Project

General

Profile

1
<?php
2
/**
3
 *
4
 * @category        admin
5
 * @package         media
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.x
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id: upload.php 1484 2011-07-31 19:42:13Z Luisehahne $
14
 * @filesource		$HeadURL:  $
15
 * @lastmodified    $Date:  $
16
 *
17
 */
18

    
19
// Print admin header
20
require('../../config.php');
21
include_once('resize_img.php');
22
include_once('parameters.php');
23

    
24
require_once(WB_PATH.'/framework/class.admin.php');
25
// require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');	// Required to unzip file.
26
// suppress to print the header, so no new FTAN will be set
27
$admin = new admin('Media', 'media_upload', false);
28

    
29
if( !$admin->checkFTAN() )
30
{
31
	$admin->print_header();
32
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
33
}
34
// After check print the header
35
$admin->print_header();
36

    
37
// Target location
38
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
39
$target = (isset(${$requestMethod}['target'])) ? ${$requestMethod}['target'] : '';
40

    
41
// Include the WB functions file
42
require_once(WB_PATH.'/framework/functions.php');
43

    
44
$directory = ($target == '/') ?  '' : $target;
45
$dirlink = 'index.php?dir='.$directory;
46
$rootlink = 'index.php?dir=';
47

    
48
// Check to see if target contains ../
49
if (!check_media_path($target, false))
50
{
51
	$admin->print_error($MESSAGE['MEDIA']['TARGET_DOT_DOT_SLASH'] );
52
}
53

    
54
// Create relative path of the target location for the file
55
$relative = WB_PATH.$target.'/';
56
$resizepath = str_replace(array('/',' '),'_',$target);
57

    
58
// Find out whether we should replace files or give an error
59
$overwrite = ($admin->get_post('overwrite') != '') ? true : false;
60

    
61
// Get list of file types to which we're supposed to append 'txt'
62
$get_result=$database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
63
$file_extension_string='';
64
if ($get_result->numRows()>0) {
65
	$fetch_result=$get_result->fetchRow();
66
	$file_extension_string=$fetch_result['value'];
67
}
68

    
69
$file_extensions=explode(",",$file_extension_string);
70
// get from settings and add to forbidden list
71
$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
72
// Loop through the files
73
$good_uploads = 0;
74
$sum_dirs = 0;
75
$sum_files = 0;
76

    
77
for($count = 1; $count <= 10; $count++)
78
{
79
	// If file was upload to tmp
80
	if(isset($_FILES["file$count"]['name']))
81
	{
82
		// Remove bad characters
83
		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
84
		// Check if there is still a filename left
85
		// if($filename != '') {
86
		$info = pathinfo($filename);
87
		$ext = isset($info['extension']) ? $info['extension'] : '';
88

    
89
		if ( ($filename != '') && !preg_match("/" . $forbidden_file_types . "$/i", $ext) )
90
		{
91
			// Move to relative path (in media folder)
92
			if(file_exists($relative.$filename) AND $overwrite == true) {
93
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
94
					$good_uploads++;
95
					$sum_files++;
96
					// Chmod the uploaded file
97
					change_mode($relative.$filename);
98
				}
99
			} elseif(!file_exists($relative.$filename)) {
100
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
101
					$good_uploads++;
102
					$sum_files++;
103
					// Chmod the uploaded file
104
					change_mode($relative.$filename);
105
				}
106
			}
107

    
108
			if(file_exists($relative.$filename)) {
109
				if ($pathsettings[$resizepath]['width'] || $pathsettings[$resizepath]['height'] ) {
110
					$rimg=new RESIZEIMAGE($relative.$filename);
111
					$rimg->resize_limitwh($pathsettings[$resizepath]['width'],$pathsettings[$resizepath]['height'],$relative.$filename);
112
					$rimg->close();
113
				}
114
			}
115

    
116
			// store file name of first file for possible unzip action
117
			if ($count == 1) {
118
				$filename1 = $relative . $filename;
119
			}
120
		}
121
	}
122
}
123
/*
124
 * Callback function to skip files in black-list
125
 */
126
function pclzipCheckValidFile($p_event, &$p_header)
127
{
128
    //  return 1;
129
// Check for potentially malicious files
130
	$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
131
	$info = pathinfo($p_header['filename']);
132
	$ext = isset($info['extension']) ? $info['extension'] : '';
133
	$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
134
	if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) && $dots != '.' )
135
	{	// ----- allowed file types are extracted
136
	  return 1;
137
	}else
138
	{	// ----- all other files are skiped
139
	  return 0;
140
	}
141
}
142
/* ********************************* */
143

    
144
// If the user chose to unzip the first file, unzip into the current folder
145
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
146
	// Required to unzip file.
147
	require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');
148
	$archive = new PclZip($filename1);
149
	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
150

    
151
	if($list == 0) {
152
		// error while trying to extract the archive (most likely wrong format)
153
		$admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
154
	}
155
	$sum_files = 0;
156
	// rename executable files!
157
	foreach ($list as $key => $val) {
158
	    if( ($val['folder'] ) && change_mode($val['filename']) ) {
159
		   $sum_dirs++;
160
		} elseif( is_writable($val['filename']) && ($val['status'] == 'ok') && change_mode($val['filename']) )  {
161
			$sum_files++;
162
		}
163
	}
164
	if (isset($_POST['delzip'])) { unlink($filename1); }
165
}
166
unset($list);
167
if($sum_files == 1) {
168
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
169
} elseif($sum_files > 1) {
170
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
171
} else {
172
	$admin->print_error($MESSAGE['MEDIA_NO_FILE_UPLOADED'] );
173
}
174

    
175
// Print admin
176
$admin->print_footer();
(16-16/16)