chamilo-lms/main/document/save_pixlr.php

<?php
/* For licensing terms, see /license.txt */

use ChamiloSession as Session;

/**
 * This file allows creating new svg and png documents with an online editor.
 *
 * @package chamilo.document
 *
 * @author Juan Carlos Raña Trabado
 * @since 30/january/2011
*/
require_once __DIR__.'/../inc/global.inc.php';

api_protect_course_script();
api_block_anonymous_users();

if ($_user['user_id'] != api_get_user_id() || api_get_user_id() == 0 || $_user['user_id'] == 0) {
    api_not_allowed();
    die();
}

if (!isset($_GET['title']) || !isset($_GET['type']) || !isset($_GET['image'])) {
    api_not_allowed();
    die();
}

$paintDir = Session::read('paint_dir');
if (empty($paintDir)) {
    api_not_allowed();
    die();
}

//pixlr return

$filename = Security::remove_XSS($_GET['title']); //The user preferred file name of the image.
$extension = Security::remove_XSS($_GET['type']); //The image type, "pdx", "jpg", "bmp" or "png".
$urlcontents = Security::remove_XSS($_GET['image']); //A URL to the image on Pixlr.com server or the raw file post of the saved image.

//make variables

$title = Database::escape_string(str_replace('_', ' ', $filename));
$current_session_id = api_get_session_id();
$groupId = api_get_group_id();
$groupInfo = GroupManager::get_group_properties($groupId);
$relativeUrlPath = Session::read('paint_dir');
$dirBaseDocuments = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
$saveDir = $dirBaseDocuments.$paintDir;
$contents = file_get_contents($urlcontents);

//Security. Verify that the URL is pointing to a file @ pixlr.com domain or an ip @ pixlr.com. Comment because sometimes return a ip number
/*
if (strpos($urlcontents, "pixlr.com") === 0){
    echo "Invalid referrer";
    exit;
}
*/

//Security. Allway get from pixlr.com. Comment because for now this does not run
/*
$urlcontents1='http://pixlr.com/';
$urlcontents2 = strstr($urlcontents, '_temp');
$urlcontents_to_save=$urlcontents1.$urlcontents2;
$contents = file_get_contents($urlcontents_to_save);//replace line 45.
*/

//a bit title security
$filename = addslashes(trim($filename));
$filename = Security::remove_XSS($filename);
$filename = api_replace_dangerous_char($filename);
$filename = disable_dangerous_file($filename);

if (strlen(trim($filename)) == 0) {
     echo "The title is empty"; //if title is empty, headers Content-Type = application/octet-stream, then not create a new title here please
     exit;
}

//check file_get_contents
if ($contents === false) {
    echo "I cannot read: ".$urlcontents;
    exit;
}

// Extension security
if ($extension != 'jpg' && $extension != 'png' && $extension != 'pxd') {
    die();
}
if ($extension == 'pxd') {
    echo "pxd file type does not supported"; // not secure because check security headers and finfo() return  Content-Type = application/octet-stream
    exit;
}

//Verify that the file is an image. Headers method
$headers = get_headers($urlcontents, 1);
$content_type = explode("/", $headers['Content-Type']);
if ($content_type[0] != "image") {
    echo "Invalid file type";
    exit;
}

//Verify that the file is an image. Fileinfo method
$finfo = new finfo(FILEINFO_MIME);
$current_mime = $finfo->buffer($contents);

if (strpos($current_mime, 'image') === false) {
    echo "Invalid mime type file";
    exit;
}


//path, file and title
$paintFileName = $filename.'.'.$extension;
$title = $title.'.'.$extension;

if ($currentTool == 'document/createpaint') {
    //check save as and prevent rewrite an older file with same name
    if (0 != $groupId) {
        $group_properties = GroupManager :: get_group_properties($groupId);
        $groupPath = $group_properties['directory'];
    } else {
        $groupPath = '';
    }

    if (file_exists($saveDir.'/'.$filename.'.'.$extension)) {
        $i = 1;
        while (file_exists($saveDir.'/'.$filename.'_'.$i.'.'.$extension)) $i++;
        $paintFileName = $filename.'_'.$i.'.'.$extension;
        $title = $filename.'_'.$i.'.'.$extension;
    }

    //
    $documentPath = $saveDir.'/'.$paintFileName;
    //add new document to disk
    file_put_contents($documentPath, $contents);
    //add document to database
    $doc_id = add_document($_course, $relativeUrlPath.'/'.$paintFileName, 'file', filesize($documentPath), $title);
    api_item_property_update(
        $_course,
        TOOL_DOCUMENT,
        $doc_id,
        'DocumentAdded',
        $_user['user_id'],
        $groupInfo,
        null,
        null,
        null,
        $current_session_id
    );
} elseif ($currentTool == 'document/editpaint') {
    $documentPath = $saveDir.'/'.$paintFileName;
    //add new document to disk
    file_put_contents($documentPath, $contents);

    $paintFile = Session::read('paint_file');

    //check path
    if (empty($paintFile)) {
        api_not_allowed();
        die();
    }
    if ($paintFile == $paintFileName) {
        $document_id = DocumentManager::get_document_id($_course, $relativeUrlPath.'/'.$paintFileName);
        update_existing_document($_course, $document_id, filesize($documentPath), null);
        api_item_property_update(
            $_course,
            TOOL_DOCUMENT,
            $document_id,
            'DocumentUpdated',
            $_user['user_id'],
            $groupInfo,
            null,
            null,
            null,
            $current_session_id
        );
    } else {
        //add a new document
        $doc_id = add_document(
            $_course,
            $relativeUrlPath.'/'.$paintFileName,
            'file',
            filesize($documentPath),
            $title
        );
        api_item_property_update(
            $_course,
            TOOL_DOCUMENT,
            $doc_id,
            'DocumentAdded',
            $_user['user_id'],
            $groupInfo,
            null,
            null,
            null,
            $current_session_id
        );
    }
}


//delete temporal file
$temp_file_2delete = Session::read('temp_realpath_image');
unlink($temp_file_2delete);

//Clean sessions and return to Chamilo file list
Session::erase('paint_dir');
Session::erase('paint_file');
Session::erase('temp_realpath_image');

$exit = Session::read('exit_pixlr');
if (empty($exit)) {
    $location = api_get_path(WEB_CODE_PATH).'document/document.php?'.api_get_cidreq();
    echo '<script>window.parent.location.href="'.$location.'"</script>';
    api_not_allowed(true);
} else {
    echo '<div align="center" style="padding-top:150; font-family:Arial, Helvetica, Sans-serif;font-size:25px;color:#aaa;font-weight:bold;">'.get_lang('PleaseStandBy').'</div>';
    $location = api_get_path(WEB_CODE_PATH).'document/document.php?id='.Security::remove_XSS($exit).'&'.api_get_cidreq();
    echo '<script>window.parent.location.href="'.$location.'"</script>';
    Session::erase('exit_pixlr');
}
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`<?php`
			`/* For licensing terms, see /license.txt */`
Remove use of $_SESSION, fix edit svg files. 8 years ago
			`use ChamiloSession as Session;`

Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`/**`
Minor - format code. 8 years ago			`* This file allows creating new svg and png documents with an online editor.`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`*`
Minor - format code. 8 years ago			`* @package chamilo.document`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`*`
Bug #4266 fix save a picture from photographic retouching 14 years ago			`* @author Juan Carlos Raña Trabado`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`* @since 30/january/2011`
			`*/`
Use __DIR__ when calling global.inc.php This is needed for an easy migration to chamilo v2 9 years ago			`require_once __DIR__.'/../inc/global.inc.php';`
tunning pixlr security 14 years ago
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`api_protect_course_script();`
			`api_block_anonymous_users();`
tunning pixlr security 14 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if ($_user['user_id'] != api_get_user_id() \|\| api_get_user_id() == 0 \|\| $_user['user_id'] == 0) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`api_not_allowed();`
			`die();`
tunning pixlr security 14 years ago			`}`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if (!isset($_GET['title']) \|\| !isset($_GET['type']) \|\| !isset($_GET['image'])) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`api_not_allowed();`
			`die();`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`}`

Remove use of $_SESSION, fix edit svg files. 8 years ago			`$paintDir = Session::read('paint_dir');`
			`if (empty($paintDir)) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`api_not_allowed();`
			`die();`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`}`

			`//pixlr return`
tunning pixlr security 14 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`$filename = Security::remove_XSS($_GET['title']); //The user preferred file name of the image.`
			`$extension = Security::remove_XSS($_GET['type']); //The image type, "pdx", "jpg", "bmp" or "png".`
			`$urlcontents = Security::remove_XSS($_GET['image']); //A URL to the image on Pixlr.com server or the raw file post of the saved image.`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago
			`//make variables`

Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`$title = Database::escape_string(str_replace('_', ' ', $filename));`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`$current_session_id = api_get_session_id();`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`$groupId = api_get_group_id();`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`$groupInfo = GroupManager::get_group_properties($groupId);`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`$relativeUrlPath = Session::read('paint_dir');`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`$dirBaseDocuments = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`$saveDir = $dirBaseDocuments.$paintDir;`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`$contents = file_get_contents($urlcontents);`
delete a forgotten echo debug 14 years ago
tunning pixlr security 14 years ago			`//Security. Verify that the URL is pointing to a file @ pixlr.com domain or an ip @ pixlr.com. Comment because sometimes return a ip number`
			`/*`
			`if (strpos($urlcontents, "pixlr.com") === 0){`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo "Invalid referrer";`
			`exit;`
tunning pixlr security 14 years ago			`}`
			`*/`
fix save pixlr logic control 14 years ago
tunning pixlr security 14 years ago			`//Security. Allway get from pixlr.com. Comment because for now this does not run`
Bug #4266 erase old referrer check and make a new experimental disabled 14 years ago			`/*`
			`$urlcontents1='http://pixlr.com/';`
			`$urlcontents2 = strstr($urlcontents, '_temp');`
			`$urlcontents_to_save=$urlcontents1.$urlcontents2;`
			`$contents = file_get_contents($urlcontents_to_save);//replace line 45.`
			`*/`

tunning pixlr security 14 years ago			`//a bit title security`
			`$filename = addslashes(trim($filename));`
			`$filename = Security::remove_XSS($filename);`
Remove "stric"t option the api_replace_dangerous_char() is always strict. 11 years ago			`$filename = api_replace_dangerous_char($filename);`
tunning pixlr security 14 years ago			`$filename = disable_dangerous_file($filename);`

Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if (strlen(trim($filename)) == 0) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo "The title is empty"; //if title is empty, headers Content-Type = application/octet-stream, then not create a new title here please`
			`exit;`
tunning pixlr security 14 years ago			`}`

			`//check file_get_contents`
Use api_replace_dangerous_char 11 years ago			`if ($contents === false) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo "I cannot read: ".$urlcontents;`
fix save pixlr logic control 14 years ago			`exit;`
tunning pixlr security 14 years ago			`}`
fix save pixlr logic control 14 years ago
tunning pixlr security 14 years ago			`// Extension security`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if ($extension != 'jpg' && $extension != 'png' && $extension != 'pxd') {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`die();`
tunning pixlr security 14 years ago			`}`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if ($extension == 'pxd') {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo "pxd file type does not supported"; // not secure because check security headers and finfo() return Content-Type = application/octet-stream`
tunning pixlr security 14 years ago			`exit;`
			`}`

			`//Verify that the file is an image. Headers method`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`$headers = get_headers($urlcontents, 1);`
			`$content_type = explode("/", $headers['Content-Type']);`
tunning pixlr security 14 years ago			`if ($content_type[0] != "image") {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo "Invalid file type";`
			`exit;`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`}`

tunning pixlr security 14 years ago			`//Verify that the file is an image. Fileinfo method`
Fixing some document redirections see #4780 14 years ago			`$finfo = new finfo(FILEINFO_MIME);`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`$current_mime = $finfo->buffer($contents);`
Remove E_NOTICE when saving image with pixlr finfo_close is necessary when using finfo in procedural style 9 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if (strpos($current_mime, 'image') === false) {`
Fixing some document redirections see #4780 14 years ago			`echo "Invalid mime type file";`
			`exit;`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`}`

Fixing some document redirections see #4780 14 years ago
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`//path, file and title`
			`$paintFileName = $filename.'.'.$extension;`
			`$title = $title.'.'.$extension;`

Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`if ($currentTool == 'document/createpaint') {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`//check save as and prevent rewrite an older file with same name`
			`if (0 != $groupId) {`
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com 9 years ago			`$group_properties = GroupManager :: get_group_properties($groupId);`
Fixing some document redirections see #4780 14 years ago			`$groupPath = $group_properties['directory'];`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`} else {`
			`$groupPath = '';`
			`}`

			`if (file_exists($saveDir.'/'.$filename.'.'.$extension)) {`
			`$i = 1;`
			`while (file_exists($saveDir.'/'.$filename.'_'.$i.'.'.$extension)) $i++;`
			`$paintFileName = $filename.'_'.$i.'.'.$extension;`
			`$title = $filename.'_'.$i.'.'.$extension;`
			`}`

			`//`
			`$documentPath = $saveDir.'/'.$paintFileName;`
			`//add new document to disk`
			`file_put_contents($documentPath, $contents);`
			`//add document to database`
			`$doc_id = add_document($_course, $relativeUrlPath.'/'.$paintFileName, 'file', filesize($documentPath), $title);`
			`api_item_property_update(`
			`$_course,`
			`TOOL_DOCUMENT,`
			`$doc_id,`
			`'DocumentAdded',`
			`$_user['user_id'],`
			`$groupInfo,`
			`null,`
			`null,`
			`null,`
			`$current_session_id`
			`);`
			`} elseif ($currentTool == 'document/editpaint') {`
			`$documentPath = $saveDir.'/'.$paintFileName;`
			`//add new document to disk`
			`file_put_contents($documentPath, $contents);`

Remove use of $_SESSION, fix edit svg files. 8 years ago			`$paintFile = Session::read('paint_file');`

Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`//check path`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`if (empty($paintFile)) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`api_not_allowed();`
			`die();`
			`}`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`if ($paintFile == $paintFileName) {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`$document_id = DocumentManager::get_document_id($_course, $relativeUrlPath.'/'.$paintFileName);`
			`update_existing_document($_course, $document_id, filesize($documentPath), null);`
			`api_item_property_update(`
			`$_course,`
			`TOOL_DOCUMENT,`
			`$document_id,`
			`'DocumentUpdated',`
			`$_user['user_id'],`
			`$groupInfo,`
			`null,`
			`null,`
			`null,`
			`$current_session_id`
			`);`
			`} else {`
			`//add a new document`
			`$doc_id = add_document(`
			`$_course,`
			`$relativeUrlPath.'/'.$paintFileName,`
			`'file',`
			`filesize($documentPath),`
			`$title`
			`);`
			`api_item_property_update(`
			`$_course,`
			`TOOL_DOCUMENT,`
			`$doc_id,`
			`'DocumentAdded',`
			`$_user['user_id'],`
			`$groupInfo,`
			`null,`
			`null,`
			`null,`
			`$current_session_id`
			`);`
			`}`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`}`


Feature #2712 delete temporal file when user exit or save 15 years ago			`//delete temporal file`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`$temp_file_2delete = Session::read('temp_realpath_image');`
tunning pixlr security 14 years ago			`unlink($temp_file_2delete);`
Feature #2712 delete temporal file when user exit or save 15 years ago
Feature #2712 Integrate external services Pixlr. Second step 15 years ago			`//Clean sessions and return to Chamilo file list`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`Session::erase('paint_dir');`
			`Session::erase('paint_file');`
			`Session::erase('temp_realpath_image');`
Feature #2712 Integrate external services Pixlr. Second step 15 years ago
Remove use of $_SESSION, fix edit svg files. 8 years ago			`$exit = Session::read('exit_pixlr');`
			`if (empty($exit)) {`
			`$location = api_get_path(WEB_CODE_PATH).'document/document.php?'.api_get_cidreq();`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo '<script>window.parent.location.href="'.$location.'"</script>';`
			`api_not_allowed(true);`
Use api_replace_dangerous_char 11 years ago			`} else {`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo '<div align="center" style="padding-top:150; font-family:Arial, Helvetica, Sans-serif;font-size:25px;color:#aaa;font-weight:bold;">'.get_lang('PleaseStandBy').'</div>';`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`$location = api_get_path(WEB_CODE_PATH).'document/document.php?id='.Security::remove_XSS($exit).'&'.api_get_cidreq();`
Use group info instead of group id as parameter Function api_item_property_update 9 years ago			`echo '<script>window.parent.location.href="'.$location.'"</script>';`
Remove use of $_SESSION, fix edit svg files. 8 years ago			`Session::erase('exit_pixlr');`
Use api_replace_dangerous_char 11 years ago			`}`