author | Dan |
Mon, 06 Aug 2007 10:37:42 -0400 | |
changeset 84 | f99fb84bd959 |
parent 81 | d7fc25acd3f3 |
child 85 | 7c68a18a27be |
permissions | -rwxr-xr-x |
0 | 1 |
<?php |
2 |
/* |
|
3 |
Plugin Name: Upload/download frontend |
|
23
320acf077276
At last, I fixed all those phased-out enano.homelinux.org links!
Dan
parents:
0
diff
changeset
|
4 |
Plugin URI: http://enanocms.org/ |
0 | 5 |
Description: Provides the pages Special:UploadFile and Special:DownloadFile. UploadFile is used to upload files to the site, and DownloadFile fetches the file from the database, creates thumbnails if necessary, and sends the file to the user. |
6 |
Author: Dan Fuhry |
|
7 |
Version: 1.0 |
|
23
320acf077276
At last, I fixed all those phased-out enano.homelinux.org links!
Dan
parents:
0
diff
changeset
|
8 |
Author URI: http://enanocms.org/ |
0 | 9 |
*/ |
10 |
||
11 |
/* |
|
12 |
* Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between |
|
13 |
* Version 1.0 release candidate 2 |
|
14 |
* Copyright (C) 2006-2007 Dan Fuhry |
|
15 |
* SpecialUpdownload.php - handles uploading and downloading of user-uploaded files - possibly the most rigorously security-enforcing script in all of Enano, although sessions.php comes in a close second |
|
16 |
* |
|
17 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
|
18 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
|
19 |
* |
|
20 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
|
21 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
|
22 |
*/ |
|
23 |
||
24 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
25 |
||
26 |
$plugins->attachHook('base_classes_initted', ' |
|
27 |
global $paths; |
|
28 |
$paths->add_page(Array( |
|
29 |
\'name\'=>\'Upload file\', |
|
30 |
\'urlname\'=>\'UploadFile\', |
|
31 |
\'namespace\'=>\'Special\', |
|
32 |
\'special\'=>0,\'visible\'=>1,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\', |
|
33 |
)); |
|
34 |
||
35 |
$paths->add_page(Array( |
|
36 |
\'name\'=>\'Download file\', |
|
37 |
\'urlname\'=>\'DownloadFile\', |
|
38 |
\'namespace\'=>\'Special\', |
|
39 |
\'special\'=>0,\'visible\'=>0,\'comments_on\'=>0,\'protected\'=>1,\'delvotes\'=>0,\'delvote_ips\'=>\'\', |
|
40 |
)); |
|
41 |
'); |
|
42 |
||
43 |
function page_Special_UploadFile() |
|
44 |
{ |
|
45 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
46 |
global $mime_types; |
|
47 |
if(getConfig('enable_uploads')!='1') { die_friendly('Access denied', '<p>File uploads are disabled this website.</p>'); } |
|
48 |
if ( !$session->get_permissions('upload_files') ) |
|
49 |
{ |
|
50 |
die_friendly('Access denied', '<p>File uploads are disabled for your user account or group.<p>'); |
|
51 |
} |
|
52 |
if(isset($_POST['doit'])) |
|
53 |
{ |
|
54 |
if(isset($_FILES['data'])) |
|
55 |
{ |
|
56 |
$file =& $_FILES['data']; |
|
57 |
} |
|
58 |
else |
|
59 |
{ |
|
60 |
$file = false; |
|
61 |
} |
|
62 |
if(!is_array($file)) die_friendly('Upload failed', '<p>The server could not retrieve the array $_FILES[\'data\'].</p>'); |
|
63 |
if($file['size'] == 0 || $file['size'] > (int)getConfig('max_file_size')) die_friendly('Upload failed', '<p>The file you uploaded is either too large or 0 bytes in length.</p>'); |
|
64 |
/* |
|
65 |
$allowed_mime_types = Array( |
|
66 |
'text/plain', |
|
67 |
'image/png', |
|
68 |
'image/jpeg', |
|
69 |
'image/tiff', |
|
70 |
'image/gif', |
|
71 |
'text/html', // Safe because the file is stashed in the database |
|
72 |
'application/x-bzip2', |
|
73 |
'application/x-gzip', |
|
74 |
'text/x-c++' |
|
75 |
); |
|
76 |
if(function_exists('finfo_open') && $fi = finfo_open(FILEINFO_MIME, ENANO_ROOT.'/includes/magic')) // First try to use the fileinfo extension, this is the best way to determine the mimetype |
|
77 |
{ |
|
78 |
if(!$fi) die_friendly('Upload failed', '<p>Enano was unable to determine the format of the uploaded file.</p><p>'.@finfo_file($fi, $file['tmp_name']).'</p>'); |
|
79 |
$type = @finfo_file($fi, $file['tmp_name']); |
|
80 |
@finfo_close($fi); |
|
81 |
} |
|
82 |
elseif(function_exists('mime_content_type')) |
|
83 |
$type = mime_content_type($file['tmp_name']); // OK, no fileinfo function. Use a (usually) built-in PHP function |
|
84 |
elseif(isset($file['type'])) |
|
85 |
$type = $file['type']; // LAST RESORT: use the mimetype the browser sent us, though this is likely to be spoofed |
|
86 |
else // DANG! Not even the browser told us. Bail out. |
|
87 |
die_friendly('Upload failed', '<p>Enano was unable to determine the format of the uploaded file.</p>'); |
|
88 |
*/ |
|
89 |
$types = fetch_allowed_extensions(); |
|
90 |
$ext = substr($file['name'], strrpos($file['name'], '.')+1, strlen($file['name'])); |
|
91 |
if(!isset($types[$ext]) || ( isset($types[$ext]) && !$types[$ext] ) ) |
|
92 |
{ |
|
93 |
die_friendly('Upload failed', '<p>The file type ".'.$ext.'" is not allowed.</p>'); |
|
94 |
} |
|
95 |
$type = $mime_types[$ext]; |
|
96 |
//$type = explode(';', $type); $type = $type[0]; |
|
97 |
//if(!in_array($type, $allowed_mime_types)) die_friendly('Upload failed', '<p>The file type "'.$type.'" is not allowed.</p>'); |
|
98 |
if($_POST['rename'] != '') |
|
99 |
{ |
|
100 |
$filename = $_POST['rename']; |
|
101 |
} |
|
102 |
else |
|
103 |
{ |
|
104 |
$filename = $file['name']; |
|
105 |
} |
|
106 |
$bad_chars = Array(':', '\\', '/', '<', '>', '|', '*', '?', '"', '#', '+'); |
|
107 |
foreach($bad_chars as $ch) |
|
108 |
{ |
|
109 |
if(strstr($filename, $ch) || preg_match('/^([ ]+)$/is', $filename)) die_friendly('Upload failed', '<p>The filename contains invalid characters.</p>'); |
|
110 |
} |
|
111 |
||
112 |
if ( isset ( $paths->pages[ $paths->nslist['File'] . $filename ] ) && !isset ( $_POST['update'] ) ) |
|
113 |
{ |
|
114 |
die_friendly('Upload failed', '<p>The file already exists. You can <a href="'.makeUrlNS('Special', 'UploadFile/'.$filename).'">upload a new version of this file</a>.</p>'); |
|
115 |
} |
|
116 |
else if ( isset($_POST['update']) && |
|
117 |
( !isset($paths->pages[$paths->nslist['File'].$filename]) || |
|
118 |
(isset($paths->pages[$paths->nslist['File'].$filename]) && |
|
119 |
$paths->pages[$paths->nslist['File'].$filename]['protected'] == 1 ) |
|
120 |
) |
|
121 |
) |
|
122 |
{ |
|
123 |
die_friendly('Upload failed', '<p>Either the file does not exist (and therefore cannot be updated) or the file is protected.</p>'); |
|
124 |
} |
|
125 |
||
126 |
$utime = time(); |
|
127 |
||
128 |
$filename = $db->escape($filename); |
|
129 |
$ext = substr($filename, strrpos($filename, '.'), strlen($filename)); |
|
130 |
$flen = filesize($file['tmp_name']); |
|
131 |
||
81
d7fc25acd3f3
Replaced the menu in the admin theme with something much more visually pleasureable; minor fix in Special:UploadFile; finished patching a couple of XSS problems from Banshee; finished Admin:PageGroups; removed unneeded code in flyin.js; finished tag system (except tag cloud); 1.0.1 release candidate
Dan
parents:
80
diff
changeset
|
132 |
$comments = ( isset($_POST['update']) ) ? $db->escape($_POST['comments']) : $db->escape(RenderMan::preprocess_text($_POST['comments'], false, false)); |
0 | 133 |
$chartag = sha1(microtime()); |
134 |
$urln = str_replace(' ', '_', $filename); |
|
135 |
||
136 |
$key = md5($filename . '_' . file_get_contents($file['tmp_name'])); |
|
137 |
$targetname = ENANO_ROOT . '/files/' . $key . '_' . $utime . $ext; |
|
138 |
||
139 |
if(!@move_uploaded_file($file['tmp_name'], $targetname)) |
|
140 |
{ |
|
141 |
die_friendly('Upload failed', '<p>Could not move uploaded file to the new location.</p>'); |
|
142 |
} |
|
143 |
||
144 |
if(getConfig('file_history') != '1') |
|
145 |
{ |
|
146 |
if(!$db->sql_query('DELETE FROM '.table_prefix.'files WHERE filename=\''.$filename.'\' LIMIT 1;')) $db->_die('The old file data could not be deleted.'); |
|
147 |
} |
|
148 |
if(!$db->sql_query('INSERT INTO '.table_prefix.'files(time_id,page_id,filename,size,mimetype,file_extension,file_key) VALUES('.$utime.', \''.$urln.'\', \''.$filename.'\', '.$flen.', \''.$type.'\', \''.$ext.'\', \''.$key.'\')')) $db->_die('The file data entry could not be inserted.'); |
|
149 |
if(!isset($_POST['update'])) |
|
150 |
{ |
|
151 |
if(!$db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace) VALUES('.$utime.', \''.date('d M Y h:i a').'\', \'page\', \'create\', \''.$session->username.'\', \''.$filename.'\', \''.'File'.'\');')) $db->_die('The page log could not be updated.'); |
|
152 |
if(!$db->sql_query('INSERT INTO '.table_prefix.'pages(name,urlname,namespace,protected,delvotes,delvote_ips) VALUES(\''.$filename.'\', \''.$urln.'\', \'File\', 0, 0, \'\')')) $db->_die('The page listing entry could not be inserted.'); |
|
153 |
if(!$db->sql_query('INSERT INTO '.table_prefix.'page_text(page_id,namespace,page_text,char_tag) VALUES(\''.$urln.'\', \'File\', \''.$comments.'\', \''.$chartag.'\')')) $db->_die('The page text entry could not be inserted.'); |
|
154 |
} |
|
155 |
else |
|
156 |
{ |
|
157 |
if(!$db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.$utime.', \''.date('d M Y h:i a').'\', \'page\', \'reupload\', \''.$session->username.'\', \''.$filename.'\', \''.'File'.'\', \''.$comments.'\');')) $db->_die('The page log could not be updated.'); |
|
158 |
} |
|
159 |
die_friendly('Upload complete', '<p>Your file has been uploaded successfully. View the <a href="'.makeUrlNS('File', $filename).'">file\'s page</a>.</p>'); |
|
160 |
} |
|
161 |
else |
|
162 |
{ |
|
163 |
$template->header(); |
|
164 |
$fn = $paths->getParam(0); |
|
165 |
if ( $fn && !$session->get_permissions('upload_new_version') ) |
|
166 |
{ |
|
167 |
die_friendly('Access denied', '<p>Uploading new versions of files has been disabled for your user account or group.<p>'); |
|
168 |
} |
|
169 |
?> |
|
170 |
<p>Using this form you can upload a file to the <?php echo getConfig('site_name'); ?> site.</p> |
|
171 |
<p>The maximum file size is <?php |
|
172 |
// Get the max file size, and format it in a way that is user-friendly |
|
173 |
$fs = getConfig('max_file_size'); |
|
174 |
echo commatize($fs).' bytes'; |
|
175 |
$fs = (int)$fs; |
|
176 |
if($fs >= 1048576) |
|
177 |
{ |
|
178 |
$fs = round($fs / 1048576, 1); |
|
179 |
echo ' ('.$fs.' MB)'; |
|
180 |
} |
|
181 |
elseif($fs >= 1024) |
|
182 |
{ |
|
183 |
$fs = round($fs / 1024, 1); |
|
184 |
echo ' ('.$fs.' KB)'; |
|
185 |
} |
|
186 |
?>.</p> |
|
187 |
<form action="<?php echo makeUrl($paths->page); ?>" method="post" enctype="multipart/form-data"> |
|
188 |
<table border="0" cellspacing="1" cellpadding="4"> |
|
189 |
<tr><td>File:</td><td><input name="data" type="file" size="40" /></td></tr> |
|
190 |
<tr><td>Rename to:</td><td><input name="rename" type="text" size="40"<?php if($fn) echo ' value="'.$fn.'" readonly="readonly"'; ?> /></td></tr> |
|
191 |
<?php |
|
192 |
if(!$fn) echo '<tr><td>Comments:<br />(can be wiki-formatted)</td><td><textarea name="comments" rows="20" cols="60"></textarea></td></tr>'; |
|
193 |
else echo '<tr><td>Reason for uploading the new version: </td><td><input name="comments" size="50" /></td></tr>'; |
|
194 |
?> |
|
195 |
<tr><td colspan="2" style="text-align: center"> |
|
196 |
<?php |
|
197 |
if($fn) |
|
198 |
echo '<input type="hidden" name="update" value="true" />'; |
|
199 |
?> |
|
200 |
<input type="submit" name="doit" value="Upload file" /> |
|
201 |
</td></tr> |
|
202 |
</table> |
|
203 |
</form> |
|
204 |
<?php |
|
205 |
$template->footer(); |
|
206 |
} |
|
207 |
} |
|
208 |
||
209 |
function page_Special_DownloadFile() |
|
210 |
{ |
|
211 |
global $db, $session, $paths, $template, $plugins; // Common objects |
|
212 |
global $do_gzip; |
|
213 |
$filename = rawurldecode($paths->getParam(0)); |
|
214 |
$timeid = $paths->getParam(1); |
|
215 |
if($timeid && preg_match('#^([0-9]+)$#', (string)$timeid)) $tid = ' AND time_id='.$timeid; |
|
216 |
else $tid = ''; |
|
217 |
$filename = $db->escape($filename); |
|
218 |
$q = $db->sql_query('SELECT page_id,size,mimetype,time_id,file_extension,file_key FROM '.table_prefix.'files WHERE filename=\''.$filename.'\''.$tid.' ORDER BY time_id DESC;'); |
|
219 |
if(!$q) $db->_die('The file data could not be selected.'); |
|
220 |
if($db->numrows() < 1) { header('HTTP/1.1 404 Not Found'); die_friendly('File not found', '<p>The file "'.$filename.'" cannot be found.</p>'); } |
|
221 |
$row = $db->fetchrow(); |
|
222 |
$db->free_result(); |
|
223 |
||
224 |
// Check permissions |
|
225 |
$perms = $session->fetch_page_acl($row['page_id'], 'File'); |
|
226 |
if ( !$perms->get_permissions('read') ) |
|
227 |
{ |
|
228 |
die_friendly('Access denied', '<p>Access to the specified file is denied.</p>'); |
|
229 |
} |
|
230 |
||
231 |
$fname = ENANO_ROOT . '/files/' . $row['file_key'] . '_' . $row['time_id'] . $row['file_extension']; |
|
232 |
$data = file_get_contents($fname); |
|
233 |
if(isset($_GET['preview']) && getConfig('enable_imagemagick')=='1' && file_exists(getConfig('imagemagick_path')) && substr($row['mimetype'], 0, 6) == 'image/') |
|
234 |
{ |
|
235 |
$nam = tempnam('/tmp', $filename); |
|
236 |
$h = @fopen($nam, 'w'); |
|
237 |
if(!$h) die('Error opening '.$nam.' for writing'); |
|
238 |
fwrite($h, $data); |
|
239 |
fclose($h); |
|
240 |
/* Make sure the request doesn't contain commandline injection - yow! */ |
|
241 |
if(!isset($_GET['width' ]) || (isset($_GET['width'] ) && !preg_match('#^([0-9]+)$#', $_GET['width'] ))) $width = '320'; else $width = $_GET['width' ]; |
|
242 |
if(!isset($_GET['height']) || (isset($_GET['height']) && !preg_match('#^([0-9]+)$#', $_GET['height'] ))) $height = '240'; else $height = $_GET['height']; |
|
243 |
$cache_filename=ENANO_ROOT.'/cache/'.$filename.'-'.$row['time_id'].'-'.$width.'x'.$height.$row['file_extension']; |
|
244 |
if(getConfig('cache_thumbs')=='1' && file_exists($cache_filename) && is_writable(ENANO_ROOT.'/cache')) { |
|
245 |
$data = file_get_contents($cache_filename); |
|
246 |
} elseif(getConfig('enable_imagemagick')=='1' && file_exists(getConfig('imagemagick_path'))) { |
|
247 |
// Use ImageMagick to convert the image |
|
248 |
//unlink($nam); |
|
249 |
error_reporting(E_ALL); |
|
250 |
$cmd = ''.getConfig('imagemagick_path').' "'.$nam.'" -resize "'.$width.'x'.$height.'>" "'.$nam.'.scaled'.$row['file_extension'].'"'; |
|
251 |
system($cmd, $stat); |
|
252 |
if(!file_exists($nam.'.scaled'.$row['file_extension'])) die('Failed to call ImageMagick (return value '.$stat.'), command line was:<br />'.$cmd); |
|
253 |
$data = file_get_contents($nam.'.scaled'.$row['file_extension']); |
|
254 |
// Be stingy about it - better to re-generate the image hundreds of times than to fail completely |
|
255 |
if(getConfig('cache_thumbs')=='1' && !file_exists($cache_filename)) { |
|
256 |
// Write the generated thumbnail to the cache directory |
|
257 |
$h = @fopen($cache_filename, 'w'); |
|
258 |
if(!$h) die('Error opening cache file "'.$cache_filename.'" for writing.'); |
|
259 |
fwrite($h, $data); |
|
260 |
fclose($h); |
|
261 |
} |
|
262 |
} |
|
263 |
unlink($nam); |
|
264 |
} |
|
265 |
$len = strlen($data); |
|
266 |
header('Content-type: '.$row['mimetype']); |
|
267 |
if(isset($_GET['download'])) header('Content-disposition: attachment, filename="'.$filename.'";'); |
|
268 |
header('Content-length: '.$len); |
|
269 |
header('Last-Modified: '.date('r', $row['time_id'])); |
|
270 |
echo($data); |
|
271 |
||
80
cb7dde69c301
Improved and enabled HTML optimization algorithm; enabled gzip compression; added but did not test at all the tag cloud class in includes/tagcloud.php, this is still very preliminary and not ready for any type of production use
Dan
parents:
23
diff
changeset
|
272 |
gzip_output(); |
0 | 273 |
|
274 |
exit; |
|
275 |
||
276 |
} |
|
277 |
||
278 |
?> |