Project

General

Profile

1 4 ryan
<?php
2 1400 FrankH
/**
3
 *
4
 * @category        admin
5
 * @package         admintools
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.x
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource		$HeadURL:  $
15
 * @lastmodified    $Date:  $
16
 *
17
 */
18 4 ryan
19
// Print admin header
20
require('../../config.php');
21 1041 Ruebenwurz
include_once('resize_img.php');
22
include_once('parameters.php');
23
24 4 ryan
require_once(WB_PATH.'/framework/class.admin.php');
25 1023 Ruebenwurz
require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');	// Required to unzip file.
26 1457 Luisehahne
// suppress to print the header, so no new FTAN will be set
27
$admin = new admin('Media', 'media_upload', false);
28 4 ryan
29 1457 Luisehahne
if( !$admin->checkFTAN() )
30 1400 FrankH
{
31 1457 Luisehahne
	$admin->print_header();
32
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] );
33 1400 FrankH
}
34 1457 Luisehahne
// After check print the header
35
$admin->print_header();
36 1400 FrankH
37 1457 Luisehahne
// Target location
38
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
39
$target = (isset(${$requestMethod}['target'])) ? ${$requestMethod}['target'] : '';
40
41 4 ryan
// Include the WB functions file
42
require_once(WB_PATH.'/framework/functions.php');
43
44
// Check to see if target contains ../
45 1425 Luisehahne
if (!check_media_path($target, false))
46
{
47 1457 Luisehahne
	$admin->print_error($MESSAGE['MEDIA']['TARGET_DOT_DOT_SLASH'] );
48 4 ryan
}
49
50
// Create relative path of the target location for the file
51
$relative = WB_PATH.$target.'/';
52 1102 ruud
$resizepath = str_replace(array('/',' '),'_',$target);
53 4 ryan
54
// Find out whether we should replace files or give an error
55
if($admin->get_post('overwrite') != '') {
56
	$overwrite = true;
57
} else {
58
	$overwrite = false;
59
}
60
61 61 stefan
// Get list of file types to which we're supposed to append 'txt'
62
$get_result=$database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
63
$file_extension_string='';
64
if ($get_result->numRows()>0) {
65
	$fetch_result=$get_result->fetchRow();
66
	$file_extension_string=$fetch_result['value'];
67
}
68
$file_extensions=explode(",",$file_extension_string);
69 1460 Luisehahne
// get from settings and add to forbidden list
70
$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
71
// hardcodet forbidden filetypes
72
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
73 4 ryan
// Loop through the files
74
$good_uploads = 0;
75
for($count = 1; $count <= 10; $count++) {
76
	// If file was upload to tmp
77
	if(isset($_FILES["file$count"]['name'])) {
78
		// Remove bad characters
79 1460 Luisehahne
		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
80 4 ryan
		// Check if there is still a filename left
81 1460 Luisehahne
		// if($filename != '') {
82
		$info = pathinfo($filename);
83
		$ext = isset($info['extension']) ? $info['extension'] : '';
84
85
		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) {
86
/*
87
		// Check for potentially malicious files and append 'txt' to their name
88 61 stefan
			foreach($file_extensions as $file_ext) {
89
				$file_ext_len=strlen($file_ext);
90
				if (substr($filename,-$file_ext_len)==$file_ext) {
91
					$filename.='.txt';
92
				}
93 1460 Luisehahne
			}
94
*/
95 4 ryan
			// Move to relative path (in media folder)
96 1460 Luisehahne
			if(file_exists($relative.$filename) AND $overwrite == true) {
97 4 ryan
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
98
					$good_uploads++;
99
					// Chmod the uploaded file
100 1460 Luisehahne
					change_mode($relative.$filename);
101 4 ryan
				}
102
			} elseif(!file_exists($relative.$filename)) {
103
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
104
					$good_uploads++;
105
					// Chmod the uploaded file
106
					change_mode($relative.$filename);
107
				}
108
			}
109 1460 Luisehahne
110 1041 Ruebenwurz
			if(file_exists($relative.$filename)) {
111
				if ($pathsettings[$resizepath]['width'] || $pathsettings[$resizepath]['height'] ) {
112
					$rimg=new RESIZEIMAGE($relative.$filename);
113
					$rimg->resize_limitwh($pathsettings[$resizepath]['width'],$pathsettings[$resizepath]['height'],$relative.$filename);
114
					$rimg->close();
115
				}
116
			}
117 1460 Luisehahne
118 1023 Ruebenwurz
			// store file name of first file for possible unzip action
119
			if ($count == 1) {
120
				$filename1 = $relative . $filename;
121
			}
122 4 ryan
		}
123
	}
124
}
125 1460 Luisehahne
/*
126
 * Callback function to skip files in black-list
127
 */
128
function pclzipCheckValidFile($p_event, &$p_header)
129
{
130
                         //  return 1;
131
	$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
132
	// hardcodet forbidden filetypes
133
	$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
134
	$info = pathinfo($p_header['filename']);
135
                         $ext = isset($info['extension']) ? $info['extension'] : '';
136
                         $dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
137
	if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) && $dots != '.' )
138
	{	// ----- allowed file types are extracted
139
	  return 1;
140
	}else
141
	{	// ----- all other files are skiped
142
	  return 0;
143
	}
144
}
145
/* ********************************* */
146 4 ryan
147 1023 Ruebenwurz
// If the user chose to unzip the first file, unzip into the current folder
148
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
149
	$archive = new PclZip($filename1);
150 1460 Luisehahne
151
	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
152
153 1023 Ruebenwurz
	if($list == 0) {
154
		// error while trying to extract the archive (most likely wrong format)
155
		$admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
156
	}
157 1460 Luisehahne
158
	$sum_dirs = 0;
159
	$sum_files = 0;
160
161 1407 FrankH
	// rename executable files!
162 1460 Luisehahne
	foreach ($list as $key => $val) {
163
	    if( ($val['folder'] ) && change_mode($val['filename']) ) {
164
		   $sum_dirs++;
165
		} elseif( is_writable($val['filename']) && ($val['status'] == 'ok') && change_mode($val['filename']) )  {
166
			$sum_files++;
167 1407 FrankH
		}
168
	}
169 1460 Luisehahne
	if (isset($_POST['delzip'])) { unlink($filename1); }
170 1023 Ruebenwurz
}
171 1460 Luisehahne
unset($list);
172 4 ryan
if($good_uploads == 1) {
173 1460 Luisehahne
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
174 4 ryan
} else {
175 1457 Luisehahne
	$admin->print_success($good_uploads.' '.$MESSAGE['MEDIA']['UPLOADED'] );
176 4 ryan
}
177
178
// Print admin
179
$admin->print_footer();