Safe::header('Status: 401 Unauthorized', TRUE, 401);
Logger::error(i18n::s('You are not allowed to perform this operation.'));
// process uploaded data
} elseif (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == 'POST') {
// nothing has been uploaded
if (!$_FILES['upload']['name'] || $_FILES['upload']['name'] == 'none') {
Logger::error(i18n::s('Nothing has been received.'));
} else {
// access the temporary uploaded file
$id = $_FILES['upload']['tmp_name'];
$name = $_FILES['upload']['name'];
// zero bytes transmitted
$_REQUEST['file_size'] = $_FILES['upload']['size'];
if (!$_FILES['upload']['size']) {
Logger::error(i18n::s('Nothing has been received.'));
} elseif (!Safe::is_uploaded_file($id)) {
Logger::error(i18n::s('Possible file attack.'));
}
}
// look in archives available locally
} else {
if (isset($_REQUEST['id'])) {
$id = $_REQUEST['id'];
} elseif (isset($context['arguments'][0])) {
$id = $context['arguments'][0];
}
// fight against hackers
$id = preg_replace(FORBIDDEN_IN_PATHS, '', strip_tags($id));
$name = basename($id);
// scope is limited to the inbox
if ($id) {
$enclosure = '"';
break;
case 'single':
$enclosure = "'";
break;
}
}
// no table name has been provided
if (!$_REQUEST['table_name']) {
$context['text'] .= '<p>' . i18n::s('No table name has been provided.') . "</p>\n";
} elseif (!$_FILES['upload']['name'] || $_FILES['upload']['name'] == 'none') {
$context['text'] .= '<p>' . i18n::s('Nothing has been received.') . "</p>\n";
} elseif (!$_FILES['upload']['size']) {
$context['text'] .= '<p>' . i18n::s('Nothing has been received.') . "</p>\n";
// check provided upload name
} elseif (!Safe::is_uploaded_file($_FILES['upload']['tmp_name'])) {
$context['text'] .= '<p>' . i18n::s('Possible file attack.') . "</p>\n";
} elseif (!($handle = Safe::fopen($_FILES['upload']['tmp_name'], 'rb'))) {
$context['text'] .= '<p>' . sprintf(i18n::s('Impossible to read %s.'), $_FILES['upload']['tmp_name']) . "</p>\n";
} elseif (!($tokens = fgetcsv($handle, 2048, $delimiter, $enclosure))) {
$context['text'] .= '<p>' . sprintf(i18n::s('No headers to read from %s.'), $_FILES['upload']['name']) . "</p>\n";
} else {
// importing data
$context['text'] .= '<p>' . sprintf(i18n::s('Importing data into %s from %s...'), $_REQUEST['table_name'], $_FILES['upload']['name']) . "</p>\n";
// ensure enough execution time
Safe::set_time_limit(30);
// drop the table, if it already exists
$query = "DROP TABLE IF EXISTS " . SQL::escape($_REQUEST['table_name']);
SQL::query($query);
// create a table
$query = "CREATE TABLE " . SQL::escape($_REQUEST['table_name']) . " (\n";
/**
* process uploaded file
*
* This function processes files from the temporary directory, and put them at their definitive
* place.
*
* It returns FALSE if there is a disk error, or if some virus has been detected, or if
* the operation fails for some other reason (e.g., file size).
*
* @param array usually, $_FILES['upload']
* @param string target location for the file
* @param mixed reference to the target anchor, of a function to parse every file individually
* @return mixed file name or array of file names or FALSE if an error has occured
*/
public static function upload($input, $file_path, $target = NULL, $overlay = NULL)
{
global $context, $_REQUEST;
// size exceeds php.ini settings -- UPLOAD_ERR_INI_SIZE
if (isset($input['error']) && $input['error'] == 1) {
Logger::error(i18n::s('The size of this file is over limit.'));
} elseif (isset($input['error']) && $input['error'] == 2) {
Logger::error(i18n::s('The size of this file is over limit.'));
} elseif (isset($input['error']) && $input['error'] == 3) {
Logger::error(i18n::s('No file has been transmitted.'));
} elseif (isset($input['error']) && $input['error'] == 4) {
Logger::error(i18n::s('No file has been transmitted.'));
} elseif (!$input['size']) {
Logger::error(i18n::s('No file has been transmitted.'));
}
// do we have a file?
if (!isset($input['name']) || !$input['name'] || $input['name'] == 'none') {
return FALSE;
}
// access the temporary uploaded file
$file_upload = $input['tmp_name'];
// $_FILES transcoding to utf8 is not automatic
$input['name'] = utf8::encode($input['name']);
// enhance file name
$file_name = $input['name'];
$file_extension = '';
$position = strrpos($input['name'], '.');
if ($position !== FALSE) {
$file_name = substr($input['name'], 0, $position);
$file_extension = strtolower(substr($input['name'], $position + 1));
}
$input['name'] = $file_name;
if ($file_extension) {
$input['name'] .= '.' . $file_extension;
}
// ensure we have a file name
$file_name = utf8::to_ascii($input['name']);
// uploads are not allowed
if (!Surfer::may_upload()) {
Logger::error(i18n::s('You are not allowed to perform this operation.'));
} elseif (!Files::is_authorized($input['name'])) {
Logger::error(i18n::s('This type of file is not allowed.'));
} elseif ($file_path && !Safe::is_uploaded_file($file_upload)) {
Logger::error(i18n::s('Possible file attack.'));
} else {
// create folders
if ($file_path) {
Safe::make_path($file_path);
}
// sanity check
if ($file_path && $file_path[strlen($file_path) - 1] != '/') {
$file_path .= '/';
}
// move the uploaded file
if ($file_path && !Safe::move_uploaded_file($file_upload, $context['path_to_root'] . $file_path . $file_name)) {
Logger::error(sprintf(i18n::s('Impossible to move the upload file to %s.'), $file_path . $file_name));
} else {
// process the file where it is
if (!$file_path) {
$file_path = str_replace($context['path_to_root'], '', dirname($file_upload));
$file_name = basename($file_upload);
}
// check against viruses
$result = Files::has_virus($context['path_to_root'] . $file_path . '/' . $file_name);
// no virus has been found in this file
if ($result == 'N') {
$context['text'] .= Skin::build_block(i18n::s('No virus has been found.'), 'note');
}
// this file has been infected!
if ($result == 'Y') {
// delete this file immediately
Safe::unlink($file_path . '/' . $file_name);
Logger::error(i18n::s('This file has been infected by a virus and has been rejected!'));
return FALSE;
}
// explode a .zip file
include_once $context['path_to_root'] . 'shared/zipfile.php';
if (preg_match('/\\.zip$/i', $file_name) && isset($_REQUEST['explode_files'])) {
$zipfile = new zipfile();
// check files extracted from the archive file
function explode_callback($name)
{
global $context;
// reject all files put in sub-folders
if (($path = substr($name, strlen($context['uploaded_path'] . '/'))) && strpos($path, '/') !== FALSE) {
Safe::unlink($name);
} elseif (!Files::is_authorized($name)) {
Safe::unlink($name);
} else {
// make it easy to download
$ascii = utf8::to_ascii(basename($name));
Safe::rename($name, $context['uploaded_path'] . '/' . $ascii);
// remember this name
$context['uploaded_files'][] = $ascii;
}
}
// extract archive components and save them in mentioned directory
$context['uploaded_files'] = array();
$context['uploaded_path'] = $file_path;
if (!($count = $zipfile->explode($context['path_to_root'] . $file_path . '/' . $file_name, $file_path, '', 'explode_callback'))) {
Logger::error(sprintf('Nothing has been extracted from %s.', $file_name));
return FALSE;
}
// one single file has been uploaded
} else {
$context['uploaded_files'] = array($file_name);
}
// ensure we know the surfer
Surfer::check_default_editor($_REQUEST);
// post-process all uploaded files
foreach ($context['uploaded_files'] as $file_name) {
// this will be filtered by umask anyway
Safe::chmod($context['path_to_root'] . $file_path . $file_name, $context['file_mask']);
// invoke post-processing function
if ($target && is_callable($target)) {
call_user_func($target, $file_name, $context['path_to_root'] . $file_path);
// we have to update an anchor page
} elseif ($target && is_string($target)) {
$fields = array();
// update a file with the same name for this anchor
if ($matching =& Files::get_by_anchor_and_name($target, $file_name)) {
$fields['id'] = $matching['id'];
} elseif (isset($input['id']) && ($matching = Files::get($input['id']))) {
$fields['id'] = $matching['id'];
// silently delete the previous version of the file
if (isset($matching['file_name'])) {
Safe::unlink($file_path . '/' . $matching['file_name']);
}
}
// prepare file record
$fields['file_name'] = $file_name;
$fields['file_size'] = filesize($context['path_to_root'] . $file_path . $file_name);
$fields['file_href'] = '';
$fields['anchor'] = $target;
// change title
if (isset($_REQUEST['title'])) {
$fields['title'] = $_REQUEST['title'];
}
// change has been documented
if (!isset($_REQUEST['version']) || !$_REQUEST['version']) {
$_REQUEST['version'] = '';
} else {
$_REQUEST['version'] = ' - ' . $_REQUEST['version'];
}
// always remember file uploads, for traceability
$_REQUEST['version'] = $fields['file_name'] . ' (' . Skin::build_number($fields['file_size'], i18n::s('bytes')) . ')' . $_REQUEST['version'];
// add to file history
$fields['description'] = Files::add_to_history($matching, $_REQUEST['version']);
// if this is an image, maybe we can derive a thumbnail for it?
if (Files::is_image($file_name)) {
include_once $context['path_to_root'] . 'images/image.php';
Image::shrink($context['path_to_root'] . $file_path . $file_name, $context['path_to_root'] . $file_path . 'thumbs/' . $file_name);
if (file_exists($context['path_to_root'] . $file_path . 'thumbs/' . $file_name)) {
$fields['thumbnail_url'] = $context['url_to_home'] . $context['url_to_root'] . $file_path . 'thumbs/' . rawurlencode($file_name);
}
}
// change active_set
if (isset($_REQUEST['active_set'])) {
$fields['active_set'] = $_REQUEST['active_set'];
}
// change source
if (isset($_REQUEST['source'])) {
$fields['source'] = $_REQUEST['source'];
}
// change keywords
if (isset($_REQUEST['keywords'])) {
$fields['keywords'] = $_REQUEST['keywords'];
}
// change alternate_href
if (isset($_REQUEST['alternate_href'])) {
$fields['alternate_href'] = $_REQUEST['alternate_href'];
}
// overlay, if any
if (is_object($overlay)) {
// allow for change detection
$overlay->snapshot();
// update the overlay from form content
$overlay->parse_fields($_REQUEST);
// save content of the overlay in this item
$fields['overlay'] = $overlay->save();
$fields['overlay_id'] = $overlay->get_id();
}
// create the record in the database
if (!($fields['id'] = Files::post($fields))) {
return FALSE;
}
// record surfer activity
Activities::post('file:' . $fields['id'], 'upload');
}
}
// so far so good
if (count($context['uploaded_files']) == 1) {
return $context['uploaded_files'][0];
} else {
return $context['uploaded_files'];
}
}
}
// some error has occured
return FALSE;
}
// manage the upload
} else {
// process uploaded data
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == 'POST') {
// nothing has been uploaded
if (!isset($_FILES['upload']['name']) || !$_FILES['upload']['name'] || $_FILES['upload']['name'] == 'none') {
Logger::error(i18n::s('Nothing has been received.'));
} else {
// access the temporary uploaded file
$temporary = $_FILES['upload']['tmp_name'];
$name = $_FILES['upload']['name'];
// zero bytes transmitted
$_REQUEST['file_size'] = $_FILES['upload']['size'];
if (!$_FILES['upload']['size']) {
Logger::error(i18n::s('Nothing has been received.'));
} elseif (!Safe::is_uploaded_file($temporary)) {
Logger::error(i18n::s('Possible file attack.'));
}
// not yet a success
$success = FALSE;
// ensure file exists
if (!is_readable($temporary)) {
Logger::error(sprintf(i18n::s('Impossible to read %s.'), basename($temporary)));
} elseif (!preg_match('/\\.(bz2*|tar\\.gz|tgz|zip)$/i', $name)) {
$success = Safe::move_uploaded_file($temporary, $name);
} elseif (isset($name) && preg_match('/\\.zip$/i', $name)) {
include_once '../shared/zipfile.php';
$zipfile = new zipfile();
// extract archive components and save them in mentioned directory
if ($count = $zipfile->explode($temporary, $context['path_to_root'])) {
$context['text'] .= '<p>' . sprintf(i18n::s('%d files have been extracted.'), $count) . "</p>\n";
