_for_web_hosting($safe_name);
        $safe_name = reason_get_unique_asset_filename($safe_name, $this->get_value("site_id"), $this->_id);
        $this->set_value('file_name', $safe_name);
    }

    // only an existing, valid asset keeps an editable (and required) file_name field
    if ($asset->state == 'existing') {
        $this->add_required('file_name');
    } else {
        $this->change_element_type('file_name', 'hidden');
    }
}
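/**
 * Makes an asset filename "safer" for storage in a possibly web-accessible directory.
 *
 * Strips any directory component, maps extensions a web server is commonly configured
 * to execute (php, asp, jsp, cgi, ...) to "<ext>.txt" so they are served as text, and
 * finally runs the result through sanitize_filename_for_web_hosting().
 *
 * The extension lookup is case-insensitive. Most web servers match handler extensions
 * without regard to case, so "shell.PHP" has to be neutralised exactly like "shell.php";
 * the previous version only matched the lowercase spelling.
 *
 * It is called "safer" rather than "safe" because a deny-list cannot be complete: only
 * the last extension is inspected (so "x.php.jpg" is left alone and may still be
 * executed by a server using AddHandler-style matching), and other executable types may
 * exist on a given host. If the asset directory is web-accessible and executable there
 * may well be other files one could upload and execute.
 *
 * @todo the notion of "safer" should be replaced with better security: an allow-list of
 *       uploadable extensions, with ".txt" appended to everything else.
 *
 * @param string $filename the uploaded filename (may include directory components)
 * @return string the safer, sanitized filename
 */
function _reason_get_safer_asset_filename($filename)
{
    // Extensions a web server may execute, each mapped to the neutralised form written
    // in its place. Keys must be lowercase: the lookup below lowercases the extension.
    static $unsafe_to_safer = array(
        'py'    => 'py.txt',
        'php'   => 'php.txt',
        'php3'  => 'php3.txt',
        'php4'  => 'php4.txt',
        'php5'  => 'php5.txt',
        'php7'  => 'php7.txt',
        'phps'  => 'phps.txt',
        'phtml' => 'phtml.txt',
        'phar'  => 'phar.txt',
        'asp'   => 'asp.txt',
        'aspx'  => 'aspx.txt',
        'pl'    => 'pl.txt',
        'shtml' => 'shtml.txt',
        'cfm'   => 'cfm.txt',
        'woa'   => 'woa.txt',
        'jsp'   => 'jsp.txt',
        'js'    => 'js.txt',
        'exe'   => 'exe.txt',
        'cgi'   => 'cgi.txt',
        'vb'    => 'vb.txt',
        'bat'   => 'bat.txt',
    );

    // split off the last extension; basename() also drops any directory part,
    // which is what keeps "../../x.php" from escaping the asset directory
    $parts = explode('.', $filename);
    if (count($parts) <= 1) {
        $name = basename($filename);
        $fext = '';
    } else {
        $fext = array_pop($parts);
        $name = basename($filename, ".{$fext}");
    }

    // case-insensitive lookup; the original spelling is kept when the extension is harmless
    $lookup = strtolower($fext);
    if (!empty($unsafe_to_safer[$lookup])) {
        $fext = $unsafe_to_safer[$lookup];
    }

    if (!empty($fext)) {
        $name .= '.' . $fext;
    }

    return sanitize_filename_for_web_hosting($name);
}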