File lass/uploader.php

  1: <?php
  2: /**
  3:  * XOOPS file uploader
  4:  *
  5:  * You may not change or alter any portion of this comment or credits
  6:  * of supporting developers from this source code or any supporting source code
  7:  * which is considered copyrighted (c) material of the original comment or credit authors.
  8:  * This program is distributed in the hope that it will be useful,
  9:  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 10:  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 11:  *
 12:  * @copyright       (c) 2000-2016 XOOPS Project (www.xoops.org)
 13:  * @license             GNU GPL 2 (http://www.gnu.org/licenses/gpl-2.0.html)
 14:  * @package             kernel
 15:  * @since               2.0.0
 16:  * @author              Kazumi Ono (http://www.myweb.ne.jp/, http://jp.xoops.org/)
 17:  * @author              Taiwen Jiang <phppp@users.sourceforge.net>
 18:  */
 19: 
 20: defined('XOOPS_ROOT_PATH') || exit('Restricted access');
 21: 
 22: /**
 23:  * Upload Media files
 24:  *
 25:  * Example of usage:
 26:  * <code>
 27:  * include_once 'uploader.php';
 28:  * $allowed_mimetypes = array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png');
 29:  * $maxfilesize = 50000;
 30:  * $maxfilewidth = 120;
 31:  * $maxfileheight = 120;
 32:  * $uploader = new XoopsMediaUploader('/home/xoops/uploads', $allowed_mimetypes, $maxfilesize, $maxfilewidth, $maxfileheight);
 33:  * if ($uploader->fetchMedia($_POST['uploade_file_name'])) {
 34:  *        if (!$uploader->upload()) {
 35:  *           echo $uploader->getErrors();
 36:  *        } else {
 37:  *           echo '<h4>File uploaded successfully!</h4>'
 38:  *           echo 'Saved as: ' . $uploader->getSavedFileName() . '<br>';
 39:  *           echo 'Full path: ' . $uploader->getSavedDestination();
 40:  *        }
 41:  * } else {
 42:  *        echo $uploader->getErrors();
 43:  * }
 44:  * </code>
 45:  *
 46:  */
 47: class XoopsMediaUploader
 48: {
 49:     /**
 50:      * Flag indicating if unrecognized mimetypes should be allowed (use with precaution ! may lead to security issues )
 51:      */
 52: 
 53:     public $allowUnknownTypes       = false;
 54:     public $mediaName;
 55:     public $mediaType;
 56:     public $mediaSize;
 57:     public $mediaTmpName;
 58:     public $mediaError;
 59:     public $mediaRealType           = '';
 60:     public $uploadDir               = '';
 61:     public $allowedMimeTypes        = array();
 62:     public $deniedMimeTypes         = array(
 63:         'application/x-httpd-php');
 64:     public $maxFileSize             = 0;
 65:     public $maxWidth;
 66:     public $maxHeight;
 67:     public $targetFileName;
 68:     public $prefix;
 69:     public $errors                  = array();
 70:     public $savedDestination;
 71:     public $savedFileName;
 72:     public $extensionToMime         = array();
 73:     public $checkImageType          = true;
 74:     public $extensionsToBeSanitized = array(
 75:         'php',
 76:         'phtml',
 77:         'phtm',
 78:         'php3',
 79:         'php4',
 80:         'cgi',
 81:         'pl',
 82:         'asp',
 83:         'php5',
 84:         'php7',
 85:     );
 86:     // extensions needed image check (anti-IE Content-Type XSS)
 87:     public $imageExtensions = array(
 88:         1  => 'gif',
 89:         2  => 'jpg',
 90:         3  => 'png',
 91:         4  => 'swf',
 92:         5  => 'psd',
 93:         6  => 'bmp',
 94:         7  => 'tif',
 95:         8  => 'tif',
 96:         9  => 'jpc',
 97:         10 => 'jp2',
 98:         11 => 'jpx',
 99:         12 => 'jb2',
100:         13 => 'swc',
101:         14 => 'iff',
102:         15 => 'wbmp',
103:         16 => 'xbm');
104:     public $randomFilename  = false;
105: 
106:     /**
107:      * Constructor
108:      *
109:      * @param string $uploadDir
110:      * @param array  $allowedMimeTypes
111:      * @param int    $maxFileSize
112:      * @param int    $maxWidth
113:      * @param int    $maxHeight
114:      * @param bool   $randomFilename
115:      */
116: 
117:     public function __construct($uploadDir, $allowedMimeTypes, $maxFileSize = 0, $maxWidth = null, $maxHeight = null, $randomFilename = false)
118:     {
119:         $this->extensionToMime = include $GLOBALS['xoops']->path('include/mimetypes.inc.php');
120:         if (!is_array($this->extensionToMime)) {
121:             $this->extensionToMime = array();
122: 
123:             return false;
124:         }
125:         if (is_array($allowedMimeTypes)) {
126:             $this->allowedMimeTypes =& $allowedMimeTypes;
127:         }
128:         $this->uploadDir = $uploadDir;
129: 
130:         $maxUploadInBytes   = $this->return_bytes(ini_get('upload_max_filesize'));
131:         $maxPostInBytes     = $this->return_bytes(ini_get('post_max_size'));
132:         $memoryLimitInBytes = $this->return_bytes(ini_get('memory_limit'));
133:         if ((int)$maxFileSize > 0) {
134:             $maxFileSizeInBytes = $this->return_bytes($maxFileSize);
135:             $newMaxFileSize     = min($maxFileSizeInBytes, $maxUploadInBytes, $maxPostInBytes, $memoryLimitInBytes);
136:         } else {
137:             $newMaxFileSize = min($maxUploadInBytes, $maxPostInBytes, $memoryLimitInBytes);
138:         }
139:         $this->maxFileSize = $newMaxFileSize;
140: 
141:         if (isset($maxWidth)) {
142:             $this->maxWidth = (int)$maxWidth;
143:         }
144:         if (isset($maxHeight)) {
145:             $this->maxHeight = (int)$maxHeight;
146:         }
147:         if (isset($randomFilename)) {
148:             $this->randomFilename = $randomFilename;
149:         }
150:         if (!include_once $GLOBALS['xoops']->path('language/' . $GLOBALS['xoopsConfig']['language'] . '/uploader.php')) {
151:             include_once $GLOBALS['xoops']->path('language/english/uploader.php');
152:         }
153:     }
154: 
155:     /**
156:      * converts memory/file sizes as defined in php.ini to bytes
157:      *
158:      * @param $size_str
159:      *
160:      * @return int
161:      */
162:     public function return_bytes($size_str)
163:     {
164:         switch (substr($size_str, -1)) {
165:             case 'K':
166:             case 'k':
167:                 return (int)$size_str * 1024;
168:             case 'M':
169:             case 'm':
170:                 return (int)$size_str * 1048576;
171:             case 'G':
172:             case 'g':
173:                 return (int)$size_str * 1073741824;
174:             default:
175:                 return $size_str;
176:         }
177:     }
178: 
179:     /**
180:      * Fetch the uploaded file
181:      *
182:      * @param  string $media_name Name of the file field
183:      * @param  int    $index      Index of the file (if more than one uploaded under that name)
184:      * @return bool
185:      */
186:     public function fetchMedia($media_name, $index = null)
187:     {
188:         if (empty($this->extensionToMime)) {
189:             $this->setErrors(_ER_UP_MIMETYPELOAD);
190: 
191:             return false;
192:         }
193:         if (!isset($_FILES[$media_name])) {
194:             $this->setErrors(_ER_UP_FILENOTFOUND);
195: 
196:             return false;
197:         } elseif (is_array($_FILES[$media_name]['name']) && isset($index)) {
198:             $index           = (int)$index;
199:             $this->mediaName = get_magic_quotes_gpc() ? stripslashes($_FILES[$media_name]['name'][$index]) : $_FILES[$media_name]['name'][$index];
200:             if ($this->randomFilename) {
201:                 $unique          = uniqid();
202:                 $this->mediaName = '' . $unique . '--' . $this->mediaName;
203:             }
204:             $this->mediaType    = $_FILES[$media_name]['type'][$index];
205:             $this->mediaSize    = $_FILES[$media_name]['size'][$index];
206:             $this->mediaTmpName = $_FILES[$media_name]['tmp_name'][$index];
207:             $this->mediaError   = !empty($_FILES[$media_name]['error'][$index]) ? $_FILES[$media_name]['error'][$index] : 0;
208:         } else {
209:             $media_name      =& $_FILES[$media_name];
210:             $this->mediaName = get_magic_quotes_gpc() ? stripslashes($media_name['name']) : $media_name['name'];
211:             if ($this->randomFilename) {
212:                 $unique          = uniqid();
213:                 $this->mediaName = '' . $unique . '--' . $this->mediaName;
214:             }
215:             $this->mediaType    = $media_name['type'];
216:             $this->mediaSize    = $media_name['size'];
217:             $this->mediaTmpName = $media_name['tmp_name'];
218:             $this->mediaError   = !empty($media_name['error']) ? $media_name['error'] : 0;
219:         }
220: 
221:         if (($ext = strrpos($this->mediaName, '.')) !== false) {
222:             $ext = strtolower(substr($this->mediaName, $ext + 1));
223:             if (isset($this->extensionToMime[$ext])) {
224:                 $this->mediaRealType = $this->extensionToMime[$ext];
225:             }
226:         }
227:         $this->errors = array();
228:         if ($this->mediaError > 0) {
229:             switch($this->mediaError){
230:                 case UPLOAD_ERR_INI_SIZE:
231:                     $this->setErrors(_ER_UP_INISIZE);
232:                     return false;
233:                     break;
234:                 case UPLOAD_ERR_FORM_SIZE:
235:                     $this->setErrors(_ER_UP_FORMSIZE);
236:                     return false;
237:                     break;
238:                 case UPLOAD_ERR_PARTIAL:
239:                     $this->setErrors(_ER_UP_PARTIAL);
240:                     return false;
241:                     break;
242:                 case UPLOAD_ERR_NO_FILE:
243:                     $this->setErrors(_ER_UP_NOFILE);
244:                     return false;
245:                     break;
246:                 case UPLOAD_ERR_NO_TMP_DIR:
247:                     $this->setErrors(_ER_UP_NOTMPDIR);
248:                     return false;
249:                     break;
250:                 case UPLOAD_ERR_CANT_WRITE:
251:                     $this->setErrors(_ER_UP_CANTWRITE);
252:                     return false;
253:                     break;
254:                 case UPLOAD_ERR_EXTENSION:
255:                     $this->setErrors(_ER_UP_EXTENSION);
256:                     return false;
257:                     break;
258:                 default:
259:                     $this->setErrors(_ER_UP_UNKNOWN);
260:                     return false;
261:                     break;
262:             }
263:         }
264: 
265:         if ((int)$this->mediaSize < 0) {
266:             $this->setErrors(_ER_UP_INVALIDFILESIZE);
267: 
268:             return false;
269:         }
270:         if ($this->mediaName == '') {
271:             $this->setErrors(_ER_UP_FILENAMEEMPTY);
272: 
273:             return false;
274:         }
275:         if ($this->mediaTmpName === 'none' || !is_uploaded_file($this->mediaTmpName)) {
276:             $this->setErrors(_ER_UP_NOFILEUPLOADED);
277: 
278:             return false;
279:         }
280: 
281:         return true;
282:     }
283: 
284:     /**
285:      * Set the target filename
286:      *
287:      * @param string $value
288:      */
289:     public function setTargetFileName($value)
290:     {
291:         $this->targetFileName = (string)trim($value);
292:     }
293: 
294:     /**
295:      * Set the prefix
296:      *
297:      * @param string $value
298:      */
299:     public function setPrefix($value)
300:     {
301:         $this->prefix = (string)trim($value);
302:     }
303: 
304:     /**
305:      * Get the uploaded filename
306:      *
307:      * @return string
308:      */
309:     public function getMediaName()
310:     {
311:         return $this->mediaName;
312:     }
313: 
314:     /**
315:      * Get the type of the uploaded file
316:      *
317:      * @return string
318:      */
319:     public function getMediaType()
320:     {
321:         return $this->mediaType;
322:     }
323: 
324:     /**
325:      * Get the size of the uploaded file
326:      *
327:      * @return int
328:      */
329:     public function getMediaSize()
330:     {
331:         return $this->mediaSize;
332:     }
333: 
334:     /**
335:      * Get the temporary name that the uploaded file was stored under
336:      *
337:      * @return string
338:      */
339:     public function getMediaTmpName()
340:     {
341:         return $this->mediaTmpName;
342:     }
343: 
344:     /**
345:      * Get the saved filename
346:      *
347:      * @return string
348:      */
349:     public function getSavedFileName()
350:     {
351:         return $this->savedFileName;
352:     }
353: 
354:     /**
355:      * Get the destination the file is saved to
356:      *
357:      * @return string
358:      */
359:     public function getSavedDestination()
360:     {
361:         return $this->savedDestination;
362:     }
363: 
364:     /**
365:      * Check the file and copy it to the destination
366:      *
367:      * @param  int $chmod
368:      * @return bool
369:      */
370:     public function upload($chmod = 0644)
371:     {
372:         if ($this->uploadDir == '') {
373:             $this->setErrors(_ER_UP_UPLOADDIRNOTSET);
374: 
375:             return false;
376:         }
377:         if (!is_dir($this->uploadDir)) {
378:             $this->setErrors(sprintf(_ER_UP_FAILEDOPENDIR, $this->uploadDir));
379: 
380:             return false;
381:         }
382:         if (!is_writable($this->uploadDir)) {
383:             $this->setErrors(sprintf(_ER_UP_FAILEDOPENDIRWRITE, $this->uploadDir));
384: 
385:             return false;
386:         }
387:         $this->sanitizeMultipleExtensions();
388: 
389:         if (!$this->checkMaxFileSize()) {
390:             return false;
391:         }
392:         if (!$this->checkMaxWidth()) {
393:             return false;
394:         }
395:         if (!$this->checkMaxHeight()) {
396:             return false;
397:         }
398:         if (!$this->checkMimeType()) {
399:             return false;
400:         }
401:         if (!$this->checkImageType()) {
402:             return false;
403:         }
404:         if (count($this->errors) > 0) {
405:             return false;
406:         }
407: 
408:         return $this->_copyFile($chmod);
409:     }
410: 
411:     /**
412:      * Copy the file to its destination
413:      *
414:      * @param $chmod
415:      * @return bool
416:      */
417:     public function _copyFile($chmod)
418:     {
419:         $matched = array();
420:         if (!preg_match("/\.([a-zA-Z0-9]+)$/", $this->mediaName, $matched)) {
421:             $this->setErrors(_ER_UP_INVALIDFILENAME);
422: 
423:             return false;
424:         }
425:         if (isset($this->targetFileName)) {
426:             $this->savedFileName = $this->targetFileName;
427:         } elseif (isset($this->prefix)) {
428:             $this->savedFileName = uniqid($this->prefix) . '.' . strtolower($matched[1]);
429:         } else {
430:             $this->savedFileName = strtolower($this->mediaName);
431:         }
432: 
433:         $this->savedFileName = iconv('UTF-8', 'ASCII//TRANSLIT', $this->savedFileName);
434:         $this->savedFileName = preg_replace('!\s+!', '_', $this->savedFileName);
435:         $this->savedFileName = preg_replace("/[^a-zA-Z0-9\._-]/", '', $this->savedFileName);
436: 
437:         $this->savedDestination = $this->uploadDir . '/' . $this->savedFileName;
438:         if (!move_uploaded_file($this->mediaTmpName, $this->savedDestination)) {
439:             $this->setErrors(sprintf(_ER_UP_FAILEDSAVEFILE, $this->savedDestination));
440: 
441:             return false;
442:         }
443:         // Check IE XSS before returning success
444:         $ext = strtolower(substr(strrchr($this->savedDestination, '.'), 1));
445:         if (in_array($ext, $this->imageExtensions)) {
446:             $info = @getimagesize($this->savedDestination);
447:             if ($info === false || $this->imageExtensions[(int)$info[2]] != $ext) {
448:                 $this->setErrors(_ER_UP_SUSPICIOUSREFUSED);
449:                 @unlink($this->savedDestination);
450: 
451:                 return false;
452:             }
453:         }
454:         @chmod($this->savedDestination, $chmod);
455: 
456:         return true;
457:     }
458: 
459:     /**
460:      * Is the file the right size?
461:      *
462:      * @return bool
463:      */
464:     public function checkMaxFileSize()
465:     {
466:         if (!isset($this->maxFileSize)) {
467:             return true;
468:         }
469:         if ($this->mediaSize > $this->maxFileSize) {
470:             $this->setErrors(sprintf(_ER_UP_FILESIZETOOLARGE, $this->maxFileSize, $this->mediaSize));
471: 
472:             return false;
473:         }
474: 
475:         return true;
476:     }
477: 
478:     /**
479:      * Is the picture the right width?
480:      *
481:      * @return bool
482:      */
483:     public function checkMaxWidth()
484:     {
485:         if (!isset($this->maxWidth)) {
486:             return true;
487:         }
488:         if (false !== $dimension = getimagesize($this->mediaTmpName)) {
489:             if ($dimension[0] > $this->maxWidth) {
490:                 $this->setErrors(sprintf(_ER_UP_FILEWIDTHTOOLARGE, $this->maxWidth, $dimension[0]));
491: 
492:                 return false;
493:             }
494:         } else {
495:             trigger_error(sprintf(_ER_UP_FAILEDFETCHIMAGESIZE, $this->mediaTmpName), E_USER_WARNING);
496:         }
497: 
498:         return true;
499:     }
500: 
501:     /**
502:      * Is the picture the right height?
503:      *
504:      * @return bool
505:      */
506:     public function checkMaxHeight()
507:     {
508:         if (!isset($this->maxHeight)) {
509:             return true;
510:         }
511:         if (false !== $dimension = getimagesize($this->mediaTmpName)) {
512:             if ($dimension[1] > $this->maxHeight) {
513:                 $this->setErrors(sprintf(_ER_UP_FILEHEIGHTTOOLARGE, $this->maxHeight, $dimension[1]));
514: 
515:                 return false;
516:             }
517:         } else {
518:             trigger_error(sprintf(_ER_UP_FAILEDFETCHIMAGESIZE, $this->mediaTmpName), E_USER_WARNING);
519:         }
520: 
521:         return true;
522:     }
523: 
524:     /**
525:      * Check whether or not the uploaded file type is allowed
526:      *
527:      * @return bool
528:      */
529:     public function checkMimeType()
530:     {
531:         // if the browser supplied mime type looks suspicious, refuse it
532:         $structureCheck = (bool) preg_match('/^\w+\/[-+.\w]+$/', $this->mediaType);
533:         if (false === $structureCheck) {
534:             $this->mediaType = 'invalid';
535:             $this->setErrors(_ER_UP_UNKNOWNFILETYPEREJECTED);
536:             return false;
537:         }
538: 
539:         if (empty($this->mediaRealType) && empty($this->allowUnknownTypes)) {
540:             $this->setErrors(_ER_UP_UNKNOWNFILETYPEREJECTED);
541: 
542:             return false;
543:         }
544: 
545:         if ((!empty($this->allowedMimeTypes) && !in_array($this->mediaRealType, $this->allowedMimeTypes)) || (!empty($this->deniedMimeTypes) && in_array($this->mediaRealType, $this->deniedMimeTypes))) {
546:             $this->setErrors(sprintf(_ER_UP_MIMETYPENOTALLOWED, htmlspecialchars($this->mediaRealType, ENT_QUOTES)));
547: 
548:             return false;
549:         }
550: 
551:         return true;
552:     }
553: 
554:     /**
555:      * Check whether or not the uploaded image type is valid
556:      *
557:      * @return bool
558:      */
559:     public function checkImageType()
560:     {
561:         if (empty($this->checkImageType)) {
562:             return true;
563:         }
564: 
565:         if (('image' === substr($this->mediaType, 0, strpos($this->mediaType, '/'))) || (!empty($this->mediaRealType) && 'image' === substr($this->mediaRealType, 0, strpos($this->mediaRealType, '/')))) {
566:             if (!($info = @getimagesize($this->mediaTmpName))) {
567:                 $this->setErrors(_ER_UP_INVALIDIMAGEFILE);
568: 
569:                 return false;
570:             }
571:         }
572: 
573:         return true;
574:     }
575: 
576:     /**
577:      * Sanitize executable filename with multiple extensions
578:      */
579:     public function sanitizeMultipleExtensions()
580:     {
581:         if (empty($this->extensionsToBeSanitized)) {
582:             return null;
583:         }
584: 
585:         $patterns = array();
586:         $replaces = array();
587:         foreach ($this->extensionsToBeSanitized as $ext) {
588:             $patterns[] = "/\." . preg_quote($ext) . "\./i";
589:             $replaces[] = '_' . $ext . '.';
590:         }
591:         $this->mediaName = preg_replace($patterns, $replaces, $this->mediaName);
592:     }
593: 
594:     /**
595:      * Add an error
596:      *
597:      * @param string $error
598:      */
599:     public function setErrors($error)
600:     {
601:         $this->errors[] = trim($error);
602:     }
603: 
604:     /**
605:      * Get generated errors
606:      *
607:      * @param  bool $ashtml Format using HTML?
608:      * @return array |string    Array of array messages OR HTML string
609:      */
610:     public function &getErrors($ashtml = true)
611:     {
612:         if (!$ashtml) {
613:             return $this->errors;
614:         } else {
615:             $ret = '';
616:             if (count($this->errors) > 0) {
617:                 $ret = '<h4>' . sprintf(_ER_UP_ERRORSRETURNED, htmlspecialchars($this->mediaName, ENT_QUOTES)) . '</h4>';
618:                 foreach ($this->errors as $error) {
619:                     $ret .= $error . '<br>';
620:                 }
621:             }
622: 
623:             return $ret;
624:         }
625:     }
626: }
627:
Namespaces

Classes

Interfaces

Exceptions

Functions
