uploader.php
1 <?php
// Refuse direct access: this file is only meaningful once the XOOPS bootstrap has run.
if (!defined('XOOPS_ROOT_PATH')) {
    die('Restricted access');
}

72 {
// When true, a file whose extension is not in $extensionToMime is not rejected by checkMimeType().
var $allowUnknownTypes = false;
// MIME type looked up from the uploaded file's extension (fetchMedia()); it is not derived from the content.
var $mediaRealType = '';
var $uploadDir = '';
// Allow-list of MIME types; an empty list means only the deny-list below applies.
var $allowedMimeTypes = array();
// Deny-list of MIME types, applied after the allow-list.
var $deniedMimeTypes = array(
'application/x-httpd-php');
var $maxFileSize = 0;
var $maxWidth;
var $prefix;
var $errors = array();
// Extension => MIME map, loaded from include/mimetypes.inc.php by the constructor.
var $extensionToMime = array();
// When true, files declared as images must be recognised by getimagesize() (checkImageType()).
var $checkImageType = true;
// Inner extensions rewritten by sanitizeMultipleExtensions() ("x.php.jpg" -> "x_php.jpg").
// Hand-maintained deny-list: only these names are neutralised.
var $extensionsToBeSanitized = array(
'php' ,
'phtml' ,
'phtm' ,
'php3' ,
'php4' ,
'cgi' ,
'pl' ,
'asp' ,
'php5');
// extensions needed image check (anti-IE Content-Type XSS)
// Keys follow the numbering of PHP's IMAGETYPE_* constants as returned in getimagesize()[2],
// so _copyFile() can compare the detected type with the file extension.
var $imageExtensions = array(
1 => 'gif' ,
2 => 'jpg' ,
3 => 'png' ,
4 => 'swf' ,
5 => 'psd' ,
6 => 'bmp' ,
7 => 'tif' ,
8 => 'tif' ,
9 => 'jpc' ,
10 => 'jp2' ,
11 => 'jpx' ,
12 => 'jb2' ,
13 => 'swc' ,
14 => 'iff' ,
15 => 'wbmp' ,
16 => 'xbm');
126 
/**
 * Load the extension-to-MIME map and the uploader language strings, then record the limits.
 *
 * @param string     $uploadDir        directory the upload is moved into
 * @param array|null $allowedMimeTypes allow-list of MIME types; anything but an array leaves it empty
 * @param int        $maxFileSize      maximum size in bytes
 * @param int|null   $maxWidth         maximum image width, unlimited when null
 * @param int|null   $maxHeight        maximum image height, unlimited when null
 *
 * @return bool|null false when the MIME map could not be loaded (remaining setup is skipped)
 */
function XoopsMediaUploader($uploadDir, $allowedMimeTypes, $maxFileSize = 0, $maxWidth = null, $maxHeight = null)
{
    $xoops   = $GLOBALS['xoops'];
    $mimeMap = include $xoops->path('include/mimetypes.inc.php');
    if (!is_array($mimeMap)) {
        // Without the map no upload can be typed; leave the object unconfigured.
        $this->extensionToMime = array();
        return false;
    }
    $this->extensionToMime = $mimeMap;

    if (is_array($allowedMimeTypes)) {
        $this->allowedMimeTypes = $allowedMimeTypes;
    }
    $this->uploadDir   = $uploadDir;
    $this->maxFileSize = intval($maxFileSize);
    if ($maxWidth !== null) {
        $this->maxWidth = intval($maxWidth);
    }
    if ($maxHeight !== null) {
        $this->maxHeight = intval($maxHeight);
    }

    // Prefer the configured language; fall back to English when that file is missing.
    $langFile = $xoops->path('language/' . $GLOBALS['xoopsConfig']['language'] . '/uploader.php');
    if (!include_once $langFile) {
        include_once $xoops->path('language/english/uploader.php');
    }
}

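/**
 * Read an uploaded file's metadata from $_FILES into this object.
 *
 * Populates mediaName, mediaType (the browser-supplied Content-Type, untrusted),
 * mediaSize, mediaTmpName, mediaError and mediaRealType. mediaRealType is looked
 * up from the file's last extension in $extensionToMime, so it too comes from
 * client input; content is only inspected later, and only for image types.
 *
 * @param string   $media_name form field name (key in $_FILES)
 * @param int|null $index      slot to read when the field holds several files
 *
 * @return bool true when a file was received and passed the basic checks; false
 *              otherwise, with the reason recorded via setErrors()
 */
function fetchMedia($media_name, $index = null)
{
    if (empty($this->extensionToMime)) {
        $this->setErrors(_ER_UP_MIMETYPELOAD);
        return false;
    }
    if (!isset($_FILES[$media_name])) {
        $this->setErrors(_ER_UP_FILENOTFOUND);
        return false;
    }

    $file = $_FILES[$media_name];
    if (is_array($file['name']) && isset($index)) {
        // Multi-file field: a missing slot yields empty values, which the empty-name
        // check below rejects, instead of raising undefined-index notices.
        $index   = intval($index);
        $name    = isset($file['name'][$index]) ? $file['name'][$index] : '';
        $type    = isset($file['type'][$index]) ? $file['type'][$index] : '';
        $size    = isset($file['size'][$index]) ? $file['size'][$index] : 0;
        $tmpName = isset($file['tmp_name'][$index]) ? $file['tmp_name'][$index] : '';
        $error   = !empty($file['error'][$index]) ? $file['error'][$index] : 0;
    } else {
        $name    = $file['name'];
        $type    = $file['type'];
        $size    = $file['size'];
        $tmpName = $file['tmp_name'];
        $error   = !empty($file['error']) ? $file['error'] : 0;
    }
    // get_magic_quotes_gpc() was removed from PHP; when it is absent no quotes were added.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }
    $this->mediaName    = $name;
    $this->mediaType    = $type;
    $this->mediaSize    = $size;
    $this->mediaTmpName = $tmpName;
    $this->mediaError   = $error;

    // Reset first so a file with an unmapped extension cannot inherit the type
    // determined by an earlier fetchMedia() call on the same object.
    $this->mediaRealType = '';
    $dot = strrpos($this->mediaName, '.');
    if ($dot !== false) {
        $ext = strtolower(substr($this->mediaName, $dot + 1));
        if (isset($this->extensionToMime[$ext])) {
            $this->mediaRealType = $this->extensionToMime[$ext];
        }
    }

    $this->errors = array();
    if (intval($this->mediaSize) < 0) {
        $this->setErrors(_ER_UP_INVALIDFILESIZE);
        return false;
    }
    if ($this->mediaName == '') {
        $this->setErrors(_ER_UP_FILENAMEEMPTY);
        return false;
    }
    // is_uploaded_file() ensures the path is this request's upload and not an arbitrary file.
    if ($this->mediaTmpName == 'none' || !is_uploaded_file($this->mediaTmpName)) {
        $this->setErrors(_ER_UP_NOFILEUPLOADED);
        return false;
    }
    if ($this->mediaError > 0) {
        $this->setErrors(sprintf(_ER_UP_ERROROCCURRED, $this->mediaError));
        return false;
    }
    return true;
}
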
/**
 * Use a fixed name for the saved file instead of a generated one.
 *
 * _copyFile() appends this value to $uploadDir as given, so the caller must pass a
 * plain file name without directory components.
 *
 * @param string $value
 */
function setTargetFileName($value)
{
    $name = trim($value);
    $this->targetFileName = strval($name);
}

/**
 * Set the prefix used when _copyFile() generates a unique file name.
 *
 * @param string $value
 */
function setPrefix($value)
{
    $prefix = trim($value);
    $this->prefix = strval($prefix);
}

/**
 * File name as sent by the client (untrusted: encode it before output).
 *
 * @return string
 */
function getMediaName()
{
    $name = $this->mediaName;
    return $name;
}

/**
 * Content-Type as declared by the browser (untrusted; not what the checks rely on).
 *
 * @return string
 */
function getMediaType()
{
    $type = $this->mediaType;
    return $type;
}

/**
 * Size of the upload in bytes as reported in $_FILES.
 *
 * @return int
 */
function getMediaSize()
{
    $size = $this->mediaSize;
    return $size;
}

/**
 * Temporary path PHP stored the upload under.
 *
 * @return string
 */
function getMediaTmpName()
{
    $tmpName = $this->mediaTmpName;
    return $tmpName;
}

/**
 * Name the file was saved under (set by _copyFile()).
 *
 * @return string
 */
function getSavedFileName()
{
    $saved = $this->savedFileName;
    return $saved;
}

/**
 * Full path the file was saved to (set by _copyFile()).
 *
 * @return string
 */
function getSavedDestination()
{
    $destination = $this->savedDestination;
    return $destination;
}

/**
 * Run every configured check and, if all pass, move the upload into $uploadDir.
 *
 * @param int $chmod permission bits applied to the saved file
 *
 * @return bool true on success; false with the reason recorded in $errors
 */
function upload($chmod = 0644)
{
    $dir = $this->uploadDir;
    if ($dir == '') {
        $this->setErrors(_ER_UP_UPLOADDIRNOTSET);
        return false;
    }
    if (!is_dir($dir)) {
        $this->setErrors(sprintf(_ER_UP_FAILEDOPENDIR, $dir));
        return false;
    }
    if (!is_writeable($dir)) {
        $this->setErrors(sprintf(_ER_UP_FAILEDOPENDIRWRITE, $dir));
        return false;
    }
    // Neutralise inner executable extensions ("x.php.jpg") before the name is used.
    $this->sanitizeMultipleExtensions();

    // Each check records its own error; stop at the first failure, in this order.
    $checks = array('checkMaxFileSize', 'checkMaxWidth', 'checkMaxHeight', 'checkMimeType', 'checkImageType');
    foreach ($checks as $check) {
        if (!$this->$check()) {
            return false;
        }
    }
    if (count($this->errors) > 0) {
        return false;
    }
    return $this->_copyFile($chmod);
}

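/**
 * Decide the destination name, verify image content, and move the upload.
 *
 * The image-type check runs on the temporary upload before the move, so a file whose
 * extension claims an image type but whose content does not match never exists in
 * $uploadDir, even briefly (previously it was moved first and unlinked afterwards).
 *
 * @param int $chmod permission bits applied to the saved file
 *
 * @return bool true on success; false with the reason recorded via setErrors()
 */
function _copyFile($chmod)
{
    $matched = array();
    if (!preg_match("/\.([a-zA-Z0-9]+)$/", $this->mediaName, $matched)) {
        $this->setErrors(_ER_UP_INVALIDFILENAME);
        return false;
    }
    if (isset($this->targetFileName)) {
        // Caller-chosen name, used as given: it must be a plain file name.
        $this->savedFileName = $this->targetFileName;
    } else if (isset($this->prefix)) {
        $this->savedFileName = uniqid($this->prefix) . '.' . strtolower($matched[1]);
    } else {
        // Client-supplied name: drop any directory part so the file stays inside $uploadDir.
        $this->savedFileName = basename(strtolower($this->mediaName));
    }
    $this->savedDestination = $this->uploadDir . '/' . $this->savedFileName;

    // Anti Content-Type sniffing check: for image extensions the content must be that image type.
    $dot = strrpos($this->savedFileName, '.');
    $ext = ($dot === false) ? '' : strtolower(substr($this->savedFileName, $dot + 1));
    if (in_array($ext, $this->imageExtensions, true)) {
        $info     = @getimagesize($this->mediaTmpName);
        $detected = ($info !== false && isset($this->imageExtensions[(int) $info[2]]))
            ? $this->imageExtensions[(int) $info[2]]
            : '';
        // An unrecognised or unlisted image type also fails the comparison (fail closed).
        if ($detected !== $ext) {
            $this->setErrors(_ER_UP_SUSPICIOUSREFUSED);
            return false;
        }
    }

    if (!move_uploaded_file($this->mediaTmpName, $this->savedDestination)) {
        $this->setErrors(sprintf(_ER_UP_FAILEDSAVEFILE, $this->savedDestination));
        return false;
    }
    @chmod($this->savedDestination, $chmod);
    return true;
}
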
/**
 * Reject the file when it is larger than $maxFileSize.
 *
 * $maxFileSize defaults to 0 and 0 is applied like any other limit, so every
 * non-empty upload is rejected until a positive limit is configured.
 *
 * @return bool
 */
function checkMaxFileSize()
{
    if (!isset($this->maxFileSize)) {
        return true;
    }
    $limit  = $this->maxFileSize;
    $actual = $this->mediaSize;
    if ($actual <= $limit) {
        return true;
    }
    $this->setErrors(sprintf(_ER_UP_FILESIZETOOLARGE, $limit, $actual));
    return false;
}

/**
 * Reject the file when its pixel width exceeds $maxWidth (no-op when unset).
 *
 * getimagesize() is attempted on every upload once a limit is set; for a file it
 * cannot read only a warning is raised and the check passes.
 *
 * @return bool
 */
function checkMaxWidth()
{
    if (!isset($this->maxWidth)) {
        return true;
    }
    $dimension = getimagesize($this->mediaTmpName);
    if ($dimension === false) {
        trigger_error(sprintf(_ER_UP_FAILEDFETCHIMAGESIZE, $this->mediaTmpName), E_USER_WARNING);
        return true;
    }
    $width = $dimension[0];
    if ($width > $this->maxWidth) {
        $this->setErrors(sprintf(_ER_UP_FILEWIDTHTOOLARGE, $this->maxWidth, $width));
        return false;
    }
    return true;
}

/**
 * Reject the file when its pixel height exceeds $maxHeight (no-op when unset).
 *
 * As with checkMaxWidth(), an unreadable file only raises a warning and passes.
 *
 * @return bool
 */
function checkMaxHeight()
{
    if (!isset($this->maxHeight)) {
        return true;
    }
    $dimension = getimagesize($this->mediaTmpName);
    if ($dimension === false) {
        trigger_error(sprintf(_ER_UP_FAILEDFETCHIMAGESIZE, $this->mediaTmpName), E_USER_WARNING);
        return true;
    }
    $height = $dimension[1];
    if ($height > $this->maxHeight) {
        $this->setErrors(sprintf(_ER_UP_FILEHEIGHTTOOLARGE, $this->maxHeight, $height));
        return false;
    }
    return true;
}

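/**
 * Enforce the MIME allow/deny lists against the extension-derived type.
 *
 * $mediaRealType comes from the file extension (fetchMedia()), not from the content,
 * so this check is only as strong as the extension mapping and the deny-list.
 *
 * @return bool
 */
function checkMimeType()
{
    $type = $this->mediaRealType;
    if (empty($type) && empty($this->allowUnknownTypes)) {
        $this->setErrors(_ER_UP_UNKNOWNFILETYPEREJECTED);
        return false;
    }

    $notAllowed = !empty($this->allowedMimeTypes) && !in_array($type, $this->allowedMimeTypes);
    $denied     = !empty($this->deniedMimeTypes) && in_array($type, $this->deniedMimeTypes);
    if ($notAllowed || $denied) {
        // The reported value is the browser-supplied Content-Type; encode it here because
        // getErrors() inserts error messages into HTML without further encoding.
        $reported = htmlspecialchars((string) $this->mediaType, ENT_QUOTES);
        $this->setErrors(sprintf(_ER_UP_MIMETYPENOTALLOWED, $reported));
        return false;
    }
    return true;
}
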
/**
 * When the declared type is an image, require getimagesize() to recognise the content.
 *
 * This only confirms an image header is present, and it is skipped entirely for
 * files that neither the browser nor the extension map declare as an image.
 *
 * @return bool
 */
function checkImageType()
{
    if (empty($this->checkImageType)) {
        return true;
    }

    $declaredImage = substr($this->mediaType, 0, 6) == 'image/'
        || (!empty($this->mediaRealType) && substr($this->mediaRealType, 0, 6) == 'image/');
    if (!$declaredImage) {
        return true;
    }
    if (!@getimagesize($this->mediaTmpName)) {
        $this->setErrors(_ER_UP_INVALIDIMAGEFILE);
        return false;
    }
    return true;
}

/**
 * Rewrite inner occurrences of listed extensions so "x.php.jpg" becomes "x_php.jpg".
 *
 * Only an extension followed by another dot is touched; a trailing ".php" is left
 * to the MIME deny-list.
 */
function sanitizeMultipleExtensions()
{
    if (empty($this->extensionsToBeSanitized)) {
        return;
    }

    $name = $this->mediaName;
    // One extension at a time, in list order, so each rewrite sees the previous result.
    foreach ($this->extensionsToBeSanitized as $ext) {
        $pattern = '/\.' . preg_quote($ext) . '\./i';
        $name    = preg_replace($pattern, '_' . $ext . '.', $name);
    }
    $this->mediaName = $name;
}

/**
 * Record one (whitespace-trimmed) error message for getErrors().
 *
 * @param string $error
 */
function setErrors($error)
{
    $message = trim($error);
    array_push($this->errors, $message);
}

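/**
 * Return the collected errors, either as an array or rendered as an HTML fragment.
 *
 * Message texts come from the language files and are emitted as-is; any client-derived
 * value must already be encoded where the message is built.
 *
 * @param bool $ashtml false for the raw array of messages; true for HTML
 *
 * @return array|string
 */
function &getErrors($ashtml = true)
{
    if (!$ashtml) {
        return $this->errors;
    }
    $ret = '';
    if (count($this->errors) > 0) {
        // mediaName is the client-supplied file name: encode it before embedding in markup.
        $name = htmlspecialchars((string) $this->mediaName, ENT_QUOTES);
        $ret  = '<h4>' . sprintf(_ER_UP_ERRORSRETURNED, $name) . '</h4>';
        foreach ($this->errors as $error) {
            $ret .= $error . '<br />';
        }
    }
    return $ret;
}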
527 }
528 
529 ?>