/**
 * Read the data file's metadata and refresh the fields that depend on it.
 *
 * Photos and movies get their width, height, mime type and extension from
 * photo::get_file_metadata() / movie::get_file_metadata(). The extension returned by that call,
 * not whatever extension the current name carries, is what legal_file::sanitize_filename()
 * receives, so the stored name follows the identified file type.
 *
 * Nothing is rethrown: any Exception raised in here only sets $this->data_file_error, which is
 * meant to be reported during item validation.
 */
private function _process_data_file_info() {
  try {
    if ($this->is_photo()) {
      $metadata = photo::get_file_metadata($this->data_file);
    } elseif ($this->is_movie()) {
      $metadata = movie::get_file_metadata($this->data_file);
    } else {
      // Albums don't have data files.
      $this->data_file = null;
      return;
    }
    list($this->width, $this->height, $this->mime_type, $extension) = $metadata;

    // Rebuild the name from the identified extension. Assign it only when it actually differs,
    // so the item isn't unnecessarily marked as "changed".
    $sanitized_name = legal_file::sanitize_filename($this->name, $extension, $this->type);
    if ($sanitized_name != $this->name) {
      $this->name = $sanitized_name;
    }

    // The data file is valid - clear any error flag left over from an earlier attempt.
    $this->data_file_error = false;
  } catch (Exception $e) {
    // The data file is invalid - raise the flag so item validation reports it.
    // NOTE(review): the exception itself is discarded, so the reason for the rejection is not
    // recorded in this method.
    $this->data_file_error = true;
  }
}
/**
 * Admin action: install an uploaded image as the watermark.
 *
 * Verifies the CSRF token, validates the add form, identifies the uploaded file with
 * photo::get_file_metadata(), moves it to VARPATH/modules/watermark/ under a sanitized name and
 * stores its properties as "watermark" module variables. The outcome is sent with json::reply().
 *
 * NOTE(review): the path in $_POST["file"] is handed straight to get_file_metadata(), rename()
 * and system::delete_later(). This method relies on $form->validate() for that value being the
 * upload's temporary path; that is not visible from here, and validation is skipped entirely
 * when TEST_MODE is set - confirm TEST_MODE can never be enabled on a production install.
 */
public function add() {
  access::verify_csrf();

  $form = watermark::get_add_form();

  // For TEST_MODE, we want to simulate a file upload. Because this is not a true upload, Forge's
  // validation logic will correctly reject it. So, we skip validation when we're running tests.
  if (!TEST_MODE && !$form->validate()) {
    json::reply(array("result" => "error", "html" => (string) $form));
  } else {
    $upload_path = $_POST["file"];
    // Forge prefixes files with "uploadfile-xxxxxxx" for uniqueness
    $name = preg_replace("/uploadfile-[^-]+-(.*)/", '$1', basename($upload_path));

    try {
      list($width, $height, $mime_type, $extension) = photo::get_file_metadata($upload_path);
      // The stored name takes the extension identified from the file rather than the one the
      // uploader supplied. This renaming prevents the issues addressed in ticket #1855, where an
      // image that looked valid (header said jpg) with a php extension was previously accepted
      // without changing its extension.
      $name = legal_file::sanitize_filename($name, $extension, "photo");
    } catch (Exception $e) {
      message::error(t("Invalid or unidentifiable image file"));
      system::delete_later($upload_path);
      return;
    }

    // NOTE(review): rename()'s result is not checked here, so the success path below still runs
    // if the move fails, unless the framework turns the PHP warning into an exception.
    rename($upload_path, VARPATH . "modules/watermark/{$name}");

    $file_properties = array(
      "name" => $name,
      "width" => $width,
      "height" => $height,
      "mime_type" => $mime_type);
    foreach ($file_properties as $key => $value) {
      module::set_var("watermark", $key, $value);
    }
    module::set_var("watermark", "position", $form->add_watermark->position->value);
    module::set_var("watermark", "transparency", $form->add_watermark->transparency->value);
    $this->_update_graphics_rules();
    system::delete_later($upload_path);

    message::success(t("Watermark saved"));
    log::success("watermark", t("Watermark saved"));
    json::reply(array("result" => "success", "location" => url::site("admin/watermarks")));
  }

  // Override the application/json mime type for iframe compatibility. See ticket #2022.
  // As text/plain, the reply (which can carry the form's markup) is not declared as HTML to the
  // iframe that buffers it.
  header("Content-Type: text/plain; charset=" . Kohana::CHARSET);
}
/**
 * Admin action: install an uploaded image as the watermark.
 *
 * Verifies the CSRF token, validates the add form, identifies the uploaded file with
 * photo::get_file_metadata(), moves it to VARPATH/modules/watermark/ under a sanitized name and
 * stores its properties as "watermark" module variables. The outcome is sent with json::reply()
 * and then relabelled as text/html for the uploader's iframe.
 *
 * NOTE(review): the path in $_POST["file"] is handed straight to get_file_metadata(), rename()
 * and system::delete_later(). This method relies on $form->validate() for that value being the
 * upload's temporary path; that is not visible from here, and validation is skipped entirely
 * when TEST_MODE is set - confirm TEST_MODE can never be enabled on a production install.
 */
public function add() {
  access::verify_csrf();

  $form = watermark::get_add_form();

  // For TEST_MODE, we want to simulate a file upload. Because this is not a true upload, Forge's
  // validation logic will correctly reject it. So, we skip validation when we're running tests.
  if (!TEST_MODE && !$form->validate()) {
    // rawurlencode the results because the JS code that uploads the file buffers it in an
    // iframe which entitizes the HTML and makes it difficult for the JS to process. If we url
    // encode it now, it passes through cleanly. See ticket #797.
    json::reply(array("result" => "error", "html" => rawurlencode((string) $form)));
  } else {
    $upload_path = $_POST["file"];
    // Forge prefixes files with "uploadfile-xxxxxxx" for uniqueness
    $name = preg_replace("/uploadfile-[^-]+-(.*)/", '$1', basename($upload_path));

    try {
      list($width, $height, $mime_type, $extension) = photo::get_file_metadata($upload_path);
      // The stored name takes the extension identified from the file rather than the one the
      // uploader supplied. This renaming prevents the issues addressed in ticket #1855, where an
      // image that looked valid (header said jpg) with a php extension was previously accepted
      // without changing its extension.
      $name = legal_file::sanitize_filename($name, $extension, "photo");
    } catch (Exception $e) {
      message::error(t("Invalid or unidentifiable image file"));
      system::delete_later($upload_path);
      return;
    }

    // NOTE(review): rename()'s result is not checked here, so the success path below still runs
    // if the move fails, unless the framework turns the PHP warning into an exception.
    rename($upload_path, VARPATH . "modules/watermark/{$name}");

    $file_properties = array(
      "name" => $name,
      "width" => $width,
      "height" => $height,
      "mime_type" => $mime_type);
    foreach ($file_properties as $key => $value) {
      module::set_var("watermark", $key, $value);
    }
    module::set_var("watermark", "position", $form->add_watermark->position->value);
    module::set_var("watermark", "transparency", $form->add_watermark->transparency->value);
    $this->_update_graphics_rules();
    system::delete_later($upload_path);

    message::success(t("Watermark saved"));
    log::success("watermark", t("Watermark saved"));
    json::reply(array("result" => "success", "location" => url::site("admin/watermarks")));
  }

  // Override the application/json mime type. The dialog based HTML uploader uses an iframe to
  // buffer the reply, and on some browsers (Firefox 3.6) it does not know what to do with the
  // JSON that it gets back so it puts up a dialog asking the user what to do with it. So force
  // the encoding type back to HTML for the iframe.
  // See: http://jquery.malsup.com/form/#file-upload
  //
  // NOTE(review): with text/html the iframe parses the whole reply body as markup. The form HTML
  // is rawurlencoded above, but every other value placed in the reply needs the same care; a
  // non-HTML content type would remove that dependency if the client script can work with it.
  header("Content-Type: text/html; charset=" . Kohana::CHARSET);
}
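/**
 * legal_file::sanitize_filename() must throw for every extension/type pair that is not a valid
 * combination, including a script extension ("php") offered for a photo.
 *
 * The cases are a list of pairs rather than an extension => type map. As array keys the three
 * "jpg" entries collapse into a single element and null is cast to "", so a map silently drops
 * the "jpg"/"movie" and "jpg"/"album" cases and never passes a real null extension.
 */
public function sanitize_filename_with_invalid_arguments_test() {
  $invalid_cases = array(
    array("flv", "photo"),
    array("jpg", "movie"),
    array("php", "photo"),
    array(null, "movie"),
    array("jpg", "album"),
    array("jpg", null));

  foreach ($invalid_cases as $case) {
    list($extension, $type) = $case;

    $rejected = false;
    try {
      legal_file::sanitize_filename("foo.jpg", $extension, $type);
    } catch (Exception $e) {
      $rejected = true;
    }

    // Assert outside the try block: if assert_true() reports a failure by throwing an Exception
    // (not visible here), an assertion placed inside the try would be caught above and the test
    // could never fail.
    $this->assert_true(
      $rejected,
      "sanitize_filename should reject extension " . var_export($extension, true) .
      " with type " . var_export($type, true));
  }
}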