[Mapbender-commits] r5841 - trunk/mapbender/http/plugins

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Fri Mar 26 10:14:18 EDT 2010


Author: christoph
Date: 2010-03-26 10:14:18 -0400 (Fri, 26 Mar 2010)
New Revision: 5841

Modified:
   trunk/mapbender/http/plugins/jq_upload.js
   trunk/mapbender/http/plugins/jq_upload.php
Log:
some improvements like
* blacklist
* whitelist
* max filesize
* message transmission

Modified: trunk/mapbender/http/plugins/jq_upload.js
===================================================================
--- trunk/mapbender/http/plugins/jq_upload.js	2010-03-26 11:25:19 UTC (rev 5840)
+++ trunk/mapbender/http/plugins/jq_upload.js	2010-03-26 14:14:18 UTC (rev 5841)
@@ -1,15 +1,17 @@
 $.fn.upload = function (args) {
 	return this.each(function () {
+		if (this.id === "upload") {
+			return;
+		}
 
 		var options = args || {};
 		var $this = $(this);
-		$this.append();
 		var id = this.id;
 		var time = 0;
 		var timeout = options.timeout || 7000;
 		var timeinterval = options.interval || 200;
 		// we want the default to be true, and we want the user to be able to write {displaySubmit: false}
-		var displaySubmit = options.displaySubmit? true : false;
+		var displaySubmit = options.displaySubmit === undefined ? true : !!options.displaySubmit;
 		var url = options.url || "../plugins/jq_upload.php";
 		var width = options.width || 30;
 
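Review bot: The new early return on `this.id === "upload"` carries no comment, so a reader cannot tell which element that id denotes or why it must not be initialised as an upload widget; a one-line comment above the `if` naming the element and the reason would make the guard maintainable. The `displaySubmit` line is fine as written, though the existing comment on the previous line now describes it exactly, so the two could be merged. The enclosing `$.fn.upload` callback continues past this hunk.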
@@ -27,14 +29,16 @@
 					var success = false;
 					if (returnValue.match(/_finished/)) {
 						window.frames[id + "_target"].id = undefined;
-							if (typeof options.callback === "function") {
-							options.callback(filename, true, "");						
+						if (typeof options.callback === "function") {
+							var msgArray = returnValue.split("_");
+							msg = msgArray.pop();
+							options.callback(filename, true, msg);						
 						}
 					}
 					else if (returnValue.match(/_cancelled/)) {
 						window.frames[id + "_target"].id = undefined;
-						msg = "File upload cancelled.";
-						new Mb_exception(msg);		
+						var msgArray = returnValue.split("_");
+						msg = msgArray.pop();
 						if (typeof options.callback === "function") {
 							options.callback("", false, msg);						
 						}
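Review bot: `msg = msgArray.pop()` keeps only the text after the last `_`, so any server message that contains an underscore (translated strings, or the allowed-types list interpolated into it) reaches the callback truncated to its tail; the server now emits `id_serverFilename_status_message` and `id` may itself contain underscores, so splitting from the left is no better. Anchoring on the status token is robust in both branches: `var m = returnValue.match(/_(finished|cancelled)_([\s\S]*)$/); msg = m ? m[2] : "";`. `var msgArray` is also declared twice in the same function scope, which JavaScript hoists into one binding; a single declaration before the `if` chain is clearer. `msg` itself appears to be declared above this hunk.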
@@ -66,7 +70,7 @@
 			return true;
 		});
 		$form.append($(
-			"<p id=" + id + "'_form' align='center'><br/>" + 
+			"<p id='" + id + "_form' align='center'><br/>" + 
 				"<input name='myfile' type='file' size='"+width+"' />" + 
 
 				(displaySubmit ? "<input type='submit' value='Upload' />": "") + 

Modified: trunk/mapbender/http/plugins/jq_upload.php
===================================================================
--- trunk/mapbender/http/plugins/jq_upload.php	2010-03-26 11:25:19 UTC (rev 5840)
+++ trunk/mapbender/http/plugins/jq_upload.php	2010-03-26 14:14:18 UTC (rev 5841)
@@ -7,15 +7,74 @@
 	}
 	else {
 		$result = 0;
-		$clientFilename = $_FILES['myfile']['tmp_name'];
+		$cancel = false;
+		
+		$uploadedFile = $_FILES['myfile']['tmp_name'];
+		$clientFilename = $_FILES['myfile']['name'];
+		$serverFilename = Mapbender::session()->get("mb_user_id") . "_" . uniqid(true);
 
-		$serverFilename = uniqid(true);
-		$serverFullFilename = TMPDIR . "/" . $serverFilename;
-		if (copy($clientFilename, $serverFullFilename)) {
-			$message = "finished";
+		$uploadDir = TMPDIR;
+		if (defined("UPLOAD_DIR")) {
+			$uploadDir = UPLOAD_DIR;
 		}
+		$allowedFileTypes = array();
+		if (defined("UPLOAD_WHITELIST_FILE_TYPES")) {
+			$allowedFileTypes = explode(",", UPLOAD_WHITELIST_FILE_TYPES);
+		}
+
+		// check if file type is valid
+		foreach ($allowedFileTypes as $item) {
+			$cancel = true;
+			$message = _mb("Files with this extension are not allowed. Must be %s.", implode(", ", $allowedFileTypes));
+			if(preg_match("/\.$item\$/i", $clientFilename)) {
+				$cancel = false;
+				break;
+			}
+		}
+		
+		$disallowedFileTypes = array("PHP", "PHP3", "PHP4", "PHTML", "PHP5", "PHP6");
+		if (defined("UPLOAD_BLACKLIST_FILE_TYPES")) {
+			$disallowedFileTypes = array_merge(
+				explode(",", UPLOAD_BLACKLIST_FILE_TYPES), 
+				$disallowedFileTypes
+			);
+		}
+		
+		// check if file type is valid
+		foreach ($disallowedFileTypes as $item) {
+			if(preg_match("/\.$item\$/i", $clientFilename)) {
+				$cancel = true;
+				$message = _mb("Files with extension %s are not allowed. Must be %s.", $item, implode(", ", $allowedFileTypes));
+				break;
+			}
+		}
+		$maxSize = intval(ini_get("upload_max_filesize"))*1024;
+		if (defined("UPLOAD_MAX_SIZE_KB") && UPLOAD_MAX_SIZE_KB < $maxSize) {
+			$maxSize = UPLOAD_MAX_SIZE_KB;
+		}
+		if (count($_FILES) === 0 || filesize($uploadedFile) > UPLOAD_MAX_SIZE_KB * 1024) {
+			$cancel = true;
+			$message = _mb("File size limit (%s KB) exceeded.", UPLOAD_MAX_SIZE_KB);
+		}
+		
+		$extension = "";
+		$pos = strrpos($clientFilename, ".");
+		if ($pos !== false) {
+			$extension = substr($clientFilename, $pos);
+		}
+		$serverFullFilename = $uploadDir . "/" . $serverFilename . $extension;
+		if (!$cancel) {
+			if (!copy($uploadedFile, $serverFullFilename)) {
+				$status = "cancelled";
+				$message = _mb("File could not be stored on server. Please contact the administrator.");
+			}
+			else {
+				$status = "finished";
+				$message = _mb("File has been uploaded.");
+			}
+		}
 		else {
-	   		$message = "cancelled";
+	   		$status = "cancelled";
 		}
 	}
 ?>
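Review bot: `$maxSize` computed at L130-133 is never used: the comparison and the message at L134-136 read `UPLOAD_MAX_SIZE_KB` directly, so the ini-derived fallback is dead and, when the constant is not defined, the expression presumably degrades to a notice and a limit of 0 that rejects every upload. The `count($_FILES) === 0` guard also comes after `$_FILES['myfile']['tmp_name']` has already been read at L87, and nothing checks `$_FILES['myfile']['error']` or `is_uploaded_file()` before `filesize()` and `copy()`; `move_uploaded_file()` would both move the file and enforce that the source really is an upload. In the extension checks `$item` is interpolated into the pattern without `preg_quote()`, and since the denylist is a fixed list, the allowlist constant should be treated as the primary control whenever `$uploadDir` is served by the web server. Separately, `uniqid(true)` at L89 passes `true` as the prefix (it becomes `"1"`); presumably `uniqid('', true)` was meant. The enclosing `if`/`else` starts before this hunk.
```php
		// … unchanged: $cancel, $uploadedFile, $clientFilename, $serverFilename, dir and extension checks …
		$maxSize = intval(ini_get("upload_max_filesize")) * 1024;
		if (defined("UPLOAD_MAX_SIZE_KB") && UPLOAD_MAX_SIZE_KB < $maxSize) {
			$maxSize = UPLOAD_MAX_SIZE_KB;
		}
		if (!isset($_FILES['myfile']) || $_FILES['myfile']['error'] !== UPLOAD_ERR_OK
			|| !is_uploaded_file($uploadedFile)) {
			$cancel = true;
			$message = _mb("File could not be uploaded.");
		}
		else if (filesize($uploadedFile) > $maxSize * 1024) {
			$cancel = true;
			$message = _mb("File size limit (%s KB) exceeded.", $maxSize);
		}
		// … unchanged: $extension, $serverFullFilename …
		if (!$cancel) {
			if (!move_uploaded_file($uploadedFile, $serverFullFilename)) {
```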
@@ -23,7 +82,7 @@
 	<head>
 		<script type="text/javascript">
 			window.id = "<?php 
-				echo $id . "_" . $serverFilename . "_" . $message;
+				echo $id . "_" . $serverFilename . "_" . $status . "_" . $message;
 			?>";
 		</script>
 	</head>
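Review bot: The value is echoed into a JavaScript string literal without any escaping; `$message` is now a translated, formatted string that may contain a double quote, backslash or line break, which would terminate the literal, and `$id` is not set in this hunk (if it comes from the request, the same spot is a script injection point). Emitting the literal through the JSON encoder avoids both: `window.id = <?php echo json_encode($id . "_" . $serverFilename . "_" . $status . "_" . $message); ?>;`, dropping the surrounding hand-written quotes. `$status` and `$message` are set in the earlier hunk of this file.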


