X-Git-Url: http://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2FSpecialUpload.php;h=acbba9239bc4c09a5fd135f78d8a9e6212c211fd;hb=b6927811dce29c610aa5c07ca981df8699a518c4;hp=5f69dc2c5265956cc7755c2e431d5a3e9dce7868;hpb=13c17d0cc9cc901c74469ece3c7646f830ca9623;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index 5f69dc2c52..acbba9239b 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -4,8 +4,6 @@ function wfSpecialUpload() {
 	global $wgUser, $wgOut, $wpUpload, $wpReUpload, $action;
 	global $wgDisableUploads;
-	$wpUpload = $_REQUEST["wpUpload"];
-	$wpReUpload = $_REQUEST["wpReUpload"];
 	$fields = array( "wpUploadFile", "wpUploadDescription" );
 	wfCleanFormFields( $fields );
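Review bot: After this hunk `$wpUpload` and `$wpReUpload` are only declared `global` and never assigned, and the visible `$fields` list handed to `wfCleanFormFields()` names only `wpUploadFile` and `wpUploadDescription`, so these two now depend on something outside the hunk (presumably register_globals or a request importer earlier in the flow) to be populated at all. If that is intended, a comment at the `global` line, `# wpUpload/wpReUpload are imported from the request by the global form setup, not read here`, would stop the next maintainer from re-adding the `$_REQUEST` reads. The same dependency is introduced by the removals in the processUpload, unsaveUploadedFile and mainUploadForm hunks; in the uploadWarning hunk the removed read was dead anyway, since `$wpSessionKey` is overwritten by `mt_rand()` two lines later. wfSpecialUpload's body continues outside the hunk.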
@@ -41,23 +39,15 @@ function processUpload()
 	global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
 	global $wgSavedFile, $wgUploadOldVersion, $wpUploadOldVersion;
 	global $wgUseCopyrightUpload , $wpUploadCopyStatus , $wpUploadSource ;
-	$wpUploadAffirm = $_REQUEST["wpUploadAffirm"];
-	$wpUploadFile = $_REQUEST["wpUploadFile"];
-	$wpUploadDescription = $_REQUEST["wpUploadDescription"];
-	$wpIgnoreWarning = $_REQUEST["wpIgnoreWarning"];
-	$wpUploadSaveName = $_REQUEST["wpUploadSaveName"];
-	$wpUploadTempName = $_REQUEST["wpUploadTempName"];
-	$wpUploadSize = $_REQUEST["wpUploadSize"];
-	$wpUploadOldVersion = $_REQUEST["wpUploadOldVersion"];
-	$wpUploadCopyStatus = $_REQUEST["wpUploadCopyStatus"];
-	$wpUploadSource = $_REQUEST["wpUploadSource"];
+	global $wgCheckFileExtensions, $wgStrictFileExtensions;
+	global $wgFileExtensions, $wgFileBlacklist;
-	if ( $wgUseCopyrightUpload )
-	{
-		$wpUploadAffirm = 1 ;
-		if ( trim ( $wpUploadCopyStatus ) == "" || trim ( $wpUploadSource ) == "" )
-			$wpUploadAffirm = 0 ;
-	}
+	if ( $wgUseCopyrightUpload ) {
+		$wpUploadAffirm = 1;
+		if ( trim ( $wpUploadCopyStatus ) == "" || trim ( $wpUploadSource ) == "" ) {
+			$wpUploadAffirm = 0;
+		}
+	}
 	if ( 1 != $wpUploadAffirm ) {
 		mainUploadForm( WfMsg( "noaffirmation" ) );
@@ -93,15 +83,23 @@ function processUpload()
 	$nt = Title::newFromText( $basename );
 	$wpUploadSaveName = $nt->getDBkey();
+	/* Don't allow users to override the blacklist */
+	if( checkFileExtension( $ext, $wgFileBlacklist ) ||
+		($wgStrictFileExtensions && !checkFileExtension( $ext, $wgFileExtensions ) ) ) {
+		return uploadError( wfMsg( "badfiletype", $ext ) );
+	}
+
 	saveUploadedFile();
 	if ( ( ! $wpIgnoreWarning ) &&
 	  ( 0 != strcmp( ucfirst( $basename ), $wpUploadSaveName ) ) ) {
 		return uploadWarning( wfMsg( "badfilename", $wpUploadSaveName ) );
 	}
-	$extensions = array( "png", "jpg", "jpeg", "ogg" );
-	if ( ( ! $wpIgnoreWarning ) &&
-	  ( ! in_array( strtolower( $ext ), $extensions ) ) ) {
-		return uploadWarning( wfMsg( "badfiletype", $ext ) );
+
+	if ( $wgCheckFileExtensions ) {
+		if ( ( ! $wpIgnoreWarning ) &&
+		  ( ! checkFileExtension( $ext, $wgFileExtensions ) ) ) {
+			return uploadWarning( wfMsg( "badfiletype", $ext ) );
+		}
 	}
 	if ( ( ! $wpIgnoreWarning ) && ( $wpUploadSize > 150000 ) ) {
 		return uploadWarning( WfMsg( "largefile" ) );
@@ -125,6 +123,10 @@ function processUpload()
 	$wgOut->returnToMain( false );
 }
+function checkFileExtension( $ext, $list ) {
+	return in_array( strtolower( $ext ), $list );
+}
+
 function saveUploadedFile()
 {
 	global $wpUploadSaveName, $wpUploadTempName;
@@ -156,7 +158,6 @@ function unsaveUploadedFile()
 {
 	global $wpSessionKey, $wpUploadOldVersion;
 	global $wgUploadDirectory, $wgOut, $wsUploadFiles;
-	$wpSessionKey = $_REQUEST["wpSessionKey"];
 	$wgSavedFile = $wsUploadFiles[$wpSessionKey];
 	$wgUploadOldVersion = $wpUploadOldVersion;
@@ -177,6 +178,14 @@ function unsaveUploadedFile()
 	}
 }
+function uploadError( $error )
+{
+	global $wgOut;
+	$sub = wfMsg( "uploadwarning" );
+	$wgOut->addHTML( "
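Review bot: The new blacklist/strict check at the top of the hunk relies on `checkFileExtension()`, which lower-cases `$ext` but compares it with `in_array()` against `$list` exactly as configured, so a mixed-case entry in `$wgFileBlacklist` or `$wgFileExtensions` can never match and the blacklist silently does not cover it (the helper is defined in the `@@ -125` hunk below). Normalising the list as well, `return in_array( strtolower( $ext ), array_map( 'strtolower', $list ) );`, makes the decision independent of how a site writes its configuration. Separately, `$ext` is passed straight into `wfMsg( "badfiletype", $ext )` and from there into `$wgOut->addHTML()` by `uploadError()`; `$ext` is derived outside the hunk, and if it comes from the client-supplied filename it should be passed as `htmlspecialchars( $ext )` both here and in the `uploadWarning` call further down. processUpload starts and ends outside this hunk.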

{$sub}

\n" );
+	$wgOut->addHTML( "

{$error}

\n" );
+}
+
 function uploadWarning( $warning )
 {
 	global $wgOut, $wgUser, $wgLang, $wgUploadDirectory;
@@ -186,7 +195,6 @@ function uploadWarning( $warning )
 	global $wgSavedFile, $wgUploadOldVersion;
 	global $wpSessionKey, $wpUploadOldVersion, $wsUploadFiles;
 	global $wgUseCopyrightUpload , $wpUploadCopyStatus , $wpUploadSource ;
-	$wpSessionKey = $_REQUEST["wpSessionKey"];
 	# wgSavedFile is stored in the session not the form, for security
 	$wpSessionKey = mt_rand( 0, 0x7fffffff );
@@ -239,14 +247,6 @@ function mainUploadForm( $msg )
 	global $wpUploadDescription, $wpIgnoreWarning;
 	global $wgUseCopyrightUpload , $wpUploadSource , $wpUploadCopyStatus ;
-	$wpUpload = $_REQUEST["wpUpload"];
-	$wpUploadAffirm = $_REQUEST["wpUploadAffirm"];
-	$wpUploadFile = $_REQUEST["wpUploadFile"];
-	$wpUploadDescription = $_REQUEST["wpUploadDescription"];
-	$wpIgnoreWarning = $_REQUEST["wpIgnoreWarning"];
-	$wpUploadSource = $_REQUEST["wpUploadSource"];
-	$wpUploadCopyStatus = $_REQUEST["wpUploadCopyStatus"];
-
 	if ( "" != $msg ) {
 		$sub = wfMsg( "uploaderror" );
 		$wgOut->addHTML( "
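Review bot: `uploadError()` titles a hard, non-overridable rejection with the `uploadwarning` message, while `mainUploadForm()` in the last hunk uses `uploaderror` for the same situation, so the heading shown for a blacklisted extension reads as a warning the user might expect to be able to ignore; `$sub = wfMsg( "uploaderror" );` would match the existing convention. The function also carries no header comment; a one-liner above it such as `# Render a fatal upload rejection with no "ignore warning" path; used for blacklisted or strictly disallowed extensions.` would make the contrast with `uploadWarning()` explicit. The HTML wrapper literals inside the two `addHTML()` calls are not legible on this page, so I cannot comment on the markup itself.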

{$sub}

\n" .