if (isset($_GET['qqfile'])) {
$file = new qqUploadedFileXhr();
} elseif (isset($_FILES['qqfile'])) {
$file = new qqUploadedFileForm();
} else {
$file = false;
}
if ($Settings->get('upload_maxkb') && $file->getSize() > $Settings->get('upload_maxkb') * 1024) {
$message['text'] = '<span class="result_error">' . sprintf(T_('The file is too large: %s but the maximum allowed is %s.'), bytesreadable($file->getSize()), bytesreadable($Settings->get('upload_maxkb') * 1024)) . '</span>';
out_echo($message, $specialchars);
exit;
}
$newName = $file->getName();
$oldName = $newName;
// validate file name
if ($error_filename = process_filename($newName)) {
// Not a file name or not an allowed extension
$message['text'] = '<span class="result_error"> ' . $error_filename . '</span>';
out_echo($message, $specialchars);
exit;
}
list($newFile, $oldFile_thumb) = check_file_exists($fm_FileRoot, $path, $newName);
$newName = $newFile->get('name');
// If everything is ok, save the file somewhere
if (save_to_file($file->get_content(), $newFile->get_full_path(), 'wb')) {
// Change to default chmod settings
$newFile->chmod(NULL);
// Refreshes file properties (type, size, perms...)
$newFile->load_properties();
// save file into the db
$newFile->dbsave();
/**
* metaWeblog.newMediaObject image upload
* wp.uploadFile
*
* Supplied image is encoded into the struct as bits
*
* @see http://www.xmlrpc.com/metaWeblogApi#metaweblognewmediaobject
* @see http://codex.wordpress.org/XML-RPC_wp#wp.uploadFile
*
* @param xmlrpcmsg XML-RPC Message
* 0 blogid (string): Unique identifier of the blog the post will be added to.
* Currently ignored in b2evo, in favor of the category.
* 1 username (string): Login for a Blogger user who has permission to edit the given
* post (either the user who originally created it or an admin of the blog).
* 2 password (string): Password for said username.
* 3 struct (struct)
* - name : filename
* - type : mimetype
* - bits : base64 encoded file
* @return xmlrpcresp XML-RPC Response
*/
function _wp_mw_newmediaobject($m)
{
global $Settings, $Plugins, $force_upload_forbiddenext;
// CHECK LOGIN:
/**
* @var User
*/
if (!($current_User =& xmlrpcs_login($m, 1, 2))) {
// Login failed, return (last) error:
return xmlrpcs_resperror();
}
// GET BLOG:
/**
* @var Blog
*/
if (!($Blog =& xmlrpcs_get_Blog($m, 0))) {
// Login failed, return (last) error:
return xmlrpcs_resperror();
}
// CHECK PERMISSION:
if (!$current_User->check_perm('files', 'add', false, $Blog->ID)) {
// Permission denied
return xmlrpcs_resperror(3);
// User error 3
}
logIO('Permission granted.');
if (!$Settings->get('upload_enabled')) {
return xmlrpcs_resperror(2, 'Object upload not allowed');
}
$xcontent = $m->getParam(3);
// Get the main data - and decode it properly for the image - sorry, binary object
logIO('Decoding content...');
$contentstruct = xmlrpc_decode_recurse($xcontent);
$data = $contentstruct['bits'];
$file_mimetype = isset($contentstruct['type']) ? $contentstruct['type'] : '(none)';
logIO('Received MIME type: ' . $file_mimetype);
$overwrite = false;
if (isset($contentstruct['overwrite'])) {
$overwrite = (bool) $contentstruct['overwrite'];
}
logIO('Overwrite if exists: ' . ($overwrite ? 'yes' : 'no'));
load_funcs('files/model/_file.funcs.php');
$filesize = evo_bytes($data);
if (($maxfilesize = $Settings->get('upload_maxkb') * 1024) && $filesize > $maxfilesize) {
return xmlrpcs_resperror(4, sprintf(T_('The file is too large: %s but the maximum allowed is %s.'), bytesreadable($filesize, false), bytesreadable($maxfilesize, false)));
}
logIO('File size is OK: ' . bytesreadable($filesize, false));
$FileRootCache =& get_FileRootCache();
$fm_FileRoot =& $FileRootCache->get_by_type_and_ID('collection', $Blog->ID, true);
if (!$fm_FileRoot) {
// fileRoot not found:
return xmlrpcs_resperror(14, 'File root not found');
}
$rf_filepath = $contentstruct['name'];
logIO('Received filepath: ' . $rf_filepath);
// Split into path + name:
$filepath_parts = explode('/', $rf_filepath);
$filename = array_pop($filepath_parts);
logIO('Original file name: ' . $filename);
// Validate and sanitize filename
if ($error_filename = process_filename($filename, true)) {
return xmlrpcs_resperror(5, $error_filename);
}
logIO('Sanitized file name: ' . $filename);
// Check valid path parts:
$rds_subpath = '';
foreach ($filepath_parts as $filepath_part) {
if (empty($filepath_part) || $filepath_part == '.') {
// self ref not useful
continue;
}
if ($error = validate_dirname($filepath_part)) {
// invalid relative path:
logIO($error);
return xmlrpcs_resperror(6, $error);
}
$rds_subpath .= $filepath_part . '/';
}
logIO('Subpath: ' . $rds_subpath);
// Create temporary file and insert contents into it.
$tmpfile_name = tempnam(sys_get_temp_dir(), 'fmupload');
if ($tmpfile_name) {
if (save_to_file($data, $tmpfile_name, 'wb')) {
$image_info = @getimagesize($tmpfile_name);
} else {
return xmlrpcs_resperror(13, 'Error while writing to temp file.');
}
}
if (!empty($image_info)) {
// This is an image file, let's check mimetype and correct extension
if ($image_info['mime'] != $file_mimetype) {
// Invalid file type
$FiletypeCache =& get_FiletypeCache();
// Get correct file type based on mime type
$correct_Filetype = $FiletypeCache->get_by_mimetype($image_info['mime'], false, false);
$file_mimetype = $image_info['mime'];
// Check if file type is known by us, and if it is allowed for upload.
// If we don't know this file type or if it isn't allowed we don't change the extension! The current extension is allowed for sure.
if ($correct_Filetype && $correct_Filetype->is_allowed()) {
// A FileType with the given mime type exists in database and it is an allowed file type for current User
// The "correct" extension is a plausible one, proceed...
$correct_extension = array_shift($correct_Filetype->get_extensions());
$path_info = pathinfo($filename);
$current_extension = $path_info['extension'];
// change file extension to the correct extension, but only if the correct extension is not restricted, this is an extra security check!
if (strtolower($current_extension) != strtolower($correct_extension) && !in_array($correct_extension, $force_upload_forbiddenext)) {
// change the file extension to the correct extension
$old_filename = $filename;
$filename = $path_info['filename'] . '.' . $correct_extension;
}
}
}
}
// Get File object for requested target location:
$FileCache =& get_FileCache();
$newFile =& $FileCache->get_by_root_and_path($fm_FileRoot->type, $fm_FileRoot->in_type_ID, trailing_slash($rds_subpath) . $filename, true);
if ($newFile->exists()) {
if ($overwrite && $newFile->unlink()) {
// OK, file deleted
// Delete thumb caches from old location:
logIO('Old file deleted');
$newFile->rm_cache();
} else {
return xmlrpcs_resperror(8, sprintf(T_('The file «%s» already exists.'), $filename));
}
}
// Trigger plugin event
if ($Plugins->trigger_event_first_false('AfterFileUpload', array('File' => &$newFile, 'name' => &$filename, 'type' => &$file_mimetype, 'tmp_name' => &$tmpfile_name, 'size' => &$filesize))) {
// Plugin returned 'false'.
// Abort upload for this file:
@unlink($tmpfile_name);
return xmlrpcs_resperror(16, 'File upload aborted by a plugin.');
}
if (!mkdir_r($newFile->get_dir())) {
// Dir didn't already exist and could not be created
return xmlrpcs_resperror(9, 'Error creating sub directories: ' . $newFile->get_rdfs_rel_path());
}
if (!@rename($tmpfile_name, $newFile->get_full_path())) {
return xmlrpcs_resperror(13, 'Error while writing to file.');
}
// chmod the file
$newFile->chmod();
// Initializes file properties (type, size, perms...)
$newFile->load_properties();
// Load meta data AND MAKE SURE IT IS CREATED IN DB:
$newFile->meta == 'unknown';
$newFile->load_meta(true);
// Resize and rotate
logIO('Running file post-processing (resize and rotate)...');
prepare_uploaded_files(array($newFile));
logIO('Done');
$url = $newFile->get_url();
logIO('URL of new file: ' . $url);
$struct = new xmlrpcval(array('file' => new xmlrpcval($filename, 'string'), 'url' => new xmlrpcval($url, 'string'), 'type' => new xmlrpcval($file_mimetype, 'string')), 'struct');
logIO('OK.');
return new xmlrpcresp($struct);
}
/**
* Create links between users and image files from the users profile_pictures folder
*/
function create_profile_picture_links()
{
global $DB;
load_class('files/model/_filelist.class.php', 'Filelist');
load_class('files/model/_fileroot.class.php', 'FileRoot');
$path = 'profile_pictures';
$FileRootCache =& get_FileRootCache();
$UserCache =& get_UserCache();
// SQL query to get all users and limit by page below
$users_SQL = new SQL();
$users_SQL->SELECT('*');
$users_SQL->FROM('T_users');
$users_SQL->ORDER_BY('user_ID');
$page = 0;
$page_size = 100;
while (count($UserCache->cache) > 0 || $page == 0) {
// Load users by 100 at one time to avoid errors about memory exhausting
$users_SQL->LIMIT($page * $page_size . ', ' . $page_size);
$UserCache->clear();
$UserCache->load_by_sql($users_SQL);
while (($iterator_User =& $UserCache->get_next()) != NULL) {
// Iterate through UserCache)
$FileRootCache->clear();
$user_FileRoot =& $FileRootCache->get_by_type_and_ID('user', $iterator_User->ID);
if (!$user_FileRoot) {
// User FileRoot doesn't exist
continue;
}
$ads_list_path = get_canonical_path($user_FileRoot->ads_path . $path);
// Previously uploaded avatars
if (!is_dir($ads_list_path)) {
// profile_picture folder doesn't exists in the user root dir
continue;
}
$user_avatar_Filelist = new Filelist($user_FileRoot, $ads_list_path);
$user_avatar_Filelist->load();
if ($user_avatar_Filelist->count() > 0) {
// profile_pictures folder is not empty
$info_content = '';
$LinkOwner = new LinkUser($iterator_User);
while ($lFile =& $user_avatar_Filelist->get_next()) {
// Loop through all Files:
$fileName = $lFile->get_name();
if (process_filename($fileName)) {
// The file has invalid file name, don't create in the database
// TODO: asimo> we should collect each invalid file name here, and send an email to the admin
continue;
}
$lFile->load_meta(true);
if ($lFile->is_image()) {
$lFile->link_to_Object($LinkOwner);
}
}
}
}
// Increase page number to get next portion of users
$page++;
}
// Clear cache data
$UserCache->clear();
$FileRootCache->clear();
}
/**
* process attachments by saving into media directory and optionally creating image tag in post
*
* @param string message content that is optionally manipulated by adding image tags (by reference)
* @param array $mailAttachments array containing path to attachment files
* @param string $mediadir path to media directory of blog as seen by file system
* @param string $media_url url to media directory as seen by user
* @param bool $add_img_tags should img tags be added to the post (instead of linking through the file manager)
* @param string $type defines attachment type: 'attach' or 'related'
*/
function pbm_process_attachments(&$content, $mailAttachments, $mediadir, $media_url, $add_img_tags = true, $type = 'attach')
{
global $Settings, $pbm_item_files, $filename_max_length;
pbm_msg('<h4>Processing attachments</h4>');
foreach ($mailAttachments as $attachment) {
if (isset($attachment['FileName'])) {
$filename = trim(evo_strtolower($attachment['FileName']));
} else {
// Related attachments may not have file name, we'll generate one below
$filename = '';
}
if ($filename == '') {
$filename = 'upload_' . uniqid() . '.' . $attachment['SubType'];
pbm_msg(sprintf('Attachment without name. Using "%s".', htmlspecialchars($filename)));
}
// Check valid filename/extension: (includes check for locked filenames)
if ($error_filename = process_filename($filename, true)) {
pbm_msg('Invalid filename: ' . $error_filename);
continue;
}
// If file exists count up a number
$cnt = 0;
$prename = substr($filename, 0, strrpos($filename, '.')) . '-';
$sufname = strrchr($filename, '.');
$error_in_filename = false;
while (file_exists($mediadir . $filename)) {
$filename = $prename . $cnt . $sufname;
if (strlen($filename) > $filename_max_length) {
// This is a special case, when the filename is longer then the maximum allowed
// Cut as many characters as required before the counter on the file name
$filename = fix_filename_length($filename, strlen($prename) - 1);
if ($error_in_filename = process_filename($filename, true)) {
// The file name is not valid, this is an unexpected situation, because the file name was already validated before
pbm_msg('Invalid filename: ' . $error_filename);
break;
}
}
++$cnt;
}
if ($error_in_filename) {
// Don't create file with invalid file name
continue;
}
pbm_msg(sprintf('New file name is <b>%s</b>', $filename));
$imginfo = NULL;
if (!$Settings->get('eblog_test_mode')) {
pbm_msg('Saving file to: ' . htmlspecialchars($mediadir . $filename));
if (!copy($attachment['DataFile'], $mediadir . $filename)) {
pbm_msg('Unable to copy uploaded file to ' . htmlspecialchars($mediadir . $filename));
continue;
}
// chmod uploaded file:
$chmod = $Settings->get('fm_default_chmod_file');
@chmod($mediadir . $filename, octdec($chmod));
$imginfo = @getimagesize($mediadir . $filename);
pbm_msg('Is this an image?: ' . (is_array($imginfo) ? 'yes' : 'no'));
}
if ($type == 'attach') {
$content .= "\n";
if (is_array($imginfo) && $add_img_tags) {
$content .= '<img src="' . $media_url . $filename . '" ' . $imginfo[3] . ' />';
} else {
pbm_msg(sprintf('The file <b>%s</b> will be attached to the post later, after we save the post in the database.', $filename));
$pbm_item_files[] = $filename;
}
$content .= "\n";
} elseif (!empty($attachment['ContentID'])) {
// Replace relative "cid:xxxxx" URIs with absolute URLs to media files
$content = str_replace('cid:' . $attachment['ContentID'], $media_url . $filename, $content);
}
}
}
out_echo($message, $specialchars);
exit;
}
$newName = $file->getName();
$oldName = $newName;
// validate file name
if ($error_filename = process_filename($newName, true, true, $fm_FileRoot, $path)) {
// Not a file name or not an allowed extension
$message['text'] = $error_filename;
$message['status'] = 'error';
out_echo($message, $specialchars);
syslog_insert(sprintf('The uploaded file %s has an unrecognized extension', '<b>' . $newName . '</b>'), 'warning', 'file');
exit;
}
// Process a name of old name
process_filename($oldName, true);
list($newFile, $oldFile_thumb) = check_file_exists($fm_FileRoot, $path, $newName);
$newName = $newFile->get('name');
// If everything is ok, save the file somewhere
$file_content = $file->get_content();
if (is_array($file_content)) {
// Error on upload
$message = array_merge($message, $file_content);
out_echo($message, $specialchars);
exit;
}
if (!file_exists($newFile->get_dir())) {
// Create a folder for new uploaded file if it doesn't exist yet
mkdir_r($newFile->get_dir());
}
if (save_to_file($file_content, $newFile->get_full_path(), 'wb')) {