mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-03 08:41:39 +09:00
Kijin Sung
parent
880ae97e31
commit
70108f858d
9 changed files with 86 additions and 25 deletions
|
|
@ -7,6 +7,11 @@ namespace Rhymix\Framework\Filters;
|
|||
*/
|
||||
class FileContentFilter
|
||||
{
|
||||
/**
|
||||
* Fileinfo instance cache
|
||||
*/
|
||||
protected static $_finfo = null;
|
||||
|
||||
/**
|
||||
* Generic checker
|
||||
*
|
||||
|
|
@ -28,8 +33,9 @@ class FileContentFilter
|
|||
return false;
|
||||
}
|
||||
|
||||
// Get the extension.
|
||||
// Get the extension and MIME type.
|
||||
$ext = $filename ? strtolower(substr(strrchr($filename, '.'), 1)) : '';
|
||||
$mime_type = self::_getMimetype($file, true);
|
||||
|
||||
// Check the first 4KB of the file for possible XML content.
|
||||
$fp = fopen($file, 'rb');
|
||||
|
|
@ -43,6 +49,20 @@ class FileContentFilter
|
|||
return false;
|
||||
}
|
||||
|
||||
// Check other image files.
|
||||
if (in_array($ext, array('jpg', 'jpeg', 'png', 'gif')) && $mime_type !== false && $mime_type !== 'image')
|
||||
{
|
||||
fclose($fp);
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check audio and video files.
|
||||
if (preg_match('/(wm[va]|mpe?g|avi|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/', $file) && $mime_type !== false && $mime_type !== 'audio' && $mime_type !== 'video')
|
||||
{
|
||||
fclose($fp);
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check XML files.
|
||||
if (($ext === 'xml' || $is_xml) && !self::_checkXML($fp, 0, $filesize))
|
||||
{
|
||||
|
|
@ -149,4 +169,29 @@ class FileContentFilter
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempt to detect the MIME type of a file.
|
||||
*
|
||||
* @param string $file Path of file to check
|
||||
* @param bool $trim_subtype Whether to remove the subtype from the return value
|
||||
* @return string|false
|
||||
*/
|
||||
protected static function _getMimetype($file, $trim_subtype = false)
|
||||
{
|
||||
if (!class_exists('finfo'))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
if (!self::$_finfo)
|
||||
{
|
||||
self::$_finfo = new \finfo(FILEINFO_MIME_TYPE);
|
||||
}
|
||||
$mime_type = self::$_finfo->file($file);
|
||||
if ($trim_subtype)
|
||||
{
|
||||
$mime_type = strstr($mime_type, '/', true);
|
||||
}
|
||||
return $mime_type;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -868,7 +868,7 @@ function removeSrcHack($match)
|
|||
* @param string $file Taget file path
|
||||
* @return bool
|
||||
*/
|
||||
function checkUploadedFile($file)
|
||||
function checkUploadedFile($file, $filename = null)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -440,7 +440,7 @@ class commentController extends comment
|
|||
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = removeHackTag($obj->homepage);
|
||||
$obj->homepage = escape($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
|
|
@ -803,7 +803,7 @@ class commentController extends comment
|
|||
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = removeHackTag($obj->homepage);
|
||||
$obj->homepage = escape($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
|
|
|
|||
|
|
@ -287,12 +287,12 @@ class commentItem extends BaseObject
|
|||
return;
|
||||
}
|
||||
|
||||
if(strncasecmp('http://', $url, 7) !== 0)
|
||||
if(!preg_match('@^[a-z]+://@i', $url))
|
||||
{
|
||||
$url = "http://" . $url;
|
||||
$url = 'http://' . $url;
|
||||
}
|
||||
|
||||
return htmlspecialchars($url, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
return escape($url, false);
|
||||
}
|
||||
|
||||
function getMemberSrl()
|
||||
|
|
@ -302,17 +302,17 @@ class commentItem extends BaseObject
|
|||
|
||||
function getUserID()
|
||||
{
|
||||
return htmlspecialchars($this->get('user_id'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
return escape($this->get('user_id'), false);
|
||||
}
|
||||
|
||||
function getUserName()
|
||||
{
|
||||
return htmlspecialchars($this->get('user_name'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
return escape($this->get('user_name'), false);
|
||||
}
|
||||
|
||||
function getNickName()
|
||||
{
|
||||
return htmlspecialchars($this->get('nick_name'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
return escape($this->get('nick_name'), false);
|
||||
}
|
||||
|
||||
function getVote()
|
||||
|
|
|
|||
|
|
@ -387,7 +387,7 @@ class documentController extends document
|
|||
if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = removeHackTag($obj->homepage);
|
||||
$obj->homepage = escape($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
|
|
@ -517,7 +517,10 @@ class documentController extends document
|
|||
}
|
||||
|
||||
// Remove iframe and script if not a top adminisrator in the session.
|
||||
if($logged_info->is_admin != 'Y') $obj->content = removeHackTag($obj->content);
|
||||
if($logged_info->is_admin != 'Y')
|
||||
{
|
||||
$obj->content = removeHackTag($obj->content);
|
||||
}
|
||||
|
||||
// An error appears if both log-in info and user name don't exist.
|
||||
if(!$logged_info->member_srl && !$obj->nick_name) return new BaseObject(-1, 'msg_invalid_request');
|
||||
|
|
@ -692,7 +695,7 @@ class documentController extends document
|
|||
if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = removeHackTag($obj->homepage);
|
||||
$obj->homepage = escape($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
|
|
|
|||
|
|
@ -438,7 +438,7 @@ class documentItem extends BaseObject
|
|||
$url = 'http://' . $url;
|
||||
}
|
||||
|
||||
return $url;
|
||||
return escape($url, false);
|
||||
}
|
||||
|
||||
function getMemberSrl()
|
||||
|
|
|
|||
|
|
@ -136,18 +136,25 @@ class fileController extends file
|
|||
|
||||
// Save the file
|
||||
$output = $this->insertFile($file_info, $module_srl, $upload_target_srl);
|
||||
if($output->error != '0')
|
||||
{
|
||||
throw new Rhymix\Framework\Exception($output->message);
|
||||
}
|
||||
|
||||
// Create the response
|
||||
Context::setResponseMethod('JSON');
|
||||
$this->add('file_srl', $output->get('file_srl'));
|
||||
$this->add('file_size', $output->get('file_size'));
|
||||
$this->add('direct_download', $output->get('direct_download'));
|
||||
$this->add('source_filename', $output->get('source_filename'));
|
||||
$this->add('upload_target_srl', $output->get('upload_target_srl'));
|
||||
$this->add('download_url', $oFileModel->getDirectFileUrl($output->get('uploaded_filename')));
|
||||
|
||||
if($output->error != '0')
|
||||
if ($output->get('direct_download') === 'Y')
|
||||
{
|
||||
throw new Rhymix\Framework\Exception($output->message);
|
||||
$this->add('download_url', $oFileModel->getDirectFileUrl($output->get('uploaded_filename')));
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->add('download_url', $oFileModel->getDownloadUrl($output->get('file_srl'), $output->get('sid'), $module_srl));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1291,13 +1298,14 @@ class fileController extends file
|
|||
// 2: 년월일 단위로 정리
|
||||
if ($folder_structure == 2)
|
||||
{
|
||||
return sprintf('%sfiles/attach/%s/%04d/%02d/%02d/', $prefix, $file_type, substr($regdate, 0, 4), substr($regdate, 4, 2), substr($regdate, 6, 2));
|
||||
return sprintf('%sfiles/attach/%s/%04d/%02d/%02d/', $prefix, $file_type, substr($regdate, 0, 4), substr($regdate, 4, 2), substr($regdate, 6, 2));
|
||||
}
|
||||
|
||||
// 1 or 0: module_srl 및 업로드 대상 번호에 따라 3자리씩 끊어서 정리
|
||||
else
|
||||
{
|
||||
return sprintf('%sfiles/attach/%s/%d/%s', $prefix, $file_type, $module_srl, getNumberingPath($upload_target_srl, 3));
|
||||
$components = $upload_target_srl ? getNumberingPath($upload_target_srl, 3) : '';
|
||||
return sprintf('%sfiles/attach/%s/%d/%s', $prefix, $file_type, $module_srl, $components);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1163,7 +1163,9 @@ class moduleController extends module
|
|||
$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
|
||||
FileHandler::makeDir($path);
|
||||
|
||||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $ext);
|
||||
$random = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
$ext = substr(strrchr($vars->addfile['name'], '.'), 1);
|
||||
$save_filename = sprintf('%s%s.%s', $path, $random, $ext);
|
||||
$tmp = $vars->addfile['tmp_name'];
|
||||
|
||||
if(!@move_uploaded_file($tmp, $save_filename))
|
||||
|
|
@ -1171,7 +1173,7 @@ class moduleController extends module
|
|||
return false;
|
||||
}
|
||||
|
||||
$args->fileextension = strtolower(substr(strrchr($vars->addfile['name'],'.'),1));
|
||||
$args->fileextension = $ext;
|
||||
$args->filename = $save_filename;
|
||||
$args->filesize = $vars->addfile['size'];
|
||||
}
|
||||
|
|
@ -1197,7 +1199,10 @@ class moduleController extends module
|
|||
$oModuleModel = getModel('module');
|
||||
$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
|
||||
FileHandler::makeDir($path);
|
||||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $vars->ext);
|
||||
|
||||
$random = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||
$ext = substr(strrchr($vars->addfile['name'], '.'), 1);
|
||||
$save_filename = sprintf('%s%s.%s', $path, $random, $ext);
|
||||
$tmp = $vars->addfile['tmp_name'];
|
||||
|
||||
// upload
|
||||
|
|
@ -1212,7 +1217,7 @@ class moduleController extends module
|
|||
$args->member_srl = $vars->member_srl;
|
||||
$args->comment = $vars->comment;
|
||||
$args->filename = $save_filename;
|
||||
$args->fileextension = strtolower(substr(strrchr($vars->addfile['name'],'.'),1));
|
||||
$args->fileextension = $ext;
|
||||
$args->filesize = $vars->addfile['size'];
|
||||
|
||||
$output = executeQuery('module.insertModuleFileBox', $args);
|
||||
|
|
|
|||
|
|
@ -2393,7 +2393,7 @@ class moduleModel extends module
|
|||
|
||||
function getModuleFileBoxPath($module_filebox_srl)
|
||||
{
|
||||
return sprintf("./files/attach/filebox/%s",getNumberingPath($module_filebox_srl,3));
|
||||
return getController('file')->getStoragePath('filebox', 0, $module_filebox_srl);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue