[Linpha-cvs] SF.net SVN: linpha: [4553] trunk/linpha2
From: <fan...@us...> - 2006-04-29 22:13:30
Revision: 4553 Author: fangehrn Date: 2006-04-29 15:13:09 -0700 (Sat, 29 Apr 2006) ViewCVS: http://svn.sourceforge.net/linpha/?rev=4553&view=rev Log Message: ----------- * filemanager: implementing upload only images and videos, escape filenames correct (-> create a folder and file called "<script>" and you will find things which needs to be escaped) Modified Paths: -------------- trunk/linpha2/ChangeLog trunk/linpha2/lib/classes/linpha.functions.php trunk/linpha2/lib/classes/linpha.imgview.class.php trunk/linpha2/lib/classes/linpha.import.class.php trunk/linpha2/lib/classes/linpha.metadata.class.php trunk/linpha2/lib/modules/module.albums.php trunk/linpha2/lib/modules/module.filemanager.php trunk/linpha2/templates/default/basket.html.php trunk/linpha2/templates/default/view_img.html.php trunk/linpha2/templates/default/view_meta.html.php Modified: trunk/linpha2/ChangeLog =================================================================== --- trunk/linpha2/ChangeLog 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/ChangeLog 2006-04-29 22:13:09 UTC (rev 4553) @@ -1,6 +1,9 @@ +2006-04-29 flo + * filemanager: implementing upload only images and videos, escape filenames correct + (-> create a folder and file called "<script>" and you will find things which needs to be escaped) + 2006-04-28 flo * filemanager: implemeting move, copy, change permissions, upload - @todo make upload more secure 2006-04-26 flo * filemanager: implementing rename, delete, create folder Modified: trunk/linpha2/lib/classes/linpha.functions.php =================================================================== --- trunk/linpha2/lib/classes/linpha.functions.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/lib/classes/linpha.functions.php 2006-04-29 22:13:09 UTC (rev 4553) 
@@ -200,17 +200,19 @@ } // end tr() - -function set_navigation_line( $id ) +/** + * print a nice navigation line with links on each entry + */ +function setNavigationLine( $id, $link ) { - $str = '<a href="'.LINPHA_DIR.'/?cat=alb&id=0">></a> '; + $str = '<a href="'.$link.'=0">></a> '; $array_files = $GLOBALS['linpha']->sql->getFullFilenameFromId( $id ); foreach($array_files AS $key=>$value) { if($value != "") { - $array_values[] = '<a href="'.LINPHA_DIR.'/?cat=alb&id='.$key.'">'.$value.'</a>'; + $array_values[] = '<a href="'.$link.$key.'">'.htmlspecialchars($value,ENT_QUOTES).'</a>'; } } Modified: trunk/linpha2/lib/classes/linpha.imgview.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.imgview.class.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/lib/classes/linpha.imgview.class.php 2006-04-29 22:13:09 UTC (rev 4553) @@ -222,6 +222,11 @@ { if( LinSql::photoIsAllowed( $value['id'] ) ) { + /** + * escape name here + * -> we do not have to do it in the templates + */ + $value['name'] = htmlspecialchars($value['name'],ENT_QUOTES); $this->photos_filtered[] = $value; } } @@ -329,6 +334,13 @@ ) ); + if($GLOBALS['linpha']->sql->photoIsAllowed( $this->id_parent, 'write')) + { + $GLOBALS['linpha']->template->output['menu_More']['edit']['name'] = i18n("Edit"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][2]['name'] = i18n("Open Filemanager"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][2]['value'] = LINPHA_DIR.'/?cat=filemanager&id='.$this->id_parent; + } + if($GLOBALS['linpha']->sql->checkPermission('metadata_edit')) { $GLOBALS['linpha']->template->output['menu_More']['metainfo'] = 
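Review bot: The root entry `'<a href="'.$link.'=0">></a> '` emits a bare `>` as anchor text; for a change whose purpose is correct escaping that should be an entity, i.e. `$str = '<a href="'.$link.'=0">&gt;</a> ';`. `$link` and `$key` are concatenated into the href unescaped; both callers in this commit pass a literal prefix and `$key` is presumably the numeric id keyed by getFullFilenameFromId, so this holds only as long as no caller ever builds `$link` from request data — the new docblock should say that `$link` must already be attribute-safe and that the id is appended verbatim. setNavigationLine's body continues past the end of the hunk.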
@@ -361,15 +373,21 @@ if($GLOBALS['linpha']->sql->checkPermission('metadata_edit')) { - $GLOBALS['linpha']->template->output['menu_More']['edit'] = - Array( - 'name' => i18n("Edit"), - 'value' => Array( - Array('name' => i18n("Rotate Left"), 'value' => '#'), - Array('name' => i18n("Rotate Right"), 'value' => '#') - ) - ); + $GLOBALS['linpha']->template->output['menu_More']['edit']['name'] = i18n("Edit"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][0]['name'] = i18n("Rotate Left"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][0]['value'] = '#'; + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][1]['name'] = i18n("Rotate Right"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][1]['value'] = '#'; } + + if($GLOBALS['linpha']->sql->photoIsAllowed( $this->id_parent, 'write')) + { + $GLOBALS['linpha']->template->output['menu_More']['edit']['name'] = i18n("Edit"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][2]['name'] = i18n("Open Filemanager"); + $GLOBALS['linpha']->template->output['menu_More']['edit']['value'][2]['value'] = LINPHA_DIR.'/?cat=filemanager&id='.$this->id_parent; + } + + if($GLOBALS['linpha']->sql->checkPermission('metadata_edit')) { $GLOBALS['linpha']->template->output['menu_More']['metainfo'] = 
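Review bot: The seven-line block that registers the "Open Filemanager" entry under `menu_More['edit']['value'][2]` is pasted twice in this file (this hunk and the one at `@@ -329`); a small private method, say `addFilemanagerMenuEntry()`, would keep the two copies from drifting apart. The hard-coded index 2 assumes the rotate entries occupy 0 and 1, but in the `@@ -329` hunk nothing precedes it and here the rotate entries exist only when `checkPermission('metadata_edit')` holds, so `value` can end up as a sparse array with the single key 2 — harmless if the template iterates it with foreach, broken if it counts from 0. `$this->id_parent` is interpolated straight into the URL; it is presumably an integer from the database, and a `(int)` cast there would be in keeping with the rest of the commit.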
@@ -563,16 +581,16 @@ { if($index == 'before') { - $GLOBALS['linpha']->template->output['thumb_infos'][$photo_value['id']][$index] .= $value['value'].'<br />'; + $GLOBALS['linpha']->template->output['thumb_infos'][$photo_value['id']][$index] .= $value['value'].'<br />'; // $value['value'] is already escaped } elseif($index == 'after') { - $GLOBALS['linpha']->template->output['thumb_infos'][$photo_value['id']][$index] .= '<br />'.$value['value']; + $GLOBALS['linpha']->template->output['thumb_infos'][$photo_value['id']][$index] .= '<br />'.$value['value']; // $value['value'] is already escaped } } } - $GLOBALS['linpha']->template->output['thumb_infos'][$photo_value['id']]['title'] = $photo_value['name']; + $GLOBALS['linpha']->template->output['thumb_infos'][$photo_value['id']]['title'] = $photo_value['name']; // $photo_value['name'] is already escaped } Modified: trunk/linpha2/lib/classes/linpha.import.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.import.class.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/lib/classes/linpha.import.class.php 2006-04-29 22:13:09 UTC (rev 4553) @@ -90,7 +90,7 @@ { if($dryrun) { - linSysLog("Delete Entry: ".$dirname.'/'.$value."<br />"); + linSysLog(i18n("Delete Entry").": ".htmlspecialchars($dirname.'/'.$value,ENT_QUOTES)."<br />"); $deleted_keys[] = $key; } else @@ -106,7 +106,7 @@ { if($dryrun) { - linSysLog("New Entry: ".$dirname.'/'.$value."<br />"); + linSysLog(i18n("New Entry").": ".htmlspecialchars($dirname.'/'.$value,ENT_QUOTES)."<br />"); } else { @@ -150,7 +150,7 @@ } catch(Exception $error) { - linSysLog("Error during import files/folders: ".$error -> getMessage()); + linSysLog(i18n("Error during import files/folders").": ".$error -> getMessage()); } } 
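Review bot: In the import hunk at `@@ -150`, `$error -> getMessage()` is passed to linSysLog unescaped while every neighbouring message in these hunks now wraps its path in htmlspecialchars; if any exception raised inside that try embeds a file or folder name, the log line inherits the problem this commit is fixing. `linSysLog(i18n("Error during import files/folders").": ".htmlspecialchars($error->getMessage(),ENT_QUOTES));` keeps it consistent. Escaping once inside linSysLog would remove this whole class of inconsistency, but whether its consumers expect raw or HTML-ready text is not visible here.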
@@ -164,7 +164,7 @@ */ function addNewEntry( $parent_id , $dirname , $filename , $recursive ) { - linSysLog('new '.$dirname.'/'.$filename.'<br />'); + linSysLog(i18n("New").': '.htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES).'<br />'); list($md5sum,$file_type,$stats_number) = LinImport::getFileInformation($dirname,$filename); @@ -233,7 +233,7 @@ LinImport::deleteEntry( $data['id'], $full_filename.'/'.$data['name']); } - linSysLog('delete entry '.$full_filename.'<br />'); + linSysLog(i18n("Delete Entry").': '.htmlspecialchars($full_filename,ENT_QUOTES).'<br />'); /** * delete thumbnail and image in cache folder @@ -281,7 +281,7 @@ */ if($file_type != $data[0]) { - linSysLog("Detected a change of file_type in: ".$dirname.'/'.$filename.'<br />'); + linSysLog(i18n("Detected a change of file_type in:")." ".htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES).'<br />'); $GLOBALS['linpha']->db->Execute("UPDATE ".PREFIX."photos " . "SET img_type = '".$file_type."', stats_numbers = '".$stats_number."' " . "WHERE id = '".$id."'"); @@ -296,7 +296,7 @@ */ if($md5sum != $data[1]) { - linSysLog("File ".$dirname.'/'.$filename." changed, updating data...<br />"); + linSysLog(sprintf(i18n("File %s changed, updating data..."),htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES))."<br />"); $GLOBALS['linpha']->db->Execute("UPDATE ".PREFIX."photos " . "SET md5sum = '".$md5sum."' WHERE id = '".$id."'"); @@ -327,8 +327,6 @@ { if( $id != 0 ) { - linSysLog('updating photo number of id: '.$id.'<br />'); - $data = $GLOBALS['linpha']->db->GetRow("SELECT sum(stats_numbers) " . "FROM ".PREFIX."photos WHERE parent_id = '".$id."'"); $GLOBALS['linpha']->db->Execute("UPDATE ".PREFIX."photos " . 
@@ -352,22 +350,22 @@ $ext = LinFilesys::getFileExtFromPath($filename); if($filename{0} == '.') { - linSysLog("File ".$dirname.'/'.$filename." Is Hidden<br />"); + linSysLog(htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES)." ".i18n("Is Hidden")."<br />"); $file_type = 9999999; } elseif( in_array( $filename, LinImport::getIgnoreFilelist() ) ) { - linSysLog("File ".$dirname.'/'.$filename." Is In The Ignore List<br />"); + linSysLog(htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES)." ".i18n("Is In The Ignore List")."<br />"); $file_type = 9999999; } elseif( in_array($ext, LinImport::getIgnoreFileext() ) ) { - linSysLog("File ".$dirname.'/'.$filename." Is In The Ignore List<br />"); + linSysLog(htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES)." ".i18n("Is In The Ignore List")."<br />"); $file_type = 9999999; } elseif( !is_readable( $dirname.'/'.$filename) ) { - linSysLog("File ".$dirname.'/'.$filename." Is Not Readable<br />"); + linSysLog(htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES)." ".i18n("Is Not Readable")."<br />"); $file_type = 9999999; } /** @@ -409,7 +407,7 @@ } else { - linSysLog('Error: what am i? '.$dirname.'/'.$filename.'<br />'); + linSysLog('Error: what am i? '.htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES).'<br />'); } return array($md5sum,$file_type,$stats_number); Modified: trunk/linpha2/lib/classes/linpha.metadata.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.metadata.class.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/lib/classes/linpha.metadata.class.php 2006-04-29 22:13:09 UTC (rev 4553) @@ -103,7 +103,7 @@ switch($last_part) { case 'filename': - $value = $filename; + $value = $filename; // is already escaped break; case 'imagesize': $value = filesize( $full_filename ); 
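Review bot: The last new line of the getFileInformation hunk, `linSysLog('Error: what am i? '.htmlspecialchars(...))`, is the only message in these hunks not routed through i18n() and it carries a different prefix convention from the others; `linSysLog(i18n("Error: unknown file type").' '.htmlspecialchars($dirname.'/'.$filename,ENT_QUOTES).'<br />');` would match. In the metadata hunk at `@@ -103`, the comment `// is already escaped` on `$value = $filename;` states a contract the caller has to uphold; the method's docblock should say where that escaping happens, because a second caller passing a raw name would silently reintroduce the bug.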
@@ -123,7 +123,7 @@ "AND md5sum = '".$md5sum."'"); if(isset($meta_data['meta_data'])) { - $value = $meta_data['meta_data']; + $value = htmlspecialchars($meta_data['meta_data'],ENT_QUOTES); } } case 'id': @@ -133,7 +133,7 @@ "AND md5sum = '".$md5sum."'"); if(isset($meta_data['meta_data'])) { - $value = $meta_data['meta_data']; + $value = htmlspecialchars($meta_data['meta_data'],ENT_QUOTES); } break; case 'exif': @@ -142,7 +142,7 @@ "FROM ".PREFIX."meta_exif WHERE md5sum = '".$md5sum."'"); if(isset($exif_data[$last_part])) { - $value = $exif_data[$last_part]; + $value = htmlspecialchars($exif_data[$last_part],ENT_QUOTES); } } break; @@ -152,7 +152,7 @@ "FROM ".PREFIX."meta_iptc WHERE md5sum = '".$md5sum."'"); if(isset($iptc_data[$last_part])) { - $value = $iptc_data[$last_part]; + $value = htmlspecialchars($iptc_data[$last_part],ENT_QUOTES); } } break; Modified: trunk/linpha2/lib/modules/module.albums.php =================================================================== --- trunk/linpha2/lib/modules/module.albums.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/lib/modules/module.albums.php 2006-04-29 22:13:09 UTC (rev 4553) @@ -68,7 +68,7 @@ /** * set navigation line */ - $GLOBALS['linpha']->template->output['title'] = set_navigation_line( $linpha->imgview->id_current ); + $GLOBALS['linpha']->template->output['title'] = setNavigationLine( $linpha->imgview->id_current, LINPHA_DIR.'/?cat=alb&id=' ); /** Modified: trunk/linpha2/lib/modules/module.filemanager.php =================================================================== --- trunk/linpha2/lib/modules/module.filemanager.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/lib/modules/module.filemanager.php 2006-04-29 22:13:09 UTC (rev 4553) 
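Review bot: In the first metadata hunk (`@@ -123`) the branch that now assigns `htmlspecialchars($meta_data['meta_data'],ENT_QUOTES)` closes its two braces and runs straight into `case 'id':` with no `break;`, so the freshly escaped value is overwritten by the `id` query below; the enclosing case label is outside the hunk, so this may be deliberate, but if not a `break;` before `case 'id':` is the fix. Escaping inside the metadata class ties this layer to an HTML consumer, and view_meta.html.php in this same commit escapes `meta_data` it reads itself, so any path that feeds these values into that template would double-escape — one docblock line stating that the method returns HTML-escaped strings would make the contract visible to both sides.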
@@ -36,13 +36,14 @@ if(!defined('LINPHA_DIR')) { exit(1); } /** - * init stuff + * some double used i18n entries */ - /** - * some double used i18n entries - */ $str_checkpermissions = "Check the permissions in the linpha albums folder. (This means NOT the write permissions page in the admin section)"; + $str_autoimportdisabled = "Autoimport is disabled, you need now to start the manual import to make your changes appear, but you maybe don't have permissions to do that..."; +/** + * init stuff + */ if(!isset($_GET['id'])) { $parent_id = 0; @@ -52,7 +53,6 @@ $parent_id = $_GET['id']; } - $i = 0; $sum['size'] = 0; $sum['files'] = 0; @@ -96,7 +96,7 @@ } /** - * use this for child object + * use this for child objects */ if( $GLOBALS['linpha']->sql->photoIsAllowed( $parent_id, 'write' ) ) { @@ -107,10 +107,16 @@ $isWriteAble = false; } +/** + * output buffering, to use in template + */ ob_start(); /** * parsing POST data + * + * cmd = file_action -> show forms + * cmd = do_file_action -> do actions */ if(isset($_REQUEST['cmd'])) { @@ -118,7 +124,7 @@ { switch($_REQUEST['cmd']) { - case 'file_action': + case 'file_action': if(!isset($_REQUEST['checkedfiles'])) { throw new Exception(i18n("No Files Selected")); @@ -139,7 +145,7 @@ echo '<b>'.i18n("Rename File/Folder").':</b><br />'; ?> - <input type="text" name="new_name" value="<?php echo $data['name']; ?>" style="width: 300px;" /> + <input type="text" name="new_name" value="<?php echo htmlspecialchars($data['name'],ENT_QUOTES); ?>" style="width: 300px;" /> <input type="hidden" name="file_id" value="<?php echo $_REQUEST['checkedfiles'][0]; ?>" /> <?php break; @@ -160,7 +166,7 @@ { $data = $GLOBALS['linpha']->db->GetRow("SELECT name FROM ".PREFIX."photos " . "WHERE id = '".LinSql::linAddslashes($value)."'"); - echo $data['name'].', '; + echo htmlspecialchars($data['name'],ENT_QUOTES).', '; } echo '<br /><br />'; echo i18n("To").':'; 
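Review bot: In the rename form (hunk `@@ -139`) the line directly after the newly escaped `new_name` input still echoes request data raw into an attribute: `<input type="hidden" name="file_id" value="<?php echo $_REQUEST['checkedfiles'][0]; ?>" />`. `checkedfiles` is client-supplied, so it needs the same treatment, `value="<?php echo htmlspecialchars($_REQUEST['checkedfiles'][0],ENT_QUOTES); ?>"`, or a cast to int if ids are numeric, which the `WHERE id = '...'` lookups in the following hunks suggest. The same goes for `$parent_id = $_GET['id'];` in the init hunk, which is later echoed into the form action and passed to setNavigationLine; `$parent_id = (int)$_GET['id'];` would settle it for the whole module.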
@@ -181,7 +187,7 @@ { $data = $GLOBALS['linpha']->db->GetRow("SELECT name FROM ".PREFIX."photos " . "WHERE id = '".LinSql::linAddslashes($value)."'"); - echo $data['name'].', '; + echo htmlspecialchars($data['name'],ENT_QUOTES).', '; } echo '<br /><br />'; echo i18n("Really Sure?"); @@ -203,7 +209,7 @@ (substr($perm, 8, 1)!="-" ? $ow = 1 : ''); (substr($perm, 9, 1)!="-" ? $ox = 1 : ''); - echo i18n("Change Permission Of:").' '.$full_filename; + echo i18n("Change Permission Of:").' '.htmlspecialchars($full_filename,ENT_QUOTES); ?> <br /> <table border="1" cellpadding="0" cellspacing="0"> @@ -244,7 +250,8 @@ <hr /><br /> <?php break; - case 'do_file_action': + + case 'do_file_action': switch($_POST['file_action']) { case 'rename': @@ -281,7 +288,13 @@ } else { - linSysLog(i18n(sprintf(i18n("Error While Renaming File/Folder \"%s\" to \"%s\"!"),$full_filename,$parent_dirname.'/'.$new_name)).'<br />'); + linSysLog( + sprintf( + i18n("Error While Renaming File/Folder \"%s\" to \"%s\"!"), + htmlspecialchars($full_filename,ENT_QUOTES), + htmlspecialchars($parent_dirname.'/'.$new_name,ENT_QUOTES) + ).'<br />' + ); linSysLog(i18n($str_checkpermissions).'<br />'); } break; @@ -345,14 +358,20 @@ linSysLog( sprintf( i18n("Successfully Moved \"%s\" to \"%s\"!"), - $full_sourcename, - $full_destparentname.'/'.basename($full_sourcename) + htmlspecialchars($full_sourcename,ENT_QUOTES), + htmlspecialchars($full_destparentname.'/'.basename($full_sourcename),ENT_QUOTES) ) . "<br />" ); } else { - linSysLog(i18n(sprintf(i18n("Error While Moving Files/Folders \"%s\" to \"%s\"!"),$full_sourcename,$full_destparentname.'/'.basename($full_sourcename))).'<br />'); + linSysLog( + sprintf( + i18n("Error While Moving Files/Folders \"%s\" to \"%s\"!"), + htmlspecialchars($full_sourcename,ENT_QUOTES), + htmlspecialchars($full_destparentname.'/'.basename($full_sourcename),ENT_QUOTES) + ).'<br />' + ); linSysLog(i18n($str_checkpermissions).'<br />'); } } 
@@ -376,17 +395,37 @@ */ copy_r( $value, $full_sourcename, $full_destparentname); + if(file_exists( $full_destparentname.'/'.basename($full_sourcename) )) + { + linSysLog( + sprintf( + i18n("Successfully Copied \"%s\" to \"%s\"!"), + $full_sourcename, + $full_destparentname.'/'.basename($full_sourcename) + ) . "<br />" + ); + } + else + { + linSysLog( + sprintf( + i18n("Error While Copying Files/Folders \"%s\" to \"%s\"!"), + htmlspecialchars($full_sourcename,ENT_QUOTES), + htmlspecialchars($full_destparentname.'/'.basename($full_sourcename),ENT_QUOTES) + ).'<br />' + ); + linSysLog(i18n($str_checkpermissions).'<br />'); + } + } + else + { linSysLog( sprintf( - i18n("Successfully Copied \"%s\" to \"%s\"!"), - $full_sourcename, - $full_destparentname.'/'.basename($full_sourcename) - ) . "<br />" + i18n("Error While Copying Files/Folders \"%s\" to \"%s\"!"), + htmlspecialchars($full_sourcename,ENT_QUOTES), + htmlspecialchars($full_destparentname.'/'.basename($full_sourcename),ENT_QUOTES) + ).'<br />' ); - } - else - { - linSysLog(i18n(sprintf(i18n("Error While Copying Files/Folders \"%s\" to \"%s\"!"),$full_sourcename,$full_destparentname.'/'.basename($full_sourcename))).'<br />'); linSysLog(i18n($str_checkpermissions).'<br />'); } } @@ -411,17 +450,19 @@ $full_filename = LinSql::getFullImagePath( $value ); - if(LinFilesys::rm_rf($full_filename)) + LinFilesys::rm_rf($full_filename); + + if(file_exists($full_filename)) { + linSysLog(i18n("Error While Deleting Files/Folders")." \"".htmlspecialchars($full_filename,ENT_QUOTES)."\"".'<br />'); + linSysLog(i18n($str_checkpermissions).'<br />'); + } + else + { LinImport::deleteEntry( $value, $full_filename); linSysLog(i18n("File/Folder deleted successfully!").'<br />'); } - else - { - linSysLog(i18n("Error While Deleting Files/Folders")." \"".$full_filename."\"".'<br />'); - linSysLog(i18n($str_checkpermissions).'<br />'); - } } break; 
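Review bot: In the copy hunk the success branch still passes `$full_sourcename` and `$full_destparentname.'/'.basename($full_sourcename)` to sprintf unescaped, while both error branches added in the same hunk wrap them in htmlspecialchars; the log is rendered as HTML (every message ends in `<br />`), so the success line needs the same `htmlspecialchars(..., ENT_QUOTES)` calls — the move hunk above gets this right. The `copy_r(...)` return value is ignored and the following `file_exists()` only proves the top-level entry exists, not that the recursive copy completed, so a partially copied tree is reported as success. The delete hunk's switch to checking `file_exists()` after `rm_rf` is fine, but it deserves a comment saying why the return value of rm_rf is not trusted.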
@@ -449,12 +490,12 @@ if( ! $linpha->sql->config->value['sys_import_autoimport'] ) { - linSysLog(i18n("Autoimport is disabled, you need now to start the manual import to make your changes appear, but you maybe don't have permissions to do that...").'<br />'); + linSysLog(i18n($str_autoimportdisabled).'<br />'); } } else { - linSysLog(i18n("Error While Creating Folder")." \"".$new_name."\"".'<br />'); + linSysLog(i18n("Error While Creating Folder")." \"".htmlspecialchars($new_name,ENT_QUOTES)."\"".'<br />'); linSysLog(i18n($str_checkpermissions).'<br />'); } break; 
@@ -495,104 +536,98 @@ for($i = 0; $i < $GLOBALS['linpha']->sql->config->value['plugins_filemanager_nruploads']; $i++ ) { - if( isset( $_FILES[ 'file' . $i ] ) && !empty( $_FILES[ 'file' . $i]['name'] ) ) // need empty check because it file$i exists in PHP 4.1 + if( isset( $_FILES[ 'file' . $i ] ) && !empty( $_FILES[ 'file' . $i]['name'] ) ) // need empty check because "file$i" exists in PHP 4.1 { $thisfile = $_FILES[ 'file' . $i ]; - $failed = 0; if (isset($thisfile['error']) && $thisfile['error'] != 0 ) // ['error'] was added in PHP 4.2.0 { switch ( $thisfile['error'] ) { case 1: - echo sprintf(i18n("Error: The uploaded file %s exceeds the upload_max_filesize directive in php.ini - %s"), $thisfile['name'], ini_get('upload_max_filesize') ); - //linpha_log('filemanager','error', - // 'User '.$_SESSION['user_name'].": upload failed for(".$thisfile['name'].") message: (".STR_FILE_UPLOAD_ERROR_FILE_EXCEEDS_INI_SIZE.")"); + throw new Exception( sprintf(i18n("Error: The uploaded file %s exceeds the upload_max_filesize directive in php.ini - %s"), + htmlspecialchars($thisfile['name'],ENT_QUOTES), ini_get('upload_max_filesize') ) ); break; case 2: - echo sprintf(i18n("Error: size of uploaded file %s exceeds the HTML FORM settings"), $thisfile['name'] ); - //linpha_log('filemanager','error', - // 'User '.$_SESSION['user_name'].": upload failed for(".$thisfile['name'].") message: (".STR_FILE_UPLOAD_ERROR_FILE_EXCEEDS_FORM_SIZE.")"); + throw new Exception( sprintf(i18n("size of uploaded file %s exceeds the HTML FORM settings"), htmlspecialchars($thisfile['name'],ENT_QUOTES) ) ); break; case 3: - echo sprintf(i18n("Error: The uploaded file %s was only partially uploaded"), $thisfile['name'] ); - //linpha_log('filemanager','error', - // 'User '.$_SESSION['user_name'].": upload failed for(".$thisfile['name'].") message: (".STR_FILE_UPLOAD_ERROR_FILE_PARTIAL.")"); + throw new Exception( sprintf(i18n("The uploaded file %s was only partially uploaded"), 
htmlspecialchars($thisfile['name'],ENT_QUOTES) ) ); break; } } - else + + if ( $_POST[ 'app' . $i ] == '-' ) { - if ( !move_uploaded_file( $thisfile['tmp_name'], $targetdir . '/' . $thisfile['name']) ) + if ( !move_uploaded_file( $thisfile['tmp_name'], $targetdir . '/' . $thisfile['name'] ) ) { - $failed = 1; + throw new Exception( sprintf(i18n("Unable to move file %s to directory %s"),htmlspecialchars($thisfile[ 'name' ],ENT_QUOTES),htmlspecialchars($targetdir,ENT_QUOTES ) ) ); } - - if ( $_POST[ 'app' . $i ] != '-' ) // extracting selected + } + else // $_POST[ 'app' . $i ] != '-' + { + $tmpfolder = LinFilesys::createTmpFolder('filemanager'); + + if ( !move_uploaded_file( $thisfile['tmp_name'], $tmpfolder . '/' . $thisfile['name'] ) ) { - $command = $apps->apps[$_POST['app'.$i]]['command_extract']; - $apps->searchApp($_POST['app'.$i]); - - $executable = $apps->found_apps[$_POST['app'.$i]].$apps->apps[$_POST['app'.$i]]['executable_extract']; - - $command = str_replace('{executable}',$executable,$command); - $command = str_replace('{archive_name}',linEscapeString($thisfile['name']),$command); - - $oldpwd = getcwd(); - if ( !chdir( $targetdir ) ) { - $failed = 2; - } - else - { - exec( $command, $output, $return_value ); - chdir( $oldpwd ); - - - echo '<textarea cols="80" rows="4"">' . - $command . "\n". - implode( "\n", $output ) . - '</textarea><br />'; - - unset($output); - - if (!unlink( $targetdir . '/' . 
$thisfile['name'] )) { - $failed = 3; - } - } + throw new Exception(sprintf( i18n("Unable to move file %s to directory %s"), htmlspecialchars($thisfile[ 'name' ],ENT_QUOTES), htmlspecialchars($targetdir,ENT_QUOTES) ) ); } - - switch ($failed) + + + $command = $apps->apps[$_POST['app'.$i]]['command_extract']; + $apps->searchApp($_POST['app'.$i]); + + $executable = $apps->found_apps[$_POST['app'.$i]].$apps->apps[$_POST['app'.$i]]['executable_extract']; + + $command = str_replace('{executable}',$executable,$command); + $command = str_replace('{archive_name}',linEscapeString($thisfile['name']),$command); + + $oldpwd = getcwd(); + if ( !chdir( $tmpfolder ) ) { - case 0: - //linpha_log('filemanager','notice', - // 'User '.$_SESSION['user_name'].": uploaded file (".$thisfile['tmp_name']." ".$targetdir.'/'.$thisfile['name'].")"); - - break; - case 1: - echo sprintf( i18n("Error: Unable to move file %s to directory %s"), $thisfile[ 'name' ], $targetdir ); - //linpha_log('filemanager','error', - // 'User '.$_SESSION['user_name'].": upload failed for(".$thisfile['name'].") message: (".STR_FILE_UPLOAD_ERROR.")"); - break; - case 2: - echo sprintf( i18n("Error: Unable to switch (chdir) to %s directory. File being processed: %s"), $targetdir, $thisfile[ 'name' ] ); - //linpha_log('filemanager','error', - // 'User '.$_SESSION['user_name'].": upload chdir failed for(".$thisfile['name'].") message: (".STR_FILE_UPLOAD_CHDIR_ERROR.")"); - break; - case 3: - echo sprintf( i18n("Error: Unable to delete %s after processing."), $targetdir . '/' . $thisfile['name'] ); break; - //linpha_log('filemanager','error', - // 'User '.$_SESSION['user_name'].": upload unlink for(".$thisfile['name'].") message: (".STR_FILE_UPLOAD_UNLINK_ERROR.")"); - break; + throw new Exception( sprintf( i18n("Unable to switch (chdir) to %s directory. 
File being processed: %s"), $tmpfolder, $thisfile[ 'name' ] ) ); } + + exec( $command, $output, $return_value ); + chdir( $oldpwd ); + + + echo '<textarea cols="80" rows="4"">' . + htmlspecialchars( $command . "\n". implode( "\n", $output ), ENT_QUOTES ) . + '</textarea><br />'; + + unset($output); + + /** + * move valid images and videos to target dir + * this will delete the archive file automatically... + * and also delete the tmpfolder + */ + moveValidEntries( $tmpfolder, $targetdir ); + + $somethingUploaded = true; + //linpha_log('filemanager','notice', + // 'User '.$_SESSION['user_name'].": uploaded file (".$thisfile['tmp_name']." ".$targetdir.'/'.$thisfile['name'].")"); } } } + + if(isset($somethingUploaded)) + { + if( ! $linpha->sql->config->value['sys_import_autoimport'] ) + { + linSysLog(i18n($str_autoimportdisabled).'<br />'); + } + } break; } } catch(Exception $error) { echo "Error: ".$error -> getMessage().'<br /><br />'; + //linpha_log('filemanager','error', + // 'User '.$_SESSION['user_name'].": ".$message); + } /** 
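Review bot: The image/video filter this commit introduces (moveValidEntries) runs only on the archive branch; the direct-upload branch `if ( $_POST[ 'app' . $i ] == '-' )` still calls `move_uploaded_file( $thisfile['tmp_name'], $targetdir . '/' . $thisfile['name'] )` and drops whatever was uploaded, under its client-supplied name, straight into the album folder. Routing that branch through the same temp folder and moveValidEntries gives both paths a single validation point, and `basename()` on the name guards against a path component surviving in `$thisfile['name']`. Two smaller points in the same hunk: `'<textarea cols="80" rows="4"">'` has a doubled quote that breaks the attribute, and the chdir exception `sprintf( i18n("Unable to switch (chdir) ..."), $tmpfolder, $thisfile[ 'name' ] )` is the one throw without htmlspecialchars even though the catch block below echoes `getMessage()` directly into the page. The `switch ( $thisfile['error'] )` handles codes 1–3 only, so any other nonzero code falls through to the move and surfaces as a misleading "Unable to move file" error; a `default:` that throws with the numeric code would be clearer. Finally `$_POST['app'.$i]` indexes `$apps->apps` unchecked; an `isset()` guard that throws on an unknown key avoids assembling `$command` from nulls.
```php
if ( $_POST[ 'app' . $i ] == '-' )
{
    // same validation path as archives: nothing reaches $targetdir without passing moveValidEntries()
    $tmpfolder = LinFilesys::createTmpFolder('filemanager');
    $safename = basename( $thisfile['name'] );

    if ( !move_uploaded_file( $thisfile['tmp_name'], $tmpfolder . '/' . $safename ) )
    {
        throw new Exception( sprintf(i18n("Unable to move file %s to directory %s"),htmlspecialchars($thisfile[ 'name' ],ENT_QUOTES),htmlspecialchars($targetdir,ENT_QUOTES ) ) );
    }

    moveValidEntries( $tmpfolder, $targetdir );
    $somethingUploaded = true;
}
else // $_POST[ 'app' . $i ] != '-'
{
    // … unchanged: archive extraction into $tmpfolder, then moveValidEntries() …
}
```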
@@ -629,35 +664,36 @@ unset($GLOBALS['linpha']->template->output['sys_log']); } } + +echo i18n("Current Folder:").' '.setNavigationLine( $parent_id, LINPHA_DIR.'/?cat=filemanager&id=').'<br />'; ?> <form method="POST" action="<?php echo LINPHA_DIR.'/?cat=filemanager&id='.$parent_id; ?>"> <div id="filemanager"> <table> <tr> - <td> </td> - <td width="500"> </td> + <td width="20"> </td> + <td width="500"> + <?php + if($parent_id == 0) + { + echo ' '; + } + else + { + $data = $GLOBALS['linpha']->db->GetRow("SELECT name, parent_id FROM ".PREFIX."photos WHERE id = '".LinSql::linAddslashes($parent_id)."'"); + ?> + <a href="<?php echo LINPHA_DIR.'/?cat=filemanager&id='.$data['parent_id']; ?>">..</a> + <?php + } + ?> + </td> <td width="100"> </td> <td width="150"> </td> <td width="100"> </td> </tr> <?php -if($parent_id != 0) -{ - echo i18n("Current Folder:").' / '.implode(' / ',LinSql::getFullFilenameFromId( $parent_id )).'<br />'; - - $data = $GLOBALS['linpha']->db->GetRow("SELECT name, parent_id FROM ".PREFIX."photos WHERE id = '".LinSql::linAddslashes($parent_id)."'"); - ?> - <tr> - <td> </td> - <td><a href="<?php echo LINPHA_DIR.'/?cat=filemanager&id='.$data['parent_id']; ?>">..</a></td> - <td> </td> - <td> </td> - <td> </td> - </tr> - <?php -} $query = $GLOBALS['linpha']->db->Execute("SELECT id, name, img_type FROM ".PREFIX."photos WHERE parent_id = '".LinSql::linAddslashes($parent_id)."' ORDER by name"); while($data = $query->FetchRow()) @@ -682,7 +718,7 @@ $sum['size'] += $filestat['size']; $sum['files']++; } - + /** * owner and group name */ 
@@ -752,15 +788,15 @@ <?php if($data['img_type']==0) { - echo '<a href="'.LINPHA_DIR.'/?cat=filemanager&id='.$data['id'].'">'.$data['name'].'</a>'; + echo '<a href="'.LINPHA_DIR.'/?cat=filemanager&id='.$data['id'].'">'.htmlspecialchars($data['name'],ENT_QUOTES).'</a>'; } else { - echo $data['name']; + echo htmlspecialchars($data['name'],ENT_QUOTES); } ?> </td> - <td align="right"><?php echo ($data['img_type']==0 OR $data['img_type']==9999999) ? ' ' : niceFilesize($filestat['size'],1); ?></td> + <td align="right"><?php echo $data['img_type']==0 ? ' ' : niceFilesize($filestat['size'],1); ?></td> <td align="center"><?php echo strftime("%x %X",$filestat['mtime']); ?></td> <td align="center" title="<?php echo $owner_info['name'].' '.$group_info['name']; ?>"><?php echo $file_permissions; ?></td> </tr> @@ -799,6 +835,7 @@ if($isWriteAble) { ?> + ^ <a href="javascript:select_all()"><?php echo i18n("Select All"); ?></a> <input type="radio" id="file_rename" name="file_action" value="rename"<?php echo $arr_checked['rename']; ?> /><label for="file_rename"> <?php echo i18n("Rename"); ?></label> <input type="radio" id="file_move" name="file_action" value="move"<?php echo $arr_checked['move']; ?> /><label for="file_move"> <?php echo i18n("Move"); ?></label> <input type="radio" id="file_copy" name="file_action" value="copy"<?php echo $arr_checked['copy']; ?> /><label for="file_copy"> <?php echo i18n("Copy"); ?></label> 
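Review bot: Removing `OR $data['img_type']==9999999` from the size cell is a behaviour change the log message does not mention: rows the importer flagged with 9999999 (hidden, ignored or unreadable, per the getFileInformation hunk) now show a size instead of a blank cell. If that is intended, a one-line comment such as `// 9999999 = skipped by the importer but still a real file, so its size is shown` would stop the next reader from restoring the condition. The `^` prepended to the Select All link in hunk `@@ -799` reads like a stray character; if it is meant as a marker, an entity or an i18n()'d label would be clearer.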
@@ -815,17 +852,24 @@ <input type="submit" name="submit" value="<?php echo i18n("Create Folder"); ?>" /> </form> -<br /><br /> +<br /> <h2><?php echo i18n("Upload Files"); ?></h2> <form method="POST" enctype="multipart/form-data" action="<?php echo LINPHA_DIR.'/?cat=filemanager&id='.$parent_id; ?>"> -<?php echo i18n("Choose files you would like to upload. Choose desired action to accomplish upon succesful upload.").'<br />'; ?> -<?php echo i18n("Allowed filesize (each file!) maximum currently set in php.ini is:").' '.ini_get('upload_max_filesize').'<br />'; ?> -<br /> -<?php echo i18n("Note: You don't have to upload your images through this form. You can use whatever you want (ftp,scp,nfs,local,...). Just copy them to the albums folder."); ?> -<br /> +<?php +echo i18n("Choose files you would like to upload. Choose desired action to accomplish upon succesful upload."); +echo '<br />'; +echo i18n("Allowed filesize (each file!) maximum currently set in php.ini is:").' '.ini_get('upload_max_filesize'); +echo '<br />'; +if( $GLOBALS['linpha']->sql->isAdmin() ) +{ + echo i18n("Note: You should set post_max_size to a higher value than upload_max_filesize (currently set to:".' '.ini_get('post_max_size').")"); + echo '<br />'; + echo i18n("Note: You don't have to upload your images through this form. You can use whatever you want (ftp,scp,nfs,local,...). Just copy them to the albums folder."); + echo '<br />'; +} -<?php -$max_uploads = 5; +echo '<br />'; + for($i = 0; $i < $GLOBALS['linpha']->sql->config->value['plugins_filemanager_nruploads']; $i++) { echo '<input type="file" name="file'.$i.'" value="" /> '; 
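Review bot: `i18n("Note: You should set post_max_size to a higher value than upload_max_filesize (currently set to:".' '.ini_get('post_max_size').")")` concatenates the runtime value into the lookup key, so the string can never match a translation entry; the shape used two lines above, concatenating outside the call, or `sprintf(i18n("Note: You should set post_max_size to a higher value than upload_max_filesize (currently set to: %s)"), ini_get('post_max_size'))` fixes it. Both notes are now shown only to admins via `isAdmin()`, which is a sensible choice for the ini values, but the second note about uploading via ftp/scp applies to every uploader and was previously visible to all of them — worth confirming that narrowing was intended.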
@@ -841,7 +885,42 @@
 ?>
 </div>
+<script language="JavaScript" type="text/javascript">
+var is_checked = false;
+function select_all()
+{
+ var input_forms = document.getElementsByTagName('input');
+ // loop through all anchor tags
+ for (var i=0; i < input_forms.length; i++)
+ {
+ var anchor = input_forms[i];
+
+ if(anchor.type == 'checkbox')
+ {
+ if( is_checked )
+ {
+ anchor.checked = false;
+ }
+ else
+ {
+ anchor.checked = true;
+ }
+ }
+ }
+
+ if( is_checked )
+ {
+ is_checked = false;
+ }
+ else
+ {
+ is_checked = true;
+ }
+}
+</script>
+
+
 <?php
 $linpha->template->output['filemanager'] = ob_get_clean();
 ?>
@@ -1016,4 +1095,40 @@
 }
 }
 }
+
+/**
+ * recursively move files/folders
+ * check that only valid images/videos will be uploaded
+ * and not any malicious data (like php scripts etc.)
+ */
+function moveValidEntries( $source, $dest )
+{
+ $dirHandle = dir( $source );
+ while (false !== ($entry = $dirHandle->read()))
+ {
+ if($entry != '.' && $entry != '..')
+ {
+ if(is_dir($source .'/'. $entry))
+ {
+ mkdir( $dest.'/'.$entry );
+ moveValidEntries( $source .'/'. $entry, $dest .'/'. $entry );
+ }
+ else
+ {
+ list($org_width, $org_height, $org_type) = LinIdentify::linGetImageSize( $source .'/'. $entry );
+
+ if( LinIdentify::isSupportedImage( $org_type ) OR LinIdentify::isVideo( $org_type ) )
+ {
+ rename( $source .'/'. $entry, $dest .'/'. $entry);
+ }
+ else
+ {
+ unlink( $source .'/'. $entry );
+ }
+ }
+ }
+ }
+ $dirHandle->close();
+ rmdir( $source );
+}
 ?>
\ No newline at end of file
Modified: trunk/linpha2/templates/default/basket.html.php
===================================================================
--- trunk/linpha2/templates/default/basket.html.php 2006-04-28 19:08:11 UTC (rev 4552)
+++ trunk/linpha2/templates/default/basket.html.php 2006-04-29 22:13:09 UTC (rev 4553)
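Review bot: `select_all()` sets every checkbox to the opposite of `is_checked` and then inverts the flag, each through a four-line if/else; `anchor.checked = !is_checked;` inside the loop and `is_checked = !is_checked;` after it express the same thing in two lines. The comment `// loop through all anchor tags` describes anchors while the loop walks `input` elements and the variable is named `anchor`; naming it `input` and fixing the comment would match what the code does. The `language="JavaScript"` attribute is redundant next to `type="text/javascript"`.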
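Review bot: moveValidEntries() decides recursion with `is_dir()`, which follows symbolic links; if the extraction command (configured in `$apps->apps[...]['command_extract']`, not visible here) preserves links, a link inside an archive that points at a directory outside the temp folder is recursed into, and its contents are then `rename`d into `$dest` or `unlink`ed, with `rmdir( $source )` attempted on it at the end. An `is_link()` test that removes the link without following it closes that and costs one line. None of `mkdir`, `rename`, `unlink`, `rmdir` have their return checked, so a failed `mkdir` is followed by a recursion that moves files into a directory that does not exist, silently; throwing on failure fits the caller, whose upload hunk already catches `Exception`. The filter also looks only at content and keeps the archive's file name, so a file whose bytes pass `isSupportedImage` lands in the album folder with whatever extension it had — if that folder is served directly, tie the extension to the detected type as well. The docblock should carry `@param string $source temp folder, removed on return` and `@param string $dest album folder the accepted entries are moved into`.
```php
if($entry != '.' && $entry != '..')
{
    $srcPath = $source .'/'. $entry;
    $destPath = $dest .'/'. $entry;

    // never follow links out of the temp folder: drop the link itself and move on
    if(is_link($srcPath))
    {
        unlink($srcPath);
        continue;
    }

    if(is_dir($srcPath))
    {
        if(!is_dir($destPath) && !mkdir($destPath))
        {
            throw new Exception(sprintf(i18n("Unable to create directory %s"), htmlspecialchars($destPath,ENT_QUOTES)));
        }
        moveValidEntries( $srcPath, $destPath );
        continue;
    }
    // … unchanged: linGetImageSize() / isSupportedImage() / isVideo() test, then rename() or unlink() — check both return values the same way …
}
```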
@@ -185,7 +185,7 @@ $i = 1; foreach($GLOBALS['linpha']->template->output['basket_folders'] AS $value) { - echo set_navigation_line($value).'<br />'; + echo setNavigationLine( $value, LINPHA_DIR.'/?cat=alb&id=' ).'<br />'; foreach($GLOBALS['linpha']->template->output['basket_folder_contents'][$value] AS $sub_value) { ?> Modified: trunk/linpha2/templates/default/view_img.html.php =================================================================== --- trunk/linpha2/templates/default/view_img.html.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/templates/default/view_img.html.php 2006-04-29 22:13:09 UTC (rev 4553) @@ -70,9 +70,9 @@ <!-- show image comments --> <?php while($data = $GLOBALS['linpha']->template->output['image_comments']->FetchRow()) { ?> <div class="comments"> - <?php echo $data['meta_time']; ?> <?php echo $data['meta_author']; ?> + <?php echo $data['meta_time']; ?> <?php echo htmlspecialchars($data['meta_author'],ENT_QUOTES); ?> <br /> - <?php echo $data['meta_comment']; ?> + <?php echo htmlspecialchars($data['meta_comment'],ENT_QUOTES); ?> <br /><br /> </div> <?php } ?> Modified: trunk/linpha2/templates/default/view_meta.html.php =================================================================== --- trunk/linpha2/templates/default/view_meta.html.php 2006-04-28 19:08:11 UTC (rev 4552) +++ trunk/linpha2/templates/default/view_meta.html.php 2006-04-29 22:13:09 UTC (rev 4553) @@ -50,11 +50,11 @@ case 1: case 3: if(isset($meta_data['meta_data'])) { - $value = $meta_data['meta_data']; + $value = htmlspecialchars($meta_data['meta_data'],ENT_QUOTES); } else { $value = ''; } - echo '<input type="text" name="field['.$data['id'].']" value="'.$value.'" style="width: 200px;" maxlength="255"/>'; + echo '<input type="text" name="field['.$data['id'].']" value="'.$value.'" style="width: 200px;" maxlength="255" />'; break; case 2: if(isset($meta_data['meta_data'])) { 
@@ -76,7 +76,7 @@ $checked = ''; } - echo '<option value="'.$cat_data['id'].'"'.$checked.'>'.$cat_data['name'].'</option>'."\n"; + echo '<option value="'.$cat_data['id'].'"'.$checked.'>'.htmlspecialchars($cat_data['name'],ENT_QUOTES).'</option>'."\n"; } ?> </select>