Esempio n. 1
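/**
 * Saves $output to $filename and, when $VerboseGenerate is set, echoes progress.
 *
 * The file is first opened exactly as given. If that fails, a second attempt
 * is made on fixpath($Paths['pivot_path'] . $filename), using the same $mode.
 * Open and write failures are reported through debug() and, in verbose mode,
 * echoed as well. Nothing is returned.
 *
 * @param string $filename Path to write. It is used as given: this function
 *                         does no validation, so callers must not build it
 *                         from request data without checking it first.
 * @param string $output   Data to write.
 * @param string $mode     fopen() mode; 'w' truncates, 'a' appends.
 * @return void
 */
function write_file($filename, $output, $mode = 'w')
{
    global $Paths, $VerboseGenerate;

    // The name is echoed into an HTML page, so encode it for that context.
    $shown_name = htmlspecialchars($filename, ENT_QUOTES);

    if ($VerboseGenerate) {
        echo lang('general', 'write') . ": " . $shown_name . "<br />\n";
    }

    // Try the path as given, then relative to the Pivot directory. The
    // fallback honours $mode too, so an append request never truncates.
    $fh = @fopen($filename, $mode);
    if (!$fh) {
        $fh = @fopen(fixpath($Paths['pivot_path'] . $filename), $mode);
    }

    // if opening failed it's no reason to continue
    if (!$fh) {
        debug("Unable to open (handle to) {$filename} - can not write to file");
        if ($VerboseGenerate) {
            echo lang('general', 'write_open_error') . ": " . $shown_name . "<br />\n";
        }
        return;
    }

    // fwrite() returns 0 for an empty $output, which is not an error, so
    // only false or a short write counts as a failure.
    $data = (string) $output;
    $written = fwrite($fh, $data);
    if ($written === false || $written < strlen($data)) {
        debug("Unable to write to {$filename} - file may be incomplete");
        if ($VerboseGenerate) {
            echo lang('general', 'write_write_error') . ": " . $shown_name . "<br />\n";
        }
    }
    fclose($fh);

    // NOTE(review): when the fallback path was the one opened, this still
    // passes the original $filename - confirm chmod_file() resolves it to the
    // same file.
    chmod_file($filename);
}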
Esempio n. 2
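$tbkey_debug = false;
include_once "../../pv_core.php";
$keydir = $Paths["pivot_path"] . "db/tbkeys/";

// Everything read from $_GET and the request headers is client-controlled.
// Read it once, with defaults, so a missing or array-valued parameter cannot
// raise notices or end up in the URL as "Array".
$tbkey_id = (isset($_GET["id"]) && is_scalar($_GET["id"])) ? (string) $_GET["id"] : "";
$tbkey_referer = isset($_SERVER["HTTP_REFERER"]) ? (string) $_SERVER["HTTP_REFERER"] : "";
$tbkey_server = isset($_SERVER["SERVER_NAME"]) ? strtolower((string) $_SERVER["SERVER_NAME"]) : "";
$tbkey_remote = isset($_SERVER["REMOTE_ADDR"]) ? (string) $_SERVER["REMOTE_ADDR"] : "";

// The id is URL-encoded so it cannot add parameters or markup to the link.
$tburl = $Paths["host"] . $Paths["pivot_url"] . "tb.php?tb_id=" . urlencode($tbkey_id) . "&amp;key=";

// Compare the *host* of the Referer with this server's name (same host or a
// subdomain of it). A plain substring search would also accept a foreign URL
// that merely mentions the server name in its path or query string.
// The Referer header is sent by the client and may be forged or stripped, so
// this is a spam deterrent, not an authentication check.
$tbkey_ref_host = strtolower((string) parse_url($tbkey_referer, PHP_URL_HOST));
$tbkey_same_site = $tbkey_ref_host !== "" && $tbkey_server !== ""
    && ($tbkey_ref_host === $tbkey_server
        || substr($tbkey_ref_host, -strlen("." . $tbkey_server)) === "." . $tbkey_server);

if (!$tbkey_same_site) {
    // Creating a bogus key: it is never stored in $keydir
    $tbkey = md5(microtime());
    debug("hardened trackbacks: illegal request - creating bogus key");
} else {
    makedir($keydir);
    // NOTE(review): address, id and time can be known to the requester, so the
    // key is only as unpredictable as $Cfg['server_spam_key'] - confirm that
    // value is long and random per installation. md5() yields hex digits only,
    // so the key is safe to use as a file name.
    $tbkey = md5($Cfg['server_spam_key'] . $tbkey_remote . $tbkey_id . time());
    if (!touch($keydir . $tbkey)) {
        debug("hardened trackbacks: directory {$keydir} isn't writable - can't create key");
    } else {
        chmod_file($keydir . $tbkey);
    }
}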
// Sweep the key directory: every run of this script removes key files that
// have outlived their 15 minute validity window.
// Getting the time offset between the web and file server (if there is any)
$offset = timediffwebfile($tbkey_debug);
// delete keys older than 15 minutes
$nNow = time();
// NOTE(review): the result of opendir() is not checked before readdir() is
// called on it; if $keydir is missing or unreadable, $handle is false here.
$handle = opendir($keydir);
while (false !== ($file = readdir($handle))) {
    $filepath = $keydir . $file;
    // Skip sub-directories (this also covers "." and "..") and the
    // index.html placeholder; every other entry is treated as a key file.
    if (!is_dir($filepath) && $file != "index.html") {
        // Age in seconds, taken from the file's ctime.
        $Diff = $nNow - filectime($filepath);
        // 60 * 15 = 15 minutes, widened by the web/file server clock offset.
        // Nothing is deleted while $tbkey_debug is switched on.
        if ($Diff > 60 * 15 + $offset && $tbkey_debug != true) {
            unlink($filepath);
        }
    }
    // NOTE(review): this listing stops here; the end of the while loop is not shown.
Esempio n. 3
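 /**
  * bool save_file ( string path[, int overwrite_mode] );
  *
  * Cleans up the uploaded file's name, appends ".file" to any name whose
  * extension is not on the allow-list, applies the overwrite policy and only
  * then moves the upload from PHP's temp location into $path.
  *
  * The extension check runs BEFORE move_uploaded_file(), so the name that
  * reaches the disk is the neutralised one, not just the name kept in
  * $this->file.
  *
  * @param string     $path           Upload directory; a trailing "/" is added if missing.
  * @param int|string $overwrite_mode 1 = overwrite an existing file
  *                                   2 = keep both (file.txt is stored as file_copy1.txt, file_copy2.txt, ...)
  *                                   anything else (default 3) = do nothing if the file exists
  * @return bool true when the upload was moved into place. false otherwise:
  *              $this->error was already set, or it is now set from
  *              get_error(3) (upload not accepted), get_error(4) (file
  *              exists) or get_error(5) (move failed).
  */
 function save_file($path, $overwrite_mode = "3")
 {
     // An earlier step already failed; leave the filesystem alone.
     if ($this->error) {
         return false;
     }

     if (strlen($path) > 0 && substr($path, -1) != "/") {
         $path .= "/";
     }
     $this->path = $path;

     if (!$this->accepted) {
         $this->error = $this->get_error(3);
         return false;
     }

     // Clean up the client-supplied name: lowercase, spaces and "%20" become
     // underscores, then only a-z, 0-9, dot, underscore and hyphen survive.
     // No "/" or "\" is left, so the name cannot point outside $this->path.
     $name = str_replace(array("%20", " "), "_", strtolower($this->file["name"]));
     $this->file["name"] = preg_replace('/[^a-z0-9._-]/', '', $name);

     // Clean up text file breaks
     // NOTE(review): "type" presumably is the MIME type reported by the
     // client - confirm; it should not be relied on for security decisions.
     if (stristr($this->file["type"], "text")) {
         $this->cleanup_text_file($this->file["tmp_name"]);
     }

     // The former "$ext" override that stood here is gone: $ext was never
     // assigned before that test, so the branch could not run.
     if (!isset($this->file["extention"])) {
         $this->file["extention"] = "";
     }

     // Split the name into raw_name (without extension) and extention.
     if (preg_match('/\.[a-z0-9]{2,5}\z/', $this->file["name"])) {
         $pos = strrpos($this->file["name"], ".");
         if (!$this->file["extention"]) {
             $this->file["extention"] = substr($this->file["name"], $pos);
         }
         $this->file['raw_name'] = substr($this->file["name"], 0, $pos);
     } else {
         $this->file['raw_name'] = $this->file["name"];
         if ($this->file["extention"]) {
             $this->file["name"] .= $this->file["extention"];
         }
     }

     $mode = (int) $overwrite_mode;
     if ($mode === 2) {
         // Mode 2 always stores raw_name + suffix + extention, so that is the
         // name the extension check below has to look at.
         $this->file["name"] = $this->file['raw_name'] . $this->file["extention"];
     }

     // Check if the uploaded file is something that could be used as an
     // exploit; if so, add a .file extension. (Addition by Bob.)
     // NOTE(review): only the final extension is vetted. Script execution
     // should be disabled for the upload directory, and the web server must
     // not map inner extensions of multi-dot names to a handler.
     // NOTE(review): htm, html, xml, svg and swf are active content that a
     // browser runs in this site's origin when served from the upload
     // directory - confirm they are meant to be allowed.
     $allowed_extensions = explode(",", "gif,jpg,jpeg,png,pdf,ppt,tif,tiff,xls,csv,doc,txt,zip,rar,mp3,wmv,mpg,mpeg,avi,mov,htm,html,xml,swf,flv,svg");
     // An empty name is left alone so that the move below fails as before.
     if ($this->file["name"] !== "" && !in_array(getextension($this->file["name"]), $allowed_extensions, true)) {
         // Keep raw_name + extention equal to name for the mode 2 logic.
         $this->file['raw_name'] = $this->file["name"];
         $this->file["extention"] = ".file";
         $this->file["name"] .= ".file";
     }

     // Apply the overwrite policy.
     // NOTE(review): file_exists() followed by a move is not atomic; two
     // simultaneous uploads of the same name can still collide.
     switch ($mode) {
         case 1:
             // overwrite mode
             break;
         case 2:
             // create new with incremental suffix
             $copy = "";
             $n = 1;
             while (file_exists($this->path . $this->file['raw_name'] . $copy . $this->file["extention"])) {
                 $copy = "_copy" . $n;
                 $n++;
             }
             $this->file["name"] = $this->file['raw_name'] . $copy . $this->file["extention"];
             break;
         default:
             // do nothing if exists, highest protection
             if (file_exists($this->path . $this->file["name"])) {
                 $this->error = $this->get_error(4);
                 unset($this->file['tmp_name']);
                 return false;
             }
             break;
     }

     $destination = $this->path . $this->file["name"];
     if (!@move_uploaded_file($this->file["tmp_name"], $destination)) {
         $this->error = $this->get_error(5);
         unset($this->file['tmp_name']);
         return false;
     }
     chmod_file($destination);

     return true;
 }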