/** * Check the uploaded files and move them to the target directory * * @param string $strTarget * * @return array * * @throws \Exception */ public function uploadTo($strTarget) { if ($strTarget == '' || \Validator::isInsecurePath($strTarget)) { throw new \InvalidArgumentException('Invalid target path ' . $strTarget); } $maxlength_kb = $this->getMaximumUploadSize(); $maxlength_kb_readable = $this->getReadableSize($maxlength_kb); $arrUploaded = array(); $arrFiles = $this->getFilesFromGlobal(); foreach ($arrFiles as $file) { // Sanitize the filename try { $file['name'] = \StringUtil::sanitizeFileName($file['name']); } catch (\InvalidArgumentException $e) { \Message::addError($GLOBALS['TL_LANG']['ERR']['filename']); $this->blnHasError = true; continue; } // Invalid file name if (!\Validator::isValidFileName($file['name'])) { \Message::addError($GLOBALS['TL_LANG']['ERR']['filename']); $this->blnHasError = true; } elseif (!is_uploaded_file($file['tmp_name'])) { if ($file['error'] == 1 || $file['error'] == 2) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filesize'], $maxlength_kb_readable)); $this->blnHasError = true; } elseif ($file['error'] == 3) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filepartial'], $file['name'])); $this->blnHasError = true; } elseif ($file['error'] > 0) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['fileerror'], $file['error'], $file['name'])); $this->blnHasError = true; } } elseif ($file['size'] > $maxlength_kb) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filesize'], $maxlength_kb_readable)); $this->blnHasError = true; } else { $strExtension = strtolower(substr($file['name'], strrpos($file['name'], '.') + 1)); // File type not allowed if (!in_array($strExtension, \StringUtil::trimsplit(',', strtolower(\Config::get('uploadTypes'))))) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filetype'], $strExtension)); $this->blnHasError = true; } else { $this->import('Files'); $strNewFile = $strTarget . '/' . $file['name']; // Set CHMOD and resize if neccessary if ($this->Files->move_uploaded_file($file['tmp_name'], $strNewFile)) { $this->Files->chmod($strNewFile, \Config::get('defaultFileChmod')); // Notify the user \Message::addConfirmation(sprintf($GLOBALS['TL_LANG']['MSC']['fileUploaded'], $file['name'])); $this->log('File "' . $strNewFile . '" has been uploaded', __METHOD__, TL_FILES); // Resize the uploaded image if necessary $this->resizeUploadedImage($strNewFile); $arrUploaded[] = $strNewFile; } } } } return $arrUploaded; }
/** * Find a particular template file and return its path * * @param string $strTemplate The name of the template * @param string $strFormat The file extension * * @return string The path to the template file * * @throws \InvalidArgumentException If $strFormat is unknown * @throws \RuntimeException If the template group folder is insecure */ public static function getTemplate($strTemplate, $strFormat = 'html5') { $arrAllowed = trimsplit(',', \Config::get('templateFiles')); array_push($arrAllowed, 'html5'); // see #3398 if (!in_array($strFormat, $arrAllowed)) { throw new \InvalidArgumentException('Invalid output format ' . $strFormat); } $strTemplate = basename($strTemplate); // Check for a theme folder if (TL_MODE == 'FE') { /** @var \PageModel $objPage */ global $objPage; if ($objPage->templateGroup != '') { if (\Validator::isInsecurePath($objPage->templateGroup)) { throw new \RuntimeException('Invalid path ' . $objPage->templateGroup); } return \TemplateLoader::getPath($strTemplate, $strFormat, $objPage->templateGroup); } } return \TemplateLoader::getPath($strTemplate, $strFormat); }
/** * Add a breadcrumb menu to the file tree * * @param string $strKey * * @throws \RuntimeException */ public static function addFilesBreadcrumb($strKey = 'tl_files_node') { $objSession = \Session::getInstance(); // Set a new node if (isset($_GET['node'])) { // Check the path (thanks to Arnaud Buchoux) if (\Validator::isInsecurePath(\Input::get('node', true))) { throw new \RuntimeException('Insecure path ' . \Input::get('node', true)); } $objSession->set($strKey, \Input::get('node', true)); \Controller::redirect(preg_replace('/(&|\\?)node=[^&]*/', '', \Environment::get('request'))); } $strNode = $objSession->get($strKey); if ($strNode == '') { return; } // Check the path (thanks to Arnaud Buchoux) if (\Validator::isInsecurePath($strNode)) { throw new \RuntimeException('Insecure path ' . $strNode); } // Currently selected folder does not exist if (!is_dir(TL_ROOT . '/' . $strNode)) { $objSession->set($strKey, ''); return; } $objUser = \BackendUser::getInstance(); $strPath = \Config::get('uploadPath'); $arrNodes = explode('/', preg_replace('/^' . preg_quote(\Config::get('uploadPath'), '/') . '\\//', '', $strNode)); $arrLinks = array(); // Add root link $arrLinks[] = '<img src="' . TL_FILES_URL . 'system/themes/' . \Backend::getTheme() . '/images/filemounts.gif" width="18" height="18" alt=""> <a href="' . \Controller::addToUrl('node=') . '" title="' . specialchars($GLOBALS['TL_LANG']['MSC']['selectAllNodes']) . '">' . $GLOBALS['TL_LANG']['MSC']['filterAll'] . '</a>'; // Generate breadcrumb trail foreach ($arrNodes as $strFolder) { $strPath .= '/' . $strFolder; // Do not show pages which are not mounted if (!$objUser->hasAccess($strPath, 'filemounts')) { continue; } // No link for the active folder if ($strPath == $strNode) { $arrLinks[] = '<img src="' . TL_FILES_URL . 'system/themes/' . \Backend::getTheme() . '/images/folderC.gif" width="18" height="18" alt=""> ' . $strFolder; } else { $arrLinks[] = '<img src="' . TL_FILES_URL . 'system/themes/' . \Backend::getTheme() . '/images/folderC.gif" width="18" height="18" alt=""> <a href="' . \Controller::addToUrl('node=' . $strPath) . '" title="' . specialchars($GLOBALS['TL_LANG']['MSC']['selectNode']) . '">' . $strFolder . '</a>'; } } // Check whether the node is mounted if (!$objUser->hasAccess($strNode, 'filemounts')) { $objSession->set($strKey, ''); \System::log('Folder ID ' . $strNode . ' was not mounted', __METHOD__, TL_ERROR); \Controller::redirect('contao/main.php?act=error'); } // Limit tree $GLOBALS['TL_DCA']['tl_files']['list']['sorting']['root'] = array($strNode); // Insert breadcrumb menu $GLOBALS['TL_DCA']['tl_files']['list']['sorting']['breadcrumb'] .= ' <ul id="tl_breadcrumb"> <li>' . implode(' > </li><li>', $arrLinks) . '</li> </ul>'; }
/** * Create a new template * * @return string */ public function addNewTemplate() { $strError = ''; // Copy an existing template if (Input::post('FORM_SUBMIT') == 'tl_create_template') { $strOriginal = Input::post('original'); if (Validator::isInsecurePath($strOriginal)) { throw new RuntimeException('Invalid path ' . $strOriginal); } $strTarget = Input::post('target'); if (Validator::isInsecurePath($strTarget)) { throw new RuntimeException('Invalid path ' . $strTarget); } // Validate the source path if (strncmp($strOriginal, 'system/modules/', 15) !== 0 || !file_exists(TL_ROOT . '/' . $strOriginal)) { $strError = sprintf($GLOBALS['TL_LANG']['tl_templates']['invalid'], $strOriginal); } else { // Validate the target path if (strncmp($strTarget, 'templates', 9) !== 0 || !is_dir(TL_ROOT . '/' . $strTarget)) { $strError = sprintf($GLOBALS['TL_LANG']['tl_templates']['invalid'], $strTarget); } else { $strTarget .= '/' . basename($strOriginal); // Check whether the target file exists if (file_exists(TL_ROOT . '/' . $strTarget)) { $strError = sprintf($GLOBALS['TL_LANG']['tl_templates']['exists'], $strTarget); } else { $this->import('Files'); $this->Files->copy($strOriginal, $strTarget); $this->redirect($this->getReferer()); } } } } $arrAllTemplates = array(); $arrAllowed = trimsplit(',', Config::get('templateFiles')); // Get all templates foreach (ModuleLoader::getActive() as $strModule) { // Continue if there is no templates folder if ($strModule == 'repository' || !is_dir(TL_ROOT . '/system/modules/' . $strModule . '/templates')) { continue; } /** @var \SplFileInfo[] $objFiles */ $objFiles = new SortedIterator(new RecursiveIteratorIterator(new RecursiveDirectoryIterator(TL_ROOT . '/system/modules/' . $strModule . '/templates', FilesystemIterator::UNIX_PATHS | FilesystemIterator::FOLLOW_SYMLINKS | FilesystemIterator::SKIP_DOTS))); foreach ($objFiles as $objFile) { $strExtension = pathinfo($objFile->getFilename(), PATHINFO_EXTENSION); if (in_array($strExtension, $arrAllowed)) { $strRelpath = str_replace(TL_ROOT . '/', '', $objFile->getPathname()); $arrAllTemplates[$strModule][basename($strRelpath)] = $strRelpath; } } } $strAllTemplates = ''; // Group the templates by module foreach ($arrAllTemplates as $k => $v) { $strAllTemplates .= '<optgroup label="' . $k . '">'; foreach ($v as $kk => $vv) { $strAllTemplates .= sprintf('<option value="%s"%s>%s</option>', $vv, Input::post('original') == $vv ? ' selected="selected"' : '', $kk); } $strAllTemplates .= '</optgroup>'; } // Show form return ' <div id="tl_buttons"> <a href="' . $this->getReferer(true) . '" class="header_back" title="' . specialchars($GLOBALS['TL_LANG']['MSC']['backBTTitle']) . '" accesskey="b" onclick="Backend.getScrollOffset()">' . $GLOBALS['TL_LANG']['MSC']['backBT'] . '</a> </div>' . ($strError != '' ? ' <div class="tl_message"> <p class="tl_error">' . $strError . '</p> </div>' : '') . ' <form action="' . ampersand(Environment::get('request')) . '" id="tl_create_template" class="tl_form" method="post"> <div class="tl_formbody_edit"> <input type="hidden" name="FORM_SUBMIT" value="tl_create_template"> <input type="hidden" name="REQUEST_TOKEN" value="' . REQUEST_TOKEN . '"> <div class="tl_tbox"> <div> <h3><label for="ctrl_original">' . $GLOBALS['TL_LANG']['tl_templates']['original'][0] . '</label></h3> <select name="original" id="ctrl_original" class="tl_select tl_chosen" onfocus="Backend.getScrollOffset()">' . $strAllTemplates . '</select>' . ($GLOBALS['TL_LANG']['tl_templates']['original'][1] && Config::get('showHelp') ? ' <p class="tl_help tl_tip">' . $GLOBALS['TL_LANG']['tl_templates']['original'][1] . '</p>' : '') . ' </div> <div> <h3><label for="ctrl_target">' . $GLOBALS['TL_LANG']['tl_templates']['target'][0] . '</label></h3> <select name="target" id="ctrl_target" class="tl_select" onfocus="Backend.getScrollOffset()"><option value="templates">templates</option>' . $this->getTargetFolders('templates') . '</select>' . ($GLOBALS['TL_LANG']['tl_templates']['target'][1] && Config::get('showHelp') ? ' <p class="tl_help tl_tip">' . $GLOBALS['TL_LANG']['tl_templates']['target'][1] . '</p>' : '') . ' </div> </div> </div> <div class="tl_formbody_submit"> <div class="tl_submit_container"> <input type="submit" name="create" id="create" class="tl_submit" accesskey="s" value="' . specialchars($GLOBALS['TL_LANG']['tl_templates']['newTpl']) . '"> </div> </div> </form>'; }
/** * Check a file operation * * @param string $strFile * * @return boolean */ protected function isValid($strFile) { $strFolder = \Input::get('pid', true); // Check the path if (\Validator::isInsecurePath($strFile)) { $this->log('Invalid file name "' . $strFile . '" (hacking attempt)', __METHOD__, TL_ERROR); $this->redirect('contao/main.php?act=error'); } elseif (\Validator::isInsecurePath($strFolder)) { $this->log('Invalid folder name "' . $strFolder . '" (hacking attempt)', __METHOD__, TL_ERROR); $this->redirect('contao/main.php?act=error'); } // Check for valid file types if (!empty($this->arrValidFileTypes) && is_file(TL_ROOT . '/' . $strFile)) { $fileinfo = preg_replace('/.*\\.(.*)$/ui', '$1', $strFile); if (!in_array(strtolower($fileinfo), $this->arrValidFileTypes)) { $this->log('File "' . $strFile . '" is not an allowed file type', __METHOD__, TL_ERROR); $this->redirect('contao/main.php?act=error'); } } // Check whether the file is within the files directory if (!preg_match('/^' . preg_quote(\Config::get('uploadPath'), '/') . '/i', $strFile)) { $this->log('File or folder "' . $strFile . '" is not within the files directory', __METHOD__, TL_ERROR); $this->redirect('contao/main.php?act=error'); } // Check whether the parent folder is within the files directory if ($strFolder && !preg_match('/^' . preg_quote(\Config::get('uploadPath'), '/') . '/i', $strFolder)) { $this->log('Parent folder "' . $strFolder . '" is not within the files directory', __METHOD__, TL_ERROR); $this->redirect('contao/main.php?act=error'); } // Do not allow file operations on root folders if (\Input::get('act') == 'edit' || \Input::get('act') == 'paste' || \Input::get('act') == 'delete') { $this->import('BackendUser', 'User'); if (!$this->User->isAdmin && in_array($strFile, $this->User->filemounts)) { $this->log('Attempt to edit, copy, move or delete the root folder "' . $strFile . '"', __METHOD__, TL_ERROR); $this->redirect('contao/main.php?act=error'); } } return true; }
/** * Replace insert tags with their values * * @param string $strBuffer The text with the tags to be replaced * @param boolean $blnCache If false, non-cacheable tags will be replaced * * @return string The text with the replaced tags */ protected function doReplace($strBuffer, $blnCache) { /** @var PageModel $objPage */ global $objPage; // Preserve insert tags if (\Config::get('disableInsertTags')) { return \StringUtil::restoreBasicEntities($strBuffer); } $tags = preg_split('/{{([^{}]+)}}/', $strBuffer, -1, PREG_SPLIT_DELIM_CAPTURE); if (count($tags) < 2) { return \StringUtil::restoreBasicEntities($strBuffer); } $strBuffer = ''; // Create one cache per cache setting (see #7700) static $arrItCache; $arrCache =& $arrItCache[$blnCache]; for ($_rit = 0, $_cnt = count($tags); $_rit < $_cnt; $_rit += 2) { $strBuffer .= $tags[$_rit]; $strTag = $tags[$_rit + 1]; // Skip empty tags if ($strTag == '') { continue; } $flags = explode('|', $strTag); $tag = array_shift($flags); $elements = explode('::', $tag); // Load the value from cache if (isset($arrCache[$strTag]) && !in_array('refresh', $flags)) { $strBuffer .= $arrCache[$strTag]; continue; } // Skip certain elements if the output will be cached if ($blnCache) { if ($elements[0] == 'date' || $elements[0] == 'ua' || $elements[0] == 'post' || $elements[0] == 'file' || $elements[1] == 'back' || $elements[1] == 'referer' || $elements[0] == 'request_token' || $elements[0] == 'toggle_view' || strncmp($elements[0], 'cache_', 6) === 0 || in_array('uncached', $flags)) { $strBuffer .= '{{' . $strTag . '}}'; continue; } } $arrCache[$strTag] = ''; // Replace the tag switch (strtolower($elements[0])) { // Date case 'date': $arrCache[$strTag] = \Date::parse($elements[1] ?: \Config::get('dateFormat')); break; // Accessibility tags // Accessibility tags case 'lang': if ($elements[1] == '') { $arrCache[$strTag] = '</span>'; } else { $arrCache[$strTag] = $arrCache[$strTag] = '<span lang="' . $elements[1] . '">'; } break; // Line break // Line break case 'br': $arrCache[$strTag] = '<br>'; break; // E-mail addresses // E-mail addresses case 'email': case 'email_open': case 'email_url': if ($elements[1] == '') { $arrCache[$strTag] = ''; break; } $strEmail = \StringUtil::encodeEmail($elements[1]); // Replace the tag switch (strtolower($elements[0])) { case 'email': $arrCache[$strTag] = '<a href="mailto:' . $strEmail . '" class="email">' . preg_replace('/\\?.*$/', '', $strEmail) . '</a>'; break; case 'email_open': $arrCache[$strTag] = '<a href="mailto:' . $strEmail . '" title="' . $strEmail . '" class="email">'; break; case 'email_url': $arrCache[$strTag] = $strEmail; break; } break; // Label tags // Label tags case 'label': $keys = explode(':', $elements[1]); if (count($keys) < 2) { $arrCache[$strTag] = ''; break; } $file = $keys[0]; // Map the key (see #7217) switch ($file) { case 'CNT': $file = 'countries'; break; case 'LNG': $file = 'languages'; break; case 'MOD': case 'FMD': $file = 'modules'; break; case 'FFL': $file = 'tl_form_field'; break; case 'CACHE': $file = 'tl_page'; break; case 'XPL': $file = 'explain'; break; case 'XPT': $file = 'exception'; break; case 'MSC': case 'ERR': case 'CTE': case 'PTY': case 'FOP': case 'CHMOD': case 'DAYS': case 'MONTHS': case 'UNITS': case 'CONFIRM': case 'DP': case 'COLS': $file = 'default'; break; } \System::loadLanguageFile($file); if (count($keys) == 2) { $arrCache[$strTag] = $GLOBALS['TL_LANG'][$keys[0]][$keys[1]]; } else { $arrCache[$strTag] = $GLOBALS['TL_LANG'][$keys[0]][$keys[1]][$keys[2]]; } break; // Front end user // Front end user case 'user': if (FE_USER_LOGGED_IN) { $this->import('FrontendUser', 'User'); $value = $this->User->{$elements[1]}; if ($value == '') { $arrCache[$strTag] = $value; break; } $this->loadDataContainer('tl_member'); if ($GLOBALS['TL_DCA']['tl_member']['fields'][$elements[1]]['inputType'] == 'password') { $arrCache[$strTag] = ''; break; } $value = \StringUtil::deserialize($value); // Decrypt the value if ($GLOBALS['TL_DCA']['tl_member']['fields'][$elements[1]]['eval']['encrypt']) { $value = \Encryption::decrypt($value); } $rgxp = $GLOBALS['TL_DCA']['tl_member']['fields'][$elements[1]]['eval']['rgxp']; $opts = $GLOBALS['TL_DCA']['tl_member']['fields'][$elements[1]]['options']; $rfrc = $GLOBALS['TL_DCA']['tl_member']['fields'][$elements[1]]['reference']; if ($rgxp == 'date') { $arrCache[$strTag] = \Date::parse(\Config::get('dateFormat'), $value); } elseif ($rgxp == 'time') { $arrCache[$strTag] = \Date::parse(\Config::get('timeFormat'), $value); } elseif ($rgxp == 'datim') { $arrCache[$strTag] = \Date::parse(\Config::get('datimFormat'), $value); } elseif (is_array($value)) { $arrCache[$strTag] = implode(', ', $value); } elseif (is_array($opts) && array_is_assoc($opts)) { $arrCache[$strTag] = isset($opts[$value]) ? $opts[$value] : $value; } elseif (is_array($rfrc)) { $arrCache[$strTag] = isset($rfrc[$value]) ? is_array($rfrc[$value]) ? $rfrc[$value][0] : $rfrc[$value] : $value; } else { $arrCache[$strTag] = $value; } // Convert special characters (see #1890) $arrCache[$strTag] = \StringUtil::specialchars($arrCache[$strTag]); } break; // Link // Link case 'link': case 'link_open': case 'link_url': case 'link_title': case 'link_target': case 'link_name': $strTarget = null; // Back link if ($elements[1] == 'back') { $strUrl = 'javascript:history.go(-1)'; $strTitle = $GLOBALS['TL_LANG']['MSC']['goBack']; // No language files if the page is cached if (!strlen($strTitle)) { $strTitle = 'Go back'; } $strName = $strTitle; } elseif (strncmp($elements[1], 'http://', 7) === 0 || strncmp($elements[1], 'https://', 8) === 0) { $strUrl = $elements[1]; $strTitle = $elements[1]; $strName = str_replace(array('http://', 'https://'), '', $elements[1]); } else { // User login page if ($elements[1] == 'login') { if (!FE_USER_LOGGED_IN) { break; } $this->import('FrontendUser', 'User'); $elements[1] = $this->User->loginPage; } $objNextPage = \PageModel::findByIdOrAlias($elements[1]); if ($objNextPage === null) { break; } // Page type specific settings (thanks to Andreas Schempp) switch ($objNextPage->type) { case 'redirect': $strUrl = $objNextPage->url; if (strncasecmp($strUrl, 'mailto:', 7) === 0) { $strUrl = \StringUtil::encodeEmail($strUrl); } break; case 'forward': if ($objNextPage->jumpTo) { /** @var PageModel $objNext */ $objNext = $objNextPage->getRelated('jumpTo'); } else { $objNext = \PageModel::findFirstPublishedRegularByPid($objNextPage->id); } if ($objNext instanceof PageModel) { $strUrl = $objNext->getFrontendUrl(); break; } // DO NOT ADD A break; STATEMENT // DO NOT ADD A break; STATEMENT default: $strUrl = $objNextPage->getFrontendUrl(); break; } $strName = $objNextPage->title; $strTarget = $objNextPage->target ? ' target="_blank"' : ''; $strTitle = $objNextPage->pageTitle ?: $objNextPage->title; } // Replace the tag switch (strtolower($elements[0])) { case 'link': $arrCache[$strTag] = sprintf('<a href="%s" title="%s"%s>%s</a>', $strUrl, \StringUtil::specialchars($strTitle), $strTarget, $strName); break; case 'link_open': $arrCache[$strTag] = sprintf('<a href="%s" title="%s"%s>', $strUrl, \StringUtil::specialchars($strTitle), $strTarget); break; case 'link_url': $arrCache[$strTag] = $strUrl; break; case 'link_title': $arrCache[$strTag] = \StringUtil::specialchars($strTitle); break; case 'link_target': $arrCache[$strTag] = $strTarget; break; case 'link_name': $arrCache[$strTag] = $strName; break; } break; // Closing link tag // Closing link tag case 'link_close': case 'email_close': $arrCache[$strTag] = '</a>'; break; // Insert article // Insert article case 'insert_article': if (($strOutput = $this->getArticle($elements[1], false, true)) !== false) { $arrCache[$strTag] = ltrim($strOutput); } else { $arrCache[$strTag] = '<p class="error">' . sprintf($GLOBALS['TL_LANG']['MSC']['invalidPage'], $elements[1]) . '</p>'; } break; // Insert content element // Insert content element case 'insert_content': $arrCache[$strTag] = $this->getContentElement($elements[1]); break; // Insert module // Insert module case 'insert_module': $arrCache[$strTag] = $this->getFrontendModule($elements[1]); break; // Insert form // Insert form case 'insert_form': $arrCache[$strTag] = $this->getForm($elements[1]); break; // Article // Article case 'article': case 'article_open': case 'article_url': case 'article_title': if (($objArticle = \ArticleModel::findByIdOrAlias($elements[1])) === null || !($objPid = $objArticle->getRelated('pid')) instanceof PageModel) { break; } /** @var PageModel $objPid */ $strUrl = $objPid->getFrontendUrl('/articles/' . ($objArticle->alias ?: $objArticle->id)); // Replace the tag switch (strtolower($elements[0])) { case 'article': $arrCache[$strTag] = sprintf('<a href="%s" title="%s">%s</a>', $strUrl, \StringUtil::specialchars($objArticle->title), $objArticle->title); break; case 'article_open': $arrCache[$strTag] = sprintf('<a href="%s" title="%s">', $strUrl, \StringUtil::specialchars($objArticle->title)); break; case 'article_url': $arrCache[$strTag] = $strUrl; break; case 'article_title': $arrCache[$strTag] = \StringUtil::specialchars($objArticle->title); break; } break; // Article teaser // Article teaser case 'article_teaser': $objTeaser = \ArticleModel::findByIdOrAlias($elements[1]); if ($objTeaser !== null) { $arrCache[$strTag] = \StringUtil::toHtml5($objTeaser->teaser); } break; // Last update // Last update case 'last_update': $strQuery = "SELECT MAX(tstamp) AS tc"; $bundles = \System::getContainer()->getParameter('kernel.bundles'); if (isset($bundles['ContaoNewsBundle'])) { $strQuery .= ", (SELECT MAX(tstamp) FROM tl_news) AS tn"; } if (isset($bundles['ContaoCalendarBundle'])) { $strQuery .= ", (SELECT MAX(tstamp) FROM tl_calendar_events) AS te"; } $strQuery .= " FROM tl_content"; $objUpdate = \Database::getInstance()->query($strQuery); if ($objUpdate->numRows) { $arrCache[$strTag] = \Date::parse($elements[1] ?: \Config::get('datimFormat'), max($objUpdate->tc, $objUpdate->tn, $objUpdate->te)); } break; // Version // Version case 'version': $arrCache[$strTag] = VERSION . '.' . BUILD; break; // Request token // Request token case 'request_token': $arrCache[$strTag] = REQUEST_TOKEN; break; // POST data // POST data case 'post': $arrCache[$strTag] = \Input::post($elements[1]); break; // Mobile/desktop toggle (see #6469) // Mobile/desktop toggle (see #6469) case 'toggle_view': $strUrl = ampersand(\Environment::get('request')); $strGlue = strpos($strUrl, '?') === false ? '?' : '&'; if (\Input::cookie('TL_VIEW') == 'mobile' || \Environment::get('agent')->mobile && \Input::cookie('TL_VIEW') != 'desktop') { $arrCache[$strTag] = '<a href="' . $strUrl . $strGlue . 'toggle_view=desktop" class="toggle_desktop" title="' . \StringUtil::specialchars($GLOBALS['TL_LANG']['MSC']['toggleDesktop'][1]) . '">' . $GLOBALS['TL_LANG']['MSC']['toggleDesktop'][0] . '</a>'; } else { $arrCache[$strTag] = '<a href="' . $strUrl . $strGlue . 'toggle_view=mobile" class="toggle_mobile" title="' . \StringUtil::specialchars($GLOBALS['TL_LANG']['MSC']['toggleMobile'][1]) . '">' . $GLOBALS['TL_LANG']['MSC']['toggleMobile'][0] . '</a>'; } break; // Conditional tags (if) // Conditional tags (if) case 'iflng': if ($elements[1] != '' && $elements[1] != $objPage->language) { for (; $_rit < $_cnt; $_rit += 2) { if ($tags[$_rit + 1] == 'iflng' || $tags[$_rit + 1] == 'iflng::' . $objPage->language) { break; } } } unset($arrCache[$strTag]); break; // Conditional tags (if not) // Conditional tags (if not) case 'ifnlng': if ($elements[1] != '') { $langs = \StringUtil::trimsplit(',', $elements[1]); if (in_array($objPage->language, $langs)) { for (; $_rit < $_cnt; $_rit += 2) { if ($tags[$_rit + 1] == 'ifnlng') { break; } } } } unset($arrCache[$strTag]); break; // Environment // Environment case 'env': switch ($elements[1]) { case 'host': $arrCache[$strTag] = \Idna::decode(\Environment::get('host')); break; case 'http_host': $arrCache[$strTag] = \Idna::decode(\Environment::get('httpHost')); break; case 'url': $arrCache[$strTag] = \Idna::decode(\Environment::get('url')); break; case 'path': $arrCache[$strTag] = \Idna::decode(\Environment::get('base')); break; case 'request': $arrCache[$strTag] = \Environment::get('indexFreeRequest'); break; case 'ip': $arrCache[$strTag] = \Environment::get('ip'); break; case 'referer': $arrCache[$strTag] = $this->getReferer(true); break; case 'files_url': $arrCache[$strTag] = TL_FILES_URL; break; case 'assets_url': case 'plugins_url': case 'script_url': $arrCache[$strTag] = TL_ASSETS_URL; break; case 'base_url': $arrCache[$strTag] = \System::getContainer()->get('request_stack')->getCurrentRequest()->getBaseUrl(); break; } break; // Page // Page case 'page': if ($elements[1] == 'pageTitle' && $objPage->pageTitle == '') { $elements[1] = 'title'; } elseif ($elements[1] == 'parentPageTitle' && $objPage->parentPageTitle == '') { $elements[1] = 'parentTitle'; } elseif ($elements[1] == 'mainPageTitle' && $objPage->mainPageTitle == '') { $elements[1] = 'mainTitle'; } // Do not use \StringUtil::specialchars() here (see #4687) $arrCache[$strTag] = $objPage->{$elements[1]}; break; // User agent // User agent case 'ua': $ua = \Environment::get('agent'); if ($elements[1] != '') { $arrCache[$strTag] = $ua->{$elements[1]}; } else { $arrCache[$strTag] = ''; } break; // Abbreviations // Abbreviations case 'abbr': case 'acronym': if ($elements[1] != '') { $arrCache[$strTag] = '<abbr title="' . $elements[1] . '">'; } else { $arrCache[$strTag] = '</abbr>'; } break; // Images // Images case 'image': case 'picture': $width = null; $height = null; $alt = ''; $class = ''; $rel = ''; $strFile = $elements[1]; $mode = ''; $size = null; $strTemplate = 'picture_default'; // Take arguments if (strpos($elements[1], '?') !== false) { $arrChunks = explode('?', urldecode($elements[1]), 2); $strSource = \StringUtil::decodeEntities($arrChunks[1]); $strSource = str_replace('[&]', '&', $strSource); $arrParams = explode('&', $strSource); foreach ($arrParams as $strParam) { list($key, $value) = explode('=', $strParam); switch ($key) { case 'width': $width = $value; break; case 'height': $height = $value; break; case 'alt': $alt = \StringUtil::specialchars($value); break; case 'class': $class = $value; break; case 'rel': $rel = $value; break; case 'mode': $mode = $value; break; case 'size': $size = (int) $value; break; case 'template': $strTemplate = preg_replace('/[^a-z0-9_]/i', '', $value); break; } } $strFile = $arrChunks[0]; } if (\Validator::isUuid($strFile)) { // Handle UUIDs $objFile = \FilesModel::findByUuid($strFile); if ($objFile === null) { $arrCache[$strTag] = ''; break; } $strFile = $objFile->path; } elseif (is_numeric($strFile)) { // Handle numeric IDs (see #4805) $objFile = \FilesModel::findByPk($strFile); if ($objFile === null) { $arrCache[$strTag] = ''; break; } $strFile = $objFile->path; } else { // Check the path if (\Validator::isInsecurePath($strFile)) { throw new \RuntimeException('Invalid path ' . $strFile); } } // Check the maximum image width if (\Config::get('maxImageWidth') > 0 && $width > \Config::get('maxImageWidth')) { $width = \Config::get('maxImageWidth'); $height = null; } // Generate the thumbnail image try { // Image if (strtolower($elements[0]) == 'image') { $dimensions = ''; $imageObj = \Image::create($strFile, array($width, $height, $mode)); $src = $imageObj->executeResize()->getResizedPath(); $objFile = new \File(rawurldecode($src)); // Add the image dimensions if (($imgSize = $objFile->imageSize) !== false) { $dimensions = ' width="' . $imgSize[0] . '" height="' . $imgSize[1] . '"'; } $arrCache[$strTag] = '<img src="' . TL_FILES_URL . $src . '" ' . $dimensions . ' alt="' . $alt . '"' . ($class != '' ? ' class="' . $class . '"' : '') . '>'; } else { $picture = \Picture::create($strFile, array(0, 0, $size))->getTemplateData(); $picture['alt'] = $alt; $picture['class'] = $class; $pictureTemplate = new \FrontendTemplate($strTemplate); $pictureTemplate->setData($picture); $arrCache[$strTag] = $pictureTemplate->parse(); } // Add a lightbox link if ($rel != '') { if (strncmp($rel, 'lightbox', 8) !== 0) { $attribute = ' rel="' . $rel . '"'; } else { $attribute = ' data-lightbox="' . substr($rel, 8) . '"'; } $arrCache[$strTag] = '<a href="' . TL_FILES_URL . $strFile . '"' . ($alt != '' ? ' title="' . $alt . '"' : '') . $attribute . '>' . $arrCache[$strTag] . '</a>'; } } catch (\Exception $e) { $arrCache[$strTag] = ''; } break; // Files (UUID or template path) // Files (UUID or template path) case 'file': if (\Validator::isUuid($elements[1])) { $objFile = \FilesModel::findByUuid($elements[1]); if ($objFile !== null) { $arrCache[$strTag] = $objFile->path; break; } } $arrGet = $_GET; \Input::resetCache(); $strFile = $elements[1]; // Take arguments and add them to the $_GET array if (strpos($elements[1], '?') !== false) { $arrChunks = explode('?', urldecode($elements[1])); $strSource = \StringUtil::decodeEntities($arrChunks[1]); $strSource = str_replace('[&]', '&', $strSource); $arrParams = explode('&', $strSource); foreach ($arrParams as $strParam) { $arrParam = explode('=', $strParam); $_GET[$arrParam[0]] = $arrParam[1]; } $strFile = $arrChunks[0]; } // Check the path if (\Validator::isInsecurePath($strFile)) { throw new \RuntimeException('Invalid path ' . $strFile); } // Include .php, .tpl, .xhtml and .html5 files if (preg_match('/\\.(php|tpl|xhtml|html5)$/', $strFile) && file_exists(TL_ROOT . '/templates/' . $strFile)) { ob_start(); include TL_ROOT . '/templates/' . $strFile; $arrCache[$strTag] = ob_get_clean(); } $_GET = $arrGet; \Input::resetCache(); break; // HOOK: pass unknown tags to callback functions // HOOK: pass unknown tags to callback functions default: if (isset($GLOBALS['TL_HOOKS']['replaceInsertTags']) && is_array($GLOBALS['TL_HOOKS']['replaceInsertTags'])) { foreach ($GLOBALS['TL_HOOKS']['replaceInsertTags'] as $callback) { $this->import($callback[0]); $varValue = $this->{$callback[0]}->{$callback[1]}($tag, $blnCache, $arrCache[$strTag], $flags, $tags, $arrCache, $_rit, $_cnt); // see #6672 // Replace the tag and stop the loop if ($varValue !== false) { $arrCache[$strTag] = $varValue; break; } } } if (\Config::get('debugMode')) { $GLOBALS['TL_DEBUG']['unknown_insert_tags'][] = $strTag; } break; } // Handle the flags if (!empty($flags)) { foreach ($flags as $flag) { switch ($flag) { case 'addslashes': case 'stripslashes': case 'standardize': case 'ampersand': case 'specialchars': case 'nl2br': case 'nl2br_pre': case 'strtolower': case 'utf8_strtolower': case 'strtoupper': case 'utf8_strtoupper': case 'ucfirst': case 'lcfirst': case 'ucwords': case 'trim': case 'rtrim': case 'ltrim': case 'utf8_romanize': case 'strrev': case 'urlencode': case 'rawurlencode': $arrCache[$strTag] = $flag($arrCache[$strTag]); break; case 'encodeEmail': case 'decodeEntities': $arrCache[$strTag] = \StringUtil::$flag($arrCache[$strTag]); break; case 'number_format': $arrCache[$strTag] = \System::getFormattedNumber($arrCache[$strTag], 0); break; case 'currency_format': $arrCache[$strTag] = \System::getFormattedNumber($arrCache[$strTag], 2); break; case 'readable_size': $arrCache[$strTag] = \System::getReadableSize($arrCache[$strTag]); break; case 'flatten': if (!is_array($arrCache[$strTag])) { break; } $it = new \RecursiveIteratorIterator(new \RecursiveArrayIterator($arrCache[$strTag])); $result = array(); foreach ($it as $leafValue) { $keys = array(); foreach (range(0, $it->getDepth()) as $depth) { $keys[] = $it->getSubIterator($depth)->key(); } $result[] = implode('.', $keys) . ': ' . $leafValue; } $arrCache[$strTag] = implode(', ', $result); break; // HOOK: pass unknown flags to callback functions // HOOK: pass unknown flags to callback functions default: if (isset($GLOBALS['TL_HOOKS']['insertTagFlags']) && is_array($GLOBALS['TL_HOOKS']['insertTagFlags'])) { foreach ($GLOBALS['TL_HOOKS']['insertTagFlags'] as $callback) { $this->import($callback[0]); $varValue = $this->{$callback[0]}->{$callback[1]}($flag, $tag, $arrCache[$strTag], $flags, $blnCache, $tags, $arrCache, $_rit, $_cnt); // see #5806 // Replace the tag and stop the loop if ($varValue !== false) { $arrCache[$strTag] = $varValue; break; } } } if (\Config::get('debugMode')) { $GLOBALS['TL_DEBUG']['unknown_insert_tag_flags'][] = $flag; } break; } } } $strBuffer .= $arrCache[$strTag]; } return \StringUtil::restoreBasicEntities($strBuffer); }
/** * Create a new template * * @return string */ public function addNewTemplate() { $arrAllTemplates = array(); $arrAllowed = StringUtil::trimsplit(',', strtolower(Config::get('templateFiles'))); /** @var SplFileInfo[] $files */ $files = System::getContainer()->get('contao.resource_finder')->findIn('templates')->files()->name('/\\.(' . implode('|', $arrAllowed) . ')$/'); foreach ($files as $file) { $strRelpath = str_replace(TL_ROOT . DIRECTORY_SEPARATOR, '', $file->getPathname()); $strModule = preg_replace('@^(vendor|system/modules)/([^/]+(/.*-bundle)?)/.*$@', '$2', strtr($strRelpath, '\\', '/')); $arrAllTemplates[$strModule][$strRelpath] = basename($strRelpath); } $strError = ''; // Copy an existing template if (Input::post('FORM_SUBMIT') == 'tl_create_template') { $strOriginal = Input::post('original', true); if (Validator::isInsecurePath($strOriginal)) { throw new RuntimeException('Invalid path ' . $strOriginal); } $strTarget = Input::post('target', true); if (Validator::isInsecurePath($strTarget)) { throw new RuntimeException('Invalid path ' . $strTarget); } // Validate the target path if (strncmp($strTarget, 'templates', 9) !== 0 || !is_dir(TL_ROOT . '/' . $strTarget)) { $strError = sprintf($GLOBALS['TL_LANG']['tl_templates']['invalid'], $strTarget); } else { $blnFound = false; // Validate the source path foreach ($arrAllTemplates as $arrTemplates) { if (isset($arrTemplates[$strOriginal])) { $blnFound = true; break; } } if (!$blnFound) { $strError = sprintf($GLOBALS['TL_LANG']['tl_templates']['invalid'], $strOriginal); } else { $strTarget .= '/' . basename($strOriginal); // Check whether the target file exists if (file_exists(TL_ROOT . '/' . $strTarget)) { $strError = sprintf($GLOBALS['TL_LANG']['tl_templates']['exists'], $strTarget); } else { $this->import('Files'); $this->Files->copy($strOriginal, $strTarget); $this->redirect($this->getReferer()); } } } } $strAllTemplates = ''; // Group the templates by module foreach ($arrAllTemplates as $k => $v) { $strAllTemplates .= '<optgroup label="' . $k . '">'; foreach ($v as $kk => $vv) { $strAllTemplates .= sprintf('<option value="%s"%s>%s</option>', $kk, Input::post('original') == $kk ? ' selected="selected"' : '', $vv); } $strAllTemplates .= '</optgroup>'; } // Show form return ' <div id="tl_buttons"> <a href="' . $this->getReferer(true) . '" class="header_back" title="' . StringUtil::specialchars($GLOBALS['TL_LANG']['MSC']['backBTTitle']) . '" accesskey="b" onclick="Backend.getScrollOffset()">' . $GLOBALS['TL_LANG']['MSC']['backBT'] . '</a> </div>' . ($strError != '' ? ' <div class="tl_message"> <p class="tl_error">' . $strError . '</p> </div>' : '') . ' <form action="' . ampersand(Environment::get('request')) . '" id="tl_create_template" class="tl_form" method="post"> <div class="tl_formbody_edit"> <input type="hidden" name="FORM_SUBMIT" value="tl_create_template"> <input type="hidden" name="REQUEST_TOKEN" value="' . REQUEST_TOKEN . '"> <fieldset class="tl_tbox nolegend"> <div> <h3><label for="ctrl_original">' . $GLOBALS['TL_LANG']['tl_templates']['original'][0] . '</label></h3> <select name="original" id="ctrl_original" class="tl_select tl_chosen" onfocus="Backend.getScrollOffset()">' . $strAllTemplates . '</select>' . ($GLOBALS['TL_LANG']['tl_templates']['original'][1] && Config::get('showHelp') ? ' <p class="tl_help tl_tip">' . $GLOBALS['TL_LANG']['tl_templates']['original'][1] . '</p>' : '') . ' </div> <div> <h3><label for="ctrl_target">' . $GLOBALS['TL_LANG']['tl_templates']['target'][0] . '</label></h3> <select name="target" id="ctrl_target" class="tl_select" onfocus="Backend.getScrollOffset()"><option value="templates">templates</option>' . $this->getTargetFolders('templates') . '</select>' . ($GLOBALS['TL_LANG']['tl_templates']['target'][1] && Config::get('showHelp') ? ' <p class="tl_help tl_tip">' . $GLOBALS['TL_LANG']['tl_templates']['target'][1] . '</p>' : '') . ' </div> </fieldset> </div> <div class="tl_formbody_submit"> <div class="tl_submit_container"> <button type="submit" name="create" id="create" class="tl_submit" accesskey="s">' . $GLOBALS['TL_LANG']['tl_templates']['newTpl'] . '</button> </div> </div> </form>'; }
/** * Add templates to the archive * * @param \ZipWriter $objArchive * @param string $strFolder */ protected function addTemplatesToArchive(\ZipWriter $objArchive, $strFolder) { // Strip the templates folder name $strFolder = preg_replace('@^templates/@', '', $strFolder); // Re-add the templates folder name if ($strFolder == '') { $strFolder = 'templates'; } else { $strFolder = 'templates/' . $strFolder; } if (\Validator::isInsecurePath($strFolder)) { throw new \RuntimeException('Insecure path ' . $strFolder); } // Return if the folder does not exist if (!is_dir(TL_ROOT . '/' . $strFolder)) { return; } $arrAllowed = trimsplit(',', \Config::get('templateFiles')); array_push($arrAllowed, 'sql'); // see #7048 // Add all template files to the archive foreach (scan(TL_ROOT . '/' . $strFolder) as $strFile) { if (preg_match('/\\.(' . implode('|', $arrAllowed) . ')$/', $strFile) && strncmp($strFile, 'be_', 3) !== 0 && strncmp($strFile, 'nl_', 3) !== 0) { $objArchive->addFile($strFolder . '/' . $strFile); } } }
/** * Check the given file path string if it is a regular file an UUID or an numeric ID * * @param string $filePath * @return \File */ protected static function checkFile($filePath) { if (\Validator::isUuid($filePath)) { // Handle UUIDs $objFile = \FilesModel::findByUuid($filePath); $filePath = $objFile->path; } elseif (is_numeric($filePath)) { // Handle numeric IDs (see #4805) $objFile = \FilesModel::findByPk($filePath); $filePath = $objFile->path; } else { // Check the path if (\Validator::isInsecurePath($filePath)) { throw new \RuntimeException('Invalid path ' . $filePath); } } return new \File($filePath, true); }
/** * Check the upload path * * @param mixed $varValue * * @return mixed * * @throws Exception */ public function checkUploadPath($varValue) { if ($varValue == '' || Validator::isInsecurePath($varValue)) { throw new Exception($GLOBALS['TL_LANG']['ERR']['invalidName']); } if (preg_match('@^(assets|contao|plugins|share|system|templates|vendor)(/|$)@', $varValue)) { throw new Exception($GLOBALS['TL_LANG']['ERR']['invalidName']); } return $varValue; }
/** * Validate a path * * @throws \RuntimeException If the given paths are not valid */ protected function validate() { foreach (func_get_args() as $strPath) { if ($strPath == '') { throw new \RuntimeException('No file or folder name given'); } elseif (\Validator::isInsecurePath($strPath)) { throw new \RuntimeException('Invalid file or folder name ' . $strPath); } } }
/** * Check the uploaded files and move them to the target directory * * @param string $strTarget * * @return array * * @throws \Exception */ public function uploadTo($strTarget) { if ($strTarget == '' || \Validator::isInsecurePath($strTarget)) { throw new \InvalidArgumentException('Invalid target path ' . $strTarget); } $maxlength_kb = $this->getMaximumUploadSize(); $maxlength_kb_readable = $this->getReadableSize($maxlength_kb); $arrUploaded = array(); $arrFiles = $this->getFilesFromGlobal(); foreach ($arrFiles as $file) { // Sanitize the filename try { $file['name'] = \String::sanitizeFileName($file['name']); } catch (\InvalidArgumentException $e) { \Message::addError($GLOBALS['TL_LANG']['ERR']['filename']); $this->blnHasError = true; continue; } // Invalid file name if (!\Validator::isValidFileName($file['name'])) { \Message::addError($GLOBALS['TL_LANG']['ERR']['filename']); $this->blnHasError = true; } elseif (!is_uploaded_file($file['tmp_name'])) { if ($file['error'] == 1 || $file['error'] == 2) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filesize'], $maxlength_kb_readable)); $this->log('File "' . $file['name'] . '" exceeds the maximum file size of ' . $maxlength_kb_readable, __METHOD__, TL_ERROR); $this->blnHasError = true; } elseif ($file['error'] == 3) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filepartial'], $file['name'])); $this->log('File "' . $file['name'] . '" was only partially uploaded', __METHOD__, TL_ERROR); $this->blnHasError = true; } elseif ($file['error'] > 0) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['fileerror'], $file['error'], $file['name'])); $this->log('File "' . $file['name'] . '" could not be uploaded (error ' . $file['error'] . ')', __METHOD__, TL_ERROR); $this->blnHasError = true; } } elseif ($file['size'] > $maxlength_kb) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filesize'], $maxlength_kb_readable)); $this->log('File "' . $file['name'] . '" exceeds the maximum file size of ' . $maxlength_kb_readable, __METHOD__, TL_ERROR); $this->blnHasError = true; } else { $strExtension = pathinfo($file['name'], PATHINFO_EXTENSION); $arrAllowedTypes = trimsplit(',', strtolower(\Config::get('uploadTypes'))); // File type not allowed if (!in_array(strtolower($strExtension), $arrAllowedTypes)) { \Message::addError(sprintf($GLOBALS['TL_LANG']['ERR']['filetype'], $strExtension)); $this->log('File type "' . $strExtension . '" is not allowed to be uploaded (' . $file['name'] . ')', __METHOD__, TL_ERROR); $this->blnHasError = true; } else { $this->import('Files'); $strNewFile = $strTarget . '/' . $file['name']; // Set CHMOD and resize if neccessary if ($this->Files->move_uploaded_file($file['tmp_name'], $strNewFile)) { $this->Files->chmod($strNewFile, \Config::get('defaultFileChmod')); $blnResized = $this->resizeUploadedImage($strNewFile, $file); // Notify the user if (!$blnResized) { \Message::addConfirmation(sprintf($GLOBALS['TL_LANG']['MSC']['fileUploaded'], $file['name'])); $this->log('File "' . $file['name'] . '" uploaded successfully', __METHOD__, TL_FILES); } $arrUploaded[] = $strNewFile; } } } } return $arrUploaded; }