/**
 * Create a new HTML document in the course "document" tree from the submitted
 * form and register it in the document table.
 *
 * Request inputs read here: $_GET['dir'] (or, failing that, $_POST['dir']),
 * $_POST['title'], $_POST['content_lp'] and $_POST['comment'].
 *
 * Still needs some fine-tuning (original author's remark).
 *
 * @param array $_course Course info array; only $_course['path'] is used here
 * @return mixed|null Whatever FileManager::add_document() returned (the new
 *                    document id); null when the target file already exists or
 *                    cannot be opened for writing, because the only return
 *                    statement sits inside the successful-write branch
 */
public function create_document($_course)
{
    $course_id = api_get_course_int_id();
    global $charset;

    // NOTE(review): when neither parameter is present this reads an undefined
    // $_POST index (notice) and $dir starts out as null.
    $dir = isset($_GET['dir']) ? $_GET['dir'] : $_POST['dir'];

    // Please, do not modify this dirname formatting.
    // Any '..' anywhere in the request value sends the document to the root; a
    // leading '.' is dropped and the path is forced into '/.../' form.
    // NOTE(review): this is a substring blocklist, not a realpath() containment
    // check (no null-byte check either); the is_dir() fallback further down is
    // the only other backstop.
    if (strstr($dir, '..')) {
        $dir = '/';
    }
    if ($dir[0] == '.') {
        $dir = substr($dir, 1);
    }
    if ($dir[0] != '/') {
        $dir = '/' . $dir;
    }
    if ($dir[strlen($dir) - 1] != '/') {
        $dir .= '/';
    }
    $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document' . $dir;

    if (empty($_POST['dir']) && empty($_GET['dir'])) {
        //Generates folder
        $result = $this->generate_lp_folder($_course);
        $dir = $result['dir'];
        $filepath = $result['filepath'];
    }
    // Unknown target directory: fall back to the course document root.
    if (!is_dir($filepath)) {
        $filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
        $dir = '/';
    }

    // stripslashes() before calling api_replace_dangerous_char() because $_POST['title']
    // is already escaped twice when it gets here.
    // The title becomes the file name; the '.html' suffix appended below is
    // fixed, so the request cannot choose the extension.
    $title = api_replace_dangerous_char(stripslashes($_POST['title']));
    $title = FileManager::disable_dangerous_file($title);
    $filename = $title;
    // Written to disk as submitted (apart from the URL rewrites below): no HTML
    // sanitising happens in this method, so access control on the caller side
    // is what keeps this from being a stored-HTML sink.
    $content = $_POST['content_lp'];

    // Avoid clobbering an existing file: title, title_1, title_2, ...
    $tmp_filename = $filename;
    $i = 0;
    while (file_exists($filepath . $tmp_filename . '.html')) {
        $tmp_filename = $filename . '_' . ++$i;
    }
    $filename = $tmp_filename . '.html';

    $content = stripslashes($content);
    // Make absolute course URLs relative to the installation.
    $content = str_replace(api_get_path(WEB_COURSE_PATH), api_get_path(REL_PATH) . 'courses/', $content);
    // Change the path of mp3 to absolute.
    // The first regexp deals with ../../../ urls.
    $content = preg_replace("|(flashvars=\"file=)(\\.+/)+|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] . '/document/', $content);
    // The second regexp deals with audio/ urls.
    $content = preg_replace("|(flashvars=\"file=)([^/]+)/|", "\$1" . api_get_path(REL_COURSE_PATH) . $_course['path'] .
        '/document/$2/', $content);
    // For flv player: To prevent edition problem with firefox, we have to use a strange tip (don't blame me please).
    $content = str_replace('</body>', '<style type="text/css">body{}</style></body>', $content);

    if (!file_exists($filepath . $filename)) {
        // NOTE(review): fopen() failures are suppressed and fputs()'s result is
        // not checked, so a short write still gets registered below.
        if ($fp = @fopen($filepath . $filename, 'w')) {
            fputs($fp, $content);
            fclose($fp);
            $file_size = filesize($filepath . $filename);
            $save_file_path = $dir . $filename;
            $document_id = FileManager::add_document($_course, $save_file_path, 'file', $file_size, $tmp_filename);
            if ($document_id) {
                api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentAdded', api_get_user_id(), null, null, null, null, api_get_session_id());
                $new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
                $new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
                if ($new_comment || $new_title) {
                    $tbl_doc = Database::get_course_table(TABLE_DOCUMENT);
                    // String values go through Database::escape_string(); the
                    // title is additionally HTML-encoded at storage time.
                    $ct = '';
                    if ($new_comment) {
                        $ct .= ", comment='" . Database::escape_string($new_comment) . "'";
                    }
                    if ($new_title) {
                        $ct .= ", title='" . Database::escape_string(htmlspecialchars($new_title, ENT_QUOTES, $charset)) . "' ";
                    }
                    // substr($ct, 1) drops the leading comma. $course_id and
                    // $document_id are concatenated unquoted, which is safe only
                    // while both are integers (api_get_course_int_id() and
                    // add_document() -- confirm the latter's return type).
                    $sql_update = "UPDATE " . $tbl_doc . " SET " . substr($ct, 1) . " WHERE c_id = " . $course_id . " AND id = " . $document_id;
                    Database::query($sql_update);
                }
            }
            return $document_id;
        }
    }
}
/**
 * Report whether a document named $filename (plus ".html") can still be
 * created inside the directory held in the global $filepath.
 *
 * Note the inverted sense of the return value, which callers rely on:
 * TRUE means no such file exists yet, FALSE means the name is already taken.
 *
 * NOTE(review): addslashes() is a DB-style escape applied to a filesystem
 * name; a quote in $filename therefore probes a different path than the raw
 * name -- confirm the write path applies the same chain before trusting the
 * answer.
 *
 * @param string $filename Candidate name without the ".html" suffix
 * @return bool TRUE when $filepath/<sanitised name>.html does NOT exist
 */
function document_exists($filename)
{
    global $filepath;

    // Same sanitising chain the rest of the tool applies before touching disk.
    $candidate = trim($filename);
    $candidate = addslashes($candidate);
    $candidate = Security::remove_XSS($candidate);
    $candidate = api_replace_dangerous_char($candidate);
    $candidate = FileManager::disable_dangerous_file($candidate);

    $target = $filepath . $candidate . '.html';

    return file_exists($target) === false;
}
$webcamdir = $params['webcamdir'];
$webcamuserid = $params['webcamuserid'];
} else {
api_not_allowed();
die;
}
// The client-supplied user id must match the logged-in user and be non-zero.
// NOTE(review): this ties the upload to the session user only; no course,
// group or directory permission check is visible in this excerpt.
if ($webcamuserid != api_get_user_id() || api_get_user_id() == 0 || $webcamuserid == 0) {
    api_not_allowed();
    die;
}
//clean
// NOTE(review): Database::escape_string() and addslashes() are DB-style escapes
// applied to a file name, and they run before api_replace_dangerous_char(); any
// backslash that helper leaves in place ends up in the on-disk name.
$webcamname = Security::remove_XSS($webcamname);
$webcamname = Database::escape_string($webcamname);
$webcamname = addslashes(trim($webcamname));
$webcamname = api_replace_dangerous_char($webcamname, 'strict');
$webcamname = FileManager::disable_dangerous_file($webcamname);
// NOTE(review): $webcamdir only passes through remove_XSS() before being joined
// onto $saveDir below; no '..'/separator normalisation or realpath() containment
// is visible here -- confirm it happens before $saveDir is used for writing.
$webcamdir = Security::remove_XSS($webcamdir);
//security extension
// Extension check by name only: the last dot-separated component must be 'jpg'.
$ext = explode('.', $webcamname);
$ext = strtolower($ext[sizeof($ext) - 1]);
if ($ext != 'jpg') {
    die;
}
//Do not use here check Fileinfo method because return: text/plain
//CHECK THIS BEFORE COMMIT
// NOTE(review): consequently the payload is never verified to actually be a JPEG.
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $webcamdir;
$current_session_id = api_get_session_id();
$groupId = $_SESSION['_gid'];
//avoid duplicates
$webcamname_to_save = $webcamname;
// Underscores become spaces in the display title only; the on-disk name keeps them.
$title_to_save = str_replace('_', ' ', $webcamname);
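/**
 * Rename an existing file inside the course document tree and update the
 * document table to match.
 *
 * Besides the return value, the new name is published through
 * $GLOBALS['file_name'] and $GLOBALS['doc'] for legacy callers.
 *
 * @param string $base_work_dir Absolute path of the course document root
 * @param string $source_file   Current file name, relative to $dir
 * @param string $rename_to     Requested new name
 * @param string $dir           Sub-directory holding $source_file, '' for the root
 * @param string $doc           Unused; kept so existing call sites keep working
 * @return string|null Localised "file modified" message on success, null when
 *                     FileManager::my_rename() refused the rename (e.g. the
 *                     target already exists)
 * @todo check if this function is used
 */
function change_name($base_work_dir, $source_file, $rename_to, $dir, $doc)
{
    $file_name_for_change = $base_work_dir . $dir . $source_file;

    // Avoid renaming to a .htaccess (or otherwise executable) file.
    // NOTE(review): unlike the upload paths of this tool, the new name is not
    // passed through api_replace_dangerous_char(); whether
    // FileManager::my_rename() strips path separators itself is not visible
    // here -- confirm before relying on it.
    $rename_to = FileManager::disable_dangerous_file($rename_to);
    $rename_to = FileManager::my_rename($file_name_for_change, stripslashes($rename_to)); // fileManage API

    if (!$rename_to) {
        // my_rename() reported a conflict ("file exists"); nothing changed on disk.
        return null;
    }

    // Build the DB paths: both are relative to the document root and start with '/'.
    if (isset($dir) && $dir != '') {
        $source_file = $dir . $source_file;
        $new_full_file_name = dirname($source_file) . '/' . $rename_to;
    } else {
        $source_file = '/' . $source_file;
        $new_full_file_name = '/' . $rename_to;
    }
    FileManager::update_db_info('update', $source_file, $new_full_file_name); // fileManage API

    // Legacy callers read the new name back through these globals.
    $GLOBALS['file_name'] = $rename_to;
    $GLOBALS['doc'] = $rename_to;

    return get_lang('fileModified');
}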
//Only teacher and all users into their group and any user into his/her shared folder
if ($is_allowed_to_edit || $group_member_with_upload_rights || is_my_shared_folder(api_get_user_id(), $curdirpath, $session_id)) {
    // Create directory with $_POST data
    if (isset($_POST['create_dir']) && $_POST['dirname'] != '') {
        // Needed for directory creation
        $post_dir_name = $_POST['dirname'];
        // NOTE(review): only the three literal values '../', '.' and '..' are
        // rejected here; any other separator or dot sequence in the name is left
        // for api_replace_dangerous_char() / disable_dangerous_file() below to
        // neutralise -- confirm those helpers rewrite '/' and '\'.
        if ($post_dir_name == '../' || $post_dir_name == '.' || $post_dir_name == '..') {
            Display::display_error_message(get_lang('CannotCreateDir'));
        } else {
            // A submitted parent id wins over $curdirpath; the parent path is
            // then taken from the document table, not from the request.
            if (!empty($_POST['dir_id'])) {
                $document_data = DocumentManager::get_document_data_by_id($_POST['dir_id'], api_get_course_id());
                $curdirpath = $document_data['path'];
            }
            $added_slash = $curdirpath == '/' ? '' : '/';
            $dir_name = $curdirpath . $added_slash . api_replace_dangerous_char($post_dir_name);
            $dir_name = FileManager::disable_dangerous_file($dir_name);
            $dir_check = $base_work_dir . $dir_name;
            if (!is_dir($dir_check)) {
                $created_dir = FileManager::create_unexisting_directory($_course, api_get_user_id(), api_get_session_id(), $to_group_id, $to_user_id, $base_work_dir, $dir_name, $post_dir_name);
                if ($created_dir) {
                    // NOTE(review): $created_dir is placed in a title attribute
                    // without htmlspecialchars(); it derives from the sanitised
                    // name, so whether that matters depends on what
                    // api_replace_dangerous_char() leaves in.
                    Display::display_confirmation_message('<span title="' . $created_dir . '">' . get_lang('DirCr') . '</span>', false);
                    // Uncomment if you want to enter the created dir
                    //$curdirpath = $created_dir;
                    //$curdirpathurl = urlencode($curdirpath);
                } else {
                    Display::display_error_message(get_lang('CannotCreateDir'));
                }
            } else {
                // The target already exists on disk: reported as "cannot create".
                Display::display_error_message(get_lang('CannotCreateDir'));
            }
        }
        // (the two enclosing if-blocks are closed beyond this excerpt)
$wamidir = $params['wamidir'];
$wamiuserid = $params['wamiuserid'];
} else {
api_not_allowed();
die;
}
// The client-supplied user id must match the logged-in user and be non-zero.
// NOTE(review): this ties the upload to the session user only; no course,
// group or directory permission check is visible in this excerpt.
if ($wamiuserid != api_get_user_id() || api_get_user_id() == 0 || $wamiuserid == 0) {
    api_not_allowed();
    die;
}
//clean
// NOTE(review): Database::escape_string() and addslashes() are DB-style escapes
// applied to a file name, and they run before api_replace_dangerous_char(); any
// backslash that helper leaves in place ends up in the on-disk name.
$waminame = Security::remove_XSS($waminame);
$waminame = Database::escape_string($waminame);
$waminame = addslashes(trim($waminame));
$waminame = api_replace_dangerous_char($waminame, 'strict');
$waminame = FileManager::disable_dangerous_file($waminame);
// NOTE(review): $wamidir only passes through remove_XSS() before being joined
// onto $saveDir below; no '..'/separator normalisation or realpath() containment
// is visible here -- confirm it happens before $saveDir is used for writing.
$wamidir = Security::remove_XSS($wamidir);
// The recording is the raw request body. NOTE(review): no size cap is applied
// here beyond whatever PHP's post_max_size enforces.
$content = file_get_contents('php://input');
//security extension
// Extension check by name only: the last dot-separated component must be 'wav'.
$ext = explode('.', $waminame);
$ext = strtolower($ext[sizeof($ext) - 1]);
if ($ext != 'wav') {
    die;
}
//Do not use here check Fileinfo method because return: text/plain
// NOTE(review): consequently $content is never verified to actually be WAV data.
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document';
$saveDir = $dirBaseDocuments . $wamidir;
$current_session_id = api_get_session_id();
$groupId = $_SESSION['_gid'];
//avoid duplicates
$waminame_to_save = $waminame;
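// Create the audio folder if it does not exist yet.
// $key is assumed to be the $_FILES entry selected by the enclosing code.
$_course = api_get_course_info();
$filepath = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/';
if (!is_dir($filepath . 'audio')) {
    // NOTE(review): mkdir()'s result is not checked, so a failure here still
    // registers the folder in the document table.
    mkdir($filepath . 'audio', api_get_permissions_for_new_directories());
    $audio_id = FileManager::add_document($_course, '/audio', 'folder', 0, 'audio');
    api_item_property_update($_course, TOOL_DOCUMENT, $audio_id, 'FolderCreated', api_get_user_id(), null, null, null, null, api_get_session_id());
}

// Check if the file already exists in document/audio/.
$file_name = $_FILES[$key]['name'];
$file_name = stripslashes($file_name);
// Add extension to files without one (if possible).
// NOTE(review): $_FILES[...]['type'] is the MIME type claimed by the client, so
// an extension derived from it is untrusted until disable_dangerous_file() runs.
$file_name = FileManager::add_ext_on_mime($file_name, $_FILES[$key]['type']);
$clean_name = api_replace_dangerous_char($file_name);
// No "dangerous" files.
$clean_name = FileManager::disable_dangerous_file($clean_name);
$check_file_path = api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document/audio/' . $clean_name;

// If the file exists we generate a new name.
if (file_exists($check_file_path)) {
    // Split on the LAST dot only. The previous explode()/implode() version
    // treated a dot-less name as pure extension (producing "<time>.<name>")
    // and silently dropped any inner dots.
    $dot_pos = strrpos($clean_name, '.');
    if ($dot_pos === false) {
        $stem = $clean_name;
        $suffix = '';
    } else {
        $stem = substr($clean_name, 0, $dot_pos);
        $suffix = substr($clean_name, $dot_pos);
    }
    // time() alone collides for two same-named uploads within one second;
    // uniqid() adds a per-request component on top of it.
    $clean_name = $stem . '_' . time() . '_' . uniqid() . $suffix;
    // Using the new name in the $_FILES superglobal.
    $_FILES[$key]['name'] = $clean_name;
}

// Upload the file in the documents tool.
$file_path = FileManager::handle_uploaded_document($_course, $_FILES[$key], api_get_path(SYS_COURSE_PATH) . $_course['path'] . '/document', '/audio', api_get_user_id(), '', '', '', '', false);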
/**
 * Rewrite a filename that the web server could execute or that would alter
 * its configuration into a harmless form.
 *
 * This is a thin wrapper around FileManager::disable_dangerous_file(), which
 * the original author documents as covering *.php[.]?* and .htaccess only;
 * other server-side languages' extensions are NOT covered, so callers must
 * still whitelist what they accept.
 *
 * @param string $filename Unfiltered filename
 * @return string Filtered filename
 */
public static function filter_filename($filename)
{
    $safe_name = FileManager::disable_dangerous_file($filename);

    return $safe_name;
}
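/**
 * Upload a submitted user production.
 *
 * Reads the "production" entry of $_FILES and stores it under the user's
 * picture directory as <picture dir>/<user id>/<sanitised name>.
 *
 * @param int $user_id User id
 * @return string|false The filename of the new production, or FALSE if no
 *                      valid upload was submitted, the extension was rejected
 *                      or the move failed
 */
function upload_user_production($user_id)
{
    // Without a successful upload there is nothing to do; bail out before
    // touching the filesystem (and before reading undefined $_FILES indexes).
    if (!isset($_FILES['production']) || !is_array($_FILES['production'])
        || !isset($_FILES['production']['error'])
        || $_FILES['production']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }

    // The id becomes a path component: force it to an integer so it can never
    // carry separators or '..'.
    $user_id = (int) $user_id;
    $image_path = UserManager::get_user_picture_path_by_id($user_id, 'system', true);
    $production_repository = $image_path['dir'] . $user_id . '/';
    if (!is_dir($production_repository)) {
        // Best effort: a failure surfaces below when move_uploaded_file() fails.
        @mkdir($production_repository, api_get_permissions_for_new_directories(), true);
    }

    // Same sanitising chain as the other upload paths of this tool, followed
    // by the extension whitelist check.
    $filename = api_replace_dangerous_char($_FILES['production']['name']);
    $filename = FileManager::disable_dangerous_file($filename);
    if (!FileManager::filter_extension($filename)) {
        return false;
    }

    // move_uploaded_file() only accepts files that really came from this
    // request's upload; warnings are suppressed and reported via the return value.
    if (!@move_uploaded_file($_FILES['production']['tmp_name'], $production_repository . $filename)) {
        return false; // this should be returned if anything went wrong with the upload
    }

    return $filename;
}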