if (isset($_GET['qqfile'])) { $file = new qqUploadedFileXhr(); } elseif (isset($_FILES['qqfile'])) { $file = new qqUploadedFileForm(); } else { $file = false; } if ($Settings->get('upload_maxkb') && $file->getSize() > $Settings->get('upload_maxkb') * 1024) { $message['text'] = '<span class="result_error">' . sprintf(T_('The file is too large: %s but the maximum allowed is %s.'), bytesreadable($file->getSize()), bytesreadable($Settings->get('upload_maxkb') * 1024)) . '</span>'; out_echo($message, $specialchars); exit; } $newName = $file->getName(); $oldName = $newName; // validate file name if ($error_filename = process_filename($newName)) { // Not a file name or not an allowed extension $message['text'] = '<span class="result_error"> ' . $error_filename . '</span>'; out_echo($message, $specialchars); exit; } list($newFile, $oldFile_thumb) = check_file_exists($fm_FileRoot, $path, $newName); $newName = $newFile->get('name'); // If everything is ok, save the file somewhere if (save_to_file($file->get_content(), $newFile->get_full_path(), 'wb')) { // Change to default chmod settings $newFile->chmod(NULL); // Refreshes file properties (type, size, perms...) $newFile->load_properties(); // save file into the db $newFile->dbsave();
/** * metaWeblog.newMediaObject image upload * wp.uploadFile * * Supplied image is encoded into the struct as bits * * @see http://www.xmlrpc.com/metaWeblogApi#metaweblognewmediaobject * @see http://codex.wordpress.org/XML-RPC_wp#wp.uploadFile * * @param xmlrpcmsg XML-RPC Message * 0 blogid (string): Unique identifier of the blog the post will be added to. * Currently ignored in b2evo, in favor of the category. * 1 username (string): Login for a Blogger user who has permission to edit the given * post (either the user who originally created it or an admin of the blog). * 2 password (string): Password for said username. * 3 struct (struct) * - name : filename * - type : mimetype * - bits : base64 encoded file * @return xmlrpcresp XML-RPC Response */ function _wp_mw_newmediaobject($m) { global $Settings, $Plugins, $force_upload_forbiddenext; // CHECK LOGIN: /** * @var User */ if (!($current_User =& xmlrpcs_login($m, 1, 2))) { // Login failed, return (last) error: return xmlrpcs_resperror(); } // GET BLOG: /** * @var Blog */ if (!($Blog =& xmlrpcs_get_Blog($m, 0))) { // Login failed, return (last) error: return xmlrpcs_resperror(); } // CHECK PERMISSION: if (!$current_User->check_perm('files', 'add', false, $Blog->ID)) { // Permission denied return xmlrpcs_resperror(3); // User error 3 } logIO('Permission granted.'); if (!$Settings->get('upload_enabled')) { return xmlrpcs_resperror(2, 'Object upload not allowed'); } $xcontent = $m->getParam(3); // Get the main data - and decode it properly for the image - sorry, binary object logIO('Decoding content...'); $contentstruct = xmlrpc_decode_recurse($xcontent); $data = $contentstruct['bits']; $file_mimetype = isset($contentstruct['type']) ? $contentstruct['type'] : '(none)'; logIO('Received MIME type: ' . $file_mimetype); $overwrite = false; if (isset($contentstruct['overwrite'])) { $overwrite = (bool) $contentstruct['overwrite']; } logIO('Overwrite if exists: ' . ($overwrite ? 'yes' : 'no')); load_funcs('files/model/_file.funcs.php'); $filesize = evo_bytes($data); if (($maxfilesize = $Settings->get('upload_maxkb') * 1024) && $filesize > $maxfilesize) { return xmlrpcs_resperror(4, sprintf(T_('The file is too large: %s but the maximum allowed is %s.'), bytesreadable($filesize, false), bytesreadable($maxfilesize, false))); } logIO('File size is OK: ' . bytesreadable($filesize, false)); $FileRootCache =& get_FileRootCache(); $fm_FileRoot =& $FileRootCache->get_by_type_and_ID('collection', $Blog->ID, true); if (!$fm_FileRoot) { // fileRoot not found: return xmlrpcs_resperror(14, 'File root not found'); } $rf_filepath = $contentstruct['name']; logIO('Received filepath: ' . $rf_filepath); // Split into path + name: $filepath_parts = explode('/', $rf_filepath); $filename = array_pop($filepath_parts); logIO('Original file name: ' . $filename); // Validate and sanitize filename if ($error_filename = process_filename($filename, true)) { return xmlrpcs_resperror(5, $error_filename); } logIO('Sanitized file name: ' . $filename); // Check valid path parts: $rds_subpath = ''; foreach ($filepath_parts as $filepath_part) { if (empty($filepath_part) || $filepath_part == '.') { // self ref not useful continue; } if ($error = validate_dirname($filepath_part)) { // invalid relative path: logIO($error); return xmlrpcs_resperror(6, $error); } $rds_subpath .= $filepath_part . '/'; } logIO('Subpath: ' . $rds_subpath); // Create temporary file and insert contents into it. $tmpfile_name = tempnam(sys_get_temp_dir(), 'fmupload'); if ($tmpfile_name) { if (save_to_file($data, $tmpfile_name, 'wb')) { $image_info = @getimagesize($tmpfile_name); } else { return xmlrpcs_resperror(13, 'Error while writing to temp file.'); } } if (!empty($image_info)) { // This is an image file, let's check mimetype and correct extension if ($image_info['mime'] != $file_mimetype) { // Invalid file type $FiletypeCache =& get_FiletypeCache(); // Get correct file type based on mime type $correct_Filetype = $FiletypeCache->get_by_mimetype($image_info['mime'], false, false); $file_mimetype = $image_info['mime']; // Check if file type is known by us, and if it is allowed for upload. // If we don't know this file type or if it isn't allowed we don't change the extension! The current extension is allowed for sure. if ($correct_Filetype && $correct_Filetype->is_allowed()) { // A FileType with the given mime type exists in database and it is an allowed file type for current User // The "correct" extension is a plausible one, proceed... $correct_extension = array_shift($correct_Filetype->get_extensions()); $path_info = pathinfo($filename); $current_extension = $path_info['extension']; // change file extension to the correct extension, but only if the correct extension is not restricted, this is an extra security check! if (strtolower($current_extension) != strtolower($correct_extension) && !in_array($correct_extension, $force_upload_forbiddenext)) { // change the file extension to the correct extension $old_filename = $filename; $filename = $path_info['filename'] . '.' . $correct_extension; } } } } // Get File object for requested target location: $FileCache =& get_FileCache(); $newFile =& $FileCache->get_by_root_and_path($fm_FileRoot->type, $fm_FileRoot->in_type_ID, trailing_slash($rds_subpath) . $filename, true); if ($newFile->exists()) { if ($overwrite && $newFile->unlink()) { // OK, file deleted // Delete thumb caches from old location: logIO('Old file deleted'); $newFile->rm_cache(); } else { return xmlrpcs_resperror(8, sprintf(T_('The file «%s» already exists.'), $filename)); } } // Trigger plugin event if ($Plugins->trigger_event_first_false('AfterFileUpload', array('File' => &$newFile, 'name' => &$filename, 'type' => &$file_mimetype, 'tmp_name' => &$tmpfile_name, 'size' => &$filesize))) { // Plugin returned 'false'. // Abort upload for this file: @unlink($tmpfile_name); return xmlrpcs_resperror(16, 'File upload aborted by a plugin.'); } if (!mkdir_r($newFile->get_dir())) { // Dir didn't already exist and could not be created return xmlrpcs_resperror(9, 'Error creating sub directories: ' . $newFile->get_rdfs_rel_path()); } if (!@rename($tmpfile_name, $newFile->get_full_path())) { return xmlrpcs_resperror(13, 'Error while writing to file.'); } // chmod the file $newFile->chmod(); // Initializes file properties (type, size, perms...) $newFile->load_properties(); // Load meta data AND MAKE SURE IT IS CREATED IN DB: $newFile->meta == 'unknown'; $newFile->load_meta(true); // Resize and rotate logIO('Running file post-processing (resize and rotate)...'); prepare_uploaded_files(array($newFile)); logIO('Done'); $url = $newFile->get_url(); logIO('URL of new file: ' . $url); $struct = new xmlrpcval(array('file' => new xmlrpcval($filename, 'string'), 'url' => new xmlrpcval($url, 'string'), 'type' => new xmlrpcval($file_mimetype, 'string')), 'struct'); logIO('OK.'); return new xmlrpcresp($struct); }
/** * Create links between users and image files from the users profile_pictures folder */ function create_profile_picture_links() { global $DB; load_class('files/model/_filelist.class.php', 'Filelist'); load_class('files/model/_fileroot.class.php', 'FileRoot'); $path = 'profile_pictures'; $FileRootCache =& get_FileRootCache(); $UserCache =& get_UserCache(); // SQL query to get all users and limit by page below $users_SQL = new SQL(); $users_SQL->SELECT('*'); $users_SQL->FROM('T_users'); $users_SQL->ORDER_BY('user_ID'); $page = 0; $page_size = 100; while (count($UserCache->cache) > 0 || $page == 0) { // Load users by 100 at one time to avoid errors about memory exhausting $users_SQL->LIMIT($page * $page_size . ', ' . $page_size); $UserCache->clear(); $UserCache->load_by_sql($users_SQL); while (($iterator_User =& $UserCache->get_next()) != NULL) { // Iterate through UserCache) $FileRootCache->clear(); $user_FileRoot =& $FileRootCache->get_by_type_and_ID('user', $iterator_User->ID); if (!$user_FileRoot) { // User FileRoot doesn't exist continue; } $ads_list_path = get_canonical_path($user_FileRoot->ads_path . $path); // Previously uploaded avatars if (!is_dir($ads_list_path)) { // profile_picture folder doesn't exists in the user root dir continue; } $user_avatar_Filelist = new Filelist($user_FileRoot, $ads_list_path); $user_avatar_Filelist->load(); if ($user_avatar_Filelist->count() > 0) { // profile_pictures folder is not empty $info_content = ''; $LinkOwner = new LinkUser($iterator_User); while ($lFile =& $user_avatar_Filelist->get_next()) { // Loop through all Files: $fileName = $lFile->get_name(); if (process_filename($fileName)) { // The file has invalid file name, don't create in the database // TODO: asimo> we should collect each invalid file name here, and send an email to the admin continue; } $lFile->load_meta(true); if ($lFile->is_image()) { $lFile->link_to_Object($LinkOwner); } } } } // Increase page number to get next portion of users $page++; } // Clear cache data $UserCache->clear(); $FileRootCache->clear(); }
/** * process attachments by saving into media directory and optionally creating image tag in post * * @param string message content that is optionally manipulated by adding image tags (by reference) * @param array $mailAttachments array containing path to attachment files * @param string $mediadir path to media directory of blog as seen by file system * @param string $media_url url to media directory as seen by user * @param bool $add_img_tags should img tags be added to the post (instead of linking through the file manager) * @param string $type defines attachment type: 'attach' or 'related' */ function pbm_process_attachments(&$content, $mailAttachments, $mediadir, $media_url, $add_img_tags = true, $type = 'attach') { global $Settings, $pbm_item_files, $filename_max_length; pbm_msg('<h4>Processing attachments</h4>'); foreach ($mailAttachments as $attachment) { if (isset($attachment['FileName'])) { $filename = trim(evo_strtolower($attachment['FileName'])); } else { // Related attachments may not have file name, we'll generate one below $filename = ''; } if ($filename == '') { $filename = 'upload_' . uniqid() . '.' . $attachment['SubType']; pbm_msg(sprintf('Attachment without name. Using "%s".', htmlspecialchars($filename))); } // Check valid filename/extension: (includes check for locked filenames) if ($error_filename = process_filename($filename, true)) { pbm_msg('Invalid filename: ' . $error_filename); continue; } // If file exists count up a number $cnt = 0; $prename = substr($filename, 0, strrpos($filename, '.')) . '-'; $sufname = strrchr($filename, '.'); $error_in_filename = false; while (file_exists($mediadir . $filename)) { $filename = $prename . $cnt . $sufname; if (strlen($filename) > $filename_max_length) { // This is a special case, when the filename is longer then the maximum allowed // Cut as many characters as required before the counter on the file name $filename = fix_filename_length($filename, strlen($prename) - 1); if ($error_in_filename = process_filename($filename, true)) { // The file name is not valid, this is an unexpected situation, because the file name was already validated before pbm_msg('Invalid filename: ' . $error_filename); break; } } ++$cnt; } if ($error_in_filename) { // Don't create file with invalid file name continue; } pbm_msg(sprintf('New file name is <b>%s</b>', $filename)); $imginfo = NULL; if (!$Settings->get('eblog_test_mode')) { pbm_msg('Saving file to: ' . htmlspecialchars($mediadir . $filename)); if (!copy($attachment['DataFile'], $mediadir . $filename)) { pbm_msg('Unable to copy uploaded file to ' . htmlspecialchars($mediadir . $filename)); continue; } // chmod uploaded file: $chmod = $Settings->get('fm_default_chmod_file'); @chmod($mediadir . $filename, octdec($chmod)); $imginfo = @getimagesize($mediadir . $filename); pbm_msg('Is this an image?: ' . (is_array($imginfo) ? 'yes' : 'no')); } if ($type == 'attach') { $content .= "\n"; if (is_array($imginfo) && $add_img_tags) { $content .= '<img src="' . $media_url . $filename . '" ' . $imginfo[3] . ' />'; } else { pbm_msg(sprintf('The file <b>%s</b> will be attached to the post later, after we save the post in the database.', $filename)); $pbm_item_files[] = $filename; } $content .= "\n"; } elseif (!empty($attachment['ContentID'])) { // Replace relative "cid:xxxxx" URIs with absolute URLs to media files $content = str_replace('cid:' . $attachment['ContentID'], $media_url . $filename, $content); } } }
out_echo($message, $specialchars); exit; } $newName = $file->getName(); $oldName = $newName; // validate file name if ($error_filename = process_filename($newName, true, true, $fm_FileRoot, $path)) { // Not a file name or not an allowed extension $message['text'] = $error_filename; $message['status'] = 'error'; out_echo($message, $specialchars); syslog_insert(sprintf('The uploaded file %s has an unrecognized extension', '<b>' . $newName . '</b>'), 'warning', 'file'); exit; } // Process a name of old name process_filename($oldName, true); list($newFile, $oldFile_thumb) = check_file_exists($fm_FileRoot, $path, $newName); $newName = $newFile->get('name'); // If everything is ok, save the file somewhere $file_content = $file->get_content(); if (is_array($file_content)) { // Error on upload $message = array_merge($message, $file_content); out_echo($message, $specialchars); exit; } if (!file_exists($newFile->get_dir())) { // Create a folder for new uploaded file if it doesn't exist yet mkdir_r($newFile->get_dir()); } if (save_to_file($file_content, $newFile->get_full_path(), 'wb')) {