Issues in Attachments.php (release-2.1) - Issues in release-2.1 - SimpleMachines/SMF2.1 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1014)

Sources/Attachments.php (1 issue)

Labels

Bug 1
Severity

Minor 1
Jon Stovell 1
<?php

/**
 * This file contains handling attachments.
 *
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines https://www.simplemachines.org
 * @copyright 2022 Simple Machines and individual contributors
 * @license https://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.1.2
 */

if (!defined('SMF'))
	die('No direct access...');

/**
 * Class Attachments
 *
 * This class handles adding/deleting attachments
 */
class Attachments
{
	/**
	 * @var int $_msg The ID of the message this attachment is associated with
	 */
	protected $_msg = 0;

	/**
	 * @var int|null $_board The ID of the board this attachment's post is in or null if it's not set
	 */
	protected $_board = null;

	/**
	 * @var string|bool $_attachmentUploadDir An array of info about attachment upload directories or false
	 */
	protected $_attachmentUploadDir = false;

	/**
	 * @var string $_attchDir The path to the current attachment directory
	 */
	protected $_attchDir = '';

	/**
	 * @var int $_currentAttachmentUploadDir ID of the current attachment directory
	 */
	protected $_currentAttachmentUploadDir;

	/**
	 * @var bool $_canPostAttachment Whether or not an attachment can be posted
	 */
	protected $_canPostAttachment;

	/**
	 * @var array $_generalErrors An array of information about any errors that occurred
	 */
	protected $_generalErrors = array();

	/**
	 * @var mixed $_initialError Not used?
	 */
	protected $_initialError;

	/**
	 * @var array $_attachments Not used?
	 */
	protected $_attachments = array();

	/**
	 * @var array $_attachResults An array of information about the results of each file
	 */
	protected $_attachResults = array();

	/**
	 * @var array $_attachSuccess An array of information about successful attachments
	 */
	protected $_attachSuccess = array();

	/**
	 * @var array $_response An array of response information. @used-by \sendResponse() when adding attachments
	 */
	protected $_response = array(
		'error' => true,
		'data' => array(),
		'extra' => '',
	);

	/**
	 * @var array $_subActions An array of all valid sub-actions
	 */
	protected $_subActions = array(
		'add',
		'delete',
	);

	/**
	 * @var string|bool $_sa The current sub-action, or false if there isn't one
	 */
	protected $_sa = false;

	/**
	 * Attachments constructor.
	 *
	 * Sets up some initial information - the message ID, board, current attachment upload dir, etc.
	 */
	public function __construct()
	{
		global $modSettings, $context;

		$this->_msg = (int) !empty($_REQUEST['msg']) ? $_REQUEST['msg'] : 0;
		$this->_board = (int) !empty($_REQUEST['board']) ? $_REQUEST['board'] : null;

		$this->_currentAttachmentUploadDir = $modSettings['currentAttachmentUploadDir'];

		$this->_attachmentUploadDir = $modSettings['attachmentUploadDir'];

		$this->_attchDir = $context['attach_dir'] = $this->_attachmentUploadDir[$modSettings['currentAttachmentUploadDir']];

		$this->_canPostAttachment = $context['can_post_attachment'] = !empty($modSettings['attachmentEnable']) && $modSettings['attachmentEnable'] == 1 && (allowedTo('post_attachment', $this->_board) || ($modSettings['postmod_active'] && allowedTo('post_unapproved_attachments', $this->_board)));
	}

	/**
	 * Handles calling the appropriate function based on the sub-action
	 */
	public function call()
	{
		global $smcFunc, $sourcedir;

		require_once($sourcedir . '/Subs-Attachments.php');

		// Need this. For reasons...
		loadLanguage('Post');

		$this->_sa = !empty($_REQUEST['sa']) ? $smcFunc['htmlspecialchars']($smcFunc['htmltrim']($_REQUEST['sa'])) : false;

		if ($this->_canPostAttachment && $this->_sa && in_array($this->_sa, $this->_subActions))
			$this->{$this->_sa}();

		// Just send a generic message.
		else
			$this->setResponse(array(
				'text' => $this->_sa == 'add' ? 'attach_error_title' : 'attached_file_deleted_error',
				'type' => 'error',
				'data' => false,
			));

		// Back to the future, oh, to the browser!
		$this->sendResponse();
	}

	/**
	 * Handles deleting the attachment
	 */
	public function delete()
	{
		global $sourcedir;

		// Need this, don't ask why just nod your head.
		require_once($sourcedir . '/ManageAttachments.php');

		$attachID = !empty($_REQUEST['attach']) && is_numeric($_REQUEST['attach']) ? (int) $_REQUEST['attach'] : 0;

		// Need something to work with.
		if (!$attachID || (!empty($_SESSION['already_attached']) && !isset($_SESSION['already_attached'][$attachID])))
			return $this->setResponse(array(
				'text' => 'attached_file_deleted_error',
				'type' => 'error',
				'data' => false,
			));

		// Lets pass some params and see what happens :P
		$affectedMessage = removeAttachments(array('id_attach' => $attachID), '', true, true);

		// Gotta also remove the attachment from the session var.
		unset($_SESSION['already_attached'][$attachID]);

		// $affectedMessage returns an empty array array(0) which php treats as non empty... awesome...
		$this->setResponse(array(
			'text' => !empty($affectedMessage) ? 'attached_file_deleted' : 'attached_file_deleted_error',
			'type' => !empty($affectedMessage) ? 'info' : 'warning',
			'data' => $affectedMessage,
		));
	}

	/**
	 * Handles adding an attachment
	 */
	public function add()
	{
		// You gotta be able to post attachments.
		if (!$this->_canPostAttachment)
			return $this->setResponse(array(
				'text' => 'attached_file_cannot',
				'type' => 'error',
				'data' => false,
			));

		// Process them at once!
		$this->processAttachments();

		// The attachments was created and moved the the right folder, time to update the DB.
		if (!empty($_SESSION['temp_attachments']))
			$this->createAttach();

		// Set the response.
		$this->setResponse();
	}

	/**
	 * Moves an attachment to the proper directory and set the relevant data into $_SESSION['temp_attachments']
	 */
	protected function processAttachments()
	{
		global $context, $modSettings, $smcFunc, $user_info, $txt;

		if (!isset($_FILES['attachment']['name']))
			$_FILES['attachment']['tmp_name'] = array();

		// If there are attachments, calculate the total size and how many.
		$context['attachments']['total_size'] = 0;
		$context['attachments']['quantity'] = 0;

		// If this isn't a new post, check the current attachments.
		if (isset($_REQUEST['msg']))
		{
			$context['attachments']['quantity'] = count($context['current_attachments']);
			foreach ($context['current_attachments'] as $attachment)
				$context['attachments']['total_size'] += $attachment['size'];
		}

		// A bit of house keeping first.
		if (!empty($_SESSION['temp_attachments']) && count($_SESSION['temp_attachments']) == 1)
			unset($_SESSION['temp_attachments']);

		// Our infamous SESSION var, we are gonna have soo much fun with it!
		if (!isset($_SESSION['temp_attachments']))
			$_SESSION['temp_attachments'] = array();

		// Make sure we're uploading to the right place.
		if (!empty($modSettings['automanage_attachments']))
			automanage_attachments_check_directory();

		// Is the attachments folder actually there?
		if (!empty($context['dir_creation_error']))
			$this->_generalErrors[] = $context['dir_creation_error'];

		// The current attach folder ha some issues...
		elseif (!is_dir($this->_attchDir))
		{
			$this->_generalErrors[] = 'attach_folder_warning';
			log_error(sprintf($txt['attach_folder_admin_warning'], $this->_attchDir), 'critical');
		}

		// If this isn't a new post, check the current attachments.
		if (empty($this->_generalErrors) && $this->_msg)
		{
			$context['attachments'] = array();
			$request = $smcFunc['db_query']('', '
				SELECT COUNT(*), SUM(size)
				FROM {db_prefix}attachments
				WHERE id_msg = {int:id_msg}
					AND attachment_type = {int:attachment_type}',
				array(
					'id_msg' => (int) $this->_msg,
					'attachment_type' => 0,
				)
			);
			list ($context['attachments']['quantity'], $context['attachments']['total_size']) = $smcFunc['db_fetch_row']($request);
			$smcFunc['db_free_result']($request);
		}

		else
			$context['attachments'] = array(
				'quantity' => 0,
				'total_size' => 0,
			);

		// Check for other general errors here.

		// If we have an initial error, delete the files.
		if (!empty($this->_generalErrors))
		{
			// And delete the files 'cos they ain't going nowhere.
			foreach ($_FILES['attachment']['tmp_name'] as $n => $dummy)
				if (file_exists($_FILES['attachment']['tmp_name'][$n]))
					unlink($_FILES['attachment']['tmp_name'][$n]);

			$_FILES['attachment']['tmp_name'] = array();

			// No point in going further with this.
			return;
		}

		// Loop through $_FILES['attachment'] array and move each file to the current attachments folder.
		foreach ($_FILES['attachment']['tmp_name'] as $n => $dummy)
		{
			if ($_FILES['attachment']['name'][$n] == '')
				continue;

			// First, let's first check for PHP upload errors.
			$errors = array();
			if (!empty($_FILES['attachment']['error'][$n]))
			{
				if ($_FILES['attachment']['error'][$n] == 2)
					$errors[] = array('file_too_big', array($modSettings['attachmentSizeLimit']));

				else
					log_error($_FILES['attachment']['name'][$n] . ': ' . $txt['php_upload_error_' . $_FILES['attachment']['error'][$n]]);

				// Log this one, because...
				if ($_FILES['attachment']['error'][$n] == 6)
					log_error($_FILES['attachment']['name'][$n] . ': ' . $txt['php_upload_error_6'], 'critical');

				// Weird, no errors were cached, still fill out a generic one.
				if (empty($errors))
					$errors[] = 'attach_php_error';
			}

			// Try to move and rename the file before doing any more checks on it.
			$attachID = 'post_tmp_' . $user_info['id'] . '_' . md5(mt_rand());
			$destName = $this->_attchDir . '/' . $attachID;

			// No errors, YAY!
			if (empty($errors))
			{
				// The reported MIME type of the attachment might not be reliable.
				$detected_mime_type = get_mime_type($_FILES['attachment']['tmp_name'][$n], true);
				$detected_mime_type = get_mime_type($_FILES['attachment']['tmp_name'][$n], /** @scrutinizer ignore-type */ true);
				if ($detected_mime_type !== false)
					$_FILES['attachment']['type'][$n] = $detected_mime_type;

				$_SESSION['temp_attachments'][$attachID] = array(
					'name' => $smcFunc['htmlspecialchars'](basename($_FILES['attachment']['name'][$n])),
					'tmp_name' => $destName,
					'size' => $_FILES['attachment']['size'][$n],
					'type' => $_FILES['attachment']['type'][$n],
					'id_folder' => $modSettings['currentAttachmentUploadDir'],
					'errors' => array(),
				);

				// Move the file to the attachments folder with a temp name for now.
				if (@move_uploaded_file($_FILES['attachment']['tmp_name'][$n], $destName))
					smf_chmod($destName, 0644);

				// This is madness!!
				else
				{
					// File couldn't be moved.
					$_SESSION['temp_attachments'][$attachID]['errors'][] = 'attach_timeout';
					if (file_exists($_FILES['attachment']['tmp_name'][$n]))
						unlink($_FILES['attachment']['tmp_name'][$n]);
				}
			}

			// Fill up a nice array with some data from the file and the errors encountered so far.
			else
			{
				$_SESSION['temp_attachments'][$attachID] = array(
					'name' => $smcFunc['htmlspecialchars'](basename($_FILES['attachment']['name'][$n])),
					'tmp_name' => $destName,
					'errors' => $errors,
				);

				if (file_exists($_FILES['attachment']['tmp_name'][$n]))
					unlink($_FILES['attachment']['tmp_name'][$n]);
			}

			// If there's no errors to this point. We still do need to apply some additional checks before we are finished.
			if (empty($_SESSION['temp_attachments'][$attachID]['errors']))
				attachmentChecks($attachID);
		}

		// Mod authors, finally a hook to hang an alternate attachment upload system upon
		// Upload to the current attachment folder with the file name $attachID or 'post_tmp_' . $user_info['id'] . '_' . md5(mt_rand())
		// Populate $_SESSION['temp_attachments'][$attachID] with the following:
		//   name => The file name
		//   tmp_name => Path to the temp file ($this->_attchDir . '/' . $attachID).
		//   size => File size (required).
		//   type => MIME type (optional if not available on upload).
		//   id_folder => $modSettings['currentAttachmentUploadDir']
		//   errors => An array of errors (use the index of the $txt variable for that error).
		// Template changes can be done using "integrate_upload_template".
		call_integration_hook('integrate_attachment_upload', array());
	}

	/**
	 * Actually attaches the file
	 */
	protected function createAttach()
	{
		global $txt, $user_info, $modSettings;

		// Create an empty session var to keep track of all the files we attached.
		if (!isset($_SESSION['already_attached']))
			$_SESSION['already_attached'] = array();

		foreach ($_SESSION['temp_attachments'] as $attachID => $attachment)
		{
			$attachmentOptions = array(
				'post' => $this->_msg,
				'poster' => $user_info['id'],
				'name' => $attachment['name'],
				'tmp_name' => $attachment['tmp_name'],
				'size' => isset($attachment['size']) ? $attachment['size'] : 0,
				'mime_type' => isset($attachment['type']) ? $attachment['type'] : '',
				'id_folder' => isset($attachment['id_folder']) ? $attachment['id_folder'] : $modSettings['currentAttachmentUploadDir'],
				'approved' => !$modSettings['postmod_active'] || allowedTo('post_attachment'),
				'errors' => array(),
			);

			if (empty($attachment['errors']))
			{
				if (createAttachment($attachmentOptions))
				{
					// Avoid JS getting confused.
					$attachmentOptions['attachID'] = $attachmentOptions['id'];
					unset($attachmentOptions['id']);

					$_SESSION['already_attached'][$attachmentOptions['attachID']] = $attachmentOptions['attachID'];

					if (!empty($attachmentOptions['thumb']))
						$_SESSION['already_attached'][$attachmentOptions['thumb']] = $attachmentOptions['thumb'];

					if ($this->_msg)
						assignAttachments($_SESSION['already_attached'], $this->_msg);
				}
			}
			else
			{
				// Sort out the errors for display and delete any associated files.
				$log_these = array('attachments_no_create', 'attachments_no_write', 'attach_timeout', 'ran_out_of_space', 'cant_access_upload_path', 'attach_0_byte_file');

				foreach ($attachment['errors'] as $error)
				{
					$attachmentOptions['errors'][] = sprintf($txt['attach_warning'], $attachment['name']);

					if (!is_array($error))
					{
						$attachmentOptions['errors'][] = $txt[$error];
						if (in_array($error, $log_these))
							log_error($attachment['name'] . ': ' . $txt[$error], 'critical');
					}
					else
						$attachmentOptions['errors'][] = vsprintf($txt[$error[0]], (array) $error[1]);
				}
				if (file_exists($attachment['tmp_name']))
					unlink($attachment['tmp_name']);
			}

			// You don't need to know.
			unset($attachmentOptions['tmp_name']);
			unset($attachmentOptions['destination']);

			// Regardless of errors, pass the results.
			$this->_attachResults[] = $attachmentOptions;
		}

		// Temp save this on the db.
		if (!empty($_SESSION['already_attached']))
			$this->_attachSuccess = $_SESSION['already_attached'];

		unset($_SESSION['temp_attachments']);

		// Allow user to see previews for all of this post's attachments, even if the post hasn't been submitted yet.
		if (!isset($_SESSION['attachments_can_preview']))
			$_SESSION['attachments_can_preview'] = array();
		if (!empty($_SESSION['already_attached']))
			$_SESSION['attachments_can_preview'] += array_fill_keys(array_keys($_SESSION['already_attached']), true);
	}

	/**
	 * Sets up the response information
	 *
	 * @param array $data Data for the response if we're not adding an attachment
	 */
	protected function setResponse($data = array())
	{
		global $txt;

		// Some default values in case something is missed or neglected :P
		$this->_response = array(
			'text' => 'attach_php_error',
			'type' => 'error',
			'data' => false,
		);

		// Adding needs some VIP treatment.
		if ($this->_sa == 'add')
		{
			// Is there any generic errors? made some sense out of them!
			if ($this->_generalErrors)
				foreach ($this->_generalErrors as $k => $v)
					$this->_generalErrors[$k] = (is_array($v) ? vsprintf($txt[$v[0]], (array) $v[1]) : $txt[$v]);

			// Gotta urlencode the filename.
			if ($this->_attachResults)
				foreach ($this->_attachResults as $k => $v)
					$this->_attachResults[$k]['name'] = urlencode($this->_attachResults[$k]['name']);

			$this->_response = array(
				'files' => $this->_attachResults ? $this->_attachResults : false,
				'generalErrors' => $this->_generalErrors ? $this->_generalErrors : false,
			);
		}

		// Rest of us mere mortals gets no special treatment...
		elseif (!empty($data))
			if (!empty($data['text']) && !empty($txt[$data['text']]))
				$this->_response['text'] = $txt[$data['text']];
	}

	/**
	 * Sends the response data
	 */
	protected function sendResponse()
	{
		global $smcFunc, $modSettings, $context;

		ob_end_clean();

		if (!empty($modSettings['enableCompressedOutput']))
			@ob_start('ob_gzhandler');
		else
			ob_start();

		// Set the header.
		header('content-type: application/json; charset=' . $context['character_set'] . '');

		echo $smcFunc['json_encode']($this->_response ? $this->_response : array());

		// Done.
		obExit(false);
		die;
	}
}

?>
SimpleMachines / SMF2.1

Issues (1014)

Sources/Attachments.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like
