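/**
 * Enforces the configured constraints on one uploaded file.
 *
 * Every constraint is optional.  The first one that fails ends the request
 * through final_response() (assumed to terminate the script — TODO confirm):
 *   - 'mime_types' : 415 unless $file->mime_type_matches() accepts the list
 *   - 'extensions' : 415 unless the lower-cased text after the last "." of the
 *                    filename is in the list (a name with no "." is compared
 *                    whole); this inspects the name only, not the content, so
 *                    it should be paired with 'mime_types'
 *   - 'max_size'   : 413 when $file->get_size() exceeds the limit (both are
 *                    presumably byte counts — verify against the file class)
 *   - 'validator'  : 406 when the callback returns a falsy value.  Given as
 *                    array($include_path, $callback); the include is loaded
 *                    with reason_include_once() and the callback receives the
 *                    uploaded-file object.
 *
 * @param array  $constraints keys 'mime_types', 'extensions', 'max_size', 'validator'
 * @param object $file        uploaded-file object providing get_filename(),
 *                            get_size() and mime_type_matches()
 * @return void
 */
function check_constraints($constraints, $file)
{
    if (!empty($constraints['mime_types'])) {
        if (!$file->mime_type_matches($constraints['mime_types'])) {
            final_response(415, "File is not of an allowed type.");
        }
    }

    if (!empty($constraints['extensions'])) {
        $filename_parts = explode('.', $file->get_filename());
        $extension = strtolower(end($filename_parts));
        // Strict comparison: both sides are strings, and a loose in_array()
        // would treat numerically-equal strings ("0" and "00") as a match.
        if (!in_array($extension, $constraints['extensions'], true)) {
            final_response(415, "File is not of an allowed type.");
        }
    }

    if (!empty($constraints['max_size'])) {
        if ($file->get_size() > (int) $constraints['max_size']) {
            final_response(413, "File is unacceptably large.");
        }
    }

    if (!empty($constraints['validator'])) {
        // Keep the include path in its own variable so $file still refers to
        // the uploaded file when it is handed to the validator callback.
        list($validator_file, $callback) = $constraints['validator'];
        reason_include_once($validator_file);
        if (!call_user_func($callback, $file)) {
            final_response(406, "Invalid or unacceptable file uploaded.");
        }
    }
}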
// NOTE(review): reason_sid is taken straight from the request; whether
// start() validates the session id is outside this excerpt — confirm.
$reason_session->start($_REQUEST['reason_sid']);
} else {
    $reason_session->start();
}

// Resolve the upload session named by the request.  $_REQUEST merges GET,
// POST and cookie input, so upload_sid may arrive through any of them; the
// "@" only silences the undefined-index notice when it is absent.
$upload_sid = @$_REQUEST['upload_sid'];
$session = _get_async_upload_session($upload_sid);
if (!$session) {
    if (empty($_REQUEST['upload_sid'])) {
        final_response(400, "Upload session (upload_sid) not provided.");
    } else {
        // NOTE(review): the caller-supplied id is echoed back verbatim; confirm
        // final_response() encodes it for the response format it emits.
        final_response(400, "No upload session with ID " . $upload_sid);
    }
}

// Permission check.  can_upload() is declared below; PHP makes unconditionally
// declared functions available before their definition, so this call is fine
// as long as this code is not itself nested inside a conditional.
if (!can_upload($session)) {
    final_response(403, "Permission denied.");
}

/**
 * Decides whether the current user may upload into the given session.
 *
 * When the session names an authenticator, the username is read from the
 * Reason session.  An optional user_id request parameter (cleaned with
 * carl_clean_vars) lets a user holding the 'pose_as_other_user' privilege act
 * as another user.  The remainder of this function lies outside this excerpt.
 *
 * @param array $session upload session record; 'authenticator' key is read here
 */
function can_upload($session)
{
    if ($session['authenticator']) {
        $auth = $session['authenticator'];
        $reason_session =& get_reason_session();
        $username = $reason_session->get("username");
        if (isset($_REQUEST['user_id']) && !empty($_REQUEST['user_id'])) {
            // Re-reads the same username as above; harmless but redundant.
            $username = $reason_session->get('username');
            $param_cleanup_rules = array('user_id' => array('function' => 'turn_into_int', 'extra_args' => array('zero_to_null' => 'true')));
            $cleanRequest = array_merge($_REQUEST, carl_clean_vars($_REQUEST, $param_cleanup_rules));
            $nametag = $cleanRequest['user_id'];
            $id = get_user_id($username);
            // Only a user with the pose_as_other_user privilege may act as $nametag.
            if (reason_user_has_privs($id, 'pose_as_other_user')) {
                $user = new Entity($nametag);
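/**
 * Handles removing files that were uploaded asynchronously.
 *
 * @package reason
 * @subpackage scripts
 * @since Reason 4.0 beta 8
 * @author Eric Naeseth <*****@*****.**>
 */
// Presumably provides final_response(), _async_upload_session_key() and the
// $session / $reason_session / $upload_sid variables used below — confirm.
require 'common.inc.php';

// Both parameters must be present and must be plain strings: a PHP array
// value (e.g. name[]=x) used as an array key below would raise a TypeError and
// turn a malformed request into a fatal error instead of a 400.
if (empty($_POST['name']) || !isset($_POST['index'])
    || !is_string($_POST['name']) || !is_string($_POST['index'])) {
    final_response(400, "Invalid file removal request.");
}

$name = $_POST['name'];
if (empty($session['files'][$name])) {
    final_response(404, "No files have been uploaded with that name.");
}

$index = $_POST['index'];
if (empty($session['files'][$name][$index])) {
    final_response(404, "No file has been uploaded with that index.");
}

$info = $session['files'][$name][$index];

// The paths come from the server-side session record written at upload time,
// not from the request, so name/index can only select files this session
// already owns.  Missing or already-deleted files are skipped so a repeated
// removal is harmless; any other unlink() failure surfaces as a normal PHP
// warning rather than being suppressed.
foreach (array('path', 'original_path') as $key) {
    if (!empty($info[$key]) && is_file($info[$key])) {
        unlink($info[$key]);
    }
}

unset($session['files'][$name][$index]);
$reason_session->set(_async_upload_session_key($upload_sid), $session);
final_response(200, "File removed.");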