/**
 * Render the user-selection list for this form field.
 *
 * The currently selected value is read from the bound form under the
 * element's name, cast to string (so an unset value becomes ''), and
 * handed to PhocaDownloadUser::usersList() together with the field's
 * name and id.
 *
 * @return mixed Whatever PhocaDownloadUser::usersList() returns (the field markup).
 */
protected function getInput()
{
    $selectedUser = (string) $this->form->getValue($this->element['name']);

    return PhocaDownloadUser::usersList($this->name, $this->id, $selectedUser, 1, NULL, 'name', 0);
}
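/**
 * Validate an uploaded file against the component's upload rules.
 *
 * Checks run in this order and the first failure wins:
 *  1. a file name is present and unchanged by JFile::makesafe();
 *  2. the extension is not on the disallowed list and is on the allowed list
 *     (skipped entirely when the ignore_file_types_check option says so);
 *  3. the size limit (upload_maxsize in the backend, user_file_upload_size on
 *     the frontend; for chunked uploads $realSize is used, not $file['size']);
 *  4. the per-user quota, only when $frontEnd == 2;
 *  5. for image extensions, getimagesize() must succeed (non-chunked uploads only);
 *  6. for non-images, the sniffed MIME type must not be on the illegal list;
 *  7. the first 256 bytes must not contain any of the HTML tags from
 *     PhocaDownloadSettings::getHTMLTagsUpload().
 *
 * @param array  $file         One entry of $_FILES: name, size, tmp_name.
 * @param string $err          Receives the language key (or translated text for the
 *                             user-quota checks) describing why the file was rejected.
 * @param string $manager      Manager name resolved via PhocaDownloadSettings::getManagerGroup().
 * @param int    $frontEnd     0 = backend, 1 = frontend upload, 2 = user control panel.
 * @param int    $chunkEnabled 1 when the file arrives in chunks; $file['size'] is then not used.
 * @param int    $realSize     Total size of a chunked upload.
 *
 * @return bool true when every check passed; false with $err set otherwise.
 */
public static function canUpload($file, &$err, $manager = '', $frontEnd = 0, $chunkEnabled = 0, $realSize = 0)
{
    $paramsC = JComponentHelper::getParams('com_phocadownload');

    if ($frontEnd == 1) {
        $aft = $paramsC->get('allowed_file_types_upload', PhocaDownloadSettings::getDefaultAllowedMimeTypesUpload());
        $dft = $paramsC->get('disallowed_file_types_upload', '');
        // FIX: the original read $params here, which is undefined in this static
        // method, so the frontend upload path could never get past this line.
        $ignoreUploadCheck = $paramsC->get('ignore_file_types_check', 2);
        $ignoreUploadCh = ($ignoreUploadCheck == 1 || $ignoreUploadCheck == 4) ? 1 : 0;
    } else {
        $aft = $paramsC->get('allowed_file_types_download', PhocaDownloadSettings::getDefaultAllowedMimeTypesDownload());
        $dft = $paramsC->get('disallowed_file_types_download', '');
        $ignoreUploadCheck = $paramsC->get('ignore_file_types_check', 2);
        // NOTE(review): the original tested "== 5 || == 5"; kept as one comparison.
        // Check the option's value list in case a second value was intended here.
        $ignoreUploadCh = ($ignoreUploadCheck == 5) ? 1 : 0;
    }

    $allowedMimeType    = PhocaDownloadFile::getMimeTypeString($aft);
    $disallowedMimeType = PhocaDownloadFile::getMimeTypeString($dft);

    // Effective allow/deny lists; group 'f' == 2 is an image-only manager.
    $paramsL = array();
    $group   = PhocaDownloadSettings::getManagerGroup($manager);
    if ($group['f'] == 2) {
        $paramsL['upload_extensions']  = 'gif,jpg,png,jpeg';
        $paramsL['image_extensions']   = 'gif,jpg,png,jpeg';
        $paramsL['upload_mime']        = 'image/jpeg,image/gif,image/png';
        $paramsL['upload_mime_illegal'] = 'application/x-shockwave-flash,application/msword,application/excel,application/pdf,application/powerpoint,text/plain,application/x-zip,text/html';
        $paramsL['upload_ext_illegal'] = $disallowedMimeType['ext'];
    } else {
        $paramsL['upload_extensions']  = $allowedMimeType['ext'];
        $paramsL['image_extensions']   = 'bmp,gif,jpg,png,jpeg';
        $paramsL['upload_mime']        = $allowedMimeType['mime'];
        $paramsL['upload_mime_illegal'] = $disallowedMimeType['mime'];
        $paramsL['upload_ext_illegal'] = $disallowedMimeType['ext'];
    }

    // 1. A file name must be present ...
    if (empty($file['name'])) {
        $err = 'COM_PHOCADOWNLOAD_WARNING_INPUT_FILE_UPLOAD';
        return false;
    }

    // ... and must already be "safe" (no characters makesafe() would strip).
    jimport('joomla.filesystem.file');
    if ($file['name'] !== JFile::makesafe($file['name'])) {
        $err = 'COM_PHOCADOWNLOAD_WARNFILENAME';
        return false;
    }

    // 2. Extension deny list, then allow list. Only the last extension is
    //    examined (JFile::getExt); an empty extension is rejected.
    $format = strtolower(JFile::getExt($file['name']));
    if ($ignoreUploadCh != 1) {
        $allowable    = explode(',', $paramsL['upload_extensions']);
        $notAllowable = explode(',', $paramsL['upload_ext_illegal']);

        if (in_array($format, $notAllowable)) {
            $err = 'COM_PHOCADOWNLOAD_WARNFILETYPE_DISALLOWED';
            return false;
        }
        if ($format == '' || $format == false || !in_array($format, $allowable)) {
            $err = 'COM_PHOCADOWNLOAD_WARNFILETYPE_NOT_ALLOWED';
            return false;
        }
    }

    // 3. Size limit. A limit of 0 disables the check. For chunked uploads the
    //    caller supplies the computed total size in $realSize.
    if ((int) $frontEnd > 0) {
        $maxSize = $paramsC->get('user_file_upload_size', 3145728);
    } else {
        $maxSize = $paramsC->get('upload_maxsize', 3145728);
    }
    $uploadSize = ($chunkEnabled == 1) ? $realSize : $file['size'];
    if ((int) $maxSize > 0 && (int) $uploadSize > (int) $maxSize) {
        $err = 'COM_PHOCADOWNLOAD_WARNFILETOOLARGE';
        return false;
    }

    // 4. Per-user quota (user control panel only): total size and file count.
    if ($frontEnd == 2) {
        $user               = JFactory::getUser();
        $maxUserUploadSize  = (int) $paramsC->get('user_files_max_size', 20971520);
        $maxUserUploadCount = (int) $paramsC->get('user_files_max_count', 5);
        $allFile            = PhocaDownloadUser::getUserFileInfo($file, $user->id);

        // NOTE(review): the incoming file's own size is not added to
        // $allFile['size'] here; confirm getUserFileInfo() already counts it,
        // otherwise the quota is only enforced against previously stored files.
        if ($maxUserUploadSize > 0 && (int) $allFile['size'] > $maxUserUploadSize) {
            $err = JText::_('COM_PHOCADOWNLOAD_WARNUSERFILESTOOLARGE');
            return false;
        }
        if ((int) $allFile['count'] > $maxUserUploadCount) {
            $err = JText::_('COM_PHOCADOWNLOAD_WARNUSERFILESTOOMUCH');
            return false;
        }
    }

    // 5./6. Content checks, keyed on the (already validated) extension.
    $imginfo = null;
    $images  = explode(',', $paramsL['image_extensions']);
    if (in_array($format, $images)) {
        // Image: getimagesize() must be able to parse it. Skipped for chunked
        // uploads because tmp_name is only one chunk, and for managers with
        // group 'i' != 1.
        if ($group['i'] == 1 && $chunkEnabled != 1) {
            if (($imginfo = getimagesize($file['tmp_name'])) === FALSE) {
                // FIX: the original overwrote $err with $imginfo[0] (null) right
                // after setting it, so the caller never saw the message.
                $err = 'COM_PHOCADOWNLOAD_WARNINVALIDIMG';
                return false;
            }
        }
    } else {
        // Non-image: sniff the MIME type and reject it only if it is on the
        // illegal list and not on the allowed list.
        $allowed_mime = explode(',', $paramsL['upload_mime']);
        $illegal_mime = explode(',', $paramsL['upload_mime_illegal']);
        $type         = '';

        if (function_exists('finfo_open')) {
            // FIX: FILEINFO_MIME yields "type/subtype; charset=..." which never
            // equals the bare "type/subtype" entries in the lists, so the illegal
            // MIME check was dead code. FILEINFO_MIME_TYPE returns the bare type.
            $finfo = finfo_open(FILEINFO_MIME_TYPE);
            $type  = finfo_file($finfo, $file['tmp_name']);
            finfo_close($finfo);
        } else if (function_exists('mime_content_type')) {
            $type = mime_content_type($file['tmp_name']);
        }

        if (is_string($type) && $type !== ''
            && !in_array($type, $allowed_mime) && in_array($type, $illegal_mime)) {
            $err = 'COM_PHOCADOWNLOAD_WARNINVALIDMIME';
            return false;
        }
    }

    // 7. HTML-tag scan of the first 256 bytes only; a tag placed deeper in the
    //    file is not seen by this check.
    $xss_check = JFile::read($file['tmp_name'], false, 256);
    $html_tags = PhocaDownloadSettings::getHTMLTagsUpload();
    foreach ($html_tags as $tag) {
        // A tag is '<tagname ' or '<tagname>'.
        if (stristr($xss_check, '<' . $tag . ' ') || stristr($xss_check, '<' . $tag . '>')) {
            $err = 'COM_PHOCADOWNLOAD_WARNIEXSS';
            return false;
        }
    }

    return true;
}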
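/**
 * Insert or update the #__phocadownload row describing an uploaded file.
 *
 * When $fileExists == 1 the row whose filename equals $filename is reused
 * (its id is copied into $data) so the overwritten file does not get a
 * duplicate record. The row is then populated from $data plus computed
 * fields (filesize, owner, token, timestamps, language, ordering), checked
 * and stored, and a log entry is written.
 *
 * NOTE(review): the lookup is by filename only, without a userid filter, and
 * userid is then set to the current user. If callers do not verify ownership
 * beforehand, uploading a same-named file would re-own another user's record.
 * Confirm against the caller.
 *
 * @param array  $data        Form data; uses title, email, website, catidfiles and
 *                            any columns bound by the phocadownload table.
 * @param string $filename    Stored file name (also used for the size and token).
 * @param string $errSaveMsg  Not written by this method; errors go through setError().
 * @param int    $fileExists  1 when the file already existed on disk and was overwritten.
 *
 * @return bool true on success, false after setError() on any failure.
 */
function _save($data, $filename, &$errSaveMsg, $fileExists = 0)
{
    $user   = JFactory::getUser();
    $fileId = false;

    if ($fileExists == 1 && isset($filename) && $filename != '') {
        // The file on disk was overwritten, so update its row rather than insert.
        $db    = JFactory::getDBO();
        $query = 'SELECT a.id AS id'
            . ' FROM #__phocadownload AS a'
            . ' WHERE a.filename = ' . $db->Quote($filename);
        $db->setQuery($query, 0, 1);
        $fileId = $db->loadObject();
        // FIX: the original called $db->query() after loadObject(), executing the
        // SELECT a second time just to test for an error.
        if ($db->getErrorNum()) {
            $this->setError($db->getErrorMsg());
            return false;
        }
    }

    $row = $this->getTable('phocadownload');
    if (isset($fileId->id) && (int) $fileId->id > 0) {
        $data['id'] = (int) $fileId->id;
    }

    $data['filesize']     = PhocaDownloadFile::getFileSize($filename, 0);
    $data['userid']       = $user->id;
    $data['author_email'] = $data['email'];
    $data['author_url']   = $data['website'];
    $data['token']        = PhocaDownloadUtils::getToken($data['title'] . $filename);

    if (!$row->bind($data)) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    // Timestamps are set 2 seconds in the past: with the exact current time the
    // frontend would still show the item as pending.
    $jnow = JFactory::getDate(time() - 2);
    $now  = $jnow->toSql();
    $row->date         = $now;
    $row->publish_up   = $now;
    $row->publish_down = null;
    $row->filename     = $filename;
    $row->catid        = $data['catidfiles'];

    $userLang      = PhocaDownloadUser::getUserLang();
    $row->language = $userLang['lang'];

    // New items go last within their category.
    if (!$row->id) {
        $row->ordering = $row->getNextOrder('catid = ' . (int) $row->catid);
    }

    if (!$row->check()) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    if (!$row->store()) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    PhocaDownloadLog::log($row->id, 2);

    return true;
}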