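/**
 * Store an uploaded file below CL_ROOT/$ziel and, when a project is given,
 * register it in the database via add_file() and log the upload.
 *
 * The stored file name is rebuilt from scratch rather than taken from the
 * client: the base name is transliterated (German umlauts), reduced to
 * [_0-9a-zA-Z] ("-" is dropped), cut to 200 characters and suffixed with a
 * random number; the extension is lower-cased and reduced to [0-9a-z].
 * A name without a dot is stored without an extension.
 *
 * Anything the web server might execute -- an extension containing "php"
 * (php, php5, phps, ...) or one of phtml, pht, phar, inc, shtml, cgi, pl,
 * htaccess -- is renamed to .txt and recorded as text/plain so it is served
 * as plain text. This is a deny-list; if the caller knows which file types
 * it expects, an allow-list check before calling upload() is the safer design.
 * Browser-rendered types (html, svg, xml) are NOT neutralised and can carry
 * scripts when served from the application's origin.
 *
 * The MIME type comes from the client ($_FILES[..]['type']) and is merely
 * stored; it must not be trusted for any security decision.
 *
 * Form fields read besides $fname: "<fname>-title", "<fname>-tags", "desc"
 * and "visible" (serialised into the record when its first entry is set).
 *
 * @param string $fname   Name of the HTML form field the file was POSTed in
 * @param string $ziel    Destination directory relative to CL_ROOT. It is
 *                        concatenated unchanged into the target path, so it
 *                        must be a fixed, trusted value -- a caller-supplied
 *                        value would allow writing outside the upload area.
 * @param int    $project Project ID; when > 0 the file is added to the
 *                        database and the upload is logged
 * @param int    $folder  Folder ID passed through to add_file()
 * @return int|string|false File ID from add_file() when $project > 0, the
 *                          stored file name when $project is 0, or false when
 *                          no file was sent, PHP reported an upload error, the
 *                          target name already exists or the move failed
 */
function upload($fname, $ziel, $project, $folder = 0)
{
    $upload = isset($_FILES[$fname]) ? $_FILES[$fname] : array();
    $name = isset($upload['name']) ? (string) $upload['name'] : '';
    if ($name === '') {
        return false;
    }

    // Refuse anything PHP itself flagged (partial upload, size limit hit, ...);
    // tmp_name is not a usable file in those cases.
    $uploadError = isset($upload['error']) ? (int) $upload['error'] : UPLOAD_ERR_NO_FILE;
    if ($uploadError !== UPLOAD_ERR_OK) {
        return false;
    }

    $tmpName = isset($upload['tmp_name']) ? $upload['tmp_name'] : '';
    $typ = isset($upload['type']) ? $upload['type'] : '';

    $title = isset($_POST[$fname . '-title']) ? $_POST[$fname . '-title'] : '';
    $tags = isset($_POST[$fname . '-tags']) ? $_POST[$fname . '-tags'] : '';
    $desc = isset($_POST['desc']) ? $_POST['desc'] : '';

    // Visibility is stored serialised, but only when the first entry is set.
    // serialize() of POST data yields arrays/strings only, so unserialising it
    // later cannot instantiate objects -- still, keep it to arrays of IDs.
    $visible = isset($_POST['visible']) ? $_POST['visible'] : null;
    $visstr = !empty($visible[0]) ? serialize($visible) : '';

    $tagobj = new tags();
    $tags = $tagobj->formatInputTags($tags);

    // Split on the last dot; a name without a dot has no extension
    // (previously "README" became "_<rand>.README").
    $dot = strrpos($name, '.');
    if ($dot === false) {
        $base = $name;
        $ext = '';
    } else {
        $base = substr($name, 0, $dot);
        $ext = substr($name, $dot + 1);
    }

    // The extension ends up in the path, so restrict it to plain alphanumerics
    // (no "/", spaces or control characters) and normalise case.
    $ext = strtolower(preg_replace('/[^0-9a-zA-Z]/', '', $ext));

    // Never store something the web server might execute: "php" anywhere in
    // the extension (php, php3, php5, php7, phps, ...) plus the usual handler
    // extensions. The file becomes plain text instead.
    $executable = array('phtml', 'pht', 'phar', 'inc', 'shtml', 'cgi', 'pl', 'htaccess');
    if (strpos($ext, 'php') !== false || in_array($ext, $executable, true)) {
        $ext = 'txt';
        $typ = 'text/plain';
    }

    // Base name: transliterate umlauts, drop "-", replace everything else
    // outside [_0-9a-zA-Z] with "_", then cap the length.
    $base = str_replace(
        array('ä', 'ö', 'ü', 'ß', 'Ä', 'Ö', 'Ü'),
        array('ae', 'oe', 'ue', 'ss', 'Ae', 'Oe', 'Ue'),
        $base
    );
    $base = str_replace('-', '', $base);
    $base = preg_replace('/[^_0-9a-zA-Z]/', '_', $base);
    if (strlen($base) > 200) {
        $base = substr($base, 0, 200);
    }

    // Random suffix so a client cannot pick (or predict) the stored name.
    $randval = random_int(1, 99999);
    $finalName = $base . '_' . $randval . ($ext === '' ? '' : '.' . $ext);

    $relativePath = $ziel . '/' . $finalName;
    $absolutePath = CL_ROOT . '/' . $relativePath;

    if (file_exists($absolutePath)) {
        return false;
    }
    // move_uploaded_file() only moves a genuine upload of this request.
    if (!move_uploaded_file($tmpName, $absolutePath)) {
        return false;
    }

    // Uploads are data, not programs: no execute bit (the previous 0755 made
    // every upload executable). Applied for every stored file, not only those
    // registered in the database.
    chmod($absolutePath, 0644);

    if ($project <= 0) {
        // No project: deliberately not registered in the database.
        return $finalName;
    }

    $fid = $this->add_file($finalName, $desc, $project, 0, "{$tags}", $relativePath, "{$typ}", $title, $folder, $visstr);
    $this->mylog->add(!empty($title) ? $title : $finalName, 'file', 1, $project);

    return $fid;
}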
$template->assign("title", $title); $template->assign("file", $file); $template->assign("projectname", $projectname); $template->display("editfileform.tpl"); } elseif ($action == "edit") { if (!$userpermissions["files"]["edit"]) { $errtxt = $langfile["nopermission"]; $noperm = $langfile["accessdenied"]; $template->assign("errortext", "<h2>$errtxt</h2><br>$noperm"); $template->display("error.tpl"); die(); } $tagobj = new tags(); $tags = $tagobj->formatInputTags($tags); if ($myfile->edit($thisfile, $title, $desc, $tags)) { $loc = $url .= "managefile.php?action=showproject&id=$id&mode=edited"; header("Location: $loc"); } } elseif ($action == "delete") { if (!$userpermissions["files"]["del"]) { $errtxt = $langfile["nopermission"]; $noperm = $langfile["accessdenied"]; $template->assign("errortext", "<h2>$errtxt</h2><br>$noperm"); $template->display("error.tpl"); die(); } if ($myfile->loeschen($thisfile)) { echo "ok"; }
$fin = array("val" => $lang, "str" => $lang2); } array_push($languages_fin, $fin); } $template->assign("languages_fin", $languages_fin); $user = $user->getProfile($id); $roleobj = (object) new roles(); $roles = $roleobj->getAllRoles(); $title = $langfile['useradministration']; $template->assign("title", $title); $template->assign("user", $user); $template->assign("roles", $roles); $template->display("edituseradminform.tpl"); } elseif ($action == "edituser") { $thetag = new tags(); $tags = $thetag->formatInputTags($tags); $roleobj = new roles(); $roleobj->assign($role, $id); if ($id == $userid) { $_SESSION['userlocale'] = $locale; $_SESSION['username'] = $name; } if (!isset($isadmin)) { $isadmin = 1; } // Upload of avatar if (!empty($_FILES['userfile']['name'])) { $fname = $_FILES['userfile']['name']; $typ = $_FILES['userfile']['type']; $size = $_FILES['userfile']['size']; $tmp_name = $_FILES['userfile']['tmp_name'];