parent
880ae97e31
commit
70108f858d
9 changed files with 86 additions and 25 deletions
@ -7,6 +7,11 @@ namespace Rhymix\Framework\Filters;
|
||||||
*/
|
*/
|
||||||
class FileContentFilter
|
class FileContentFilter
|
||||||
{
|
{
|
||||||
|
/**
|
||||||
|
* Fileinfo instance cache
|
||||||
|
*/
|
||||||
|
protected static $_finfo = null;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Generic checker
|
* Generic checker
|
||||||
*
|
*
|
||||||
|
|
@ -28,8 +33,9 @@ class FileContentFilter
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the extension.
|
// Get the extension and MIME type.
|
||||||
$ext = $filename ? strtolower(substr(strrchr($filename, '.'), 1)) : '';
|
$ext = $filename ? strtolower(substr(strrchr($filename, '.'), 1)) : '';
|
||||||
|
$mime_type = self::_getMimetype($file, true);
|
||||||
|
|
||||||
// Check the first 4KB of the file for possible XML content.
|
// Check the first 4KB of the file for possible XML content.
|
||||||
$fp = fopen($file, 'rb');
|
$fp = fopen($file, 'rb');
|
||||||
|
|
@ -43,6 +49,20 @@ class FileContentFilter
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check other image files.
|
||||||
|
if (in_array($ext, array('jpg', 'jpeg', 'png', 'gif')) && $mime_type !== false && $mime_type !== 'image')
|
||||||
|
{
|
||||||
|
fclose($fp);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check audio and video files.
|
||||||
|
if (preg_match('/(wm[va]|mpe?g|avi|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/', $file) && $mime_type !== false && $mime_type !== 'audio' && $mime_type !== 'video')
|
||||||
|
{
|
||||||
|
fclose($fp);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
// Check XML files.
|
// Check XML files.
|
||||||
if (($ext === 'xml' || $is_xml) && !self::_checkXML($fp, 0, $filesize))
|
if (($ext === 'xml' || $is_xml) && !self::_checkXML($fp, 0, $filesize))
|
||||||
{
|
{
|
||||||
|
|
@ -149,4 +169,29 @@ class FileContentFilter
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Attempt to detect the MIME type of a file.
|
||||||
|
*
|
||||||
|
* @param string $file Path of file to check
|
||||||
|
* @param bool $trim_subtype Whether to remove the subtype from the return value
|
||||||
|
* @return string|false
|
||||||
|
*/
|
||||||
|
protected static function _getMimetype($file, $trim_subtype = false)
|
||||||
|
{
|
||||||
|
if (!class_exists('finfo'))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (!self::$_finfo)
|
||||||
|
{
|
||||||
|
self::$_finfo = new \finfo(FILEINFO_MIME_TYPE);
|
||||||
|
}
|
||||||
|
$mime_type = self::$_finfo->file($file);
|
||||||
|
if ($trim_subtype)
|
||||||
|
{
|
||||||
|
$mime_type = strstr($mime_type, '/', true);
|
||||||
|
}
|
||||||
|
return $mime_type;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
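Review bot: The new audio/video branch runs its extension regex against `$file` instead of the `$ext` derived from `$filename`, unlike the image branch just above it; for an upload `$file` is presumably the temporary path with no meaningful extension, so this MIME check would rarely fire, and the pattern is also unanchored at the start and case-sensitive. I would change the condition to `if (preg_match('/^(wm[va]|mpe?g|avi|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/', $ext) && $mime_type !== false && $mime_type !== 'audio' && $mime_type !== 'video')`. Separately, `_getMimetype()` returns `false` when the `finfo` class is absent and every new check is guarded by `$mime_type !== false`, so the filter fails open on a host without ext/fileinfo; that deserves at least a comment at the `class_exists('finfo')` check, e.g. `// NOTE: without ext/fileinfo all MIME-based checks below are skipped (fail-open).` The checker method's signature and the `$is_xml`/`$filesize` setup are outside these hunks.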
|
|
|
||||||
|
|
@ -868,7 +868,7 @@ function removeSrcHack($match)
|
||||||
* @param string $file Taget file path
|
* @param string $file Taget file path
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
function checkUploadedFile($file)
|
function checkUploadedFile($file, $filename = null)
|
||||||
{
|
{
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
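Review bot: The new `$filename` parameter is never used: in the visible lines the body is still `return true;`, so every upload is accepted regardless of either argument. If this function is meant to be the gate in front of the new content filter, the body should delegate to FileContentFilter's generic checker with both `$file` and `$filename` (that checker's signature is not in this diff, so the exact call is unverified here); if `return true` is intentional, the docblock should say so and document the new argument, e.g. ` * @param string|null $filename Original client-side filename, used to derive the extension`. While there, `Taget` in the docblock should read `Target`.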
|
|
|
||||||
|
|
@ -440,7 +440,7 @@ class commentController extends comment
|
||||||
|
|
||||||
if($obj->homepage)
|
if($obj->homepage)
|
||||||
{
|
{
|
||||||
$obj->homepage = removeHackTag($obj->homepage);
|
$obj->homepage = escape($obj->homepage);
|
||||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||||
{
|
{
|
||||||
$obj->homepage = 'http://'.$obj->homepage;
|
$obj->homepage = 'http://'.$obj->homepage;
|
||||||
|
|
@ -803,7 +803,7 @@ class commentController extends comment
|
||||||
|
|
||||||
if($obj->homepage)
|
if($obj->homepage)
|
||||||
{
|
{
|
||||||
$obj->homepage = removeHackTag($obj->homepage);
|
$obj->homepage = escape($obj->homepage);
|
||||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||||
{
|
{
|
||||||
$obj->homepage = 'http://'.$obj->homepage;
|
$obj->homepage = 'http://'.$obj->homepage;
|
||||||
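Review bot: Swapping `removeHackTag()` for `escape()` on `$obj->homepage` neutralises markup but not the URL scheme: the following `preg_match('/^[a-z]+:\/\//i', ...)` accepts any scheme, so a value such as `javascript://%0Aalert(1)` is stored with only its characters HTML-encoded, which does not stop it being used as an `href` later. I would restrict the prefix check to known schemes, e.g. `if(!preg_match('/^(https?|ftp):\/\//i', $obj->homepage))`, so anything else is forced behind an `http://` prefix. Because `escape()` is now applied before the value is stored, every output path must use the non-double-encoding form or `&amp;` will be encoded twice; what `escape()` and its second argument do is not shown in this diff. The same pattern appears in both hunks of this file.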
|
|
|
||||||
|
|
@ -287,12 +287,12 @@ class commentItem extends BaseObject
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(strncasecmp('http://', $url, 7) !== 0)
|
if(!preg_match('@^[a-z]+://@i', $url))
|
||||||
{
|
{
|
||||||
$url = "http://" . $url;
|
$url = 'http://' . $url;
|
||||||
}
|
}
|
||||||
|
|
||||||
return htmlspecialchars($url, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
return escape($url, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
function getMemberSrl()
|
function getMemberSrl()
|
||||||
|
|
@ -302,17 +302,17 @@ class commentItem extends BaseObject
|
||||||
|
|
||||||
function getUserID()
|
function getUserID()
|
||||||
{
|
{
|
||||||
return htmlspecialchars($this->get('user_id'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
return escape($this->get('user_id'), false);
|
||||||
}
|
}
|
||||||
|
|
||||||
function getUserName()
|
function getUserName()
|
||||||
{
|
{
|
||||||
return htmlspecialchars($this->get('user_name'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
return escape($this->get('user_name'), false);
|
||||||
}
|
}
|
||||||
|
|
||||||
function getNickName()
|
function getNickName()
|
||||||
{
|
{
|
||||||
return htmlspecialchars($this->get('nick_name'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
return escape($this->get('nick_name'), false);
|
||||||
}
|
}
|
||||||
|
|
||||||
function getVote()
|
function getVote()
|
||||||
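Review bot: The new scheme test in getHomepage() is weaker than the one it replaces: `strncasecmp('http://', $url, 7)` forced an `http://` prefix onto anything else, which also neutralised `javascript:`-style values, whereas `preg_match('@^[a-z]+://@i', $url)` lets any `scheme://` through, so a stored `javascript://…` homepage is now returned as-is (HTML-escaping does not change its meaning inside `href`). I would allow-list instead: `if(!preg_match('@^(https?|ftp)://@i', $url))`. The `escape($url, false)` replacements for `htmlspecialchars(..., false)` in this and the second hunk look like a straight refactor, assuming `escape()`'s second argument maps to `double_encode`, which this diff does not show. The start of getHomepage() is outside the hunk.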
|
|
|
||||||
|
|
@ -387,7 +387,7 @@ class documentController extends document
|
||||||
if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
|
if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
|
||||||
if($obj->homepage)
|
if($obj->homepage)
|
||||||
{
|
{
|
||||||
$obj->homepage = removeHackTag($obj->homepage);
|
$obj->homepage = escape($obj->homepage);
|
||||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||||
{
|
{
|
||||||
$obj->homepage = 'http://'.$obj->homepage;
|
$obj->homepage = 'http://'.$obj->homepage;
|
||||||
|
|
@ -517,7 +517,10 @@ class documentController extends document
|
||||||
}
|
}
|
||||||
|
|
||||||
// Remove iframe and script if not a top adminisrator in the session.
|
// Remove iframe and script if not a top adminisrator in the session.
|
||||||
if($logged_info->is_admin != 'Y') $obj->content = removeHackTag($obj->content);
|
if($logged_info->is_admin != 'Y')
|
||||||
|
{
|
||||||
|
$obj->content = removeHackTag($obj->content);
|
||||||
|
}
|
||||||
|
|
||||||
// An error appears if both log-in info and user name don't exist.
|
// An error appears if both log-in info and user name don't exist.
|
||||||
if(!$logged_info->member_srl && !$obj->nick_name) return new BaseObject(-1, 'msg_invalid_request');
|
if(!$logged_info->member_srl && !$obj->nick_name) return new BaseObject(-1, 'msg_invalid_request');
|
||||||
|
|
@ -692,7 +695,7 @@ class documentController extends document
|
||||||
if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
|
if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
|
||||||
if($obj->homepage)
|
if($obj->homepage)
|
||||||
{
|
{
|
||||||
$obj->homepage = removeHackTag($obj->homepage);
|
$obj->homepage = escape($obj->homepage);
|
||||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||||
{
|
{
|
||||||
$obj->homepage = 'http://'.$obj->homepage;
|
$obj->homepage = 'http://'.$obj->homepage;
|
||||||
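Review bot: In both homepage hunks `$obj->homepage` is now only HTML-escaped, and the scheme check `preg_match('/^[a-z]+:\/\//i', ...)` still admits `javascript://` and similar, so an escaped but otherwise unchanged script URL can be stored; tightening the test to `if(!preg_match('/^(https?|ftp):\/\//i', $obj->homepage))` would force an `http://` prefix onto anything else. Escaping at write time also means every reader must avoid double encoding, which the diff does not let me confirm for `escape()`. The middle hunk only reformats the `removeHackTag()` call into a block and keeps the administrator bypass unchanged.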
|
|
|
||||||
|
|
@ -438,7 +438,7 @@ class documentItem extends BaseObject
|
||||||
$url = 'http://' . $url;
|
$url = 'http://' . $url;
|
||||||
}
|
}
|
||||||
|
|
||||||
return $url;
|
return escape($url, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
function getMemberSrl()
|
function getMemberSrl()
|
||||||
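Review bot: Escaping the return value of getHomepage() fixes attribute-context injection, but the scheme check that precedes the visible `$url = 'http://' . $url;` is outside the hunk, so whether a stored `javascript://` homepage is still returned verbatim (HTML-escaping does not neutralise it inside `href`) cannot be confirmed here; if that check only tests for a generic `scheme://`, it should be an allow-list such as `if(!preg_match('@^(https?|ftp)://@i', $url))`. The `false` second argument to `escape()` presumably disables double encoding, which matters because the controller now stores the value already escaped; that mapping is not in this diff. The enclosing function starts outside the hunk.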
|
|
|
||||||
|
|
@ -136,18 +136,25 @@ class fileController extends file
|
||||||
|
|
||||||
// Save the file
|
// Save the file
|
||||||
$output = $this->insertFile($file_info, $module_srl, $upload_target_srl);
|
$output = $this->insertFile($file_info, $module_srl, $upload_target_srl);
|
||||||
|
if($output->error != '0')
|
||||||
|
{
|
||||||
|
throw new Rhymix\Framework\Exception($output->message);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create the response
|
||||||
Context::setResponseMethod('JSON');
|
Context::setResponseMethod('JSON');
|
||||||
$this->add('file_srl', $output->get('file_srl'));
|
$this->add('file_srl', $output->get('file_srl'));
|
||||||
$this->add('file_size', $output->get('file_size'));
|
$this->add('file_size', $output->get('file_size'));
|
||||||
$this->add('direct_download', $output->get('direct_download'));
|
$this->add('direct_download', $output->get('direct_download'));
|
||||||
$this->add('source_filename', $output->get('source_filename'));
|
$this->add('source_filename', $output->get('source_filename'));
|
||||||
$this->add('upload_target_srl', $output->get('upload_target_srl'));
|
$this->add('upload_target_srl', $output->get('upload_target_srl'));
|
||||||
$this->add('download_url', $oFileModel->getDirectFileUrl($output->get('uploaded_filename')));
|
if ($output->get('direct_download') === 'Y')
|
||||||
|
|
||||||
if($output->error != '0')
|
|
||||||
{
|
{
|
||||||
throw new Rhymix\Framework\Exception($output->message);
|
$this->add('download_url', $oFileModel->getDirectFileUrl($output->get('uploaded_filename')));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$this->add('download_url', $oFileModel->getDownloadUrl($output->get('file_srl'), $output->get('sid'), $module_srl));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1291,13 +1298,14 @@ class fileController extends file
|
||||||
// 2: 년월일 단위로 정리
|
// 2: 년월일 단위로 정리
|
||||||
if ($folder_structure == 2)
|
if ($folder_structure == 2)
|
||||||
{
|
{
|
||||||
return sprintf('%sfiles/attach/%s/%04d/%02d/%02d/', $prefix, $file_type, substr($regdate, 0, 4), substr($regdate, 4, 2), substr($regdate, 6, 2));
|
return sprintf('%sfiles/attach/%s/%04d/%02d/%02d/', $prefix, $file_type, substr($regdate, 0, 4), substr($regdate, 4, 2), substr($regdate, 6, 2));
|
||||||
}
|
}
|
||||||
|
|
||||||
// 1 or 0: module_srl 및 업로드 대상 번호에 따라 3자리씩 끊어서 정리
|
// 1 or 0: module_srl 및 업로드 대상 번호에 따라 3자리씩 끊어서 정리
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
return sprintf('%sfiles/attach/%s/%d/%s', $prefix, $file_type, $module_srl, getNumberingPath($upload_target_srl, 3));
|
$components = $upload_target_srl ? getNumberingPath($upload_target_srl, 3) : '';
|
||||||
|
return sprintf('%sfiles/attach/%s/%d/%s', $prefix, $file_type, $module_srl, $components);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
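Review bot: In getStoragePath() the `$file_type` argument is interpolated into the filesystem path with `%s` and no validation, while `$module_srl` is at least coerced by `%d`; if a caller ever passes a non-literal value, a `../` segment would escape `files/attach/`. The callers visible in this commit pass the literal `'filebox'`, so this is defensive, but a one-line guard such as `$file_type = preg_replace('/[^a-z0-9_]/i', '', $file_type);` would make the invariant explicit; the start of the function, including `$prefix` and `$folder_structure`, is outside the hunk. In the first hunk, moving the error check ahead of the response and routing non-direct files through `getDownloadUrl()` with `sid` instead of exposing the raw storage path is the right call; `$output->error != '0'` would be safer as a strict comparison if `error` is always a string.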
|
|
||||||
|
|
|
||||||
|
|
@ -1163,7 +1163,9 @@ class moduleController extends module
|
||||||
$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
|
$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
|
||||||
FileHandler::makeDir($path);
|
FileHandler::makeDir($path);
|
||||||
|
|
||||||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $ext);
|
$random = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||||
|
$ext = substr(strrchr($vars->addfile['name'], '.'), 1);
|
||||||
|
$save_filename = sprintf('%s%s.%s', $path, $random, $ext);
|
||||||
$tmp = $vars->addfile['tmp_name'];
|
$tmp = $vars->addfile['tmp_name'];
|
||||||
|
|
||||||
if(!@move_uploaded_file($tmp, $save_filename))
|
if(!@move_uploaded_file($tmp, $save_filename))
|
||||||
|
|
@ -1171,7 +1173,7 @@ class moduleController extends module
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$args->fileextension = strtolower(substr(strrchr($vars->addfile['name'],'.'),1));
|
$args->fileextension = $ext;
|
||||||
$args->filename = $save_filename;
|
$args->filename = $save_filename;
|
||||||
$args->filesize = $vars->addfile['size'];
|
$args->filesize = $vars->addfile['size'];
|
||||||
}
|
}
|
||||||
|
|
@ -1197,7 +1199,10 @@ class moduleController extends module
|
||||||
$oModuleModel = getModel('module');
|
$oModuleModel = getModel('module');
|
||||||
$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
|
$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
|
||||||
FileHandler::makeDir($path);
|
FileHandler::makeDir($path);
|
||||||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $vars->ext);
|
|
||||||
|
$random = Rhymix\Framework\Security::getRandom(32, 'hex');
|
||||||
|
$ext = substr(strrchr($vars->addfile['name'], '.'), 1);
|
||||||
|
$save_filename = sprintf('%s%s.%s', $path, $random, $ext);
|
||||||
$tmp = $vars->addfile['tmp_name'];
|
$tmp = $vars->addfile['tmp_name'];
|
||||||
|
|
||||||
// upload
|
// upload
|
||||||
|
|
@ -1212,7 +1217,7 @@ class moduleController extends module
|
||||||
$args->member_srl = $vars->member_srl;
|
$args->member_srl = $vars->member_srl;
|
||||||
$args->comment = $vars->comment;
|
$args->comment = $vars->comment;
|
||||||
$args->filename = $save_filename;
|
$args->filename = $save_filename;
|
||||||
$args->fileextension = strtolower(substr(strrchr($vars->addfile['name'],'.'),1));
|
$args->fileextension = $ext;
|
||||||
$args->filesize = $vars->addfile['size'];
|
$args->filesize = $vars->addfile['size'];
|
||||||
|
|
||||||
$output = executeQuery('module.insertModuleFileBox', $args);
|
$output = executeQuery('module.insertModuleFileBox', $args);
|
||||||
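Review bot: Both filebox save paths now take `$ext` straight from the client-supplied `$vars->addfile['name']` with no lowercasing and no allow-list, and use it verbatim in `$save_filename` and `$args->fileextension`; the old code at least stored the extension lowercased, and nothing in these hunks rejects `php`, `phtml`, `phar` or an empty extension, so a file can land under `files/attach/filebox/…/<random>.php`. I would normalise and gate it in both hunks: `$ext = strtolower(substr(strrchr($vars->addfile['name'], '.'), 1));` followed by `if ($ext === '' || !preg_match('/^[a-z0-9]{1,10}$/', $ext) || in_array($ext, array('php', 'phtml', 'phar', 'htaccess'), true)) return false;`. Whether the file content is checked before `move_uploaded_file()` is not visible in these hunks. The random name also means the update path no longer overwrites the previous file; if the old `$args->filename` is not unlinked elsewhere, updates leave the previous file on disk.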
|
|
|
||||||
|
|
@ -2393,7 +2393,7 @@ class moduleModel extends module
|
||||||
|
|
||||||
function getModuleFileBoxPath($module_filebox_srl)
|
function getModuleFileBoxPath($module_filebox_srl)
|
||||||
{
|
{
|
||||||
return sprintf("./files/attach/filebox/%s",getNumberingPath($module_filebox_srl,3));
|
return getController('file')->getStoragePath('filebox', 0, $module_filebox_srl);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
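Review bot: Delegating to `getStoragePath('filebox', 0, $module_filebox_srl)` changes where filebox files live: the old `sprintf` produced `./files/attach/filebox/<numbering>/`, while the new helper's default branch in this commit formats `%sfiles/attach/%s/%d/%s`, i.e. an extra `/0/` module segment after `filebox`, and when `$folder_structure == 2` a date-based layout that this call cannot influence since it passes no regdate. Existing filebox entries keep working only if readers use the stored `filename` rather than recomputing the path, and new files will be written to the new location, so a migration or a compatibility fallback (`if (!is_dir($new) && is_dir($old)) return $old;`) is worth considering. The change deserves a comment on the method, e.g. `// NOTE: the path now carries a 0 module segment; files written before this change live at ./files/attach/filebox/<numbering>/`. What `$prefix` contains is outside this diff.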
|
|
|
||||||