<?php

// Bootstrap WordPress.
//
// This script is requested directly by the upload client (not through
// WordPress's own routing), so it has to locate wp-load.php itself: four
// directories up from plugins/webtv/includes/. Installs that only expose
// wp-config.php get that plus pluggable.php, which supplies the cookie/auth
// helpers used further down. The relative paths resolve against the current
// working directory, i.e. this script's directory when served by the web
// server; realpath() yields false for a missing file, which file_exists()
// then rejects.
$wp_load   = realpath("../../../../wp-load.php");
$wp_config = realpath("../../../../wp-config.php");

if ($wp_load && file_exists($wp_load)) {
    require_once($wp_load);
} elseif ($wp_config && file_exists($wp_config)) {
    require_once($wp_config);
    require_once('../../../../wp-includes/pluggable.php');
} else {
    exit("Can't find wp-config.php or wp-load.php");
}

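global $wpdb, $wp_rewrite;

// ---------------------------------------------------------------------------
// Authentication
//
// The Flash-based SWFUpload client does not send the browser's cookies, so
// the page forwards the WordPress auth cookie as a request parameter and we
// graft it back into $_COOKIE before WordPress validates it. The value is
// still HMAC-checked by wp_validate_auth_cookie(), so a forged cookie is
// rejected. Residual risk: a cookie carried in the query string ends up in
// server/proxy logs and Referer headers — the client should send it as a
// POST field. The copy is only taken when no real cookie is present.
// ---------------------------------------------------------------------------
if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) ) {
    $_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie'];
} elseif ( empty($_COOKIE[AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) ) {
    $_COOKIE[AUTH_COOKIE] = $_REQUEST['auth_cookie'];
}

$user_id = wp_validate_auth_cookie();
if ($user_id) {
    wp_set_current_user($user_id); // set_current_user() is the deprecated alias of this
}

// Authorisation: logged in, allowed to edit posts at all, and carrying a
// nonce for this specific action. Failures are echoed with a 200 status on
// purpose: a 500 would make SWFUpload fire uploadError and drop the text.
$nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
if ( !is_user_logged_in() || !current_user_can('edit_posts') || !wp_verify_nonce($nonce, 'webtv-upload') ) {
    echo "No tiene permisos para acceder a este contenido.";
    exit(0);
}

// The target post must exist and the caller must be allowed to edit *that*
// post. The blanket 'edit_posts' check above would otherwise let any
// contributor attach an upload (and rewrite the upload meta) on an arbitrary
// post id supplied in the request.
$post_id = isset($_REQUEST['id']) ? (int) trim($_REQUEST['id']) : 0;
if ( $post_id <= 0 || !get_post($post_id) || !current_user_can('edit_post', $post_id) ) {
    echo "Bad ID on POST.";
    exit(0);
}

// ---------------------------------------------------------------------------
// Request-size check (http://us3.php.net/manual/en/features.file-upload.php#73762)
//
// NOTE(review): when the body exceeds post_max_size PHP discards $_POST and
// $_FILES, so a nonce sent only in the POST body never reaches the
// authorisation check above and such a request is rejected there instead of
// here — confirm how the client passes _wpnonce before relying on this path.
// ---------------------------------------------------------------------------
$POST_MAX_SIZE = ini_get('post_max_size');
$unit          = strtoupper(substr($POST_MAX_SIZE, -1));
$multiplier    = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));

if ( $POST_MAX_SIZE && isset($_SERVER['CONTENT_LENGTH'])
     && (int) $_SERVER['CONTENT_LENGTH'] > $multiplier * (int) $POST_MAX_SIZE ) {
    HandleError("POST exceeded maximum allowed size.", $post_id);
    exit(0);
}

// ---------------------------------------------------------------------------
// Settings
// ---------------------------------------------------------------------------
// NOTE(review): 'upload_path' is concatenated onto ABSPATH, so an empty
// option makes $save_path the web root itself, and an absolute option value
// produces a broken path. wp_upload_dir() is the supported lookup; left as-is
// because the rest of the plugin presumably resolves files the same way —
// change both together.
$save_path   = ABSPATH . get_option('upload_path') . '/';
$upload_name = "Filedata";                  // form field the client posts the file under
$max_file_size_in_bytes = 2147483647;       // 2GB in bytes (upper bound of the size check below)
$extension_whitelist = array("mp4", "m4v", "mov", "flv", "qt", "mpg", "mpeg", "3gp", "avi", "wmv", "f4v");
$valid_chars_regex = '.A-Z0-9_!@#$%^&()+={}\[\]\',~`-'; // characters kept in the stored name (regex class body)

// Other variables
$MAX_FILENAME_LENGTH = 260;
$file_name      = "";
$file_extension = "";
$uploadErrors = array(
    0 => "There is no error, the file uploaded with success",
    1 => "The uploaded file exceeds the upload_max_filesize directive in php.ini",
    2 => "The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form",
    3 => "The uploaded file was only partially uploaded",
    4 => "No file was uploaded",
    6 => "Missing a temporary folder",
    7 => "Failed to write file to disk",          // UPLOAD_ERR_CANT_WRITE
    8 => "A PHP extension stopped the file upload", // UPLOAD_ERR_EXTENSION
);

// ---------------------------------------------------------------------------
// Validate the upload
// ---------------------------------------------------------------------------
if ( !isset($_FILES[$upload_name]) ) {
    // Was previously called without $post_id, which is a missing-argument
    // error for HandleError().
    HandleError("No upload found in \$_FILES for " . $upload_name, $post_id);
    exit(0);
}
$upload = $_FILES[$upload_name];

if ( isset($upload["error"]) && $upload["error"] != 0 ) {
    $code = (int) $upload["error"];
    HandleError(isset($uploadErrors[$code]) ? $uploadErrors[$code] : "Unknown upload error ($code)", $post_id);
    exit(0);
}
if ( !isset($upload["tmp_name"]) || !@is_uploaded_file($upload["tmp_name"]) ) {
    // Guards against a tmp_name that did not come from this request's upload;
    // keep it before anything else touches the path.
    HandleError("Upload failed is_uploaded_file test.", $post_id);
    exit(0);
}
if ( !isset($upload['name']) ) {
    HandleError("File has no name.", $post_id);
    exit(0);
}

// Validate the file size (Warning: the largest files supported by this code is 2GB).
// Empty files used to fall into the "exceeds" branch because filesize() returned 0.
$file_size = @filesize($upload["tmp_name"]);
if ( $file_size === false || $file_size <= 0 ) {
    HandleError("File size outside allowed lower bound", $post_id);
    exit(0);
}
if ( $file_size > $max_file_size_in_bytes ) {
    HandleError("File exceeds the maximum allowed size", $post_id);
    exit(0);
}

// ---------------------------------------------------------------------------
// Validate the file name. Invalid characters are replaced rather than
// rejected; basename() plus the character class (which has no '/' or '\')
// is what rules out path traversal. Trailing dots are stripped.
// ---------------------------------------------------------------------------
$safe_name = preg_replace('/[^' . $valid_chars_regex . ']|\.+$/i', "-", basename($upload['name']));
// Keep a single extension: Apache's mod_mime can map *every* dotted suffix
// to a handler, so "clip.php.mp4" could be run as PHP even though its final
// extension is whitelisted. Inner dots become '-' ("clip-php.mp4").
$last_dot = strrpos($safe_name, '.');
if ( $last_dot !== false ) {
    $safe_name = str_replace('.', '-', substr($safe_name, 0, $last_dot)) . substr($safe_name, $last_dot);
}
$file_name = 'webtv_' . $safe_name;
if ( strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH ) {
    HandleError("Invalid file name", $post_id);
    exit(0);
}

// Validate the file extension — on the name that will actually be written,
// not on the client-supplied one. Whitelist entries are lowercase.
$file_extension = pathinfo($file_name, PATHINFO_EXTENSION);
if ( !in_array(strtolower($file_extension), $extension_whitelist, true) ) {
    HandleError("Invalid file extension", $post_id);
    exit(0);
}

// Validate that we won't over-write an existing file. (There is a small
// race with the move below; the 'webtv_' prefix at least confines any
// collision to files this handler itself created.)
if ( file_exists($save_path . $file_name) ) {
    HandleError("File with this name already exists", $post_id);
    exit(0);
}

// ---------------------------------------------------------------------------
// Validate file contents
//
// Nothing here inspects the bytes: the extension and the client-supplied
// MIME type are both attacker-controlled, and sniffing is OS/server
// dependent and itself unreliable (scripts can be embedded in otherwise
// valid media). Whatever is decided here, the upload directory must not be
// served with a script handler attached — that is the control that holds.
// ---------------------------------------------------------------------------

// ---------------------------------------------------------------------------
// Process the file
// ---------------------------------------------------------------------------
if ( !@move_uploaded_file($upload["tmp_name"], $save_path . $file_name) ) {
    HandleError("File could not be saved.", $post_id);
    exit(0);
}
// Readable by the web server, writable only by the owner. The previous 0666
// left every stored video world-writable, so any local process could replace
// its contents after validation. FS_CHMOD_FILE is WordPress's own upload
// mode when the site defines it.
$file_mode = defined('FS_CHMOD_FILE') ? FS_CHMOD_FILE : 0644;
if ( !chmod($save_path . $file_name, $file_mode) ) {
    HandleError("Downloaded file, but we can't change file permissions", $post_id);
    exit(0);
}

// update_post_meta() adds the key when it does not exist yet, which is what
// the former add_post_meta(..., true) or update_post_meta(...) pair did.
update_post_meta($post_id, '_webtv_upload_status', 'uploaded');
$filedetails = array(
    'local_file'   => $file_name,
    'full_path'    => $save_path . $file_name,
    'size'         => $file_size,
    'content_type' => webtv_content_type($save_path . $file_name),
);
update_post_meta($post_id, '_webtv_file_details', $filedetails);

// "sucess" (sic) is presumably the exact token the uploading page matches
// on; do not correct it here without changing the client.
echo "sucess";
exit(1);

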
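/**
 * Records an upload failure on the target post and echoes the message.
 *
 * The message is sent with HTTP 200 on purpose: SWFUpload raises uploadError
 * on a non-2xx status and the uploadSuccess handler would never see the
 * text, so the client is expected to inspect the response body for errors.
 *
 * @param string $message Fixed, developer-supplied error text. It is echoed
 *                        unescaped, so never route user input through it.
 * @param int    $post_id Post the upload belonged to. Defaults to 0 so that a
 *                        caller without a post id no longer trips a
 *                        missing-argument error; the meta writes then have
 *                        no post to attach to (WordPress's meta API treats
 *                        object id 0 as invalid — verify on the target
 *                        version) and only the message is echoed.
 */
function HandleError($message, $post_id = 0) {
    // update_post_meta() adds the key when it is absent, so the former
    // add_post_meta(..., true) or update_post_meta(...) pair is redundant.
    update_post_meta($post_id, '_webtv_upload_status', 'error');
    update_post_meta($post_id, '_webtv_upload_status_msg', $message);
    echo $message;
}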