/** * send response (save uploaded file, resize if required) * @access public * */ public function sendResponse() { $iErrorNumber = QFINDER_CONNECTOR_ERROR_NONE; $_config =& QFinder_Connector_Core_Factory::getInstance("Core_Config"); $oRegistry =& QFinder_Connector_Core_Factory::getInstance("Core_Registry"); $oRegistry->set("FileUpload_fileName", "unknown file"); $uploadedFile = array_shift($_FILES); if (!isset($uploadedFile['name'])) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_INVALID); } $sUnsafeFileName = QFinder_Connector_Utils_FileSystem::convertToFilesystemEncoding(QFinder_Connector_Utils_Misc::mbBasename($uploadedFile['name'])); $sFileName = QFinder_Connector_Utils_FileSystem::secureFileName($sUnsafeFileName); if ($sFileName != $sUnsafeFileName) { $iErrorNumber = QFINDER_CONNECTOR_ERROR_UPLOADED_INVALID_NAME_RENAMED; } $oRegistry->set("FileUpload_fileName", $sFileName); $this->checkConnector(); $this->checkRequest(); if (!$this->_currentFolder->checkAcl(QFINDER_CONNECTOR_ACL_FILE_UPLOAD)) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UNAUTHORIZED); } $_resourceTypeConfig = $this->_currentFolder->getResourceTypeConfig(); if (!QFinder_Connector_Utils_FileSystem::checkFileName($sFileName) || $_resourceTypeConfig->checkIsHiddenFile($sFileName)) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_INVALID_NAME); } $resourceTypeInfo = $this->_currentFolder->getResourceTypeConfig(); if (!$resourceTypeInfo->checkExtension($sFileName)) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_INVALID_EXTENSION); } $oRegistry->set("FileUpload_fileName", $sFileName); $oRegistry->set("FileUpload_url", $this->_currentFolder->getUrl()); $maxSize = $resourceTypeInfo->getMaxSize(); if (!$_config->checkSizeAfterScaling() && $maxSize && $uploadedFile['size'] > $maxSize) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_TOO_BIG); } $htmlExtensions = $_config->getHtmlExtensions(); $sExtension = QFinder_Connector_Utils_FileSystem::getExtension($sFileName); if ($htmlExtensions && !QFinder_Connector_Utils_Misc::inArrayCaseInsensitive($sExtension, $htmlExtensions) && ($detectHtml = QFinder_Connector_Utils_FileSystem::detectHtml($uploadedFile['tmp_name'])) === true) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_WRONG_HTML_FILE); } $secureImageUploads = $_config->getSecureImageUploads(); if ($secureImageUploads && ($isImageValid = QFinder_Connector_Utils_FileSystem::isImageValid($uploadedFile['tmp_name'], $sExtension)) === false) { $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_CORRUPT); } switch ($uploadedFile['error']) { case UPLOAD_ERR_OK: break; case UPLOAD_ERR_INI_SIZE: case UPLOAD_ERR_FORM_SIZE: $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_TOO_BIG); break; case UPLOAD_ERR_PARTIAL: case UPLOAD_ERR_NO_FILE: $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_CORRUPT); break; case UPLOAD_ERR_NO_TMP_DIR: $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_NO_TMP_DIR); break; case UPLOAD_ERR_CANT_WRITE: $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_ACCESS_DENIED); break; case UPLOAD_ERR_EXTENSION: $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_ACCESS_DENIED); break; } $sServerDir = $this->_currentFolder->getServerPath(); while (true) { $sFilePath = QFinder_Connector_Utils_FileSystem::combinePaths($sServerDir, $sFileName); if (file_exists($sFilePath)) { $sFileName = QFinder_Connector_Utils_FileSystem::autoRename($sServerDir, $sFileName); $oRegistry->set("FileUpload_fileName", $sFileName); $iErrorNumber = QFINDER_CONNECTOR_ERROR_UPLOADED_FILE_RENAMED; } else { if (false === move_uploaded_file($uploadedFile['tmp_name'], $sFilePath)) { $iErrorNumber = QFINDER_CONNECTOR_ERROR_ACCESS_DENIED; } else { if (isset($detectHtml) && $detectHtml === -1 && QFinder_Connector_Utils_FileSystem::detectHtml($sFilePath) === true) { @unlink($sFilePath); $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_WRONG_HTML_FILE); } else { if (isset($isImageValid) && $isImageValid === -1 && QFinder_Connector_Utils_FileSystem::isImageValid($sFilePath, $sExtension) === false) { @unlink($sFilePath); $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_CORRUPT); } } } if (is_file($sFilePath) && ($perms = $_config->getChmodFiles())) { $oldumask = umask(0); chmod($sFilePath, $perms); umask($oldumask); } break; } } if (!$_config->checkSizeAfterScaling()) { $this->_errorHandler->throwError($iErrorNumber, true, false); } //resize image if required require_once QFINDER_CONNECTOR_LIB_DIR . "/CommandHandler/Thumbnail.php"; $_imagesConfig = $_config->getImagesConfig(); if ($_imagesConfig->getMaxWidth() > 0 && $_imagesConfig->getMaxHeight() > 0 && $_imagesConfig->getQuality() > 0) { QFinder_Connector_CommandHandler_Thumbnail::createThumb($sFilePath, $sFilePath, $_imagesConfig->getMaxWidth(), $_imagesConfig->getMaxHeight(), $_imagesConfig->getQuality(), true); } if ($_config->checkSizeAfterScaling()) { //check file size after scaling, attempt to delete if too big clearstatcache(); if ($maxSize && filesize($sFilePath) > $maxSize) { @unlink($sFilePath); $this->_errorHandler->throwError(QFINDER_CONNECTOR_ERROR_UPLOADED_TOO_BIG); } else { $this->_errorHandler->throwError($iErrorNumber, true, false); } } QFinder_Connector_Core_Hooks::run('AfterFileUpload', array(&$this->_currentFolder, &$uploadedFile, &$sFilePath)); }
/** * Check one file for security reasons * * @param object $filePathInfo * @param string $originalFileName * @return mixed bool(false) - if security checks fails. Otherwise string - ralative zip archive path with secured filename. */ protected function checkOneFile($filePathInfo, $originalFileName) { $resourceTypeInfo = $this->_currentFolder->getResourceTypeConfig(); // checked if it is a folder $fileStat = $this->zip->statName($originalFileName); if (empty($filePathInfo['extension']) && empty($fileStat['size'])) { $sNewFolderName = QFinder_Connector_Utils_FileSystem::convertToFilesystemEncoding(rtrim($fileStat['name'], '/')); if ($this->_config->forceAscii()) { $sNewFolderName = QFinder_Connector_Utils_FileSystem::convertToAscii($sNewFolderName); } if (!QFinder_Connector_Utils_FileSystem::checkFolderPath($sNewFolderName) || $resourceTypeInfo->checkIsHiddenFolder($sNewFolderName)) { $this->errorCode = QFINDER_CONNECTOR_ERROR_INVALID_NAME; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } if (!is_writeable($this->_currentFolder->getServerPath())) { $this->errorCode = QFINDER_CONNECTOR_ERROR_ACCESS_DENIED; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } return $originalFileName; } $fileName = QFinder_Connector_Utils_FileSystem::convertToFilesystemEncoding($filePathInfo['basename']); $sFileName = QFinder_Connector_Utils_FileSystem::secureFileName($fileName); // max file size $maxSize = $resourceTypeInfo->getMaxSize(); if ($maxSize && $fileStat['size'] > $maxSize) { $this->errorCode = QFINDER_CONNECTOR_ERROR_UPLOADED_TOO_BIG; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } // extension if (!$resourceTypeInfo->checkExtension($sFileName)) { $this->errorCode = QFINDER_CONNECTOR_ERROR_INVALID_EXTENSION; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } // hidden file if (!QFinder_Connector_Utils_FileSystem::checkFileName($sFileName) || $resourceTypeInfo->checkIsHiddenFile($sFileName)) { $this->errorCode = QFINDER_CONNECTOR_ERROR_INVALID_REQUEST; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } // unpack file to tmp dir for detecting html and valid image $dir = QFinder_Connector_Utils_FileSystem::getTmpDir() . '/'; if (file_exists($dir . $sFileName) && !QFinder_Connector_Utils_FileSystem::unlink($dir . $sFileName)) { $this->errorCode = QFINDER_CONNECTOR_ERROR_INVALID_REQUEST; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } if (copy('zip://' . $this->filePath . '#' . $originalFileName, $dir . $sFileName)) { // html extensions $htmlExtensions = $this->_config->getHtmlExtensions(); $sExtension = QFinder_Connector_Utils_FileSystem::getExtension($dir . $sFileName); if ($htmlExtensions && !QFinder_Connector_Utils_Misc::inArrayCaseInsensitive($sExtension, $htmlExtensions) && QFinder_Connector_Utils_FileSystem::detectHtml($dir . $sFileName) === true) { $this->errorCode = QFINDER_CONNECTOR_ERROR_UPLOADED_INVALID; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } // proper image $secureImageUploads = $this->_config->getSecureImageUploads(); if ($secureImageUploads && ($isImageValid = QFinder_Connector_Utils_FileSystem::isImageValid($dir . $sFileName, $sExtension)) === false) { $this->errorCode = QFINDER_CONNECTOR_ERROR_UPLOADED_INVALID; $this->appendErrorNode($this->skippedFilesNode, $this->errorCode, $originalFileName); return false; } } $sDirName = $filePathInfo['dirname'] != '.' ? $filePathInfo['dirname'] . '/' : ''; return $sDirName . $sFileName; }