| 1 | <?php |
| 2 | |
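/**
 * Attach an uploaded data file to the node currently being edited.
 *
 * The node comes from the global $node, which the caller must populate
 * (including 'node_permission' and 'node_id'); the check below trusts it,
 * so callers are responsible for deriving it from the authenticated session
 * rather than from request data. The actual handling of $_FILES is delegated
 * to filez::upload_data_file().
 *
 * Globals: reads $node; writes $error on a permission failure; $db is kept
 * in scope because filez.inc is required inside this function and may use it.
 *
 * @return false|null false (with $error set) when the current user is not the
 *                    node's owner or a master; null otherwise, as before.
 */
function upload_data_file()
{
    // XXX sec. bug over sec. bug
    global $db, $error, $node;

    // require_once instead of require: filez.inc provides class filez, and a
    // second plain require in the same request would fail with
    // "Cannot redeclare class".
    require_once(INCLUDE_DIR . 'filez.inc');

    // Authorisation gate: only 'owner' or 'master' may attach files.
    // Strict in_array so a missing or non-string node_permission never matches.
    if (!in_array($node['node_permission'], ['owner', 'master'], true)) {
        // NOTE(review): $error_messages is neither a global nor a parameter
        // here; presumably filez.inc defines it — confirm.
        $error = $error_messages['EVENT_PERMISSION_ERROR'];
        return false;
    }

    // NOTE(review): the delegate's return value is discarded, so a failed
    // upload looks like success to the caller; propagate it once the
    // contract of filez::upload_data_file() is known.
    filez::upload_data_file($node['node_id']);

    // The former inline zip-extraction / gallery-thumbnail branch was removed:
    // it was already commented out ("Removed for now, need complete rewrite")
    // and built shell commands and paths from the uploaded file name.
}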
| 89 | ?> |