Project

General

Profile

1
<?php
2

    
3
// $Id: upload.php 310 2006-02-19 05:31:10Z ryan $
4

    
5
/*
6

    
7
 Website Baker Project <http://www.websitebaker.org/>
8
 Copyright (C) 2004-2006, Ryan Djurovich
9

    
10
 Website Baker is free software; you can redistribute it and/or modify
11
 it under the terms of the GNU General Public License as published by
12
 the Free Software Foundation; either version 2 of the License, or
13
 (at your option) any later version.
14

    
15
 Website Baker is distributed in the hope that it will be useful,
16
 but WITHOUT ANY WARRANTY; without even the implied warranty of
17
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18
 GNU General Public License for more details.
19

    
20
 You should have received a copy of the GNU General Public License
21
 along with Website Baker; if not, write to the Free Software
22
 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
23

    
24
*/
25

    
26
// Target location
27
if(!isset($_POST['target']) OR $_POST['target'] == '') {
28
	header("Location: index.php");
29
	exit(0);
30
} else {
31
	$target = $_POST['target'];
32
}
33

    
34
// Print admin header
35
require('../../config.php');
36
require_once(WB_PATH.'/framework/class.admin.php');
37
$admin = new admin('Media', 'media_upload');
38

    
39
// Include the WB functions file
40
require_once(WB_PATH.'/framework/functions.php');
41

    
42
// Check to see if target contains ../
43
if(strstr($target, '../')) {
44
	$admin->print_error($MESSAGE['MEDIA']['TARGET_DOT_DOT_SLASH']);
45
}
46

    
47
// Create relative path of the target location for the file
48
$relative = WB_PATH.$target.'/';
49

    
50
// Find out whether we should replace files or give an error
51
if($admin->get_post('overwrite') != '') {
52
	$overwrite = true;
53
} else {
54
	$overwrite = false;
55
}
56

    
57
// Get list of file types to which we're supposed to append 'txt'
58
$get_result=$database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
59
$file_extension_string='';
60
if ($get_result->numRows()>0) {
61
	$fetch_result=$get_result->fetchRow();
62
	$file_extension_string=$fetch_result['value'];
63
}
64
$file_extensions=explode(",",$file_extension_string);
65

    
66

    
67
// Loop through the files
68
$good_uploads = 0;
69
for($count = 1; $count <= 10; $count++) {
70
	// If file was upload to tmp
71
	if(isset($_FILES["file$count"]['name'])) {
72
		// Remove bad characters
73
		$filename = media_filename($_FILES["file$count"]['name']);
74
		// Check if there is still a filename left
75
		if($filename != '') {
76
			// Check for potentially malicious files and append 'txt' to their name
77
			foreach($file_extensions as $file_ext) {
78
				$file_ext_len=strlen($file_ext);
79
				if (substr($filename,-$file_ext_len)==$file_ext) {
80
					$filename.='.txt';
81
				}
82
			}		
83
			// Move to relative path (in media folder)
84
			if(file_exists($relative.$filename) AND $overwrite == true) {			
85
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
86
					$good_uploads++;
87
					// Chmod the uploaded file
88
					change_mode($relative.$filename, 'file');
89
				}
90
			} elseif(!file_exists($relative.$filename)) {
91
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
92
					$good_uploads++;
93
					// Chmod the uploaded file
94
					change_mode($relative.$filename);
95
				}
96
			}
97
		}
98
	}
99
}
100

    
101
if($good_uploads == 1) {
102
	$admin->print_success($good_uploads.$MESSAGE['MEDIA']['SINGLE_UPLOADED']);
103
} else {
104
	$admin->print_success($good_uploads.$MESSAGE['MEDIA']['UPLOADED']);
105
}
106

    
107
// Print admin 
108
$admin->print_footer();
109

    
110
?>
(11-11/11)