コード例 #1
ファイル: upload.php プロジェクト: natepixel/reason_package
 /**
  * Normalises an uploaded file's name into a form that is safe to store and serve.
  *
  * Thin wrapper: all of the work is delegated to sanitize_filename_for_web_hosting(),
  * so this method is the single place a subclass would override to change the policy.
  *
  * @access protected
  * @param string $filename the name of an uploaded file (as supplied by the client)
  * @return string the cleaned-up filename
  */
 function _clean_filename($filename)
 {
     $safe_name = sanitize_filename_for_web_hosting($filename);

     return $safe_name;
 }
 /**
  * Error-check hook for the media form: processes a freshly uploaded file or a
  * server-side import, then validates delivery method / URL settings.
  *
  * Nothing is returned; problems are surfaced through $this->manager, which is
  * polled with _has_errors() after each stage (the callees are presumably the
  * ones that record errors — confirm against their implementations).
  *
  * @access protected
  * @return void
  */
 function _run_error_checks_callback()
 {
     $this->write_delivery_methods_to_fields();
     $this->set_default_delivery_method();
     $this->check_parts_input();
     $file_uploaded = false;
     if ($this->manager->_is_element('upload_file')) {
         $file = $this->manager->get_element('upload_file');
         // only act on a file that is actually on disk in one of the two "not yet stored" states
         if (($file->state == 'received' or $file->state == 'pending') and file_exists($file->tmp_full_path)) {
             // name our file with the friendly uploaded file name
             // $file->file['name'] is presumably the client-supplied upload name (untrusted);
             // it is sanitised before being joined into a path so it cannot escape the temp directory
             $new_filename = sanitize_filename_for_web_hosting($file->file['name']);
             $new_path = dirname($file->tmp_full_path) . '/' . $new_filename;
             // NOTE(review): copy()'s return value is not checked; a failed copy still
             // proceeds to transfer_uploaded_file() with a path that does not exist
             copy($file->tmp_full_path, $new_path);
             $file_uploaded = true;
             $user = new entity($this->manager->admin_page->user_id);
             // the transfer class is chosen by a property, so subclasses can swap the backend
             $stream = new $this->file_transfer_utility_class($user->get_value('name'), $new_path);
             $this->check_if_file_has_been_previously_imported($stream, $user);
             if (!$this->manager->_has_errors()) {
                 // hand the renamed copy off and drop the original temp file
                 $this->transfer_uploaded_file($stream, $user, $new_path);
                 unlink($file->tmp_full_path);
             } else {
                 // keep the original temp file (the form may be resubmitted); discard the copy
                 unlink($new_path);
             }
         }
     }
     // import_file path: only taken when no upload was handled above
     if (!$file_uploaded && $this->manager->get_value('import_file')) {
         $user = new entity($this->manager->admin_page->user_id);
         $stream = new $this->file_transfer_utility_class($user->get_value('name'));
         $this->check_if_file_has_been_previously_imported($stream, $user);
         if (!$this->manager->_has_errors()) {
             $this->do_file_import($stream, $user);
         }
     }
     // managed media with delivery methods and a URL set: let the protocol switch run
     if ($this->manager->get_value('reason_managed_media') && $this->manager->get_value('delivery_methods') && $this->manager->get_value('url')) {
         $this->do_protocol_switch();
     }
     // externally hosted (not managed, not imported) media: the user-entered settings need validating
     if (!$this->manager->get_value('reason_managed_media') && !$this->manager->get_value('import_file')) {
         $this->check_delivery_method_sanity();
         $this->check_url_sanity();
     }
 }
コード例 #3
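 /**
  * Copies the object's local media file into the entity's directory on the streaming server.
  *
  * The remote file name is the sanitised basename of the local file, and the resulting
  * destination path must pass _check_for_allowed_path() before anything is transferred.
  * On failure the reason is stored in $this->last_error and written to the error log.
  *
  * @param mixed $entity_id id of the entity the media belongs to; nothing happens when empty
  * @param string $new_local_file optional path that replaces $this->local_file for this call
  * @return int 1 on success, 0 when nothing could be done or the copy failed
  */
 function place_local_media($entity_id = "", $new_local_file = "")
 {
     // ssh is null if the streaming object is incomplete (no netid or no streaming_media folder);
     // every early exit returns 0 so callers can test the result uniformly
     if ($this->ssh == null) {
         return 0;
     }
     if ($entity_id == "") {
         return 0;
     }
     // if passed a new file, use it instead of the one already configured
     if (strcmp($new_local_file, "") != 0) {
         $this->local_file = $new_local_file;
     }
     if ($this->local_file == "") {
         return 0;
     }
     $entity_prefix = $this->_entity_prefix($entity_id);
     $this->_create_entity_directory($entity_id);
     $this->_move_old_media($entity_id);

     // chop up the local path; the remote name is the sanitised local filename
     $local_path_parts = pathinfo($this->local_file);
     $remote_filename = sanitize_filename_for_web_hosting($local_path_parts['basename']);
     $destination_path = REASON_STREAM_BASE_PATH . REASON_STREAM_DIR . '/' . $entity_prefix . "/" . $entity_id . "/" . $remote_filename;
     // refuse any destination outside the allowed area before touching the remote host
     if (!$this->_check_for_allowed_path($destination_path)) {
         $this->last_error = "streaming_server.php: place_local_media() destination path \"{$destination_path}\" forbidden.";
         error_log($this->last_error);
         return 0;
     }

     // copy the file to its entity location; scp works on directory + basename pairs
     // NOTE(review): the local basename is passed through unsanitised — confirm that
     // _scp_exec_to() quotes/escapes its arguments if it builds a shell command
     $remote_path_parts = pathinfo($destination_path);
     $this->ssh->local_path = $local_path_parts['dirname'];
     $this->ssh->remote_path = $remote_path_parts['dirname'];
     $this->ssh->_scp_exec_to($local_path_parts['basename'], $remote_path_parts['basename']);

     // verify that it exists there
     if (!$this->ssh->remote_file_exists($destination_path)) {
         $this->last_error = "streaming_server.php: place_local_media() copy to destination path \"{$destination_path}\" failed.";
         error_log($this->last_error);
         return 0;
     }
     return 1;
 }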
コード例 #4
ファイル: receive.php プロジェクト: natepixel/reason_package
		}
	}
	
	if (empty($session['files'][$name]))
		$session['files'][$name] = array();
	
	$index = get_next_index($session['files'][$name]);
	$session['files'][$name][$index] = array(
		'name' => $filename,
		'path' => $temp_path,
		'original_path' => $unscaled_path
	);
	
	$response[$name] = array(
		'index' => $index,
		'filename' => sanitize_filename_for_web_hosting($filename),
		'uri' => $temp_uri,
		'size' => $filesize
	);
	
	if ($img_info) {
		$response[$name]['dimensions'] = array(
			'width' => $width,
			'height' => $height
		);
		$response[$name]['orig_dimensions'] = array(
			'width' => $orig_width,
			'height' => $orig_height
		);
	}
}
コード例 #5
ファイル: receive.php プロジェクト: hunter2814/reason_package
     * 	 This next part has been commented out because the final_response function seems unable to handle reuse of one error code with 
     * 	 two different messages (it currently prints out the other error message passed with the 422 code to final_response)
     */
    /*
    if ($img_info)
    {
    	if (!($img_info[0] > REASON_STANDARD_MIN_IMAGE_WIDTH && $img_info[1] > REASON_STANDARD_MIN_IMAGE_HEIGHT))
    		final_response(422, 'Uploaded image dimensions are too small. Please upload another image.');
    } 
    */
    if (empty($session['files'][$name])) {
        $session['files'][$name] = array();
    }
    $index = get_next_index($session['files'][$name]);
    $session['files'][$name][$index] = array('name' => $filename, 'path' => $temp_path, 'original_path' => $unscaled_path);
    $response[$name] = array('index' => $index, 'filename' => sanitize_filename_for_web_hosting($filename), 'uri' => $temp_uri, 'size' => $filesize);
    if ($img_info) {
        $response[$name]['dimensions'] = array('width' => $width, 'height' => $height);
        $response[$name]['orig_dimensions'] = array('width' => $orig_width, 'height' => $orig_height);
    }
}
// Persist the updated per-upload state under this upload's session key, then send
// the accumulated per-file response with a 200 status (final_response presumably
// ends the request — confirm, nothing below relies on it returning).
$reason_session->set(_async_upload_session_key($upload_sid), $session);
final_response(200, $response);
function check_constraints($constraints, $file)
{
    $path = $file->get_temporary_path();
    if (!empty($constraints['mime_types'])) {
        if (!$file->mime_type_matches($constraints['mime_types'])) {
            final_response(415, "File is not of an allowed type.");
        }
    }
コード例 #6
ファイル: asset.php プロジェクト: hunter2814/reason_package
 /**
  * Alter and/or hide the file name field depending upon the state of the asset.
  *
  * - just received: derive a safe, unique name from the uploaded name, store it in the
  *   field and hide the field (takes effect after the redirect)
  * - "existing": the field is left editable and made required
  * - "pending" or "ready" (new): the field is hidden
  *
  * The uploaded name is passed through three stages in order: the "safer" rename of
  * dangerous extensions, the web-hosting sanitiser, then de-duplication within the site.
  */
 function pre_error_check_actions()
 {
     $asset = $this->get_element('asset');

     // on an upload the starting point is the name the browser sent; otherwise the current field value
     if ($asset->state == 'received') {
         $candidate = $asset->file["name"];
     } else {
         $candidate = $this->get_value('file_name');
     }

     if ($candidate) {
         $safer = $this->get_safer_filename($candidate);
         $hosted = sanitize_filename_for_web_hosting($safer);
         $unique = reason_get_unique_asset_filename($hosted, $this->get_value("site_id"), $this->_id);
         $this->set_value('file_name', $unique);
     }

     // an existing valid asset keeps an editable (required) file_name; every other state hides it
     if ($asset->state == 'existing') {
         $this->add_required('file_name');
     } else {
         $this->change_element_type('file_name', 'hidden');
     }
 }
コード例 #7
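/**
 * Gets rid of any non filename-friendly characters and adds ".txt" to extensions
 * thought to be dangerous (server-side script and executable types).
 *
 * It is called "safer" because it does not necessarily stop someone from uploading a
 * file that could be dangerous: if the asset directory is web accessible and
 * executable, there may well be other file types one could upload and execute.
 *
 * The extension lookup is case-insensitive, so "Shell.PHP" is renamed the same way as
 * "shell.php" (some web servers match handler extensions without regard to case).
 * Only the final extension is examined: "a.php.jpg" keeps "jpg". Any directory part of
 * $filename is dropped.
 *
 * @todo the notion of "safer" should be replaced with better security ... whitelist of uploadable extensions probably - add .txt to all others.
 * @param string $filename the uploaded file name
 * @return string the renamed (if needed) and sanitised filename
 */
function _reason_get_safer_asset_filename($filename)
{
    // extensions (lower-case) that are rewritten so the file is served as text
    $unsafe_to_safer = [
        'py' => 'py.txt',
        'php' => 'php.txt',
        'asp' => 'asp.txt',
        'aspx' => 'aspx.txt',
        'pl' => 'pl.txt',
        'shtml' => 'shtml.txt',
        'cfm' => 'cfm.txt',
        'woa' => 'woa.txt',
        'php3' => 'php3.txt',
        'jsp' => 'jsp.txt',
        'js' => 'js.txt',
        'exe' => 'exe.txt',
        'cgi' => 'cgi.txt',
        'vb' => 'vb.txt',
        'bat' => 'bat.txt',
    ];

    // split off the last dot-separated component as the extension
    $parts = explode('.', $filename);
    if (count($parts) <= 1) {
        // no extension at all; basename() drops any directory component
        $name = basename($filename);
        $fext = '';
    } else {
        $fext = array_pop($parts);
        $name = basename($filename, ".{$fext}");
    }

    // match the extension case-insensitively so "PHP" and "Php" are caught too
    $lookup = strtolower($fext);
    if (!empty($unsafe_to_safer[$lookup])) {
        $fext = $unsafe_to_safer[$lookup];
    }

    // strict comparison so a numeric extension such as "0" is not dropped
    if ($fext !== '') {
        $name .= '.' . $fext;
    }

    return sanitize_filename_for_web_hosting($name);
}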