plugins/SpecialUpdownload.php
changeset 366 7e16181545e1
parent 345 4ccdfeee9a11
child 372 5bd429428101
365:cc6bf4d63684 366:7e16181545e1
    41     ');
    41     ');
    42 
    42 
    43 function page_Special_UploadFile()
    43 function page_Special_UploadFile()
    44 {
    44 {
    45   global $db, $session, $paths, $template, $plugins; // Common objects
    45   global $db, $session, $paths, $template, $plugins; // Common objects
       
    46   global $lang;
    46   global $mime_types;
    47   global $mime_types;
    47   if(getConfig('enable_uploads')!='1') { die_friendly('Access denied', '<p>File uploads are disabled this website.</p>'); }
    48   if(getConfig('enable_uploads')!='1') { die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_disabled_site') . '</p>'); }
    48   if ( !$session->get_permissions('upload_files') )
    49   if ( !$session->get_permissions('upload_files') )
    49   {
    50   {
    50     die_friendly('Access denied', '<p>File uploads are disabled for your user account or group.<p>');
    51     die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_disabled_acl') . '</p>');
    51   }
    52   }
    52   if(isset($_POST['doit']))
    53   if(isset($_POST['doit']))
    53   {
    54   {
    54     if(isset($_FILES['data']))
    55     if(isset($_FILES['data']))
    55     {
    56     {
    59     {
    60     {
    60       $file = false;
    61       $file = false;
    61     }
    62     }
    62     if ( !is_array($file) )
    63     if ( !is_array($file) )
    63     {
    64     {
    64       die_friendly('Upload failed', '<p>The server could not retrieve the array $_FILES[\'data\'].</p>');
    65       die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_cant_get_file_meta') . '</p>');
    65     }
    66     }
    66     if ( $file['size'] == 0 || $file['size'] > (int)getConfig('max_file_size') )
    67     if ( $file['size'] == 0 || $file['size'] > (int)getConfig('max_file_size') )
    67     {
    68     {
    68       die_friendly('Upload failed', '<p>The file you uploaded is either too large or 0 bytes in length.</p>');
    69       die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_too_big_or_small') . '</p>');
    69     }
    70     }
    70     /*
    71     
    71     $allowed_mime_types = Array(
       
    72         'text/plain',
       
    73         'image/png',
       
    74         'image/jpeg',
       
    75         'image/tiff',
       
    76         'image/gif',
       
    77         'text/html', // Safe because the file is stashed in the database
       
    78         'application/x-bzip2',
       
    79         'application/x-gzip',
       
    80         'text/x-c++'
       
    81       );
       
    82     if(function_exists('finfo_open') && $fi = finfo_open(FILEINFO_MIME, ENANO_ROOT.'/includes/magic')) // First try to use the fileinfo extension, this is the best way to determine the mimetype
       
    83     {
       
    84       if(!$fi) die_friendly('Upload failed', '<p>Enano was unable to determine the format of the uploaded file.</p><p>'.@finfo_file($fi, $file['tmp_name']).'</p>');
       
    85       $type = @finfo_file($fi, $file['tmp_name']);
       
    86       @finfo_close($fi);
       
    87     }
       
    88     elseif(function_exists('mime_content_type'))
       
    89       $type = mime_content_type($file['tmp_name']); // OK, no fileinfo function. Use a (usually) built-in PHP function
       
    90     elseif(isset($file['type']))
       
    91       $type = $file['type']; // LAST RESORT: use the mimetype the browser sent us, though this is likely to be spoofed
       
    92     else // DANG! Not even the browser told us. Bail out.
       
    93       die_friendly('Upload failed', '<p>Enano was unable to determine the format of the uploaded file.</p>');
       
    94     */
       
    95     $types = fetch_allowed_extensions();
    72     $types = fetch_allowed_extensions();
    96     $ext = substr($file['name'], strrpos($file['name'], '.')+1, strlen($file['name']));
    73     $ext = substr($file['name'], strrpos($file['name'], '.')+1, strlen($file['name']));
    97     if ( !isset($types[$ext]) || ( isset($types[$ext]) && !$types[$ext] ) )
    74     if ( !isset($types[$ext]) || ( isset($types[$ext]) && !$types[$ext] ) )
    98     {
    75     {
    99       die_friendly('Upload failed', '<p>The file type ".'.$ext.'" is not allowed.</p>');
    76       die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_banned_ext', array('ext' => htmlspecialchars($ext))) . '</p>');
   100     }
    77     }
   101     $type = $mime_types[$ext];
    78     $type = $mime_types[$ext];
   102     //$type = explode(';', $type); $type = $type[0];
    79     //$type = explode(';', $type); $type = $type[0];
   103     //if(!in_array($type, $allowed_mime_types)) die_friendly('Upload failed', '<p>The file type "'.$type.'" is not allowed.</p>');
    80     //if(!in_array($type, $allowed_mime_types)) die_friendly('Upload failed', '<p>The file type "'.$type.'" is not allowed.</p>');
   104     if($_POST['rename'] != '')
    81     if($_POST['rename'] != '')
   110       $filename = $file['name'];
    87       $filename = $file['name'];
   111     }
    88     }
   112     $bad_chars = Array(':', '\\', '/', '<', '>', '|', '*', '?', '"', '#', '+');
    89     $bad_chars = Array(':', '\\', '/', '<', '>', '|', '*', '?', '"', '#', '+');
   113     foreach($bad_chars as $ch)
    90     foreach($bad_chars as $ch)
   114     {
    91     {
   115       if(strstr($filename, $ch) || preg_match('/^([ ]+)$/is', $filename)) die_friendly('Upload failed', '<p>The filename contains invalid characters.</p>');
    92       if(strstr($filename, $ch) || preg_match('/^([ ]+)$/is', $filename))
       
    93       {
       
    94         die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_banned_chars') . '</p>');
       
    95       }
   116     }
    96     }
   117     
    97     
   118     if ( isset ( $paths->pages[ $paths->nslist['File'] . $filename ] ) && !isset ( $_POST['update'] ) )
    98     if ( isset ( $paths->pages[ $paths->nslist['File'] . $filename ] ) && !isset ( $_POST['update'] ) )
   119     {
    99     {
   120       die_friendly('Upload failed', '<p>The file already exists. You can <a href="'.makeUrlNS('Special', 'UploadFile/'.$filename).'">upload a new version of this file</a>.</p>');
   100       $upload_link = makeUrlNS('Special', 'UploadFile/'.$filename);
       
   101       die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_already_exists', array('upload_link' => $upload_link)) . '</p>');
   121     }
   102     }
   122     else if ( isset($_POST['update']) && 
   103     else if ( isset($_POST['update']) && 
   123             ( !isset($paths->pages[$paths->nslist['File'].$filename]) ||
   104             ( !isset($paths->pages[$paths->nslist['File'].$filename]) ||
   124              (isset($paths->pages[$paths->nslist['File'].$filename]) &&
   105              (isset($paths->pages[$paths->nslist['File'].$filename]) &&
   125                $paths->pages[$paths->nslist['File'].$filename]['protected'] == 1 )
   106                $paths->pages[$paths->nslist['File'].$filename]['protected'] == 1 )
   126              )
   107              )
   127            )
   108            )
   128     {
   109     {
   129       die_friendly('Upload failed', '<p>Either the file does not exist (and therefore cannot be updated) or the file is protected.</p>');
   110       die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_replace_protected') . '</p>');
   130     }
   111     }
   131     
   112     
   132     $utime = time();
   113     $utime = time();
   133            
   114            
   134     $filename = $db->escape($filename);
   115     $filename = $db->escape($filename);
   142     $key = md5($filename . '_' . file_get_contents($file['tmp_name']));
   123     $key = md5($filename . '_' . file_get_contents($file['tmp_name']));
   143     $targetname = ENANO_ROOT . '/files/' . $key . '_' . $utime . $ext;
   124     $targetname = ENANO_ROOT . '/files/' . $key . '_' . $utime . $ext;
   144     
   125     
   145     if(!@move_uploaded_file($file['tmp_name'], $targetname))
   126     if(!@move_uploaded_file($file['tmp_name'], $targetname))
   146     {
   127     {
   147       die_friendly('Upload failed', '<p>Could not move uploaded file to the new location.</p>');
   128       die_friendly($lang->get('upload_err_title'), '<p>' . $lang->get('upload_err_move_failed') . '</p>');
   148     }
   129     }
   149     
   130     
   150     if(getConfig('file_history') != '1')
   131     if(getConfig('file_history') != '1')
   151     {
   132     {
   152       if(!$db->sql_query('DELETE FROM  '.table_prefix.'files WHERE filename=\''.$filename.'\' LIMIT 1;')) $db->_die('The old file data could not be deleted.');
   133       if(!$db->sql_query('DELETE FROM  '.table_prefix.'files WHERE filename=\''.$filename.'\' LIMIT 1;')) $db->_die('The old file data could not be deleted.');
   160     }
   141     }
   161     else
   142     else
   162     {
   143     {
   163       if(!$db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.$utime.', \''.enano_date('d M Y h:i a').'\', \'page\', \'reupload\', \''.$session->username.'\', \''.$filename.'\', \''.'File'.'\', \''.$comments.'\');')) $db->_die('The page log could not be updated.');
   144       if(!$db->sql_query('INSERT INTO '.table_prefix.'logs(time_id,date_string,log_type,action,author,page_id,namespace,edit_summary) VALUES('.$utime.', \''.enano_date('d M Y h:i a').'\', \'page\', \'reupload\', \''.$session->username.'\', \''.$filename.'\', \''.'File'.'\', \''.$comments.'\');')) $db->_die('The page log could not be updated.');
   164     }
   145     }
   165     die_friendly('Upload complete', '<p>Your file has been uploaded successfully. View the <a href="'.makeUrlNS('File', $filename).'">file\'s page</a>.</p>');
   146     die_friendly($lang->get('upload_success_title'), '<p>' . $lang->get('upload_success_body', array('file_link' => makeUrlNS('File', $filename))) . '</p>');
   166   }
   147   }
   167   else
   148   else
   168   {
   149   {
   169     $template->header();
   150     $template->header();
   170     $fn = $paths->getParam(0);
   151     $fn = $paths->getParam(0);
   171     if ( $fn && !$session->get_permissions('upload_new_version') )
   152     if ( $fn && !$session->get_permissions('upload_new_version') )
   172     {
   153     {
   173       die_friendly('Access denied', '<p>Uploading new versions of files has been disabled for your user account or group.<p>');
   154       die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('upload_err_replace_denied') . '<p>');
   174     }
   155     }
   175     ?>
   156     ?>
   176     <p>Using this form you can upload a file to the <?php echo getConfig('site_name'); ?> site.</p>
   157     <p><?php echo $lang->get('upload_intro'); ?></p>
   177     <p>The maximum file size is <?php 
   158     <p><?php 
   178       // Get the max file size, and format it in a way that is user-friendly
   159       // Get the max file size, and format it in a way that is user-friendly
       
   160       
   179       $fs = getConfig('max_file_size');
   161       $fs = getConfig('max_file_size');
   180       echo commatize($fs).' bytes';
       
   181       $fs = (int)$fs;
   162       $fs = (int)$fs;
   182       if($fs >= 1048576)
   163       if($fs >= 1048576)
   183       {
   164       {
   184         $fs = round($fs / 1048576, 1);
   165         $fs = round($fs / 1048576, 1);
   185         echo ' ('.$fs.' MB)';
   166         $unitized = $fs . ' ' . $lang->get('etc_unit_megabytes_short');
   186       }
   167       }
   187       elseif($fs >= 1024)
   168       elseif($fs >= 1024)
   188       {
   169       {
   189         $fs = round($fs / 1024, 1);
   170         $fs = round($fs / 1024, 1);
   190         echo ' ('.$fs.' KB)';
   171         $unitized = $fs . ' ' . $lang->get('etc_unit_kilobytes_short');
   191       }
   172       }
   192     ?>.</p>
   173       
       
   174       echo $lang->get('upload_max_filesize', array(
       
   175           'size' => $unitized
       
   176         ));
       
   177     ?></p>
   193     <form action="<?php echo makeUrl($paths->page); ?>" method="post" enctype="multipart/form-data">
   178     <form action="<?php echo makeUrl($paths->page); ?>" method="post" enctype="multipart/form-data">
   194       <table border="0" cellspacing="1" cellpadding="4">
   179       <table border="0" cellspacing="1" cellpadding="4">
   195         <tr><td>File:</td><td><input name="data" type="file" size="40" /></td></tr>
   180         <tr><td><?php echo $lang->get('upload_field_file'); ?></td><td><input name="data" type="file" size="40" /></td></tr>
   196         <tr><td>Rename to:</td><td><input name="rename" type="text" size="40"<?php if($fn) echo ' value="'.$fn.'" readonly="readonly"'; ?> /></td></tr>
   181         <tr><td><?php echo $lang->get('upload_field_renameto'); ?></td><td><input name="rename" type="text" size="40"<?php if($fn) echo ' value="'.$fn.'" readonly="readonly"'; ?> /></td></tr>
   197         <?php
   182         <?php
   198         if(!$fn) echo '<tr><td>Comments:<br />(can be wiki-formatted)</td><td><textarea name="comments" rows="20" cols="60"></textarea></td></tr>';
   183         if(!$fn) echo '<tr><td>' . $lang->get('upload_field_comments') . '</td><td><textarea name="comments" rows="20" cols="60"></textarea></td></tr>';
   199         else echo '<tr><td>Reason for uploading the new version: </td><td><input name="comments" size="50" /></td></tr>';
   184         else echo '<tr><td>' . $lang->get('upload_field_reason') . '</td><td><input name="comments" size="50" /></td></tr>';
   200         ?>
   185         ?>
   201         <tr><td colspan="2" style="text-align: center">
   186         <tr><td colspan="2" style="text-align: center">
   202           <?php
   187           <?php
   203           if($fn)
   188           if($fn)
   204             echo '<input type="hidden" name="update" value="true" />';
   189             echo '<input type="hidden" name="update" value="true" />';
   205           ?>
   190           ?>
   206           <input type="submit" name="doit" value="Upload file" />
   191           <input type="submit" name="doit" value="<?php echo $lang->get('upload_btn_upload'); ?>" />
   207         </td></tr>
   192         </td></tr>
   208       </table>
   193       </table>
   209     </form>
   194     </form>
   210     <?php
   195     <?php
   211     $template->footer();
   196     $template->footer();
   213 }                                                     
   198 }                                                     
   214 
   199 
   215 function page_Special_DownloadFile()
   200 function page_Special_DownloadFile()
   216 {
   201 {
   217   global $db, $session, $paths, $template, $plugins; // Common objects
   202   global $db, $session, $paths, $template, $plugins; // Common objects
       
   203   global $lang;
   218   global $do_gzip;
   204   global $do_gzip;
   219   $filename = rawurldecode($paths->getParam(0));
   205   $filename = rawurldecode($paths->getParam(0));
   220   $timeid = $paths->getParam(1);
   206   $timeid = $paths->getParam(1);
   221   if ( $timeid && preg_match('#^([0-9]+)$#', (string)$timeid) )
   207   if ( $timeid && preg_match('#^([0-9]+)$#', (string)$timeid) )
   222   {
   208   {
   233     $db->_die('The file data could not be selected.');
   219     $db->_die('The file data could not be selected.');
   234   }
   220   }
   235   if ( $db->numrows() < 1 )
   221   if ( $db->numrows() < 1 )
   236   {
   222   {
   237     header('HTTP/1.1 404 Not Found');
   223     header('HTTP/1.1 404 Not Found');
   238     die_friendly('File not found', '<p>The file "'.htmlspecialchars($filename).'" cannot be found.</p>');
   224     die_friendly($lang->get('upload_err_not_found_title'), '<p>' . $lang->get('upload_err_not_found_body', array('filename' => htmlspecialchars($filename))) . '</p>');
   239   }
   225   }
   240   $row = $db->fetchrow();
   226   $row = $db->fetchrow();
   241   $db->free_result();
   227   $db->free_result();
   242   
   228   
   243   // Check permissions
   229   // Check permissions
   244   $perms = $session->fetch_page_acl($row['page_id'], 'File');
   230   $perms = $session->fetch_page_acl($row['page_id'], 'File');
   245   if ( !$perms->get_permissions('read') )
   231   if ( !$perms->get_permissions('read') )
   246   {
   232   {
   247     die_friendly('Access denied', '<p>Access to the specified file is denied.</p>');
   233     die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('etc_access_denied') . '</p>');
   248   }
   234   }
   249   
   235   
   250   $fname = ENANO_ROOT . '/files/' . $row['file_key'] . '_' . $row['time_id'] . $row['file_extension'];
   236   $fname = ENANO_ROOT . '/files/' . $row['file_key'] . '_' . $row['time_id'] . $row['file_extension'];
   251   
   237   
   252   if ( isset($_GET['preview']) && substr($row['mimetype'], 0, 6) == 'image/' )
   238   if ( isset($_GET['preview']) && substr($row['mimetype'], 0, 6) == 'image/' )