[svn r13804] Filter files by extensions in documents, work (student publications) and dropbox (linked with FS#1420)

skala
Yannick Warnier 18 years ago
parent 59c371f7ee
commit 5ded415095
  1. 11
      main/dropbox/dropbox_functions.inc.php
  2. 171
      main/dropbox/dropbox_submit.php
  3. 235
      main/inc/lib/fileUpload.lib.php
  4. 89
      main/work/work.php

@ -800,7 +800,6 @@ function store_add_dropbox()
global $dropbox_cnf;
global $_user;
global $_course;
require_once(api_get_path(LIBRARY_PATH) . "/fileUpload.lib.php");
// ----------------------------------------------------------
// Validating the form data
@ -899,6 +898,12 @@ function store_add_dropbox()
$dropbox_filename = replace_dangerous_char( $dropbox_filename);
// Transform any .php file in .phps fo security
$dropbox_filename = php2phps ( $dropbox_filename);
//filter extension
if(!filter_extension($dropbox_filename))
{
return get_lang('UplUnableToSaveFileFilteredExtension');
}
// set title
$dropbox_title = $dropbox_filename;
// set author
@ -911,7 +916,7 @@ function store_add_dropbox()
if ( $dropbox_overwrite) // RH: Mailing: adapted
{
$dropbox_person = new Dropbox_Person( $_user['user_id'], $is_courseAdmin, $is_courseTutor);
$dropbox_person = new Dropbox_Person( $_user['user_id'], api_is_course_admin(), api_is_course_tutor());
foreach($dropbox_person->sentWork as $w)
{
@ -949,7 +954,7 @@ function store_add_dropbox()
$userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_') ));
foreach ($userList as $usr)
{
if (! in_array($usr['user_id'], $newWorkRecipients) && $usr['user_id'] != $_user['user_id'])
if (! in_array($usr['user_id'], $new_work_recipients) && $usr['user_id'] != $_user['user_id'])
{
$new_work_recipients[] = $usr['user_id'];
}
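Review bot: The new `filter_extension($dropbox_filename)` call in store_add_dropbox needs the function that this commit presumably adds to fileUpload.lib.php (its definition is not in the shown hunks), yet the first hunk of this file (`-800,7 +800,6`, one line removed, nothing added) appears to drop `require_once(api_get_path(LIBRARY_PATH) . "/fileUpload.lib.php");` — if that is the removed line and the library is not loaded by a global include, the upload path now dies on an undefined function; please confirm where fileUpload.lib.php is included from. Separately, the filter runs after `php2phps()` has already rewritten the name, so a `.php` upload is checked as `.phps`; a comment such as `// filter the stored name (.php already rewritten to .phps above)` would make that order explicit. The rest of store_add_dropbox lies outside these hunks.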

@ -88,7 +88,7 @@ if ( isset( $_POST["submitWork"]))
/**
* --------------------------------------
*      FORM SUBMIT : VALIDATE POSTED DATA
* <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>FORM SUBMIT : VALIDATE POSTED DATA
* --------------------------------------
*/
// the author or description field is empty
@ -162,7 +162,7 @@ if ( isset( $_POST["submitWork"]))
/**
* --------------------------------------
*     FORM SUBMIT : UPLOAD NEW FILE
* <EFBFBD><EFBFBD><EFBFBD><EFBFBD>FORM SUBMIT : UPLOAD NEW FILE
* --------------------------------------
*/
if ( !$error)
@ -193,105 +193,112 @@ if ( isset( $_POST["submitWork"]))
$dropbox_filename = replace_dangerous_char( $dropbox_filename);
// Transform any .php file in .phps fo security
$dropbox_filename = php2phps ( $dropbox_filename);
// set title
$dropbox_title = $dropbox_filename;
// set author
if ( $_POST['authors'] == '')
if(!filter_extension($dropbox_filename))
{
$_POST['authors'] = getUserNameFromId( $_user['user_id']);
$error = true;
$errormsg = get_lang('UplUnableToSaveFileFilteredExtension');
}
else
{
// set title
$dropbox_title = $dropbox_filename;
if ( $dropbox_overwrite) // RH: Mailing: adapted
{
$dropbox_person = new Dropbox_Person( $_user['user_id'], $is_courseAdmin, $is_courseTutor);
// set author
if ( $_POST['authors'] == '')
{
$_POST['authors'] = getUserNameFromId( $_user['user_id']);
}
foreach($dropbox_person->sentWork as $w)
if ( $dropbox_overwrite) // RH: Mailing: adapted
{
if ($w->title == $dropbox_filename)
$dropbox_person = new Dropbox_Person( $_user['user_id'], $is_courseAdmin, $is_courseTutor);
foreach($dropbox_person->sentWork as $w)
{
if ( ($w->recipients[0]['id'] > dropbox_cnf("mailingIdBase")) xor $thisIsAMailing)
{
$error = TRUE;
$errormsg = dropbox_lang("mailingNonMailingError");
}
if ( ($w->recipients[0]['id'] == $_user['user_id']) xor $thisIsJustUpload)
if ($w->title == $dropbox_filename)
{
$error = TRUE;
$errormsg = dropbox_lang("mailingJustUploadNoOther");
if ( ($w->recipients[0]['id'] > dropbox_cnf("mailingIdBase")) xor $thisIsAMailing)
{
$error = TRUE;
$errormsg = dropbox_lang("mailingNonMailingError");
}
if ( ($w->recipients[0]['id'] == $_user['user_id']) xor $thisIsJustUpload)
{
$error = TRUE;
$errormsg = dropbox_lang("mailingJustUploadNoOther");
}
$dropbox_filename = $w->filename; $found = true;
break;
}
$dropbox_filename = $w->filename; $found = true;
break;
}
}
}
else // rename file to login_filename_uniqueId format
{
$dropbox_filename = getLoginFromId( $_user['user_id']) . "_" . $dropbox_filename . "_".uniqid('');
}
else // rename file to login_filename_uniqueId format
{
$dropbox_filename = getLoginFromId( $_user['user_id']) . "_" . $dropbox_filename . "_".uniqid('');
}
if ( ( ! is_dir( dropbox_cnf("sysPath"))))
{
//The dropbox subdir doesn't exist yet so make it and create the .htaccess file
mkdir( dropbox_cnf("sysPath"), 0700) or die ( dropbox_lang("errorCreatingDir")." (code 404)");
$fp = fopen( dropbox_cnf("sysPath")."/.htaccess", "w") or die (dropbox_lang("errorCreatingDir")." (code 405)");
fwrite($fp, "AuthName AllowLocalAccess
AuthType Basic
if ( ( ! is_dir( dropbox_cnf("sysPath"))))
{
//The dropbox subdir doesn't exist yet so make it and create the .htaccess file
mkdir( dropbox_cnf("sysPath"), 0700) or die ( dropbox_lang("errorCreatingDir")." (code 404)");
$fp = fopen( dropbox_cnf("sysPath")."/.htaccess", "w") or die (dropbox_lang("errorCreatingDir")." (code 405)");
fwrite($fp, "AuthName AllowLocalAccess
AuthType Basic
order deny,allow
deny from all
order deny,allow
deny from all
php_flag zlib.output_compression off") or die (dropbox_lang("errorCreatingDir")." (code 406)");
}
php_flag zlib.output_compression off") or die (dropbox_lang("errorCreatingDir")." (code 406)");
}
if ( $error) {}
elseif ( $thisIsAMailing) // RH: $newWorkRecipients is integer - see class
{
if ( preg_match( dropbox_cnf("mailingZipRegexp"), $dropbox_title))
if ( $error) {}
elseif ( $thisIsAMailing) // RH: $newWorkRecipients is integer - see class
{
$newWorkRecipients = dropbox_cnf("mailingIdBase");
if ( preg_match( dropbox_cnf("mailingZipRegexp"), $dropbox_title))
{
$newWorkRecipients = dropbox_cnf("mailingIdBase");
}
else
{
$error = TRUE;
$errormsg = $dropbox_title . ": " . dropbox_lang("mailingWrongZipfile");
}
}
else
elseif ( $thisIsJustUpload) // RH: $newWorkRecipients is empty array
{
$error = TRUE;
$errormsg = $dropbox_title . ": " . dropbox_lang("mailingWrongZipfile");
}
}
elseif ( $thisIsJustUpload) // RH: $newWorkRecipients is empty array
{
$newWorkRecipients = array();
}
else
{ // creating the array that contains all the users who will receive the file
$newWorkRecipients = array();
foreach ($_POST["recipients"] as $rec)
{
if (strpos($rec, 'user_') === 0) {
$newWorkRecipients[] = substr($rec, strlen('user_') );
}
elseif (strpos($rec, 'group_') === 0 )
{
$userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_') ));
foreach ($userList as $usr)
{
if (! in_array($usr['user_id'], $newWorkRecipients) && $usr['user_id'] != $_user['user_id'])
{
$newWorkRecipients[] = $usr['user_id'];
}
}
}
}
}
$newWorkRecipients = array();
}
else
{ // creating the array that contains all the users who will receive the file
$newWorkRecipients = array();
foreach ($_POST["recipients"] as $rec)
{
if (strpos($rec, 'user_') === 0) {
$newWorkRecipients[] = substr($rec, strlen('user_') );
}
elseif (strpos($rec, 'group_') === 0 )
{
$userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_') ));
foreach ($userList as $usr)
{
if (! in_array($usr['user_id'], $newWorkRecipients) && $usr['user_id'] != $_user['user_id'])
{
$newWorkRecipients[] = $usr['user_id'];
}
}
}
}
}
//After uploading the file, create the db entries
//After uploading the file, create the db entries
if ( !$error)
{
@move_uploaded_file( $dropbox_filetmpname, dropbox_cnf("sysPath") . '/' . $dropbox_filename)
or die( dropbox_lang("uploadError")." (code 407)");
new Dropbox_SentWork( $_user['user_id'], $dropbox_title, $_POST['description'], strip_tags($_POST['authors']), $dropbox_filename, $dropbox_filesize, $newWorkRecipients);
}
if ( !$error)
{
@move_uploaded_file( $dropbox_filetmpname, dropbox_cnf("sysPath") . '/' . $dropbox_filename)
or die( dropbox_lang("uploadError")." (code 407)");
new Dropbox_SentWork( $_user['user_id'], $dropbox_title, $_POST['description'], strip_tags($_POST['authors']), $dropbox_filename, $dropbox_filesize, $newWorkRecipients);
}
}
}
} //end if(!$error)
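Review bot: The filter is applied to `$dropbox_filename` only after `replace_dangerous_char()` and `php2phps()` have rewritten it, so a file uploaded as `x.php` reaches `filter_extension()` as `x.phps`; whether that is the intended policy depends on the extension list, which is not on this page, and it deserves a comment either way, e.g. `// filter the stored name: .php has already been rewritten to .phps above`. The same ordering appears in store_add_dropbox (dropbox_functions.inc.php) and in work.php. A smaller point: the new branch sets `$errormsg = get_lang('UplUnableToSaveFileFilteredExtension')` while every other failure in this block uses `dropbox_lang(...)`; confirm the key lives in the global language file rather than the dropbox one. The enclosing `if ( isset( $_POST["submitWork"]))` block starts before the hunk.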

@ -309,131 +309,106 @@ function handle_uploaded_document($_course,$uploaded_file,$base_work_dir,$upload
$clean_name = replace_dangerous_char($uploaded_file['name']);
//no "dangerous" files
$clean_name = disable_dangerous_file($clean_name);
//echo "<br/>clean name = ".$clean_name;
//echo "<br/>upload_path = ".$upload_path;
//if the upload path differs from / (= root) it will need a slash at the end
if ($upload_path!='/')
$upload_path = $upload_path.'/';
//echo "<br/>upload_path = ".$upload_path;
$file_path = $upload_path.$clean_name;
//echo "<br/>file path = ".$file_path;
//full path to where we want to store the file with trailing slash
$where_to_save = $base_work_dir.$upload_path;
//at least if the directory doesn't exist, tell so
if(!is_dir($where_to_save)){
Display::display_error_message(get_lang('DestDirectoryDoesntExist').' ('.$upload_path.')');
if(!filter_extension($clean_name))
{
Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
return false;
}
//echo "<br/>where to save = ".$where_to_save;
// full path of the destination
$store_path = $where_to_save.$clean_name;
//echo "<br/>store path = ".$store_path;
//name of the document without the extension (for the title)
$document_name = get_document_title($uploaded_file['name']);
//size of the uploaded file (in bytes)
$file_size = $uploaded_file['size'];
//what to do if the target file exists
switch ($what_if_file_exists)
{
//overwrite the file if it exists
case 'overwrite':
//check if the target file exists, so we can give another message
if (file_exists($store_path))
{
$file_exists = true;
}
else
{
$file_exists = false;
}
if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
else
{
//extension is good
//echo "<br/>clean name = ".$clean_name;
//echo "<br/>upload_path = ".$upload_path;
//if the upload path differs from / (= root) it will need a slash at the end
if ($upload_path!='/')
$upload_path = $upload_path.'/';
//echo "<br/>upload_path = ".$upload_path;
$file_path = $upload_path.$clean_name;
//echo "<br/>file path = ".$file_path;
//full path to where we want to store the file with trailing slash
$where_to_save = $base_work_dir.$upload_path;
//at least if the directory doesn't exist, tell so
if(!is_dir($where_to_save)){
Display::display_error_message(get_lang('DestDirectoryDoesntExist').' ('.$upload_path.')');
return false;
}
//echo "<br/>where to save = ".$where_to_save;
// full path of the destination
$store_path = $where_to_save.$clean_name;
//echo "<br/>store path = ".$store_path;
//name of the document without the extension (for the title)
$document_name = get_document_title($uploaded_file['name']);
//size of the uploaded file (in bytes)
$file_size = $uploaded_file['size'];
//what to do if the target file exists
switch ($what_if_file_exists)
{
if($file_exists)
//overwrite the file if it exists
case 'overwrite':
//check if the target file exists, so we can give another message
if (file_exists($store_path))
{
//UPDATE DATABASE!
$document_id = DocumentManager::get_document_id($_course,$file_path);
if ($document_id)
{
//update filesize
update_existing_document($_course,$document_id,$uploaded_file['size']);
//update document item_property
api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentUpdated',$user_id,$to_group_id,$to_user_id);
}
//if the file is in a folder, we need to update all parent folders
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message with extra info to user
if($output){
Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path .' '. get_lang('UplFileOverwritten'),false);
}
return $file_path;
$file_exists = true;
}
else
{
//put the document data in the database
$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
if ($document_id)
$file_exists = false;
}
if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
{
if($file_exists)
{
//put the document in item_property update
api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
//UPDATE DATABASE!
$document_id = DocumentManager::get_document_id($_course,$file_path);
if ($document_id)
{
//update filesize
update_existing_document($_course,$document_id,$uploaded_file['size']);
//update document item_property
api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentUpdated',$user_id,$to_group_id,$to_user_id);
}
//if the file is in a folder, we need to update all parent folders
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message with extra info to user
if($output){
Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path .' '. get_lang('UplFileOverwritten'),false);
}
return $file_path;
}
else
{
//put the document data in the database
$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
if ($document_id)
{
//put the document in item_property update
api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
}
//if the file is in a folder, we need to update all parent folders
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message to user
Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
return $file_path;
}
//if the file is in a folder, we need to update all parent folders
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message to user
Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
return $file_path;
}
}
else
{
Display::display_error_message(get_lang('UplUnableToSaveFile'));
return false;
}
break;
//rename the file if it exists
case 'rename':
$new_name = unique_name($where_to_save, $clean_name);
$store_path = $where_to_save.$new_name;
$new_file_path = $upload_path.$new_name;
if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
{
//put the document data in the database
$document_id = add_document($_course,$new_file_path,'file',$file_size,$document_name);
if ($document_id)
else
{
//update document item_property
api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
}
//if the file is in a folder, we need to update all parent folders
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message to user
if($output){
Display::display_confirmation_message(get_lang('UplUploadSucceeded'). "<br>" .get_lang('UplFileSavedAs') . $new_file_path,false);
Display::display_error_message(get_lang('UplUnableToSaveFile'));
return false;
}
return $new_file_path;
}
else
{
Display::display_error_message(get_lang('UplUnableToSaveFile'));
return false;
}
break;
break;
//rename the file if it exists
case 'rename':
$new_name = unique_name($where_to_save, $clean_name);
$store_path = $where_to_save.$new_name;
$new_file_path = $upload_path.$new_name;
//only save the file if it doesn't exist or warn user if it does exist
default:
if (file_exists($store_path))
{
Display::display_error_message($clean_name.' '.get_lang('UplAlreadyExists'));
}
else
{
if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
{
//put the document data in the database
$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
$document_id = add_document($_course,$new_file_path,'file',$file_size,$document_name);
if ($document_id)
{
//update document item_property
@ -443,18 +418,52 @@ function handle_uploaded_document($_course,$uploaded_file,$base_work_dir,$upload
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message to user
if($output){
Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
Display::display_confirmation_message(get_lang('UplUploadSucceeded'). "<br>" .get_lang('UplFileSavedAs') . $new_file_path,false);
}
return $file_path;
return $new_file_path;
}
else
{
Display::display_error_message(get_lang('UplUnableToSaveFile'));
return false;
}
break;
//only save the file if it doesn't exist or warn user if it does exist
default:
if (file_exists($store_path))
{
Display::display_error_message($clean_name.' '.get_lang('UplAlreadyExists'));
}
else
{
if (@move_uploaded_file($uploaded_file['tmp_name'], $store_path))
{
//put the document data in the database
$document_id = add_document($_course,$file_path,'file',$file_size,$document_name);
if ($document_id)
{
//update document item_property
api_item_property_update($_course,TOOL_DOCUMENT,$document_id,'DocumentAdded',$user_id,$to_group_id,$to_user_id);
}
//if the file is in a folder, we need to update all parent folders
item_property_update_on_folder($_course,$upload_path,$user_id);
//display success message to user
if($output){
Display::display_confirmation_message(get_lang('UplUploadSucceeded')."<br/>".$file_path,false);
}
return $file_path;
}
else
{
Display::display_error_message(get_lang('UplUnableToSaveFile'));
return false;
}
}
break;
}
break;
}
}
}
}
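Review bot: The `else` added after `return false;` in the new filtered-extension branch is redundant — the rejected path already leaves handle_uploaded_document — and it re-indents the entire remainder of the function, which is what makes this section hard to review; keeping the guard `if(!filter_extension($clean_name)) { ...; return false; }` and dropping the `else` leaves the original body untouched. The new `Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'))` is also not gated by `$output`, unlike the `if($output)` guards around the confirmation messages elsewhere in this function; if `$output` is meant to silence the function, this message should be wrapped the same way. Note that the check runs on `$clean_name` after `disable_dangerous_file()`, so the filter sees the already-rewritten name. The function's signature and the start of its body are outside the hunk.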

@ -23,7 +23,7 @@
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
* @author Roan Embrechts, code refactoring and virtual course support
* @author Frederic Vauthier, directories management
* @version $Id: work.php 13756 2007-11-23 16:30:17Z elixir_inter $
* @version $Id: work.php 13804 2007-11-28 06:08:00Z yannoo $
*
* @todo refactor more code into functions, use quickforms, coding standards, ...
*/
@ -631,56 +631,65 @@ if($_POST['submitWork'] && $is_course_member && $check)
// Transform any .php file in .phps fo security
$new_file_name = php2phps($new_file_name);
if( ! $title )
//filter extension
if(!filter_extension($new_file_name))
{
Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
$succeed = false;
}
else
{
$title = $_FILES['file']['name'];
}
if ( ! $authors)
{
$authors = $currentUserFirstName." ".$currentUserLastName;
}
if( ! $title )
{
$title = $_FILES['file']['name'];
}
// compose a unique file name to avoid any conflict
if ( ! $authors)
{
$authors = $currentUserFirstName." ".$currentUserLastName;
}
$new_file_name = uniqid('').$new_file_name;
// compose a unique file name to avoid any conflict
if (isset($_SESSION['toolgroup']))
{
$post_group_id = $_SESSION['toolgroup'];
}
else
{
$post_group_id = '0';
}
//if we come from the group tools the groupid will be saved in $work_table
$new_file_name = uniqid('').$new_file_name;
move_uploaded_file($_FILES['file']['tmp_name'],$updir.$my_cur_dir_path.$new_file_name);
if (isset($_SESSION['toolgroup']))
{
$post_group_id = $_SESSION['toolgroup'];
}
else
{
$post_group_id = '0';
}
//if we come from the group tools the groupid will be saved in $work_table
$url = "work/".$my_cur_dir_path.$new_file_name;
$result = api_sql_query("SHOW FIELDS FROM ".$work_table." LIKE 'sent_date'",__FILE__,__LINE__);
move_uploaded_file($_FILES['file']['tmp_name'],$updir.$my_cur_dir_path.$new_file_name);
if(!mysql_num_rows($result))
{
api_sql_query("ALTER TABLE ".$work_table." ADD sent_date DATETIME NOT NULL");
}
$url = "work/".$my_cur_dir_path.$new_file_name;
$result = api_sql_query("SHOW FIELDS FROM ".$work_table." LIKE 'sent_date'",__FILE__,__LINE__);
$sql_add_publication = "INSERT INTO ".$work_table."
SET url = '".$url."',
title = '".$title."',
description = '".$description."',
author = '".$authors."',
active = '".$active."',
accepted = '".(!$uploadvisibledisabled)."',
post_group_id = '".$post_group_id."',
sent_date = NOW()";
if(!mysql_num_rows($result))
{
api_sql_query("ALTER TABLE ".$work_table." ADD sent_date DATETIME NOT NULL");
}
api_sql_query($sql_add_publication,__FILE__,__LINE__);
$sql_add_publication = "INSERT INTO ".$work_table."
SET url = '".$url."',
title = '".$title."',
description = '".$description."',
author = '".$authors."',
active = '".$active."',
accepted = '".(!$uploadvisibledisabled)."',
post_group_id = '".$post_group_id."',
sent_date = NOW()";
$Id = mysql_insert_id();
api_item_property_update($_course,'work',$Id,get_lang('DocumentAdded'),$user_id);
$succeed = true;
api_sql_query($sql_add_publication,__FILE__,__LINE__);
$Id = mysql_insert_id();
api_item_property_update($_course,'work',$Id,get_lang('DocumentAdded'),$user_id);
$succeed = true;
}
}
/*
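Review bot: `move_uploaded_file($_FILES['file']['tmp_name'],$updir.$my_cur_dir_path.$new_file_name)` inside the new `else` branch is still unchecked, so the `INSERT INTO ".$work_table` that follows records a publication and `$succeed` becomes true even when the file never reached `$updir`; the call should be the branch condition, e.g. `if (!move_uploaded_file(...)) { Display::display_error_message(get_lang('UplUnableToSaveFile')); $succeed = false; }` with the database work in its `else`. That same statement builds SQL by string concatenation from `$title`, `$description` and `$authors`, and `$title` falls back to `$_FILES['file']['name']` a few lines above — unless these are escaped before the hunk (not visible here), the raw client-supplied filename goes into the query, so they should pass through `mysql_real_escape_string()` (or the project's escaping helper) before interpolation. Both issues predate this commit but sit in the code it rewrites. The enclosing `if($_POST['submitWork'] && $is_course_member && $check)` block starts before the hunk.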
