/**
  * Send the file.
  *
  * @param $form_id
  * @param $file
  */
 private static function deliver($form_id, $file)
 {
     $path = GFFormsModel::get_upload_path($form_id);
     $file_path = trailingslashit($path) . $file;
     if (file_exists($file_path)) {
         $content_type = self::get_content_type($file_path);
         nocache_headers();
         header('Robots: none');
         header('Content-Type: ' . $content_type);
         header('Content-Description: File Transfer');
         header('Content-Disposition: attachment; filename="' . basename($file) . '"');
         header('Content-Transfer-Encoding: binary');
         self::readfile_chunked($file_path);
         die;
     } else {
         self::die_404();
     }
 }
 /**
  * Send the file.
  *
  * @param $form_id
  * @param $file
  */
 private static function deliver($form_id, $file)
 {
     $path = GFFormsModel::get_upload_path($form_id);
     $file_path = trailingslashit($path) . $file;
     GFCommon::log_debug("delivering file: {$file_path}");
     if (file_exists($file_path)) {
         GFCommon::log_debug("file exists - starting delivery");
         $content_type = self::get_content_type($file_path);
         $content_disposition = rgget('dl') ? 'attachment' : 'inline';
         nocache_headers();
         header('Robots: none');
         header('Content-Type: ' . $content_type);
         header('Content-Description: File Transfer');
         header('Content-Disposition: ' . $content_disposition . '; filename="' . basename($file) . '"');
         header('Content-Transfer-Encoding: binary');
         self::readfile_chunked($file_path);
         die;
     } else {
         GFCommon::log_debug("file does not exist. abort with 404");
         self::die_404();
     }
 }
 public function move_temp_file($form_id, $tempfile_info)
 {
     $target = GFFormsModel::get_file_upload_path($form_id, $tempfile_info['uploaded_filename']);
     $source = GFFormsModel::get_upload_path($form_id) . '/tmp/' . $tempfile_info['temp_filename'];
     GFCommon::log_debug(__METHOD__ . '(): Moving temp file from: ' . $source);
     if (rename($source, $target['path'])) {
         GFCommon::log_debug(__METHOD__ . '(): File successfully moved.');
         $this->set_permissions($target['path']);
         return $target['url'];
     } else {
         GFCommon::log_debug(__METHOD__ . '(): FAILED (Temporary file could not be moved.)');
         return 'FAILED (Temporary file could not be moved.)';
     }
 }
Exemple #4
0
 private static function upload_files($form, $files)
 {
     $form_upload_path = GFFormsModel::get_upload_path($form['id']);
     //Creating temp folder if it does not exist
     $target_path = $form_upload_path . '/tmp/';
     wp_mkdir_p($target_path);
     GFCommon::recursive_add_index_file($form_upload_path);
     foreach ($form['fields'] as $field) {
         $input_name = "input_{$field->id}";
         //skip fields that are not file upload fields or that don't have a file to be uploaded or that have failed validation
         $input_type = RGFormsModel::get_input_type($field);
         if (!in_array($input_type, array('fileupload', 'post_image')) || $field->multipleFiles) {
             continue;
         }
         if ($field->failed_validation || empty($_FILES[$input_name]['name'])) {
             GFCommon::log_debug("GFFormDisplay::upload_files(): Skipping field: {$field->label}({$field->id} - {$field->type}).");
             continue;
         }
         $file_info = RGFormsModel::get_temp_filename($form['id'], $input_name);
         GFCommon::log_debug('GFFormDisplay::upload_files(): Temp file info: ' . print_r($file_info, true));
         if ($file_info && move_uploaded_file($_FILES[$input_name]['tmp_name'], $target_path . $file_info['temp_filename'])) {
             GFFormsModel::set_permissions($target_path . $file_info['temp_filename']);
             $files[$input_name] = $file_info['uploaded_filename'];
             GFCommon::log_debug("GFFormDisplay::upload_files(): File uploaded successfully: {$file_info['uploaded_filename']}");
         } else {
             GFCommon::log_error("GFFormDisplay::upload_files(): File could not be uploaded: tmp_name: {$_FILES[$input_name]['tmp_name']} - target location: " . $target_path . $file_info['temp_filename']);
         }
     }
     return $files;
 }
 private static function upload_files($form, $files)
 {
     $form_upload_path = GFFormsModel::get_upload_path($form['id']);
     GFCommon::log_debug("GFFormDisplay::upload_files(): Upload path {$form_upload_path}");
     //Creating temp folder if it does not exist
     $target_path = $form_upload_path . '/tmp/';
     wp_mkdir_p($target_path);
     GFCommon::recursive_add_index_file($form_upload_path);
     foreach ($form['fields'] as $field) {
         $input_name = "input_{$field->id}";
         //skip fields that are not file upload fields or that don't have a file to be uploaded or that have failed validation
         $input_type = RGFormsModel::get_input_type($field);
         if (!in_array($input_type, array('fileupload', 'post_image')) || $field->multipleFiles) {
             continue;
         }
         /*if ( $field->failed_validation || empty( $_FILES[ $input_name ]['name'] ) ) {
         			GFCommon::log_debug( "GFFormDisplay::upload_files(): Skipping field: {$field->label}({$field->id} - {$field->type})." );
         			continue;
         		}*/
         if ($field->failed_validation) {
             GFCommon::log_debug("GFFormDisplay::upload_files(): Skipping field because it failed validation: {$field->label}({$field->id} - {$field->type}).");
             continue;
         }
         if (empty($_FILES[$input_name]['name'])) {
             GFCommon::log_debug("GFFormDisplay::upload_files(): Skipping field because " . $_FILES[$input_name]['name'] . " could not be found: {$field->label}({$field->id} - {$field->type}).");
             continue;
         }
         $file_name = $_FILES[$input_name]['name'];
         if (GFCommon::file_name_has_disallowed_extension($file_name)) {
             GFCommon::log_debug(__METHOD__ . "(): Illegal file extension: {$file_name}");
             continue;
         }
         $allowed_extensions = !empty($field->allowedExtensions) ? GFCommon::clean_extensions(explode(',', strtolower($field->allowedExtensions))) : array();
         if (!empty($allowed_extensions)) {
             if (!GFCommon::match_file_extension($file_name, $allowed_extensions)) {
                 GFCommon::log_debug(__METHOD__ . "(): The uploaded file type is not allowed: {$file_name}");
                 continue;
             }
         }
         /**
          * Allows the disabling of file upload whitelisting
          *
          * @param bool false Set to 'true' to disable whitelisting.  Defaults to 'false'.
          */
         $whitelisting_disabled = apply_filters('gform_file_upload_whitelisting_disabled', false);
         if (empty($allowed_extensions) && !$whitelisting_disabled) {
             // Whitelist the file type
             $valid_file_name = GFCommon::check_type_and_ext($_FILES[$input_name], $file_name);
             if (is_wp_error($valid_file_name)) {
                 GFCommon::log_debug(__METHOD__ . "(): The uploaded file type is not allowed: {$file_name}");
                 continue;
             }
         }
         $file_info = RGFormsModel::get_temp_filename($form['id'], $input_name);
         GFCommon::log_debug('GFFormDisplay::upload_files(): Temp file info: ' . print_r($file_info, true));
         if ($file_info && move_uploaded_file($_FILES[$input_name]['tmp_name'], $target_path . $file_info['temp_filename'])) {
             GFFormsModel::set_permissions($target_path . $file_info['temp_filename']);
             $files[$input_name] = $file_info['uploaded_filename'];
             GFCommon::log_debug("GFFormDisplay::upload_files(): File uploaded successfully: {$file_info['uploaded_filename']}");
         } else {
             GFCommon::log_error("GFFormDisplay::upload_files(): File could not be uploaded: tmp_name: {$_FILES[$input_name]['tmp_name']} - target location: " . $target_path . $file_info['temp_filename']);
         }
     }
     return $files;
 }
Exemple #6
0
 public static function upload()
 {
     GFCommon::log_debug('GFAsyncUpload::upload(): Starting.');
     if ($_SERVER['REQUEST_METHOD'] != 'POST') {
         status_header(404);
         die;
     }
     header('Content-Type: text/html; charset=' . get_option('blog_charset'));
     send_nosniff_header();
     nocache_headers();
     status_header(200);
     // If the file is bigger than the server can accept then the form_id might not arrive.
     // This might happen if the file is bigger than the max post size ini setting.
     // Validation in the browser reduces the risk of this happening.
     if (!isset($_REQUEST['form_id'])) {
         GFCommon::log_debug('GFAsyncUpload::upload(): File upload aborted because the form_id was not found. The file may have been bigger than the max post size ini setting.');
         self::die_error(500, __('Failed to upload file.', 'gravityforms'));
     }
     $form_id = absint($_REQUEST['form_id']);
     $form_unique_id = rgpost('gform_unique_id');
     $form = GFAPI::get_form($form_id);
     if (empty($form) || !$form['is_active']) {
         die;
     }
     if (rgar($form, 'requireLogin')) {
         if (!is_user_logged_in()) {
             die;
         }
         check_admin_referer('gform_file_upload_' . $form_id, '_gform_file_upload_nonce_' . $form_id);
     }
     if (!ctype_alnum($form_unique_id)) {
         die;
     }
     $target_dir = GFFormsModel::get_upload_path($form_id) . DIRECTORY_SEPARATOR . 'tmp' . DIRECTORY_SEPARATOR;
     if (!is_dir($target_dir)) {
         if (!wp_mkdir_p($target_dir)) {
             GFCommon::log_debug("GFAsyncUpload::upload(): Couldn't create the tmp folder: " . $target_dir);
             self::die_error(500, __('Failed to upload file.', 'gravityforms'));
         }
     }
     $time = current_time('mysql');
     $y = substr($time, 0, 4);
     $m = substr($time, 5, 2);
     //adding index.html files to all subfolders
     if (!file_exists(GFFormsModel::get_upload_root() . '/index.html')) {
         GFForms::add_security_files();
     } else {
         if (!file_exists(GFFormsModel::get_upload_path($form_id) . '/index.html')) {
             GFCommon::recursive_add_index_file(GFFormsModel::get_upload_path($form_id));
         } else {
             if (!file_exists(GFFormsModel::get_upload_path($form_id) . "/{$y}/index.html")) {
                 GFCommon::recursive_add_index_file(GFFormsModel::get_upload_path($form_id) . "/{$y}");
             } else {
                 GFCommon::recursive_add_index_file(GFFormsModel::get_upload_path($form_id) . "/{$y}/{$m}");
             }
         }
     }
     if (!file_exists($target_dir . '/index.html')) {
         GFCommon::recursive_add_index_file($target_dir);
     }
     $uploaded_filename = $_FILES['file']['name'];
     $file_name = isset($_REQUEST['name']) ? $_REQUEST['name'] : '';
     $field_id = rgpost('field_id');
     $field_id = absint($field_id);
     $field = GFFormsModel::get_field($form, $field_id);
     if (empty($field) || GFFormsModel::get_input_type($field) != 'fileupload') {
         die;
     }
     $file_name = sanitize_file_name($file_name);
     $uploaded_filename = sanitize_file_name($uploaded_filename);
     $allowed_extensions = !empty($field->allowedExtensions) ? GFCommon::clean_extensions(explode(',', strtolower($field->allowedExtensions))) : array();
     $max_upload_size_in_bytes = $field->maxFileSize > 0 ? $field->maxFileSize * 1048576 : wp_max_upload_size();
     $max_upload_size_in_mb = $max_upload_size_in_bytes / 1048576;
     if ($_FILES['file']['size'] > 0 && $_FILES['file']['size'] > $max_upload_size_in_bytes) {
         self::die_error(104, sprintf(__('File exceeds size limit. Maximum file size: %dMB', 'gravityforms'), $max_upload_size_in_mb));
     }
     if (GFCommon::file_name_has_disallowed_extension($file_name) || GFCommon::file_name_has_disallowed_extension($uploaded_filename)) {
         GFCommon::log_debug("GFAsyncUpload::upload(): Illegal file extension: {$file_name}");
         self::die_error(104, __('The uploaded file type is not allowed.', 'gravityforms'));
     }
     if (!empty($allowed_extensions)) {
         if (!GFCommon::match_file_extension($file_name, $allowed_extensions) || !GFCommon::match_file_extension($uploaded_filename, $allowed_extensions)) {
             GFCommon::log_debug("GFAsyncUpload::upload(): The uploaded file type is not allowed: {$file_name}");
             self::die_error(104, sprintf(__('The uploaded file type is not allowed. Must be one of the following: %s', 'gravityforms'), strtolower($field['allowedExtensions'])));
         }
     }
     $whitelisting_disabled = apply_filters('gform_file_upload_whitelisting_disabled', false);
     if (empty($allowed_extensions) && !$whitelisting_disabled) {
         // Whitelist the file type
         $valid_uploaded_filename = GFCommon::check_type_and_ext($_FILES['file'], $uploaded_filename);
         if (is_wp_error($valid_uploaded_filename)) {
             self::die_error($valid_uploaded_filename->get_error_code(), $valid_uploaded_filename->get_error_message());
         }
         $valid_file_name = GFCommon::check_type_and_ext($_FILES['file'], $file_name);
         if (is_wp_error($valid_uploaded_filename)) {
             self::die_error($valid_file_name->get_error_code(), $valid_file_name->get_error_message());
         }
     }
     $tmp_file_name = $form_unique_id . '_input_' . $field_id . '_' . $file_name;
     $tmp_file_name = sanitize_file_name($tmp_file_name);
     $file_path = $target_dir . $tmp_file_name;
     $cleanup_target_dir = true;
     // Remove old files
     $max_file_age = 5 * 3600;
     // Temp file age in seconds
     // Remove old temp files
     if ($cleanup_target_dir) {
         if (is_dir($target_dir) && ($dir = opendir($target_dir))) {
             while (($file = readdir($dir)) !== false) {
                 $tmp_file_path = $target_dir . $file;
                 // Remove temp file if it is older than the max age and is not the current file
                 if (preg_match('/\\.part$/', $file) && filemtime($tmp_file_path) < time() - $max_file_age && $tmp_file_path != "{$file_path}.part") {
                     GFCommon::log_debug('GFAsyncUpload::upload(): Deleting file: ' . $tmp_file_path);
                     @unlink($tmp_file_path);
                 }
             }
             closedir($dir);
         } else {
             GFCommon::log_debug('GFAsyncUpload::upload(): Failed to open temp directory: ' . $target_dir);
             self::die_error(100, __('Failed to open temp directory.', 'gravityforms'));
         }
     }
     if (isset($_SERVER['HTTP_CONTENT_TYPE'])) {
         $contentType = $_SERVER['HTTP_CONTENT_TYPE'];
     }
     if (isset($_SERVER['CONTENT_TYPE'])) {
         $contentType = $_SERVER['CONTENT_TYPE'];
     }
     $chunk = isset($_REQUEST['chunk']) ? intval($_REQUEST['chunk']) : 0;
     $chunks = isset($_REQUEST['chunks']) ? intval($_REQUEST['chunks']) : 0;
     // Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
     if (strpos($contentType, 'multipart') !== false) {
         if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
             // Open temp file
             $out = @fopen("{$file_path}.part", $chunk == 0 ? 'wb' : 'ab');
             if ($out) {
                 // Read binary input stream and append it to temp file
                 $in = @fopen($_FILES['file']['tmp_name'], 'rb');
                 if ($in) {
                     while ($buff = fread($in, 4096)) {
                         fwrite($out, $buff);
                     }
                 } else {
                     self::die_error(101, __('Failed to open input stream.', 'gravityforms'));
                 }
                 @fclose($in);
                 @fclose($out);
                 @unlink($_FILES['file']['tmp_name']);
             } else {
                 self::die_error(102, __('Failed to open output stream.', 'gravityforms'));
             }
         } else {
             self::die_error(103, __('Failed to move uploaded file.', 'gravityforms'));
         }
     } else {
         // Open temp file
         $out = @fopen("{$file_path}.part", $chunk == 0 ? 'wb' : 'ab');
         if ($out) {
             // Read binary input stream and append it to temp file
             $in = @fopen('php://input', 'rb');
             if ($in) {
                 while ($buff = fread($in, 4096)) {
                     fwrite($out, $buff);
                 }
             } else {
                 self::die_error(101, __('Failed to open input stream.', 'gravityforms'));
             }
             @fclose($in);
             @fclose($out);
         } else {
             self::die_error(102, __('Failed to open output stream.', 'gravityforms'));
         }
     }
     // Check if file has been uploaded
     if (!$chunks || $chunk == $chunks - 1) {
         // Strip the temp .part suffix off
         rename("{$file_path}.part", $file_path);
     }
     if (file_exists($file_path)) {
         GFFormsModel::set_permissions($file_path);
     } else {
         self::die_error(105, __('Upload unsuccessful', 'gravityforms') . ' ' . $uploaded_filename);
     }
     $output = array('status' => 'ok', 'data' => array('temp_filename' => $tmp_file_name, 'uploaded_filename' => str_replace("\\'", "'", urldecode($uploaded_filename))));
     $output = json_encode($output);
     GFCommon::log_debug(sprintf('GFAsyncUpload::upload(): File upload complete. temp_filename: %s  uploaded_filename: %s ', $tmp_file_name, $uploaded_filename));
     gf_do_action('gform_post_multifile_upload', $form['id'], $form, $field, $uploaded_filename, $tmp_file_name, $file_path);
     die($output);
 }
Exemple #7
0
 public static function upload()
 {
     GFCommon::log_debug("GFAsyncUpload::upload() - Starting");
     header('Content-Type: text/html; charset=' . get_option('blog_charset'));
     send_nosniff_header();
     nocache_headers();
     status_header(200);
     // If the file is bigger than the server can accept then the form_id might not arrive.
     // This might happen if the file is bigger than the max post size ini setting.
     // Validation in the browser reduces the risk of this happening.
     if (!isset($_REQUEST["form_id"])) {
         GFCommon::log_debug("GFAsyncUpload::upload() - File upload aborted because the form_id was not found. The file may have been bigger than the max post size ini setting.");
         die('{"status" : "error", "error" : {"code": 500, "message": "' . __("Failed to upload file.", "gravityforms") . '"}}');
     }
     $form_id = $_REQUEST["form_id"];
     $form_unique_id = rgpost("gform_unique_id");
     $form = GFFormsModel::get_form_meta($form_id);
     $target_dir = GFFormsModel::get_upload_path($form_id) . DIRECTORY_SEPARATOR . "tmp" . DIRECTORY_SEPARATOR;
     wp_mkdir_p($target_dir);
     $cleanup_target_dir = true;
     // Remove old files
     $maxFileAge = 5 * 3600;
     // Temp file age in seconds
     // Chunking is not currently implemented in the front-end because it's not widely supported. The code is left here for when browsers catch up.
     $chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
     $chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
     $file_name = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
     $field_id = rgpost("field_id");
     $field = GFFormsModel::get_field($form, $field_id);
     // Clean the fileName for security reasons
     $file_name = preg_replace('/[^\\w\\._]+/', '_', $file_name);
     $ext_pos = strrpos($file_name, '.');
     $extension = strtolower(substr($file_name, $ext_pos + 1));
     $allowed_extensions = isset($field["allowedExtensions"]) && !empty($field["allowedExtensions"]) ? GFCommon::clean_extensions(explode(",", strtolower($field["allowedExtensions"]))) : array();
     $disallowed_extensions = GFCommon::get_disallowed_file_extensions();
     if (empty($field["allowedExtensions"]) && in_array($extension, $disallowed_extensions)) {
         GFCommon::log_debug("GFAsyncUpload::upload() - illegal file extension: {$file_name})");
         die('{"status" : "error", "error" : {"code": 104, "message": "' . __("The uploaded file type is not allowed.", "gravityforms") . '"}}');
     } elseif (!empty($allowed_extensions) && !in_array($extension, $allowed_extensions)) {
         GFCommon::log_debug("GFAsyncUpload::upload() - The uploaded file type is not allowed: {$file_name})");
         die('{"status" : "error", "error" : {"code": 104, "message": "' . sprintf(__("The uploaded file type is not allowed. Must be one of the following: %s", "gravityforms"), strtolower($field["allowedExtensions"])) . '"}}');
     }
     $tmp_file_name = $form_unique_id . "_input_" . $field_id . "_" . $file_name;
     $file_path = $target_dir . $tmp_file_name;
     // Remove old temp files
     if ($cleanup_target_dir) {
         if (is_dir($target_dir) && ($dir = opendir($target_dir))) {
             while (($file = readdir($dir)) !== false) {
                 $tmp_file_path = $target_dir . $file;
                 // Remove temp file if it is older than the max age and is not the current file
                 if (preg_match('/\\.part$/', $file) && filemtime($tmp_file_path) < time() - $maxFileAge && $tmp_file_path != "{$file_path}.part") {
                     GFCommon::log_debug("GFAsyncUpload::upload() - Deleting file: " . $tmp_file_path);
                     @unlink($tmp_file_path);
                 }
             }
             closedir($dir);
         } else {
             GFCommon::log_debug("GFAsyncUpload::upload() - Failed to open temp directory: " . $target_dir);
             die('{"status" : "error", "error" : {"code": 100, "message": "' . __("Failed to open temp directory.", "gravityforms") . '"}}');
         }
     }
     // Look for the content type header
     if (isset($_SERVER["HTTP_CONTENT_TYPE"])) {
         $contentType = $_SERVER["HTTP_CONTENT_TYPE"];
     }
     if (isset($_SERVER["CONTENT_TYPE"])) {
         $contentType = $_SERVER["CONTENT_TYPE"];
     }
     // Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
     if (strpos($contentType, "multipart") !== false) {
         if (isset($_FILES["file"]['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
             // Open temp file
             $out = @fopen("{$file_path}.part", $chunk == 0 ? "wb" : "ab");
             if ($out) {
                 // Read binary input stream and append it to temp file
                 $in = @fopen($_FILES["file"]['tmp_name'], "rb");
                 if ($in) {
                     while ($buff = fread($in, 4096)) {
                         fwrite($out, $buff);
                     }
                 } else {
                     die('{"status" : "error", "error" : {"code": 101, "message": "' . __("Failed to open input stream.", "gravityforms") . '"}}');
                 }
                 @fclose($in);
                 @fclose($out);
                 @unlink($_FILES["file"]['tmp_name']);
             } else {
                 die('{"status" : "error", "error" : {"code": 102, "message": "' . __("Failed to open output stream.", "gravityforms") . '"}}');
             }
         } else {
             die('{"status" : "error", "error" : {"code": 103, "message": "' . __("Failed to move uploaded file.", "gravityforms") . '"}}');
         }
     } else {
         // Open temp file
         $out = @fopen("{$file_path}.part", $chunk == 0 ? "wb" : "ab");
         if ($out) {
             // Read binary input stream and append it to temp file
             $in = @fopen("php://input", "rb");
             if ($in) {
                 while ($buff = fread($in, 4096)) {
                     fwrite($out, $buff);
                 }
             } else {
                 die('{"status" : "error", "error" : {"code": 101, "message": "' . __("Failed to open input stream.", "gravityforms") . '"}}');
             }
             @fclose($in);
             @fclose($out);
         } else {
             die('{"status" : "error", "error" : {"code": 102, "message": "' . __("Failed to open output stream.", "gravityforms") . '"}}');
         }
     }
     // Check if file has been uploaded
     if (!$chunks || $chunk == $chunks - 1) {
         // Strip the temp .part suffix off
         rename("{$file_path}.part", $file_path);
     }
     $uploaded_filename = $_FILES["file"]["name"];
     $output = '{"status" : "ok", "data" : {"temp_filename" : "' . $tmp_file_name . '", "uploaded_filename" : "' . $uploaded_filename . '"}}';
     GFCommon::log_debug(sprintf("GFAsyncUpload::upload() - File upload complete. temp_filename: %s  uploaded_filename: %s ", $tmp_file_name, $uploaded_filename));
     die($output);
 }