/branches/2.8.x/wb/admin/media/upload.php - Annotate - WB 2.08.x - Tracking

wb-archiv283/branches/2.8.x/wb/admin/media/upload.php @ 2125

-            ryan
+<?php
-            FrankH
+/**
+ *
  * @category        admin
-            Luisehahne
+ * @package         media
-            Luisehahne
+ * @author          Ryan Djurovich,WebsiteBaker Project
-            Luisehahne
+ * @copyright       2009-2013, WebsiteBaker Org. e.V.
  * @link            http://www.websitebaker.org/
-            FrankH
+ * @license         http://www.gnu.org/licenses/gpl.html
  * @platform        WebsiteBaker 2.8.x
  * @requirements    PHP 5.2.2 and higher
  * @version         $Id$
-            Luisehahne
+ * @filesource      $HeadURL$
-            Luisehahne
+ * @lastmodified    $Date$
             FrankH
  */
             ryan
-            Luisehahne
+if(!defined('WB_URL'))
+{
     $config_file = realpath('../../config.php');
     if(file_exists($config_file) && !defined('WB_URL'))
+    {
     	require($config_file);
+    }
+}
-            darkviper
+//if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
 $oTrans = Translate::getInstance();
 $oTrans->enableAddon('admin\\media');
             Ruebenwurz
-            Luisehahne
+$modulePath = dirname(__FILE__);
 //include_once('resize_img.php');
 include_once($modulePath.'/parameters.php');
-            Luisehahne
+// suppress to print the header, so no new FTAN will be set
 $admin = new admin('Media', 'media_upload', false);
             ryan
-            Luisehahne
+if( !$admin->checkFTAN() )
             FrankH
-            Luisehahne
+	$admin->print_header();
-            darkviper
+	$admin->print_error($oTrans->MESSAGE_GENERIC_SECURITY_ACCESS );
             FrankH
-            Luisehahne
+// After check print the header
 $admin->print_header();
             FrankH
-            Luisehahne
+// Target location
 $requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']);
 $target = (isset(${$requestMethod}['target'])) ? ${$requestMethod}['target'] : '';
-            ryan
+// Include the WB functions file
-            Luisehahne
+if(!function_exists('directory_list')) { require(WB_PATH.'/framework/functions.php'); }
             ryan
-            Luisehahne
+$directory = ($target == '/') ?  '' : $target;
 $dirlink = 'index.php?dir='.$directory;
 $rootlink = 'index.php?dir=';
-            ryan
+// Check to see if target contains ../
-            Luisehahne
+if (!check_media_path($target, false))
+{
-            darkviper
+	$admin->print_error($oTrans->MESSAGE_MEDIA_TARGET_DOT_DOT_SLASH );
             ryan
 // Create relative path of the target location for the file
 $relative = WB_PATH.$target.'/';
-            ruud
+$resizepath = str_replace(array('/',' '),'_',$target);
             ryan
 // Find out whether we should replace files or give an error
-            Luisehahne
+$overwrite = ($admin->get_post('overwrite') != '') ? true : false;
             ryan
-            Luisehahne
+$file_extension_string = '';
-            stefan
+// Get list of file types to which we're supposed to append 'txt'
-            Luisehahne
+$sql = 'SELECT `value` FROM  `'.TABLE_PREFIX. 'settings` '.
        'WHERE `name`=\'rename_files_on_upload\'';
-            Luisehahne
+if( ($file_extension_string = $database->get_one($sql))=='' ) {
 //    $aResult = $oRes->fetchRow(MYSQL_ASSOC);
 //    $file_extension_string = $aResult['value'];
             Luisehahne
             stefan
             Luisehahne
-            stefan
+$file_extensions=explode(",",$file_extension_string);
-            Luisehahne
+// get from settings and add to forbidden list
-            Luisehahne
+$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
-            ryan
+// Loop through the files
 $good_uploads = 0;
-            Luisehahne
+$sum_dirs = 0;
 $sum_files = 0;
-            Luisehahne
+for($count = 1; $count <= 10; $count++)
+{
-            ryan
+	// If file was upload to tmp
-            Luisehahne
+	if(isset($_FILES["file$count"]['name']))
+	{
-            ryan
+		// Remove bad characters
-            Luisehahne
+		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
-            ryan
+		// Check if there is still a filename left
-            Luisehahne
+		// if($filename != '') {
 		$info = pathinfo($filename);
 		$ext = isset($info['extension']) ? $info['extension'] : '';
-            Luisehahne
+		if ( ($filename != '') && !preg_match("/" . $forbidden_file_types . "$/i", $ext) )
             Luisehahne
-            ryan
+			// Move to relative path (in media folder)
-            Luisehahne
+			if(file_exists($relative.$filename) AND $overwrite == true) {
-            ryan
+				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
 					$good_uploads++;
-            Luisehahne
+					$sum_files++;
-            ryan
+					// Chmod the uploaded file
-            Luisehahne
+					change_mode($relative.$filename);
             ryan
 			} elseif(!file_exists($relative.$filename)) {
 				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
 					$good_uploads++;
-            Luisehahne
+					$sum_files++;
-            ryan
+					// Chmod the uploaded file
 					change_mode($relative.$filename);
+				}
+			}
             Luisehahne
             Luisehahne
-            Ruebenwurz
+			if(file_exists($relative.$filename)) {
             Luisehahne
                 $ImgWidth  = isset($pathsettings[$resizepath]['width'])  ? intval($pathsettings[$resizepath]['width'])  : null;
                 $ImgHeigth = isset($pathsettings[$resizepath]['height']) ? intval($pathsettings[$resizepath]['height']) : null;
 				if ($ImgWidth!=null || $ImgHeigth!=null ) {
                     if(!class_exists('PhpThumbFactory', false)){ include($modulePath.'/inc/ThumbLib.inc.php'); }
                 	$oImage = PhpThumbFactory::create($relative.$filename);
                     $aOldSize = $oImage->getCurrentDimensions();
                     $ImgPercent = 50;
     				if ($ImgWidth!=null && $ImgHeigth==null ) {
                         $ImgPercent =  $ImgWidth*100/$aOldSize['width'];
                         $ImgHeigth = $ImgWidth;
                     } elseif( $ImgWidth==null && $ImgHeigth!=null ) {
                         $ImgPercent =  $ImgHeigth*100/$aOldSize['height'];
                         $ImgWidth = $ImgHeigth;
                     } else {
                         $ImgPercent = $ImgWidth*100/$aOldSize['width'];
+                    }
                     $oImage->resize($ImgWidth,$ImgHeigth)->save($relative.$filename);
 //                    $oImage->resizePercent($ImgPercent)->save($relative.$filename);
 //                    $oImage->adaptiveResize($ImgWidth,$ImgHeigth)->save($relative.$filename);
 //                    $oImage->save($relative.$filename);
             Ruebenwurz
             Luisehahne
             Ruebenwurz
             Luisehahne
-            Ruebenwurz
+			// store file name of first file for possible unzip action
 			if ($count == 1) {
 				$filename1 = $relative . $filename;
+			}
             ryan
+	}
+}
-            Luisehahne
+/*
  * Callback function to skip files in black-list
  */
 function pclzipCheckValidFile($p_event, &$p_header)
+{
-            Luisehahne
+    //  return 1;
 // Check for potentially malicious files
 	$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
-            Luisehahne
+	$info = pathinfo($p_header['filename']);
-            Luisehahne
+	$ext = isset($info['extension']) ? $info['extension'] : '';
 	$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
-            Luisehahne
+	if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) && $dots != '.' )
 	{	// ----- allowed file types are extracted
 	  return 1;
 	}else
 	{	// ----- all other files are skiped
 	  return 0;
+	}
+}
 /* ********************************* */
             ryan
-            Ruebenwurz
+// If the user chose to unzip the first file, unzip into the current folder
 if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
-            Luisehahne
+	// Required to unzip file.
 	require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');
-            Ruebenwurz
+	$archive = new PclZip($filename1);
-            Luisehahne
+	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
-            Ruebenwurz
+	if($list == 0) {
 		// error while trying to extract the archive (most likely wrong format)
 		$admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
+	}
-            Luisehahne
+	$sum_files = 0;
-            FrankH
+	// rename executable files!
-            Luisehahne
+	foreach ($list as $key => $val) {
 	    if( ($val['folder'] ) && change_mode($val['filename']) ) {
 		   $sum_dirs++;
 		} elseif( is_writable($val['filename']) && ($val['status'] == 'ok') && change_mode($val['filename']) )  {
 			$sum_files++;
             FrankH
+	}
-            Luisehahne
+	if (isset($_POST['delzip'])) { unlink($filename1); }
-            Luisehahne
+	$dir = dirname($filename1);
     if(file_exists($dir)) {
 		$array = createFolderProtectFile($dir);
+    }
             Ruebenwurz
-            Luisehahne
+unset($list);
             Luisehahne
-            Luisehahne
+if($sum_files == 1) {
-            darkviper
+	$admin->print_success($sum_files.' '.$oTrans->MESSAGE_MEDIA_SINGLE_UPLOADED );
-            Luisehahne
+} elseif($sum_files > 1) {
-            darkviper
+	$admin->print_success($sum_files.' '.$oTrans->MESSAGE_MEDIA_UPLOADED );
-            ryan
+} else {
             Luisehahne
 	if(file_exists($relative.$filename)) {
-            darkviper
+    	$admin->print_error($oTrans->MESSAGE_MEDIA_FILE_EXISTS );
-            Luisehahne
+    } else {
-            darkviper
+    	$admin->print_error($oTrans->MESSAGE_MEDIA_NO_FILE_UPLOADED );
             Luisehahne
             ryan
-            Luisehahne
+// Print admin
-            ryan
+$admin->print_footer();

Project

General

Profile

WB 2.08.x