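/**
 * Make sure the file is a css or js file and that it exists
 *
 * Validates a requested asset path: strips the query string, maps
 * /data/_addoncode/<addon_key>/... onto the addon's code folder, drops NUL
 * bytes, rejects anything that is not a js/css/less/scss file and then
 * resolves it through CheckFileSub() - once on the path as given and, when it
 * contains '%', once on its rawurldecode()d form. Each rejection echoes an
 * HTML comment explaining why.
 *
 * @static
 * @param string $file Requested path; updated in place (query trimmed, addon
 *                     path translated, NUL bytes removed, and replaced by the
 *                     decoded form when only that form resolves)
 * @return string|false Full path returned by CheckFileSub(), or false
 */
public static function CheckFile(&$file)
{
    global $dataDir;

    $comment_start = '<!--';
    $comment_end   = '-->';
    $allowed_ext   = array('js', 'css', 'less', 'scss');

    $file = self::TrimQuery($file);
    if (empty($file)) {
        return false;
    }

    //translate addon paths: /data/_addoncode/<addon_key>/rest -> <code_folder_rel>/rest
    $pos = strpos($file, '/data/_addoncode/');
    if ($pos !== false) {
        $file_parts   = explode('/', substr($file, $pos + strlen('/data/_addoncode/')));
        $addon_key    = array_shift($file_parts);
        $addon_config = \gp\tool\Plugins::GetAddonConfig($addon_key);
        if ($addon_config) {
            $file = $addon_config['code_folder_rel'] . '/' . implode('/', $file_parts);
        }
    }

    //remove null characters
    $file = \gp\tool\Files::NoNull($file);

    //require .js or .css (or a less/scss source)
    $ext = \gp\tool::Ext($file);
    if (!in_array($ext, $allowed_ext, true)) {
        echo "\n{$comment_start} File Not CSS, LESS or JS {$file} {$comment_end}\n";
        return false;
    }

    //paths that have been urlencoded
    //The NUL strip and the extension check above ran on the *encoded* string, so
    //both are repeated on the decoded form: '%00' decodes to a NUL byte, and a
    //name like 'x.php%00.css' would otherwise reach CheckFileSub() having passed
    //the extension test as '.css'.
    if (strpos($file, '%') !== false) {
        $decoded_file = \gp\tool\Files::NoNull(rawurldecode($file));
        if (in_array(\gp\tool::Ext($decoded_file), $allowed_ext, true)) {
            if ($full_path = self::CheckFileSub($decoded_file)) {
                $file = $decoded_file;
                return $full_path;
            }
        }
    }

    //paths that have not been encoded
    if ($full_path = self::CheckFileSub($file)) {
        return $full_path;
    }

    //NOTE(review): $file is echoed unescaped here and above; a value containing '-->'
    //terminates the comment early. Left as-is since the output context is not visible.
    echo "\n{$comment_start} File Not Found {$dataDir}{$file} {$comment_end}\n";
    return false;
}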
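/**
 * Check the path of the img, return full path of image if the requested image is found
 *
 * Request handler for resized images, driven by $_GET:
 *   i    key into the resized-image index (self::$index)
 *   w, h requested width / height (must be numeric)
 *   img  image path as the caller knows it
 * When the cached file /data/_resized/<index>/<name> exists it is streamed
 * (with a 304 attempt first); otherwise the request is redirected to the next
 * larger cached size that is in use, or to the original upload.
 * Every exit except the bare `return false` in the path check ends inside
 * Send404() / Redirect() / die.
 */
function __construct()
{
    global $dataDir;

    //'i' is required too: it used to be read unconditionally below, which raised
    //an undefined-index notice and looked up self::$index[''] for a missing key
    if (!isset($_GET['w'], $_GET['h'], $_GET['img'], $_GET['i'])) {
        self::Send404(); //dies
    }

    $img    = $_GET['img'];
    $height = $_GET['h'];
    $width  = $_GET['w'];
    $index  = $_GET['i'];

    if (!is_numeric($height) || !is_numeric($width)) {
        self::Send404(); //dies
    }

    $img = \gp\tool\Files::NoNull($img);

    //check file path: reject './' (which also covers '../') and an encoded slash in either case
    //NOTE(review): this is a silent return from a constructor, so the request ends with
    //whatever the caller emits rather than a 404; kept as-is to preserve behavior.
    if (strpos($img, './') !== false || stripos($img, '%2f') !== false) {
        return false;
    }

    //make sure the index is set
    gp_resized::SetIndex();
    if (!isset(self::$index[$index])) {
        self::Send404(); //dies
    }

    //if the image has been renamed, redirect to the new name
    //Strict string comparison: with '!=' two numeric-looking strings such as
    //'1e3' and '1000' compare equal, so a mismatching name could slip through.
    $index_img = self::$index[$index];
    if ((string) $index_img !== (string) $img) {
        $path = \gp\tool::GetDir('/include/image.php', false)
            . '?i=' . $index . '&w=' . $width . '&h=' . $height
            . '&img=' . rawurlencode($index_img);
        \gp\tool::Redirect($path); //dies
    }

    $info      = self::ImageInfo($img, $width, $height);
    $folder    = $dataDir . '/data/_resized/' . $info['index'];
    $full_path = $folder . '/' . $info['name'];

    //if it exists, stream it
    if (file_exists($full_path)) {
        header('Cache-Control: public, max-age=5184000'); //60 days

        //attempt to send 304
        $stats = lstat($full_path);
        if ($stats) {
            \gp\tool::Send304(\gp\tool::GenEtag($stats['mtime'], $stats['size']));
        }

        header('Content-Transfer-Encoding: binary');
        header('Content-Type: ' . $info['ctype']);
        readfile($full_path);
        die;
    }

    //redirect to next largest image if available
    $usage = self::GetUsage($info['index']);
    foreach ($usage as $size => $data) {
        if (!$data['uses']) {
            continue;
        }
        list($use_width, $use_height) = explode('x', $size);
        //strictly larger in one dimension and not smaller in the other
        //(parentheses make the original && / || precedence explicit)
        if (($use_width >= $width && $use_height > $height) || ($use_width > $width && $use_height >= $height)) {
            $path = \gp\tool::GetDir('/include/image.php', false)
                . '?i=' . $index . '&w=' . $use_width . '&h=' . $use_height
                . '&img=' . rawurlencode($img);
            \gp\tool::Redirect($path); //dies
        }
    }

    //redirect to full size image
    $original = \gp\tool::GetDir('/data/_uploaded' . $img, false);
    \gp\tool::Redirect($original); //dies
}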
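/**
 * Check the file extension against $allowed_types
 *
 * Builds the allowed-extension list once per request - the default list
 * (empty when $upload_extensions_deny is the string 'all'), plus the
 * $upload_extensions_allow entries, minus the $upload_extensions_deny entries -
 * runs it through the 'AllowedTypes' plugin filter and tests the last
 * dot-separated segment of $file against it, case-insensitively.
 *
 * Fix vs. the previous version: the deny branch trimmed/lowercased
 * $upload_extensions_allow instead of $upload_extensions_deny, so a configured
 * deny entry such as 'PHP' or ' php' never matched in array_diff() (and, when
 * the allow setting was not an array, array_map() was handed a non-array).
 *
 * @param string $file Filename; NUL bytes are removed from it in place
 * @param bool $fix When true, interior dots in the returned name are replaced
 *                  with '_' (foo.php.jpg -> foo_php.jpg); when false the name
 *                  is returned unchanged
 * @return string|bool The (possibly rewritten) filename when the extension is
 *                     allowed; true when uploads are unrestricted or the name
 *                     has no extension; false when the extension is denied
 */
public static function AllowedExtension(&$file, $fix = true)
{
    global $upload_extensions_allow, $upload_extensions_deny;
    static $allowed_types = false;

    $file = \gp\tool\Files::NoNull($file);

    if (!gp_restrict_uploads) {
        return true;
    }

    $parts = explode('.', $file);
    if (count($parts) < 2) {
        return true;
    }

    //build list of allowed extensions once
    if (!$allowed_types) {
        if (is_string($upload_extensions_deny) && strtolower($upload_extensions_deny) === 'all') {
            $allowed_types = array();
        } else {
            //NOTE(review): htm, html, svg, js, xml and swf are allowed by default; if uploads
            //are served from the site's own origin these are stored-XSS vectors - consider
            //denying them via $upload_extensions_deny.
            $allowed_types = array(
                'bmp', 'gif', 'jpeg', 'jpg', 'png', 'tif', 'tiff',
                'wav', 'wma', 'svg', 'aiff', 'asf', 'avi', 'fla', 'flv', 'm4v', 'mid',
                'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ogg', 'oga', 'ogv', 'opus',
                'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'webm', 'wmv',
                '7z', 'bz', 'gz', 'gzip', 'rar', 'sdc', 'sitd', 'tar', 'tgz', 'zip',
                'css', 'csv', 'doc', 'docx', 'htm', 'html', 'js', 'json', 'less', 'md',
                'ods', 'odt', 'pdf', 'ppt', 'pptx', 'rtf', 'txt', 'sxc', 'sxw', 'vsd',
                'xls', 'xlsx', 'xml',
            );
        }

        if (is_array($upload_extensions_allow)) {
            $upload_extensions_allow = array_map('trim', $upload_extensions_allow);
            $upload_extensions_allow = array_map('strtolower', $upload_extensions_allow);
            $allowed_types = array_merge($allowed_types, $upload_extensions_allow);
        }

        if (is_array($upload_extensions_deny)) {
            //normalize the *deny* list (the list actually used by array_diff below)
            $upload_extensions_deny = array_map('trim', $upload_extensions_deny);
            $upload_extensions_deny = array_map('strtolower', $upload_extensions_deny);
            $allowed_types = array_diff($allowed_types, $upload_extensions_deny);
        }
    }

    //apply the plugin filter to a copy so the cached list is not re-filtered cumulatively on every call
    $filtered_types = \gp\tool\Plugins::Filter('AllowedTypes', array($allowed_types));

    //make sure the extension is allowed (strict: a non-string entry such as 0 must not match)
    $file_type = array_pop($parts);
    if (!in_array(strtolower($file_type), $filtered_types, true)) {
        return false;
    }

    //$fix collapses double extensions: the interior dots become underscores
    if ($fix) {
        return implode('_', $parts) . '.' . $file_type;
    }

    return implode('.', $parts) . '.' . $file_type;
}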