/branches/2.8.x/wb/admin/media/upload.php - Annotate - WB 2.08.x - Tracking

wb-archiv283/branches/2.8.x/wb/admin/media/upload.php @ 1459

-            ryan
+<?php
-            FrankH
+/**
+ *
  * @category        admin
  * @package         admintools
  * @author          WebsiteBaker Project
  * @copyright       2004-2009, Ryan Djurovich
  * @copyright       2009-2011, Website Baker Org. e.V.
  * @link			http://www.websitebaker2.org/
  * @license         http://www.gnu.org/licenses/gpl.html
  * @platform        WebsiteBaker 2.8.x
  * @requirements    PHP 5.2.2 and higher
  * @version         $Id$
  * @filesource		$HeadURL:  $
  * @lastmodified    $Date:  $
+ *
  */
             ryan
 // Print admin header
 require('../../config.php');
-            Ruebenwurz
+include_once('resize_img.php');
 include_once('parameters.php');
-            ryan
+require_once(WB_PATH.'/framework/class.admin.php');
-            Ruebenwurz
+require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');	// Required to unzip file.
-            Luisehahne
+// suppress to print the header, so no new FTAN will be set
 $admin = new admin('Media', 'media_upload', false);
             ryan
-            Luisehahne
+if( !$admin->checkFTAN() )
             FrankH
-            Luisehahne
+	$admin->print_header();
 	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
             FrankH
-            Luisehahne
+// After check print the header
 $admin->print_header();
             FrankH
-            Luisehahne
+// Target location
 $requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
 $target = (isset(${$requestMethod}['target'])) ? ${$requestMethod}['target'] : '';
-            ryan
+// Include the WB functions file
 require_once(WB_PATH.'/framework/functions.php');
 // Check to see if target contains ../
-            Luisehahne
+if (!check_media_path($target, false))
+{
-            Luisehahne
+	$admin->print_error($MESSAGE['MEDIA']['TARGET_DOT_DOT_SLASH'] );
             ryan
 // Create relative path of the target location for the file
 $relative = WB_PATH.$target.'/';
-            ruud
+$resizepath = str_replace(array('/',' '),'_',$target);
             ryan
 // Find out whether we should replace files or give an error
 if($admin->get_post('overwrite') != '') {
 	$overwrite = true;
 } else {
 	$overwrite = false;
+}
-            stefan
+// Get list of file types to which we're supposed to append 'txt'
 $get_result=$database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
 $file_extension_string='';
 if ($get_result->numRows()>0) {
 	$fetch_result=$get_result->fetchRow();
 	$file_extension_string=$fetch_result['value'];
+}
 $file_extensions=explode(",",$file_extension_string);
-            ryan
+// Loop through the files
 $good_uploads = 0;
 for($count = 1; $count <= 10; $count++) {
 	// If file was upload to tmp
 	if(isset($_FILES["file$count"]['name'])) {
 		// Remove bad characters
 		$filename = media_filename($_FILES["file$count"]['name']);
 		// Check if there is still a filename left
 		if($filename != '') {
-            stefan
+			// Check for potentially malicious files and append 'txt' to their name
 			foreach($file_extensions as $file_ext) {
 				$file_ext_len=strlen($file_ext);
 				if (substr($filename,-$file_ext_len)==$file_ext) {
 					$filename.='.txt';
+				}
+			}
-            ryan
+			// Move to relative path (in media folder)
 			if(file_exists($relative.$filename) AND $overwrite == true) {
 				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
 					$good_uploads++;
 					// Chmod the uploaded file
 					change_mode($relative.$filename, 'file');
+				}
 			} elseif(!file_exists($relative.$filename)) {
 				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
 					$good_uploads++;
 					// Chmod the uploaded file
 					change_mode($relative.$filename);
+				}
+			}
             Ruebenwurz
 			if(file_exists($relative.$filename)) {
 				if ($pathsettings[$resizepath]['width'] || $pathsettings[$resizepath]['height'] ) {
 					$rimg=new RESIZEIMAGE($relative.$filename);
 					$rimg->resize_limitwh($pathsettings[$resizepath]['width'],$pathsettings[$resizepath]['height'],$relative.$filename);
 					$rimg->close();
+				}
+			}
-            Ruebenwurz
+			// store file name of first file for possible unzip action
 			if ($count == 1) {
 				$filename1 = $relative . $filename;
+			}
             ryan
+	}
+}
-            Ruebenwurz
+// If the user chose to unzip the first file, unzip into the current folder
 if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
 	$archive = new PclZip($filename1);
 	$list = $archive->extract(PCLZIP_OPT_PATH, $relative);
 	if($list == 0) {
 		// error while trying to extract the archive (most likely wrong format)
 		$admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
+	}
             FrankH
 	// rename executable files!
 	foreach ($list as $val) {
 		$fn = $val['filename'];
 		$fnp = pathinfo($fn);
 		if (isset($fnp['extension'])) {
 			$fext = $fnp['extension'];
 			if (in_array($fext, $file_extensions)) {
 				rename($fn, $fn.".txt");
+			}
+		}
+	}
             Ruebenwurz
-            ryan
+if($good_uploads == 1) {
-            Luisehahne
+	$admin->print_success($good_uploads.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
-            Ruebenwurz
+	if (isset($_POST['delzip'])) {
 		unlink($filename1);
+	}
-            ryan
+} else {
-            Luisehahne
+	$admin->print_success($good_uploads.' '.$MESSAGE['MEDIA']['UPLOADED'] );
             ryan
 // Print admin
 $admin->print_footer();

Project

General

Profile

WB 2.08.x