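/**
 * Logic for uploading an image selected in the media popup.
 *
 * Reads the 'userfile' upload and the 'task' request value, stores the
 * image below images/jem/{venues|events|categories}/ and then emits a
 * small script that alerts the outcome, steps the browser back one page
 * and (on success) hands the new filename to window.parent.SelectImage().
 *
 * Every outcome ends the request ($app->close(), redirect or jexit), so
 * nothing is returned to the caller.
 *
 * @access public
 * @return void
 */
function uploadimage()
{
    $app = JFactory::getApplication();

    // Check for request forgeries
    JSession::checkToken() or jexit('Invalid token');

    $jemsettings = JEMAdmin::config();
    $input       = $app->input;
    $file        = $input->files->get('userfile', [], 'array');
    $task        = $input->get('task', '');

    // Set FTP credentials, if given
    jimport('joomla.client.helper');
    JClientHelper::setCredentialsFromRequest('ftp');

    // Messages and the filename are written into a <script> block, so they
    // are encoded as JS string literals instead of being pasted between
    // quotes (an apostrophe or quote in the value would otherwise break out
    // of the literal).
    $jsString = function ($value) {
        return json_encode((string) $value);
    };

    // Print a one-shot script (alert + history.go(-1), optionally more JS)
    // and end the request.
    $finish = function ($message, $extraJs = '') use ($app, $jsString) {
        echo "<script> alert(" . $jsString($message) . "); window.history.go(-1); " . $extraJs . "</script>\n";
        $app->close();
    };

    // Map the task onto its fixed target directory. Any other task is not a
    // legitimate upload target and must not fall through with $base_Dir
    // undefined (which made the destination path relative to the cwd).
    $targets = [
        'venueimgup'      => JPATH_SITE . '/images/jem/venues/',
        'eventimgup'      => JPATH_SITE . '/images/jem/events/',
        'categoriesimgup' => JPATH_SITE . '/images/jem/categories/',
    ];
    if (!isset($targets[$task])) {
        jexit('Invalid task');
    }
    $base_Dir = $targets[$task];

    // do we have an upload?
    if (empty($file['name'])) {
        $finish(JText::_('COM_JEM_IMAGE_EMPTY'));
    }

    // check the image (validity is decided by JEMImage::check)
    if (JEMImage::check($file, $jemsettings) === false) {
        // Only follow the Referer back when it points into this site;
        // otherwise land on the site root rather than an arbitrary URL.
        $back = isset($_SERVER['HTTP_REFERER']) && JUri::isInternal($_SERVER['HTTP_REFERER'])
            ? $_SERVER['HTTP_REFERER']
            : JUri::base();
        $app->redirect($back);
    }

    // sanitize the image filename and build the destination path
    $filename = JEMImage::sanitize($base_Dir, $file['name']);
    $filepath = $base_Dir . $filename;

    // upload the image
    if (!JFile::upload($file['tmp_name'], $filepath)) {
        $finish(JText::_('COM_JEM_UPLOAD_FAILED'));
    }

    $finish(
        JText::_('COM_JEM_UPLOAD_COMPLETE'),
        'window.parent.SelectImage(' . $jsString($filename) . ', ' . $jsString($filename) . '); '
    );
}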
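/**
 * Upload files for the specified object and register each one in the
 * jem_attachments table.
 *
 * Files are checked against the configured extension list and maximum
 * size, written below <attachments_path>/<object> and then stored as
 * attachment rows (file, object, optional name/description/access, added,
 * added_by). A rejected or failed file raises a warning and is skipped.
 *
 * @param array  $post_files data from JInput 'files' (name, tmp_name, size and
 *                           optional customname, description, access arrays,
 *                           all keyed by the upload index)
 * @param string $object     object identification (should be event<eventid>,
 *                           category<categoryid>, etc...)
 *
 * @return bool false when nothing was passed, $object is not a plain folder
 *              name, or the target folder cannot be created; true otherwise
 *              (per-file failures only raise warnings)
 */
public static function postUpload($post_files, $object)
{
    require_once JPATH_SITE.'/components/com_jem/classes/image.class.php';

    if (!(is_array($post_files) && count($post_files))) {
        return false;
    }

    // $object becomes a directory name below attachments_path, so it must
    // not carry path separators or parent references.
    $object = (string) $object;
    if ($object === '' || strpos($object, '..') !== false || strpbrk($object, '/\\') !== false) {
        return false;
    }

    $user        = JemFactory::getUser();
    $jemsettings = JEMHelper::config();
    $path        = JPATH_SITE.'/'.$jemsettings->attachments_path.'/'.$object;

    // Allowed extensions come as a comma separated config value; they are
    // compared case-insensitively and empty entries (e.g. a trailing comma)
    // are dropped so they cannot match an extension-less file.
    $allowed = array_map('strtolower', array_map('trim', explode(',', $jemsettings->attachments_types)));
    $allowed = array_values(array_filter($allowed, function ($ext) {
        return $ext !== '';
    }));

    $maxsizeinput = $jemsettings->attachments_maxsize * 1024; // size in kb

    foreach ($post_files['name'] as $k => $file) {
        if (empty($file)) {
            continue;
        }

        // check if the filetype is valid
        $fileext = strtolower(JFile::getExt($file));
        if ($fileext === '' || !in_array($fileext, $allowed, true)) {
            JError::raiseWarning(0, JText::_('COM_JEM_ERROR_ATTACHEMENT_EXTENSION_NOT_ALLOWED').': '.$file);
            continue;
        }

        // check size
        $size = isset($post_files['size'][$k]) ? (int) $post_files['size'][$k] : 0;
        if ($size > $maxsizeinput) {
            JError::raiseWarning(0, JText::sprintf('COM_JEM_ERROR_ATTACHEMENT_FILE_TOO_BIG', $file, $size, $maxsizeinput));
            continue;
        }

        // the folder is created lazily, on the first accepted file
        if (!JFolder::exists($path) && !JFolder::create($path)) {
            JError::raiseWarning(0, JText::_('COM_JEM_ERROR_COULD_NOT_CREATE_FOLDER').': '.$path);
            return false;
        }

        // TODO: Probably move this to a helper class
        $sanitizedFilename = JEMImage::sanitize($path, $file);

        // Make sure that the full file path is safe.
        $filepath = JPath::clean($path.'/'.$sanitizedFilename);

        // Since Joomla! 3.4.0 JFile::upload has some more params to control new security parsing
        // Unfortunately this parsing is partially stupid so it may reject archives for non-understandable reason.
        if (version_compare(JVERSION, '3.4', 'lt')) {
            $uploaded = JFile::upload($post_files['tmp_name'][$k], $filepath);
        } else {
            // switch off parsing archives for byte sequences looking like a script file extension
            // but keep all other checks running ('fobidden_ext_in_content' is the option's
            // spelling in Joomla's JFilterInput::isSafeFile, not a typo here)
            $uploaded = JFile::upload($post_files['tmp_name'][$k], $filepath, false, false, ['fobidden_ext_in_content' => false]);
        }

        // A failed copy must not leave an attachment row pointing at a missing file.
        if (!$uploaded) {
            JError::raiseWarning(0, JText::_('COM_JEM_UPLOAD_FAILED').': '.$file);
            continue;
        }

        $table = JTable::getInstance('jem_attachments', '');
        $table->file   = $sanitizedFilename;
        $table->object = $object;
        if (!empty($post_files['customname'][$k])) {
            $table->name = $post_files['customname'][$k];
        }
        if (!empty($post_files['description'][$k])) {
            $table->description = $post_files['description'][$k];
        }
        if (isset($post_files['access'][$k])) {
            $table->access = intval($post_files['access'][$k]);
        }
        // Local server time in the format strftime('%F %T') produced (strftime
        // is deprecated since PHP 8.1).
        // NOTE(review): the venue table stamps dates with JFactory::getDate()->toSql();
        // confirm which timezone the 'added' column is expected to hold.
        $table->added    = date('Y-m-d H:i:s');
        $table->added_by = $user->get('id');

        if (!($table->check() && $table->store())) {
            JError::raiseWarning(0, JText::_('COM_JEM_ATTACHMENT_ERROR_SAVING_TO_DB').': '.$table->getError());
        }
    }

    return true;
}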
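/**
 * Overloaded store method for the Venue table.
 *
 * Fills the audit columns (created/created_by on insert, modified/modified_by
 * on update), handles the frontend image upload or "remove on save" request
 * when images are enabled, clears a locimage whose extension is not
 * gif/jpg/png, unpublishes new venues the user may not auto-publish and
 * finally stores the row. A replaced or removed image is handed to
 * JemHelper::delete_unused_image_files() only after a successful store.
 *
 * @param bool $updateNulls passed through to the parent store()
 *
 * @return bool result of the parent store()
 */
public function store($updateNulls = false)
{
    $date        = JFactory::getDate();
    $user        = JemFactory::getUser();
    $userid      = $user->get('id');
    $app         = JFactory::getApplication();
    $jinput      = $app->input;
    $jemsettings = JEMHelper::config();

    // Check if we're in the front or back
    $backend = (bool) $app->isAdmin();

    if ($this->id) {
        // Existing venue: stamp the modification
        $this->modified    = $date->toSql();
        $this->modified_by = $userid;
    } else {
        // New venue: only fill in what the caller did not set.
        // intval() treats an unset/zero date (e.g. '0000-00-00 ...') as "not set".
        if (!intval($this->created)) {
            $this->created = $date->toSql();
        }
        if (empty($this->created_by)) {
            $this->created_by = $userid;
        }
    }

    // Check if image was selected
    jimport('joomla.filesystem.file');
    $image_dir       = JPATH_SITE.'/images/jem/venues/';
    $allowable       = ['gif', 'jpg', 'png'];
    $image_to_delete = false;

    // get image (frontend) - allow "removal on save" (Hoffi, 2014-06-07)
    if (!$backend && in_array((int) $jemsettings->imageenabled, [1, 2], true)) {
        $file        = $jinput->files->get('userfile', [], 'array');
        $removeimage = $jinput->getInt('removeimage', 0);

        if (!empty($file['name'])) {
            // check the image
            if (JEMImage::check($file, $jemsettings) !== false) {
                // sanitize the image filename
                $filename = JEMImage::sanitize($image_dir, $file['name']);
                $filepath = $image_dir . $filename;

                if (JFile::upload($file['tmp_name'], $filepath)) {
                    $image_to_delete = $this->locimage; // delete previous image
                    $this->locimage  = $filename;
                }
            }
        } elseif (!empty($removeimage)) {
            // if removeimage is non-zero remove image from venue
            // (file will be deleted later (e.g. housekeeping) if unused)
            $image_to_delete = $this->locimage;
            $this->locimage  = '';
        }
    }

    // Only keep an image whose extension is in the allow list. The comparison
    // is case-insensitive so e.g. "photo.JPG" is not silently dropped.
    $format = strtolower(JFile::getExt($image_dir . $this->locimage));
    if (!in_array($format, $allowable, true)) {
        $this->locimage = '';
    }

    if (!$backend) {
        // check if the user has the required rank for autopublish new venues
        if (!$this->id && !$user->can('publish', 'venue', $this->id, $this->created_by)) {
            $this->published = 0;
        }
    }

    // item must be stored BEFORE image deletion
    $ret = parent::store($updateNulls);
    if ($ret && $image_to_delete) {
        JemHelper::delete_unused_image_files('venue', $image_to_delete);
    }

    return $ret;
}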