
Commit 3e0c2918 authored by Robin Millette's avatar Robin Millette

Added configurable options for attachments: supported mimetypes and quotas for uploads.

parent ed1e1d9f
......@@ -84,20 +84,24 @@ class NewnoticeAction extends Action
function handle($args)
{
parent::handle($args);
if (!common_logged_in()) {
$this->clientError(_('Not logged in.'));
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// check for this before token since all POST and FILES data
// is losts when size is exceeded
if (empty($_POST) && $_SERVER['CONTENT_LENGTH']) {
$this->clientError(sprintf(_('The server was unable to handle ' .
'that much POST data (%s bytes) due to its current configuration.'),
$_SERVER['CONTENT_LENGTH']));
}
parent::handle($args);
// CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {
$this->clientError(_('There was a problem with your session token. '.
'Try again, please.'));
return;
}
try {
$this->saveNewNotice();
} catch (Exception $e) {
......@@ -109,8 +113,55 @@ class NewnoticeAction extends Action
}
}
function isFileAttached() {
return isset($_FILES['attach']['error']) && ($_FILES['attach']['error'] === UPLOAD_ERR_OK);
function isSupportedFileType() {
require_once 'MIME/Type.php';
$filetype = MIME_Type::autoDetect($_FILES['attach']['tmp_name']);
if (in_array($filetype, common_config('attachments', 'supported'))) {
return true;
}
$media = MIME_Type::getMedia($filetype);
if ('application' !== $media) {
$hint = sprintf(_(' Try using another %s format.'), $media);
} else {
$hint = '';
}
$this->clientError(sprintf(
_('%s is not a supported filetype on this server.'), $filetype) . $hint);
}
function isRespectsQuota($user) {
if ($_FILES['attach']['size'] > common_config('attachments', 'file_quota')) {
$this->clientError(sprintf(_('No file may be larger than %d bytes ' .
'and the file you sent was %d bytes. Try to upload a smaller version.'),
common_config('attachments', 'file_quota'), $_FILES['attach']['size']));
}
$query = "select sum(size) as total from file join file_to_post on file_to_post.file_id = file.id join notice on file_to_post.post_id = notice.id where profile_id = {$user->id} and file.url like '%/notice/%/file'";
$file = new File;
$file->query($query);
$file->fetch();
$total = $file->total + $_FILES['attach']['size'];
if ($total > common_config('attachments', 'user_quota')) {
$this->clientError(sprintf(_('A file this large would exceed your user quota of %d bytes.'), common_config('attachments', 'user_quota')));
}
$query .= ' month(modified) = month(now()) and year(modified) = year(now())';
$file2 = new File;
$file2->query($query);
$file2->fetch();
$total2 = $file2->total + $_FILES['attach']['size'];
if ($total2 > common_config('attachments', 'monthly_quota')) {
$this->clientError(sprintf(_('A file this large would exceed your monthly quota of %d bytes.'), common_config('attachments', 'monthly_quota')));
}
return true;
}
function isValidFileAttached($user) {
return isset($_FILES['attach']['error'])
&& ($_FILES['attach']['error'] === UPLOAD_ERR_OK)
&& $this->isSupportedFileType()
&& $this->isRespectsQuota($user);
}
/**
......@@ -135,7 +186,6 @@ class NewnoticeAction extends Action
$this->clientError(_('No content!'));
} else {
$content_shortened = common_shorten_links($content);
if (mb_strlen($content_shortened) > 140) {
$this->clientError(_('That\'s too long. '.
'Max notice size is 140 chars.'));
......@@ -162,19 +212,54 @@ class NewnoticeAction extends Action
$replyto = 'false';
}
switch ($_FILES['attach']['error']) {
case UPLOAD_ERR_NO_FILE:
// no file uploaded
// nothing to do
break;
case UPLOAD_ERR_OK:
// file was uploaded alright
// lets check if we really support its format
// and it doesn't go over quotas
if (!$this->isValidFileAttached($user)) {
die('clientError() should trigger an exception before reaching here.');
}
break;
case UPLOAD_ERR_INI_SIZE:
$this->clientError(_('The uploaded file exceeds the upload_max_filesize directive in php.ini.'));
case UPLOAD_ERR_FORM_SIZE:
$this->clientError(_('The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.'));
case UPLOAD_ERR_PARTIAL:
$this->clientError(_('The uploaded file was only partially uploaded.'));
case UPLOAD_ERR_NO_TMP_DIR:
$this->clientError(_('Missing a temporary folder.'));
case UPLOAD_ERR_CANT_WRITE:
$this->clientError(_('Failed to write file to disk.'));
case UPLOAD_ERR_EXTENSION:
$this->clientError(_('File upload stopped by extension.'));
default:
die('Should never reach here.');
}
$notice = Notice::saveNew($user->id, $content_shortened, 'web', 1,
($replyto == 'false') ? null : $replyto);
if (is_string($notice)) {
$this->clientError($notice);
return;
}
if ($this->isFileAttached()) {
$this->storeFile($notice);
}
$this->storeFile($notice);
$this->saveUrls($notice);
common_broadcast_notice($notice);
if ($this->boolean('ajax')) {
......@@ -201,12 +286,12 @@ class NewnoticeAction extends Action
}
function storeFile($notice) {
if (UPLOAD_ERR_NO_FILE === $_FILES['attach']['error']) return;
$filename = basename($_FILES['attach']['name']);
$destination = "file/{$notice->id}-$filename";
if (move_uploaded_file($_FILES['attach']['tmp_name'], INSTALLDIR . "/$destination")) {
$file = new File;
$file->url = common_local_url('file', array('notice' => $notice->id));
// $file->url = common_path($destination);
$file->size = filesize(INSTALLDIR . "/$destination");
$file->date = time();
$file->mimetype = $_FILES['attach']['type'];
......@@ -221,14 +306,9 @@ class NewnoticeAction extends Action
$f2p->post_id = $notice->id;
$f2p->insert();
} else {
die('inserting file, dying');
$this->clientError(_('There was a database error while saving your file. Please try again.'));
}
}
/*
$url = common_local_url('file', array('notice' => $notice->id));
echo "$destination<br />";
die($url);
*/
}
......
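Review bot: storeFile() still trusts the request for the two things the new whitelist was meant to control: the on-disk name is `"file/{$notice->id}-" . basename($_FILES['attach']['name'])` under INSTALLDIR, so the client's extension is kept verbatim, and `$file->mimetype = $_FILES['attach']['type'];` records the browser's Content-Type claim instead of the type that isSupportedFileType() just sniffed from the bytes with MIME_Type::autoDetect(). Since the check is on content but the extension comes from the upload, a file whose bytes pass as an allowed type can still be written as `<id>-name.php` (or `.html`) inside the install directory and, if that directory is served by the same PHP-enabled vhost, be executed or rendered with the attacker's chosen type. Suggest having isSupportedFileType() keep the detected type (e.g. `$this->detectedType = $filetype;`), deriving the stored filename's extension from that type rather than from `$_FILES['attach']['name']`, and persisting `$file->mimetype = $this->detectedType;` — and, independently, serving attachments from a non-executable location. Separately, in isRespectsQuota() the monthly branch does `$query .= ' month(modified) = month(now()) and year(modified) = year(now())';` directly after the `like '%/notice/%/file'` clause with no `and`, so that SQL is malformed and the monthly-quota check cannot work as written; it also relies on `common_config('attachments', ...)` values that the sample config ships commented out, so in_array() would receive null when an admin has not set them. storeFile()'s body continues outside this hunk.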
......@@ -215,3 +215,11 @@ $config['sphinx']['port'] = 3312;
// $config['snapshot']['run'] = 'never';
// If you want to report statistics in a cron job instead.
// $config['snapshot']['run'] = 'cron';
// Support for file uploads (attachments),
// select supported mimetypes and quotas (in bytes)
// $config['attachments']['supported'] = array('image/png', 'application/ogg');
// $config['attachments']['file_quota'] = 5000000;
// $config['attachments']['user_quota'] = 50000000;
// $config['attachments']['monthly_quota'] = 15000000;
<?php
/* vim: set expandtab tabstop=4 shiftwidth=4: */
// +----------------------------------------------------------------------+
// | PHP version 4 |
// +----------------------------------------------------------------------+
// | Copyright (c) 1997-2002, 2008 The PHP Group |
// +----------------------------------------------------------------------+
// | This source file is subject to version 3.0 of the PHP license, |
// | that is bundled with this package in the file LICENSE, and is |
// | available at through the world-wide-web at |
// | http://www.php.net/license/3_0.txt. |
// | If you did not receive a copy of the PHP license and are unable to |
// | obtain it through the world-wide-web, please send a note to |
// | license@php.net so we can mail you a copy immediately. |
// +----------------------------------------------------------------------+
// | Authors: Ian Eure <ieure@php.net> |
// +----------------------------------------------------------------------+
//
// $Id: Type.php,v 1.6 2009/01/16 11:49:45 cweiske Exp $
require_once 'PEAR.php';
$_fileCmd = &PEAR::getStaticProperty('MIME_Type', 'fileCmd');
$_fileCmd = 'file';
/**
* Class for working with MIME types
*
* @category MIME
* @package MIME_Type
* @license PHP License 3.0
* @version 1.2.0
* @link http://pear.php.net/package/MIME_Type
* @author Ian Eure <ieure@php.net>
*/
class MIME_Type
{
/**
* The MIME media type
*
* @var string
*/
var $media = '';
/**
* The MIME media sub-type
*
* @var string
*/
var $subType = '';
/**
* Optional MIME parameters
*
* @var array
*/
var $parameters = array();
/**
* List of valid media types.
* A media type is the string in front of the slash.
* The media type of "text/xml" would be "text".
*
* @var array
*/
var $validMediaTypes = array(
'text',
'image',
'audio',
'video',
'application',
'multipart',
'message'
);
/**
* Constructor.
*
* If $type is set, if will be parsed and the appropriate class vars set.
* If not, you get an empty class.
* This is useful, but not quite as useful as parsing a type.
*
* @param string $type MIME type
*
* @return void
*/
function MIME_Type($type = false)
{
if ($type) {
$this->parse($type);
}
}
/**
* Parse a mime-type and set the class variables.
*
* @param string $type MIME type to parse
*
* @return void
*/
function parse($type)
{
$this->media = $this->getMedia($type);
$this->subType = $this->getSubType($type);
$this->parameters = array();
if (MIME_Type::hasParameters($type)) {
require_once 'MIME/Type/Parameter.php';
foreach (MIME_Type::getParameters($type) as $param) {
$param = new MIME_Type_Parameter($param);
$this->parameters[$param->name] = $param;
}
}
}
/**
* Does this type have any parameters?
*
* @param string $type MIME type to check
*
* @return boolean true if $type has parameters, false otherwise
* @static
*/
function hasParameters($type)
{
if (strstr($type, ';')) {
return true;
}
return false;
}
/**
* Get a MIME type's parameters
*
* @param string $type MIME type to get parameters of
*
* @return array $type's parameters
* @static
*/
function getParameters($type)
{
$params = array();
$tmp = explode(';', $type);
for ($i = 1; $i < count($tmp); $i++) {
$params[] = trim($tmp[$i]);
}
return $params;
}
/**
* Strip parameters from a MIME type string.
*
* @param string $type MIME type string
*
* @return string MIME type with parameters removed
* @static
*/
function stripParameters($type)
{
if (strstr($type, ';')) {
return substr($type, 0, strpos($type, ';'));
}
return $type;
}
/**
* Removes comments from a media type, subtype or parameter.
*
* @param string $string String to strip comments from
* @param string &$comment Comment is stored in there.
*
* @return string String without comments
* @static
*/
function stripComments($string, &$comment)
{
if (strpos($string, '(') === false) {
return $string;
}
$inquote = false;
$quoting = false;
$incomment = 0;
$newstring = '';
for ($n = 0; $n < strlen($string); $n++) {
if ($quoting) {
if ($incomment == 0) {
$newstring .= $string[$n];
} else if ($comment !== null) {
$comment .= $string[$n];
}
$quoting = false;
} else if ($string[$n] == '\\') {
$quoting = true;
} else if (!$inquote && $incomment > 0 && $string[$n] == ')') {
$incomment--;
if ($incomment == 0 && $comment !== null) {
$comment .= ' ';
}
} else if (!$inquote && $string[$n] == '(') {
$incomment++;
} else if ($string[$n] == '"') {
if ($inquote) {
$inquote = false;
} else {
$inquote = true;
}
} else if ($incomment == 0) {
$newstring .= $string[$n];
} else if ($comment !== null) {
$comment .= $string[$n];
}
}
if ($comment !== null) {
$comment = trim($comment);
}
return $newstring;
}
/**
* Get a MIME type's media
*
* @note 'media' refers to the portion before the first slash
*
* @param string $type MIME type to get media of
*
* @return string $type's media
* @static
*/
function getMedia($type)
{
$tmp = explode('/', $type);
return strtolower(trim(MIME_Type::stripComments($tmp[0], $null)));
}
/**
* Get a MIME type's subtype
*
* @param string $type MIME type to get subtype of
*
* @return string $type's subtype, null if invalid mime type
* @static
*/
function getSubType($type)
{
$tmp = explode('/', $type);
if (!isset($tmp[1])) {
return null;
}
$tmp = explode(';', $tmp[1]);
return strtolower(trim(MIME_Type::stripComments($tmp[0], $null)));
}
/**
* Create a textual MIME type from object values
*
* This function performs the opposite function of parse().
*
* @return string MIME type string
*/
function get()
{
$type = strtolower($this->media . '/' . $this->subType);
if (count($this->parameters)) {
foreach ($this->parameters as $key => $null) {
$type .= '; ' . $this->parameters[$key]->get();
}
}
return $type;
}
/**
* Is this type experimental?
*
* @note Experimental types are denoted by a leading 'x-' in the media or
* subtype, e.g. text/x-vcard or x-world/x-vrml.
*
* @param string $type MIME type to check
*
* @return boolean true if $type is experimental, false otherwise
* @static
*/
function isExperimental($type)
{
if (substr(MIME_Type::getMedia($type), 0, 2) == 'x-' ||
substr(MIME_Type::getSubType($type), 0, 2) == 'x-') {
return true;
}
return false;
}
/**
* Is this a vendor MIME type?
*
* @note Vendor types are denoted with a leading 'vnd. in the subtype.
*
* @param string $type MIME type to check
*
* @return boolean true if $type is a vendor type, false otherwise
* @static
*/
function isVendor($type)
{
if (substr(MIME_Type::getSubType($type), 0, 4) == 'vnd.') {
return true;
}
return false;
}
/**
* Is this a wildcard type?
*
* @param string $type MIME type to check
*
* @return boolean true if $type is a wildcard, false otherwise
* @static
*/
function isWildcard($type)
{
if ($type == '*/*' || MIME_Type::getSubtype($type) == '*') {
return true;
}
return false;
}
/**
* Perform a wildcard match on a MIME type
*
* Example:
* MIME_Type::wildcardMatch('image/*', 'image/png')
*
* @param string $card Wildcard to check against
* @param string $type MIME type to check
*
* @return boolean true if there was a match, false otherwise
* @static
*/
function wildcardMatch($card, $type)
{
if (!MIME_Type::isWildcard($card)) {
return false;
}
if ($card == '*/*') {
return true;
}
if (MIME_Type::getMedia($card) == MIME_Type::getMedia($type)) {
return true;
}
return false;
}
/**
* Add a parameter to this type
*
* @param string $name Attribute name
* @param string $value Attribute value
* @param string $comment Comment for this parameter
*
* @return void
*/
function addParameter($name, $value, $comment = false)
{
$tmp = new MIME_Type_Parameter();
$tmp->name = $name;
$tmp->value = $value;
$tmp->comment = $comment;
$this->parameters[$name] = $tmp;
}
/**
* Remove a parameter from this type
*
* @param string $name Parameter name
*
* @return void
*/
function removeParameter($name)
{
unset($this->parameters[$name]);
}
/**
* Autodetect a file's MIME-type
*
* This function may be called staticly.
*
* @internal Tries to use fileinfo extension at first. If that
* does not work, mime_magic is used. If this is also not available
* or does not succeed, "file" command is tried to be executed with
* System_Command. When that fails, too, then we use our in-built
* extension-to-mimetype-mapping list.
*
* @param string $file Path to the file to get the type of
* @param bool $params Append MIME parameters if true
*
* @return string $file's MIME-type on success, PEAR_Error otherwise
*
* @since 1.0.0beta1
* @static
*/
function autoDetect($file, $params = false)
{
// Sanity checks
if (!file_exists($file)) {
return PEAR::raiseError("File \"$file\" doesn't exist");
}
if (!is_readable($file)) {
return PEAR::raiseError("File \"$file\" is not readable");
}
if (function_exists('finfo_file')) {
$finfo = finfo_open(FILEINFO_MIME);
$type = finfo_file($finfo, $file);
finfo_close($finfo);
if ($type !== false && $type !== '') {
return MIME_Type::_handleDetection($type, $params);
}
}
if (function_exists('mime_content_type')) {
$type = mime_content_type($file);
if ($type !== false && $type !== '') {
return MIME_Type::_handleDetection($type, $params);
}
}
@include_once 'System/Command.php';
if (class_exists('System_Command')) {
return MIME_Type::_handleDetection(
MIME_Type::_fileAutoDetect($file),
$params
);
}
require_once 'MIME/Type/Extension.php';
$mte = new MIME_Type_Extension();
return $mte->getMIMEType($file);
}