dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security fix: wpReUpload
[lhc/web/wiklou.git] / includes / SpecialUpload.php
1 <?
2
3 function wfSpecialUpload()
4 {
5 global $wgUser, $wgOut, $wpUpload, $wpReUpload, $action;
6
7 $fields = array( "wpUploadFile", "wpUploadDescription" );
8 wfCleanFormFields( $fields );
9
10 if ( ( 0 == $wgUser->getID() )
11 or $wgUser->isBlocked() ) {
12 $wgOut->errorpage( "uploadnologin", "uploadnologintext" );
13 return;
14 }
15 if ( wfReadOnly() ) {
16 $wgOut->readOnlyPage();
17 return;
18 }
19 if ( isset( $wpReUpload) ) {
20 unsaveUploadedFile();
21 mainUploadForm( "" );
22 } else if ( "submit" == $action || isset( $wpUpload ) ) {
23 processUpload();
24 } else {
25 mainUploadForm( "" );
26 }
27 }
28
29 function processUpload()
30 {
31 global $wgUser, $wgOut, $wgLang, $wpUploadAffirm, $wpUploadFile;
32 global $wpUploadDescription, $wpIgnoreWarning;
33 global $HTTP_POST_FILES, $wgUploadDirectory;
34 global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
35 global $wgSavedFile, $wgUploadOldVersion, $wpUploadOldVersion;
36 global $wgUseCopyrightUpload , $wpUploadCopyStatus , $wpUploadSource ;
37
38 if ( $wgUseCopyrightUpload )
39 {
40 $wpUploadAffirm = 1 ;
41 if ( trim ( $wpUploadCopyStatus ) == "" || trim ( $wpUploadSource ) == "" )
42 $wpUploadAffirm = 0 ;
43 }
44
45 if ( 1 != $wpUploadAffirm ) {
46 mainUploadForm( WfMsg( "noaffirmation" ) );
47 return;
48 }
49 if ( ! $wpUploadTempName ) {
50 $wpUploadTempName = $HTTP_POST_FILES['wpUploadFile']['tmp_name'];
51 }
52 if ( ! $wpUploadSize ) {
53 $wpUploadSize = $HTTP_POST_FILES['wpUploadFile']['size'];
54 }
55 $prev = error_reporting( E_ALL & ~( E_NOTICE | E_WARNING ) );
56 $oname = wfCleanQueryVar( $HTTP_POST_FILES['wpUploadFile']['name'] );
57 if ( $wpUploadSaveName != "" ) $wpUploadSaveName = wfCleanQueryVar( $wpUploadSaveName );
58 error_reporting( $prev );
59
60 if ( "" != $oname ) {
61 $basename = strrchr( $oname, "/" );
62 if ( false === $basename ) { $basename = $oname; }
63 else ( $basename = substr( $basename, 1 ) );
64
65 $ext = strrchr( $basename, "." );
66 if ( false === $ext ) { $ext = ""; }
67 else { $ext = substr( $ext, 1 ); }
68
69 if ( "" == $ext ) { $xl = 0; } else { $xl = strlen( $ext ) + 1; }
70 $partname = substr( $basename, 0, strlen( $basename ) - $xl );
71
72 if ( strlen( $partname ) < 3 ) {
73 mainUploadForm( WfMsg( "minlength" ) );
74 return;
75 }
76 $nt = Title::newFromText( $basename );
77 $wpUploadSaveName = $nt->getDBkey();
78
79 saveUploadedFile();
80 if ( ( ! $wpIgnoreWarning ) &&
81 ( 0 != strcmp( ucfirst( $basename ), $wpUploadSaveName ) ) ) {
82 $warn = str_replace( "$1", $wpUploadSaveName,
83 wfMsg( "badfilename" ) );
84 return uploadWarning( $warn );
85 }
86 $extensions = array( "png", "jpg", "jpeg", "ogg" );
87 if ( ( ! $wpIgnoreWarning ) &&
88 ( ! in_array( strtolower( $ext ), $extensions ) ) ) {
89 $warn = str_replace( "$1", $ext, wfMsg( "badfiletype" ) );
90 return uploadWarning( $warn );
91 }
92 if ( ( ! $wpIgnoreWarning ) && ( $wpUploadSize > 150000 ) ) {
93 return uploadWarning( WfMsg( "largefile" ) );
94 }
95 }
96 if ( isset( $wpUploadOldVersion ) ) {
97 $wgUploadOldVersion = $wpUploadOldVersion;
98 }
99 wfRecordUpload( $wpUploadSaveName, $wgUploadOldVersion,
100 $wpUploadSize, $wpUploadDescription );
101
102 $sk = $wgUser->getSkin();
103 $ilink = $sk->makeMediaLink( $wpUploadSaveName, wfImageUrl(
104 $wpUploadSaveName ) );
105 $dname = $wgLang->getNsText( Namespace::getImage() ) . ":{$wpUploadSaveName}";
106 $dlink = $sk->makeKnownLink( $dname, $dname );
107
108 $wgOut->addHTML( "<h2>" . wfMsg( "successfulupload" ) . "</h2>\n" );
109 $text = str_replace( "$1", $ilink, wfMsg( "fileuploaded" ) );
110 $text = str_replace( "$2", $dlink, $text );
111 $wgOut->addHTML( "<p>{$text}\n" );
112 $wgOut->returnToMain( false );
113 }
114
115 function saveUploadedFile()
116 {
117 global $wpUploadSaveName, $wpUploadTempName;
118 global $wgSavedFile, $wgUploadOldVersion;
119 global $wgUploadDirectory, $wgOut;
120
121 $dest = wfImageDir( $wpUploadSaveName );
122 $archive = wfImageArchiveDir( $wpUploadSaveName );
123 $wgSavedFile = "{$dest}/{$wpUploadSaveName}";
124
125 if ( is_file( $wgSavedFile ) ) {
126 $wgUploadOldVersion = gmdate( "YmdHis" ) . "!{$wpUploadSaveName}";
127
128 if ( ! rename( $wgSavedFile, "${archive}/{$wgUploadOldVersion}" ) ) {
129 $wgOut->fileRenameError( $wgSavedFile,
130 "${archive}/{$wgUploadOldVersion}" );
131 return;
132 }
133 } else {
134 $wgUploadOldVersion = "";
135 }
136 if ( ! move_uploaded_file( $wpUploadTempName, $wgSavedFile ) ) {
137 $wgOut->fileCopyError( $wpUploadTempName, $wgSavedFile );
138 }
139 chmod( $wgSavedFile, 0644 );
140 }
141
142 function unsaveUploadedFile()
143 {
144 global $wpSessionKey, $wpUploadOldVersion;
145 global $wgUploadDirectory, $wgOut, $wsUploadFiles;
146
147 $wgSavedFile = $wsUploadFiles[$wpSessionKey];
148 $wgUploadOldVersion = $wpUploadOldVersion;
149
150 if ( ! @unlink( $wgSavedFile ) ) {
151 $wgOut->fileDeleteError( $wgSavedFile );
152 return;
153 }
154 if ( "" != $wgUploadOldVersion ) {
155 $hash = md5( substr( $wgUploadOldVersion, 15 ) );
156 $archive = "{$wgUploadDirectory}/archive/" . $hash{0} .
157 "/" . substr( $hash, 0, 2 );
158
159 if ( ! rename( "{$archive}/{$wgUploadOldVersion}", $wgSavedFile ) ) {
160 $wgOut->fileRenameError( "{$archive}/{$wgUploadOldVersion}",
161 $wgSavedFile );
162 }
163 }
164 }
165
166 function uploadWarning( $warning )
167 {
168 global $wgOut, $wgUser, $wgLang, $wgUploadDirectory;
169 global $wpUpload, $wpReUpload, $wpUploadAffirm, $wpUploadFile;
170 global $wpUploadDescription, $wpIgnoreWarning;
171 global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
172 global $wgSavedFile, $wgUploadOldVersion;
173 global $wpSessionKey, $wpUploadOldVersion, $wsUploadFiles;
174
175 # wgSavedFile is stored in the session not the form, for security
176 $wpSessionKey = mt_rand( 0, 0x7fffffff );
177 $wsUploadFiles[$wpSessionKey] = $wgSavedFile;
178
179 $sub = wfMsg( "uploadwarning" );
180 $wgOut->addHTML( "<h2>{$sub}</h2>\n" );
181 $wgOut->addHTML( "<h4><font color=red>{$warning}</font></h4>\n" );
182
183 $save = wfMsg( "savefile" );
184 $reupload = wfMsg( "reupload" );
185 $iw = wfMsg( "ignorewarning" );
186 $reup = wfMsg( "reuploaddesc" );
187 $action = wfLocalUrlE( $wgLang->specialPage( "Upload" ),
188 "action=submit" );
189
190 $wgOut->addHTML( "
191 <form id=\"uploadwarning\" method=\"post\" enctype=\"multipart/form-data\"
192 action=\"{$action}\">
193 <input type=hidden name=\"wpUploadAffirm\" value=\"1\">
194 <input type=hidden name=\"wpIgnoreWarning\" value=\"1\">
195 <input type=hidden name=\"wpUploadDescription\" value=\"" . htmlspecialchars( $wpUploadDescription ) . "\">
196 <input type=hidden name=\"wpUploadSaveName\" value=\"" . htmlspecialchars( $wpUploadSaveName ) . "\">
197 <input type=hidden name=\"wpUploadTempName\" value=\"" . htmlspecialchars( $wpUploadTempName ) . "\">
198 <input type=hidden name=\"wpUploadSize\" value=\"" . htmlspecialchars( $wpUploadSize ) . "\">
199 <input type=hidden name=\"wpSessionKey\" value=\"" . htmlspecialchars( $wpSessionKey ) . "\">
200 <input type=hidden name=\"wpUploadOldVersion\" value=\"" . htmlspecialchars( $wgUploadOldVersion) . "\">
201 <table border=0><tr>
202 <tr><td align=right>
203 <input tabindex=2 type=submit name=\"wpUpload\" value=\"{$save}\">
204 </td><td align=left>{$iw}</td></tr>
205 <tr><td align=right>
206 <input tabindex=2 type=submit name=\"wpReUpload\" value=\"{$reupload}\">
207 </td><td align=left>{$reup}</td></tr></table></form>\n" );
208 }
209
210 function mainUploadForm( $msg )
211 {
212 global $wgOut, $wgUser, $wgLang, $wgUploadDirectory;
213 global $wpUpload, $wpUploadAffirm, $wpUploadFile;
214 global $wpUploadDescription, $wpIgnoreWarning;
215 global $wgUseCopyrightUpload , $wpUploadSource , $wpUploadCopyStatus ;
216
217 if ( "" != $msg ) {
218 $sub = wfMsg( "uploaderror" );
219 $wgOut->addHTML( "<h2>{$sub}</h2>\n" .
220 "<h4><font color=red>{$msg}</font></h4>\n" );
221 } else {
222 $sub = wfMsg( "uploadfile" );
223 $wgOut->addHTML( "<h2>{$sub}</h2>\n" );
224 }
225 $wgOut->addHTML( "<p>" . wfMsg( "uploadtext" ) );
226 $sk = $wgUser->getSkin();
227
228 $fn = wfMsg( "filename" );
229 $fd = wfMsg( "filedesc" );
230 $ulb = wfMsg( "uploadbtn" );
231
232 $clink = $sk->makeKnownLink( wfMsg( "copyrightpage" ),
233 wfMsg( "copyrightpagename" ) );
234 $ca = str_replace( "$1", $clink, wfMsg( "affirmation" ) );
235 $iw = wfMsg( "ignorewarning" );
236
237 $action = wfLocalUrl( $wgLang->specialPage( "Upload" ) );
238
239 $source = "
240 <td align=right>
241 <input tabindex=3 type=checkbox name=\"wpUploadAffirm\" value=\"1\" id=\"wpUploadAffirm\">
242 </td><td align=left><label for=\"wpUploadAffirm\">{$ca}</label></td>
243 " ;
244 if ( $wgUseCopyrightUpload )
245 {
246 $source = "
247 <td align=right nowrap>" . wfMsg ( "filestatus" ) . ":</td>
248 <td><input tabindex=3 type=text name=\"wpUploadCopyStatus\" value=\"" .
249 htmlspecialchars($wpUploadCopyStatus). "\" size=40></td>
250 </tr><tr>
251 <td align=right>". wfMsg ( "filesource" ) . ":</td>
252 <td><input tabindex=4 type=text name=\"wpUploadSource\" value=\"" .
253 htmlspecialchars($wpUploadSource). "\" size=40></td>
254 " ;
255 }
256
257 $wgOut->addHTML( "
258 <form id=\"upload\" method=\"post\" enctype=\"multipart/form-data\"
259 action=\"{$action}\">
260 <table border=0><tr>
261 <td align=right>{$fn}:</td><td align=left>
262 <input tabindex=1 type=file name=\"wpUploadFile\" value=\""
263 . htmlspecialchars( $wpUploadFile ) . "\" size=40>
264 </td></tr><tr>
265 <td align=right>{$fd}:</td><td align=left>
266 <input tabindex=2 type=text name=\"wpUploadDescription\" value=\""
267 . htmlspecialchars( $wpUploadDescription ) . "\" size=40>
268 </td></tr><tr>
269 {$source}
270 </tr>
271 <tr><td>&nbsp;</td><td align=left>
272 <input tabindex=5 type=submit name=\"wpUpload\" value=\"{$ulb}\">
273 </td></tr></table></form>\n" );
274 }
275
276 ?>
Wiklou, le Wiki du Wiklou