Project

General

Profile

1
<?php
2
/**
3
 *
4
 * @category        admin
5
 * @package         media
6
 * @author          WebsiteBaker Project
7
 * @copyright       Ryan Djurovich
8
 * @copyright       WebsiteBaker Org. e.V.
9
 * @link            http://websitebaker.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.3
12
 * @requirements    PHP 5.3.6 and higher
13
 * @version         $Id: upload.php 2 2017-07-02 15:14:29Z Manuela $
14
 * @filesource      $HeadURL: svn://isteam.dynxs.de/wb/2.10.x/branches/main/admin/media/upload.php $
15
 * @lastmodified    $Date: 2017-07-02 17:14:29 +0200 (Sun, 02 Jul 2017) $
16
 *
17
 */
18

    
19
// Print admin header
20
if ( !defined( 'WB_PATH' ) ){ require( dirname(dirname((__DIR__))).'/config.php' ); }
21
include_once('resize_img.php');
22
include_once('parameters.php');
23

    
24
require_once(WB_PATH.'/framework/class.admin.php');
25
// require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');    // Required to unzip file.
26
// suppress to print the header, so no new FTAN will be set
27
$admin = new admin('Media', 'media_upload', false);
28

    
29
if( !$admin->checkFTAN() )
30
{
31
    $admin->print_header();
32
    $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL );
33
}
34
// After check print the header
35
$admin->print_header();
36

    
37
// Target location
38
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
39
$target = (isset(${$requestMethod}['target'])) ? ${$requestMethod}['target'] : '';
40

    
41
// Include the WB functions file
42
require_once(WB_PATH.'/framework/functions.php');
43

    
44
$directory = ($target == '/') ?  '' : $target;
45
$dirlink = 'index.php?dir='.$directory;
46
$rootlink = 'index.php?dir=';
47

    
48
// Check to see if target contains ../
49
if (!check_media_path($target, false))
50
{
51
    $admin->print_error($MESSAGE['MEDIA_TARGET_DOT_DOT_SLASH'] );
52
}
53

    
54
// Create relative path of the target location for the file
55
$relative = WB_PATH.$target.'/';
56
$resizepath = str_replace(array('/',' '),'_',$target);
57

    
58
// Find out whether we should replace files or give an error
59
$overwrite = ($admin->get_post('overwrite') != '') ? true : false;
60

    
61
// Get list of file types to which we're supposed to append 'txt'
62
$get_result=$database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload'");
63
$file_extension_string='';
64
if ($get_result->numRows()>0) {
65
    $fetch_result=$get_result->fetchRow();
66
    $file_extension_string=$fetch_result['value'];
67
}
68

    
69
$file_extensions=explode(",",$file_extension_string);
70
// get from settings and add to forbidden list
71
$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
72
// Loop through the files
73
$good_uploads = 0;
74
$sum_dirs = 0;
75
$sum_files = 0;
76
for($count = 1; $count <= 10; $count++)
77
{
78
    // If file was upload to tmp
79
    if(isset($_FILES["file$count"]['name']))
80
    {
81
        // Remove bad characters
82
        $filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
83
        // Check if there is still a filename left
84
        // if($filename != '') {
85
        $info = pathinfo($filename);
86
        $ext = isset($info['extension']) ? $info['extension'] : '';
87

    
88
        if ( ($filename != '') && !preg_match("/" . $forbidden_file_types . "$/i", $ext) )
89
        {
90
            // Move to relative path (in media folder)
91
            if(file_exists($relative.$filename) AND $overwrite == true) {
92
                if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
93
                    $good_uploads++;
94
                    $sum_files++;
95
                    // Chmod the uploaded file
96
                    change_mode($relative.$filename);
97
                }
98
            } elseif(!file_exists($relative.$filename)) {
99
                if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
100
                    $good_uploads++;
101
                    $sum_files++;
102
                    // Chmod the uploaded file
103
                    change_mode($relative.$filename);
104
                }
105
            }
106

    
107
            if(file_exists($relative.$filename)) {
108
                if ($pathsettings[$resizepath]['width'] || $pathsettings[$resizepath]['height'] ) {
109
                    $rimg=new RESIZEIMAGE($relative.$filename);
110
                    $rimg->resize_limitwh($pathsettings[$resizepath]['width'],$pathsettings[$resizepath]['height'],$relative.$filename);
111
                    $rimg->close();
112
                }
113
            }
114

    
115
            // store file name of first file for possible unzip action
116
            if ($count == 1) {
117
                $filename1 = $relative . $filename;
118
            }
119
        }
120
    }
121
}
122
/*
123
 * Callback function to skip files in black-list
124
 */
125
function pclzipCheckValidFile($p_event, &$p_header)
126
{
127
    //  return 1;
128
// Check for potentially malicious files
129
    $forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
130
    $info = pathinfo($p_header['filename']);
131
    $ext = isset($info['extension']) ? $info['extension'] : '';
132
    $dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
133
    if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) && $dots != '.' )
134
    {    // ----- allowed file types are extracted
135
      return 1;
136
    }else
137
    {    // ----- all other files are skiped
138
      return 0;
139
    }
140
}
141
/* ********************************* */
142

    
143
// If the user chose to unzip the first file, unzip into the current folder
144
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
145
    // Required to unzip file.
146
    require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');
147
    $archive = new PclZip($filename1);
148
    $list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
149

    
150
    if($list == 0) {
151
        // error while trying to extract the archive (most likely wrong format)
152
        $admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
153
    }
154
    $sum_files = 0;
155
    // rename executable files!
156
    foreach ($list as $key => $val) {
157
        if( ($val['folder'] ) && change_mode($val['filename']) ) {
158
           $sum_dirs++;
159
        } elseif( is_writable($val['filename']) && ($val['status'] == 'ok') && change_mode($val['filename']) )  {
160
            $sum_files++;
161
        }
162
    }
163
    if (isset($_POST['delzip'])) { unlink($filename1); }
164
    $dir = dirname($filename1);
165
    if(file_exists($dir)) {
166
        $array = createFolderProtectFile($dir);
167
    }
168
}
169
unset($list);
170

    
171
if($sum_files == 1) {
172
    $admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
173
} elseif($sum_files > 1) {
174
    $admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
175
} else {
176
    $admin->print_error($MESSAGE['MEDIA_NO_FILE_UPLOADED'] );
177
}
178

    
179
// Print admin
180
$admin->print_footer();
(16-16/16)