Issues in elFinderVolumeS3.class.php (2.x) - Issues in 2.x - Studio-42/elFinder - Measure and Improve Code Quality continuously with Scrutinizer

Issues (661)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

php/elFinderVolumeS3.class.php (2 issues)

Labels

Severity

nao-pon 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @file
 * 
 * elFinder driver for Amazon S3 (SOAP) filesystem.
 *
 * @author Dmitry (dio) Levashov,
 * @author Alexey Sukhotin
 * */
class elFinderVolumeS3 extends elFinderVolumeDriver {
	protected $driverId = 's3s';
	
	protected $s3;
	
	public function __construct() {
		$opts = array(
			'accesskey'          => '',
			'secretkey'          => '',
			'bucket'          => '',
			'tmpPath' => '',
		);
		$this->options = array_merge($this->options, $opts); 
		$this->options['mimeDetect'] = 'internal';

	}
	
	
	protected function init() {
		if (!$this->options['accesskey'] 
		||  !$this->options['secretkey'] 
		||  !$this->options['bucket']) {
			return $this->setError('Required options undefined.');
		}
		
		$this->s3 = new S3SoapClient($this->options['accesskey'], $this->options['secretkey']);
		
		$this->root = $this->options['path'];
		
		$this->rootName = 's3';
		
		return true;
	}
	
	protected function configure() {
		parent::configure();
		if (!empty($this->options['tmpPath'])) {
			if ((is_dir($this->options['tmpPath']) || @mkdir($this->options['tmpPath'])) && is_writable($this->options['tmpPath'])) {
				$this->tmpPath = $this->options['tmpPath'];
			}
		}
		$this->mimeDetect = 'internal';
	}
	
	/**
	 * Return parent directory path
	 *
	 * @param  string  $path  file path
	 * @return string
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _dirname($path) {
	
		$newpath =  preg_replace("/\/$/", "", $path);
		$dn = substr($path, 0, strrpos($newpath, '/')) ;
		
		if (substr($dn, 0, 1) != '/') {
		 $dn = "/$dn";
		}
		
		return $dn;
	}

	/**
	 * Return file name
	 *
	 * @param  string  $path  file path
	 * @return string
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _basename($path) {
		return basename($path);
	}

	
	
	/**
	 * Join dir name and file name and return full path.
	 * Some drivers (db) use int as path - so we give to concat path to driver itself
	 *
	 * @param  string  $dir   dir path
	 * @param  string  $name  file name
	 * @return string
	 * @author Dmitry (dio) Levashov
	 **/
		protected function _joinPath($dir, $name) {
		return $dir.DIRECTORY_SEPARATOR.$name;
	}
	
	/**
	 * Return normalized path, this works the same as os.path.normpath() in Python
	 *
	 * @param  string  $path  path
	 * @return string
	 * @author Troex Nevelin
	 **/
	protected function _normpath($path) {
		$tmp =  preg_replace("/^\//", "", $path);
		$tmp =  preg_replace("/\/\//", "/", $tmp);
		$tmp =  preg_replace("/\/$/", "", $tmp);
		return $tmp;
	}

	/**
	 * Return file path related to root dir
	 *
	 * @param  string  $path  file path
	 * @return string
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _relpath($path) {
	
		
		$newpath = $path;
		
		
		if (substr($path, 0, 1) != '/') {
			$newpath = "/$newpath";
		}
		
		$newpath =  preg_replace("/\/$/", "", $newpath);
	
		$ret = ($newpath == $this->root) ? '' : substr($newpath, strlen($this->root)+1);
		
		return $ret;
	}
	
	/**
	 * Convert path related to root dir into real path
	 *
	 * @param  string  $path  file path
	 * @return string
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _abspath($path) {
		return $path == $this->separator ? $this->root : $this->root.$this->separator.$path;
	}
	
	/**
	 * Return fake path started from root dir
	 *
	 * @param  string  $path  file path
	 * @return string
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _path($path) {
		return $this->rootName.($path == $this->root ? '' : $this->separator.$this->_relpath($path));
	}
	
	/**
	 * Return true if $path is children of $parent
	 *
	 * @param  string  $path    path to check
	 * @param  string  $parent  parent path
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _inpath($path, $parent) {
		return $path == $parent || strpos($path, $parent.'/') === 0;
	}

	
	/**
	 * Converting array of objects with name and value properties to
	 * array[key] = value
	 * @param  array  $metadata  source array
	 * @return array
	 * @author Alexey Sukhotin
	 **/
	protected function metaobj2array($metadata) {
		$arr = array();
		
		if (is_array($metadata)) {
			foreach ($metadata as $meta) {
				$arr[$meta->Name] = $meta->Value;
			}
		} else {
			$arr[$metadata->Name] = $metadata->Value;
		}
		return $arr;
	}
	
	/**
	 * Return stat for given path.
	 * Stat contains following fields:
	 * - (int)    size    file size in b. required
	 * - (int)    ts      file modification time in unix time. required
	 * - (string) mime    mimetype. required for folders, others - optionally
	 * - (bool)   read    read permissions. required
	 * - (bool)   write   write permissions. required
	 * - (bool)   locked  is object locked. optionally
	 * - (bool)   hidden  is object hidden. optionally
	 * - (string) alias   for symlinks - link target path relative to root path. optionally
	 * - (string) target  for symlinks - link target path. optionally
	 *
	 * If file does not exists - returns empty array or false.
	 *
	 * @param  string  $path    file path 
	 * @return array|false
	 * @author Dmitry (dio) Levashov,
	 * @author Alexey Sukhotin
	 **/
	protected function _stat($path) {
	
		$stat = array(
		 'size' => 0,
		 'ts' => time(),
		 'read' => true,
		 'write' => true,
		 'locked' => false,
		 'hidden' => false,
		 'mime' => 'directory',
		);
		
		
		if ($this->root == $path) {
			return $stat;
		}


		$np = $this->_normpath($path);
		
		try {
			$obj = $this->s3->GetObject(array('Bucket' => $this->options['bucket'], 'Key' => $np , 'GetMetadata' => true, 'InlineData' => false, 'GetData' => false));
		} catch (Exception $e) {
		
		}
			
		if (!isset($obj) || ($obj->GetObjectResponse->Status->Code != 200)) {
			$np .= '/';
			try {
				$obj = $this->s3->GetObject(array('Bucket' => $this->options['bucket'], 'Key' => $np , 'GetMetadata' => true, 'InlineData' => false, 'GetData' => false));
			} catch (Exception $e) {
		
			}
		}
			
		if (!(isset($obj) && $obj->GetObjectResponse->Status->Code == 200)) {
				return array();
		}
		
		$mime = '';
		
		$metadata = $this->metaobj2array($obj->GetObjectResponse->Metadata);
			
		$mime = $metadata['Content-Type'];
		
		if (!empty($mime)) {
		 $stat['mime'] = ($mime == 'binary/octet-stream') ? 'directory' : $mime;
		}
		
		if (isset($obj->GetObjectResponse->LastModified)) {
			$stat['ts'] = strtotime($obj->GetObjectResponse->LastModified);
		}
			
		try {
			$files = $this->s3->ListBucket(array('Bucket' => $this->options['bucket'], 'Prefix' => $np, 'Delimiter' => '/'))->ListBucketResponse->Contents;
		} catch (Exception $e) {
			
		}
			
		if (!is_array($files)) {
			$files = array($files);
		}
		
		foreach ($files as $file) {
			if ($file->Key == $np) {
				$stat['size'] = $file->Size;
			}
		}

		return $stat;
	}
	
	

	/***************** file stat ********************/

		
	/**
	 * Return true if path is dir and has at least one childs directory
	 *
	 * @param  string  $path  dir path
	 * @return bool
	 * @author Alexey Sukhotin
	 **/
	protected function _subdirs($path) {
		$stat = $this->_stat($path);
		
		if ($stat['mime'] == 'directory') {
		 $files = $this->_scandir($path);
		 foreach ($files as $file) {
			$fstat = $this->_stat($file);
			if ($fstat['mime'] == 'directory') {
				return true;
			}
		 }
		
		}
		
		return false;
	}
	
	/**
	 * Return object width and height
	 * Ususaly used for images, but can be realize for video etc...
	 *
	 * @param  string  $path  file path
	 * @param  string  $mime  file mime type
	 * @return string|false
	 * @author Dmitry (dio) Levashov
	 * @author Naoki Sawada
	 **/
	protected function _dimensions($path, $mime) {

		$ret = false;
		if ($imgsize = $this->getImageSize($path, $mime)) {
			$ret = $imgsize['dimensions'];
		}
		return $ret;
	}
	
	/******************** file/dir content *********************/

	/**
	 * Return files list in directory
	 *
	 * @param  string  $path  dir path
	 * @return array
	 * @author Dmitry (dio) Levashov,
	 * @author Alexey Sukhotin
	 **/
	protected function _scandir($path) {
		
		$s3path = preg_replace("/^\//", "", $path) . '/';
		
		$files = $this->s3->ListBucket(array('Bucket' => $this->options['bucket'], 'delimiter' => '/', 'Prefix' => $s3path))->ListBucketResponse->Contents;
	
		$finalfiles = array();
		
		foreach ($files as $file) {
			if (preg_match("|^" . $s3path . "[^/]*/?$|", $file->Key)) {
				$fname = preg_replace("/\/$/", "", $file->Key);
				$fname = $file->Key;
				
				if ($fname != preg_replace("/\/$/", "", $s3path)) {
					
				}
				
				$finalfiles[] = $fname;
			}
		}
		
		sort($finalfiles);
		return $finalfiles;
	}

	/**
	 * Open file and return file pointer
	 *
	 * @param  string  $path  file path
	 * @param  string  $mode open mode
	 * @return resource|false
	 * @author Dmitry (dio) Levashov,
	 * @author Alexey Sukhotin
	 **/
	protected function _fopen($path, $mode="rb") {
	
		$tn = $this->getTempFile($path);
	
		$fp = $this->tmbPath
			? @fopen($tn, 'w+')
			: @tmpfile();
		

		if ($fp) {

			try {
				$obj = $this->s3->GetObject(array('Bucket' => $this->options['bucket'], 'Key' => $this->_normpath($path) , 'GetMetadata' => true, 'InlineData' => true, 'GetData' => true));
			}	catch (Exception $e) {
		
			}
				
			$mime = '';
		
			$metadata = $this->metaobj2array($obj->GetObjectResponse->Metadata);

			fwrite($fp, $obj->GetObjectResponse->Data);
			rewind($fp);
			return $fp;
		}
		
		return false;
	}
	
	/**
	 * Close opened file
	 * 
	 * @param  resource  $fp    file pointer
	 * @param  string    $path  file path
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _fclose($fp, $path='') {
		@fclose($fp);
		if ($path) {
			@unlink($this->getTempFile($path));
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
		}
	}
	
	/********************  file/dir manipulations *************************/
	
	/**
	 * Create dir and return created dir path or false on failed
	 *
	 * @param  string  $path  parent dir path
	 * @param string  $name  new directory name
	 * @return string|bool
	 * @author Dmitry (dio) Levashov,
	 * @author Alexey Sukhotin
	 **/
	protected function _mkdir($path, $name) {
		
		$newkey = $this->_normpath($path);
		$newkey = preg_replace("/\/$/", "", $newkey);
		$newkey = "$newkey/$name/";

		try {
			$obj = $this->s3->PutObjectInline(array('Bucket' => $this->options['bucket'], 'Key' => $newkey , 'ContentLength' => 0, 'Data' => ''));
		} catch (Exception $e) {
		
		}
		
		if (isset($obj)) {
			return "$path/$name";
		}
		
		return false;
	}
	
	/**
	 * Create file and return it's path or false on failed
	 *
	 * @param  string  $path  parent dir path
	 * @param string  $name  new file name
	 * @return string|bool
	 * @author Dmitry (dio) Levashov,
	 * @author Alexey Sukhotin
	 **/
	 protected function _mkfile($path, $name) {
		$newkey = $this->_normpath($path);
		$newkey = preg_replace("/\/$/", "", $newkey);
		$newkey = "$newkey/$name";

		try {
			$obj = $this->s3->PutObjectInline(array('Bucket' => $this->options['bucket'], 'Key' => $newkey , 'ContentLength' => 0, 'Data' => '', 'Metadata' => array(array('Name' => 'Content-Type', 'Value' => 'text/plain'))));
		} catch (Exception $e) {
		
		}
		
		if (isset($obj)) {
			return "$path/$name";
		}
		
		return false;

	 }
	
	/**
	 * Create symlink
	 *
	 * @param  string  $source     file to link to
	 * @param  string  $targetDir  folder to create link in
	 * @param  string  $name       symlink name
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	 protected function _symlink($source, $targetDir, $name) {
		return false;
	 }

	/**
	 * Copy file into another file (only inside one volume)
	 *
	 * @param  string  $source  source file path
	 * @param  string  $targetDir  target dir path
	 * @param  string  $name    file name
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	 protected function _copy($source, $targetDir, $name) {
		return false;
	 }
	
	/**
	 * Move file into another parent dir.
	 * Return new file path or false.
	 *
	 * @param  string  $source  source file path
	 * @param  string  $targetDir  target dir path
	 * @param  string  $name    file name
	 * @return string|bool
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _move($source, $targetDir, $name) {
		return false;
	}
	
	/**
	 * Remove file
	 *
	 * @param  string  $path  file path
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _unlink($path) {
		
		$newkey = $this->_normpath($path);
		$newkey = preg_replace("/\/$/", "", $newkey);

		try {
			$obj = $this->s3->DeleteObject(array('Bucket' => $this->options['bucket'], 'Key' => $newkey));
		} catch (Exception $e) {
		
		}
		
		/*$fp = fopen('/tmp/eltest.txt','a+');
		
		fwrite($fp, 'key='.$newkey);*/
		
		if (is_object($obj)) {
			//fwrite($fp, 'obj='.var_export($obj,true));
			
			if (isset($obj->DeleteObjectResponse->Code)) {
				$rc = $obj->DeleteObjectResponse->Code;
				
				if (substr($rc, 0, 1) == '2') {
					return true;
				}
			}
		}

			
		//fclose($fp);
		
		return false;
	}

	/**
	 * Remove dir
	 *
	 * @param  string  $path  dir path
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _rmdir($path) {
		return $this->_unlink($path . '/');
	}

	/**
	 * Create new file and write into it from file pointer.
	 * Return new file path or false on error.
	 *
	 * @param  resource $fp file pointer
	 * @param  string $dir target dir path
	 * @param  string $name file name
	 * @param  array $stat
	 * @return bool|string
	 * @author Dmitry (dio) Levashov
	 */
	protected function _save($fp, $dir, $name, $stat) {
		return false;
	}
	
	/**
	 * Get file contents
	 *
	 * @param  string  $path  file path
	 * @return string|false
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _getContents($path) {
		return false;
	}
	
	/**
	 * Write a string to a file
	 *
	 * @param  string  $path     file path
	 * @param  string  $content  new file content
	 * @return bool
	 * @author Dmitry (dio) Levashov
	 **/
	protected function _filePutContents($path, $content) {
		return false;
	}

	/**
	 * Extract files from archive
	 *
	 * @param  string  $path file path
	 * @param  array   $arc  archiver options
	 * @return bool
	 * @author Dmitry (dio) Levashov, 
	 * @author Alexey Sukhotin
	 **/
	 protected function _extract($path, $arc) {
		return false;
	 }

	/**
	 * Create archive and return its path
	 *
	 * @param  string  $dir    target dir
	 * @param  array   $files  files names list
	 * @param  string  $name   archive name
	 * @param  array   $arc    archiver options
	 * @return string|bool
	 * @author Dmitry (dio) Levashov, 
	 * @author Alexey Sukhotin
	 **/
	protected function _archive($dir, $files, $name, $arc) {
		return false;
	}

	/**
	 * Detect available archivers
	 *
	 * @return void
	 * @author Dmitry (dio) Levashov, 
	 * @author Alexey Sukhotin
	 **/
	protected function _checkArchivers() {
		
	}

	/**
	 * chmod implementation
	 *
	 * @param string $path
	 * @param string $mode
	 * @return bool
	 */
	protected function _chmod($path, $mode) {
		return false;
	}

}

/**
 * SoapClient extension with Amazon S3 WSDL and request signing support
 *
 * @author Alexey Sukhotin
 **/
class S3SoapClient extends SoapClient {

	private $accesskey = ''; 
	private $secretkey = '';
	public $client = NULL;
	

	public function __construct($key = '', $secret = '') {
		$this->accesskey = $key;
		$this->secretkey = $secret;
		parent::__construct('http://s3.amazonaws.com/doc/2006-03-01/AmazonS3.wsdl');
	}


	/**
	 * Method call wrapper which adding S3 signature and default arguments to all S3 operations
	 *
	 * @param string $method
	 * @param string $arguments
	 * @return mixed
	 *
	 * @author Alexey Sukhotin
	 */
	public function __call($method, $arguments) {
		
		/* Getting list of S3 web service functions which requires signing */
		$funcs = $this->__getFunctions();
		
		$funcnames  = array();
		
		foreach ($funcs as $func) {
			preg_match("/\S+\s+([^\)]+)\(/", $func, $m);
	
			if (isset($m[1])) {
				$funcnames[] = $m[1];
			}
		}
		
		/* adding signature to arguments */
		if (in_array("{$method}", $funcnames)) {
		
			if (is_array($arguments[0])) {
				$arguments[0] = array_merge($arguments[0], $this->sign("{$method}"));
			} else {
				$arguments[0] = $this->sign("{$method}");
			}

		}
		
		/*$fp = fopen('/tmp/s3debug.txt', 'a+');
		fwrite($fp, 'method='."{$method}". ' timestamp='.date('Y-m-d H:i:s').' args='.var_export($arguments,true) . "\n");
		fclose($fp);*/
		return parent::__call($method, $arguments);
	}

	/**
	 * Generating signature and timestamp for specified S3 operation
	 *
	 * @param  string  $operation    S3 operation name
	 * @return array
	 * @author Alexey Sukhotin
	 **/
	protected function sign($operation) {
	
		$params = array(
			'AWSAccessKeyId' => $this->accesskey,
			'Timestamp' => gmdate('Y-m-d\TH:i:s.000\Z'),
		);

		$sign_str = 'AmazonS3' . $operation . $params['Timestamp'];
		
		$params['Signature'] = base64_encode(hash_hmac('sha1', $sign_str, $this->secretkey, TRUE));
		
		return $params;
	}
	
}



1		<?php
2
3		/**
4		* @file
5		*
6		* elFinder driver for Amazon S3 (SOAP) filesystem.
7		*
8		* @author Dmitry (dio) Levashov,
9		* @author Alexey Sukhotin
10		* */
11		class elFinderVolumeS3 extends elFinderVolumeDriver {
12		protected $driverId = 's3s';
13
14		protected $s3;
15
16		public function __construct() {
17		$opts = array(
18		'accesskey' => '',
19		'secretkey' => '',
20		'bucket' => '',
21		'tmpPath' => '',
22		);
23		$this->options = array_merge($this->options, $opts);
24		$this->options['mimeDetect'] = 'internal';
25
26		}
27
28
29		protected function init() {
30		if (!$this->options['accesskey']
31		\|\| !$this->options['secretkey']
32		\|\| !$this->options['bucket']) {
33		return $this->setError('Required options undefined.');
34		}
35
36		$this->s3 = new S3SoapClient($this->options['accesskey'], $this->options['secretkey']);
37
38		$this->root = $this->options['path'];
39
40		$this->rootName = 's3';
41
42		return true;
43		}
44
45		protected function configure() {
46		parent::configure();
47	View Code Duplication	if (!empty($this->options['tmpPath'])) {
48		if ((is_dir($this->options['tmpPath']) \|\| @mkdir($this->options['tmpPath'])) && is_writable($this->options['tmpPath'])) {
49		$this->tmpPath = $this->options['tmpPath'];
50		}
51		}
52		$this->mimeDetect = 'internal';
53		}
54
55		/**
56		* Return parent directory path
57		*
58		* @param string $path file path
59		* @return string
60		* @author Dmitry (dio) Levashov
61		**/
62		protected function _dirname($path) {
63
64		$newpath = preg_replace("/\/$/", "", $path);
65		$dn = substr($path, 0, strrpos($newpath, '/')) ;
66
67		if (substr($dn, 0, 1) != '/') {
68		$dn = "/$dn";
69		}
70
71		return $dn;
72		}
73
74		/**
75		* Return file name
76		*
77		* @param string $path file path
78		* @return string
79		* @author Dmitry (dio) Levashov
80		**/
81		protected function _basename($path) {
82		return basename($path);
83		}
84
85
86
87		/**
88		* Join dir name and file name and return full path.
89		* Some drivers (db) use int as path - so we give to concat path to driver itself
90		*
91		* @param string $dir dir path
92		* @param string $name file name
93		* @return string
94		* @author Dmitry (dio) Levashov
95		**/
96		protected function _joinPath($dir, $name) {
97		return $dir.DIRECTORY_SEPARATOR.$name;
98		}
99
100		/**
101		* Return normalized path, this works the same as os.path.normpath() in Python
102		*
103		* @param string $path path
104		* @return string
105		* @author Troex Nevelin
106		**/
107		protected function _normpath($path) {
108		$tmp = preg_replace("/^\//", "", $path);
109		$tmp = preg_replace("/\/\//", "/", $tmp);
110		$tmp = preg_replace("/\/$/", "", $tmp);
111		return $tmp;
112		}
113
114		/**
115		* Return file path related to root dir
116		*
117		* @param string $path file path
118		* @return string
119		* @author Dmitry (dio) Levashov
120		**/
121		protected function _relpath($path) {
122
123
124		$newpath = $path;
125
126
127		if (substr($path, 0, 1) != '/') {
128		$newpath = "/$newpath";
129		}
130
131		$newpath = preg_replace("/\/$/", "", $newpath);
132
133		$ret = ($newpath == $this->root) ? '' : substr($newpath, strlen($this->root)+1);
134
135		return $ret;
136		}
137
138		/**
139		* Convert path related to root dir into real path
140		*
141		* @param string $path file path
142		* @return string
143		* @author Dmitry (dio) Levashov
144		**/
145		protected function _abspath($path) {
146		return $path == $this->separator ? $this->root : $this->root.$this->separator.$path;
147		}
148
149		/**
150		* Return fake path started from root dir
151		*
152		* @param string $path file path
153		* @return string
154		* @author Dmitry (dio) Levashov
155		**/
156		protected function _path($path) {
157		return $this->rootName.($path == $this->root ? '' : $this->separator.$this->_relpath($path));
158		}
159
160		/**
161		* Return true if $path is children of $parent
162		*
163		* @param string $path path to check
164		* @param string $parent parent path
165		* @return bool
166		* @author Dmitry (dio) Levashov
167		**/
168		protected function _inpath($path, $parent) {
169		return $path == $parent \|\| strpos($path, $parent.'/') === 0;
170		}
171
172
173		/**
174		* Converting array of objects with name and value properties to
175		* array[key] = value
176		* @param array $metadata source array
177		* @return array
178		* @author Alexey Sukhotin
179		**/
180		protected function metaobj2array($metadata) {
181		$arr = array();
182
183		if (is_array($metadata)) {
184		foreach ($metadata as $meta) {
185		$arr[$meta->Name] = $meta->Value;
186		}
187		} else {
188		$arr[$metadata->Name] = $metadata->Value;
189		}
190		return $arr;
191		}
192
193		/**
194		* Return stat for given path.
195		* Stat contains following fields:
196		* - (int) size file size in b. required
197		* - (int) ts file modification time in unix time. required
198		* - (string) mime mimetype. required for folders, others - optionally
199		* - (bool) read read permissions. required
200		* - (bool) write write permissions. required
201		* - (bool) locked is object locked. optionally
202		* - (bool) hidden is object hidden. optionally
203		* - (string) alias for symlinks - link target path relative to root path. optionally
204		* - (string) target for symlinks - link target path. optionally
205		*
206		* If file does not exists - returns empty array or false.
207		*
208		* @param string $path file path
209		* @return array\|false
210		* @author Dmitry (dio) Levashov,
211		* @author Alexey Sukhotin
212		**/
213		protected function _stat($path) {
214
215		$stat = array(
216		'size' => 0,
217		'ts' => time(),
218		'read' => true,
219		'write' => true,
220		'locked' => false,
221		'hidden' => false,
222		'mime' => 'directory',
223		);
224
225
226		if ($this->root == $path) {
227		return $stat;
228		}
229
230
231		$np = $this->_normpath($path);
232
233		try {
234		$obj = $this->s3->GetObject(array('Bucket' => $this->options['bucket'], 'Key' => $np , 'GetMetadata' => true, 'InlineData' => false, 'GetData' => false));
235		} catch (Exception $e) {
236
237		}
238
239		if (!isset($obj) \|\| ($obj->GetObjectResponse->Status->Code != 200)) {
240		$np .= '/';
241		try {
242		$obj = $this->s3->GetObject(array('Bucket' => $this->options['bucket'], 'Key' => $np , 'GetMetadata' => true, 'InlineData' => false, 'GetData' => false));
243		} catch (Exception $e) {
244
245		}
246		}
247
248		if (!(isset($obj) && $obj->GetObjectResponse->Status->Code == 200)) {
249		return array();
250		}
251
252		$mime = '';
253
254		$metadata = $this->metaobj2array($obj->GetObjectResponse->Metadata);
255
256		$mime = $metadata['Content-Type'];
257
258		if (!empty($mime)) {
259		$stat['mime'] = ($mime == 'binary/octet-stream') ? 'directory' : $mime;
260		}
261
262		if (isset($obj->GetObjectResponse->LastModified)) {
263		$stat['ts'] = strtotime($obj->GetObjectResponse->LastModified);
264		}
265
266		try {
267		$files = $this->s3->ListBucket(array('Bucket' => $this->options['bucket'], 'Prefix' => $np, 'Delimiter' => '/'))->ListBucketResponse->Contents;
268		} catch (Exception $e) {
269
270		}
271
272		if (!is_array($files)) {
273		$files = array($files);
274		}
275
276		foreach ($files as $file) {
277		if ($file->Key == $np) {
278		$stat['size'] = $file->Size;
279		}
280		}
281
282		return $stat;
283		}
284
285
286
287		/*************** file stat ******************/
288
289
290		/**
291		* Return true if path is dir and has at least one childs directory
292		*
293		* @param string $path dir path
294		* @return bool
295		* @author Alexey Sukhotin
296		**/
297		protected function _subdirs($path) {
298		$stat = $this->_stat($path);
299
300		if ($stat['mime'] == 'directory') {
301		$files = $this->_scandir($path);
302		foreach ($files as $file) {
303		$fstat = $this->_stat($file);
304		if ($fstat['mime'] == 'directory') {
305		return true;
306		}
307		}
308
309		}
310
311		return false;
312		}
313
314		/**
315		* Return object width and height
316		* Ususaly used for images, but can be realize for video etc...
317		*
318		* @param string $path file path
319		* @param string $mime file mime type
320		* @return string\|false
321		* @author Dmitry (dio) Levashov
322		* @author Naoki Sawada
323		**/
324	View Code Duplication	protected function _dimensions($path, $mime) {
		0 ignored issues – show Duplication introduced 2015-11-21 02:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
325		$ret = false;
326		if ($imgsize = $this->getImageSize($path, $mime)) {
327		$ret = $imgsize['dimensions'];
328		}
329		return $ret;
330		}
331
332		/****************** file/dir content *******************/
333
334		/**
335		* Return files list in directory
336		*
337		* @param string $path dir path
338		* @return array
339		* @author Dmitry (dio) Levashov,
340		* @author Alexey Sukhotin
341		**/
342		protected function _scandir($path) {
343
344		$s3path = preg_replace("/^\//", "", $path) . '/';
345
346		$files = $this->s3->ListBucket(array('Bucket' => $this->options['bucket'], 'delimiter' => '/', 'Prefix' => $s3path))->ListBucketResponse->Contents;
347
348		$finalfiles = array();
349
350		foreach ($files as $file) {
351		if (preg_match("\|^" . $s3path . "[^/]*/?$\|", $file->Key)) {
352		$fname = preg_replace("/\/$/", "", $file->Key);
353		$fname = $file->Key;
354
355		if ($fname != preg_replace("/\/$/", "", $s3path)) {
356
357		}
358
359		$finalfiles[] = $fname;
360		}
361		}
362
363		sort($finalfiles);
364		return $finalfiles;
365		}
366
367		/**
368		* Open file and return file pointer
369		*
370		* @param string $path file path
371		* @param string $mode open mode
372		* @return resource\|false
373		* @author Dmitry (dio) Levashov,
374		* @author Alexey Sukhotin
375		**/
376		protected function _fopen($path, $mode="rb") {
377
378		$tn = $this->getTempFile($path);
379
380		$fp = $this->tmbPath
381		? @fopen($tn, 'w+')
382		: @tmpfile();
383
384
385		if ($fp) {
386
387		try {
388		$obj = $this->s3->GetObject(array('Bucket' => $this->options['bucket'], 'Key' => $this->_normpath($path) , 'GetMetadata' => true, 'InlineData' => true, 'GetData' => true));
389		} catch (Exception $e) {
390
391		}
392
393		$mime = '';
394
395		$metadata = $this->metaobj2array($obj->GetObjectResponse->Metadata);
396
397		fwrite($fp, $obj->GetObjectResponse->Data);
398		rewind($fp);
399		return $fp;
400		}
401
402		return false;
403		}
404
405		/**
406		* Close opened file
407		*
408		* @param resource $fp file pointer
409		* @param string $path file path
410		* @return bool
411		* @author Dmitry (dio) Levashov
412		**/
413		protected function _fclose($fp, $path='') {
414		@fclose($fp);
415		if ($path) {
416		@unlink($this->getTempFile($path));
		0 ignored issues – show Security Best Practice introduced 2015-11-21 02:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
417		}
418		}
419
420		/****************** file/dir manipulations ***********************/
421
422		/**
423		* Create dir and return created dir path or false on failed
424		*
425		* @param string $path parent dir path
426		* @param string $name new directory name
427		* @return string\|bool
428		* @author Dmitry (dio) Levashov,
429		* @author Alexey Sukhotin
430		**/
431		protected function _mkdir($path, $name) {
432
433		$newkey = $this->_normpath($path);
434		$newkey = preg_replace("/\/$/", "", $newkey);
435		$newkey = "$newkey/$name/";
436
437		try {
438		$obj = $this->s3->PutObjectInline(array('Bucket' => $this->options['bucket'], 'Key' => $newkey , 'ContentLength' => 0, 'Data' => ''));
439		} catch (Exception $e) {
440
441		}
442
443		if (isset($obj)) {
444		return "$path/$name";
445		}
446
447		return false;
448		}
449
450		/**
451		* Create file and return it's path or false on failed
452		*
453		* @param string $path parent dir path
454		* @param string $name new file name
455		* @return string\|bool
456		* @author Dmitry (dio) Levashov,
457		* @author Alexey Sukhotin
458		**/
459		protected function _mkfile($path, $name) {
460		$newkey = $this->_normpath($path);
461		$newkey = preg_replace("/\/$/", "", $newkey);
462		$newkey = "$newkey/$name";
463
464		try {
465		$obj = $this->s3->PutObjectInline(array('Bucket' => $this->options['bucket'], 'Key' => $newkey , 'ContentLength' => 0, 'Data' => '', 'Metadata' => array(array('Name' => 'Content-Type', 'Value' => 'text/plain'))));
466		} catch (Exception $e) {
467
468		}
469
470		if (isset($obj)) {
471		return "$path/$name";
472		}
473
474		return false;
475
476		}
477
478		/**
479		* Create symlink
480		*
481		* @param string $source file to link to
482		* @param string $targetDir folder to create link in
483		* @param string $name symlink name
484		* @return bool
485		* @author Dmitry (dio) Levashov
486		**/
487		protected function _symlink($source, $targetDir, $name) {
488		return false;
489		}
490
491		/**
492		* Copy file into another file (only inside one volume)
493		*
494		* @param string $source source file path
495		* @param string $targetDir target dir path
496		* @param string $name file name
497		* @return bool
498		* @author Dmitry (dio) Levashov
499		**/
500		protected function _copy($source, $targetDir, $name) {
501		return false;
502		}
503
504		/**
505		* Move file into another parent dir.
506		* Return new file path or false.
507		*
508		* @param string $source source file path
509		* @param string $targetDir target dir path
510		* @param string $name file name
511		* @return string\|bool
512		* @author Dmitry (dio) Levashov
513		**/
514		protected function _move($source, $targetDir, $name) {
515		return false;
516		}
517
518		/**
519		* Remove file
520		*
521		* @param string $path file path
522		* @return bool
523		* @author Dmitry (dio) Levashov
524		**/
525		protected function _unlink($path) {
526
527		$newkey = $this->_normpath($path);
528		$newkey = preg_replace("/\/$/", "", $newkey);
529
530		try {
531		$obj = $this->s3->DeleteObject(array('Bucket' => $this->options['bucket'], 'Key' => $newkey));
532		} catch (Exception $e) {
533
534		}
535
536		/*$fp = fopen('/tmp/eltest.txt','a+');
537
538		fwrite($fp, 'key='.$newkey);*/
539
540		if (is_object($obj)) {
541		//fwrite($fp, 'obj='.var_export($obj,true));
542
543		if (isset($obj->DeleteObjectResponse->Code)) {
544		$rc = $obj->DeleteObjectResponse->Code;
545
546		if (substr($rc, 0, 1) == '2') {
547		return true;
548		}
549		}
550		}
551
552
553		//fclose($fp);
554
555		return false;
556		}
557
558		/**
559		* Remove dir
560		*
561		* @param string $path dir path
562		* @return bool
563		* @author Dmitry (dio) Levashov
564		**/
565		protected function _rmdir($path) {
566		return $this->_unlink($path . '/');
567		}
568
569		/**
570		* Create new file and write into it from file pointer.
571		* Return new file path or false on error.
572		*
573		* @param resource $fp file pointer
574		* @param string $dir target dir path
575		* @param string $name file name
576		* @param array $stat
577		* @return bool\|string
578		* @author Dmitry (dio) Levashov
579		*/
580		protected function _save($fp, $dir, $name, $stat) {
581		return false;
582		}
583
584		/**
585		* Get file contents
586		*
587		* @param string $path file path
588		* @return string\|false
589		* @author Dmitry (dio) Levashov
590		**/
591		protected function _getContents($path) {
592		return false;
593		}
594
595		/**
596		* Write a string to a file
597		*
598		* @param string $path file path
599		* @param string $content new file content
600		* @return bool
601		* @author Dmitry (dio) Levashov
602		**/
603		protected function _filePutContents($path, $content) {
604		return false;
605		}
606
607		/**
608		* Extract files from archive
609		*
610		* @param string $path file path
611		* @param array $arc archiver options
612		* @return bool
613		* @author Dmitry (dio) Levashov,
614		* @author Alexey Sukhotin
615		**/
616		protected function _extract($path, $arc) {
617		return false;
618		}
619
620		/**
621		* Create archive and return its path
622		*
623		* @param string $dir target dir
624		* @param array $files files names list
625		* @param string $name archive name
626		* @param array $arc archiver options
627		* @return string\|bool
628		* @author Dmitry (dio) Levashov,
629		* @author Alexey Sukhotin
630		**/
631		protected function _archive($dir, $files, $name, $arc) {
632		return false;
633		}
634
635		/**
636		* Detect available archivers
637		*
638		* @return void
639		* @author Dmitry (dio) Levashov,
640		* @author Alexey Sukhotin
641		**/
642		protected function _checkArchivers() {
643
644		}
645
646		/**
647		* chmod implementation
648		*
649		* @param string $path
650		* @param string $mode
651		* @return bool
652		*/
653		protected function _chmod($path, $mode) {
654		return false;
655		}
656
657		}
658
659		/**
660		* SoapClient extension with Amazon S3 WSDL and request signing support
661		*
662		* @author Alexey Sukhotin
663		**/
664		class S3SoapClient extends SoapClient {
665
666		private $accesskey = '';
667		private $secretkey = '';
668		public $client = NULL;
669
670
671		public function __construct($key = '', $secret = '') {
672		$this->accesskey = $key;
673		$this->secretkey = $secret;
674		parent::__construct('http://s3.amazonaws.com/doc/2006-03-01/AmazonS3.wsdl');
675		}
676
677
678		/**
679		* Method call wrapper which adding S3 signature and default arguments to all S3 operations
680		*
681		* @param string $method
682		* @param string $arguments
683		* @return mixed
684		*
685		* @author Alexey Sukhotin
686		*/
687		public function __call($method, $arguments) {
688
689		/* Getting list of S3 web service functions which requires signing */
690		$funcs = $this->__getFunctions();
691
692		$funcnames = array();
693
694		foreach ($funcs as $func) {
695		preg_match("/\S+\s+([^\)]+)\(/", $func, $m);
696
697		if (isset($m[1])) {
698		$funcnames[] = $m[1];
699		}
700		}
701
702		/* adding signature to arguments */
703		if (in_array("{$method}", $funcnames)) {
704
705		if (is_array($arguments[0])) {
706		$arguments[0] = array_merge($arguments[0], $this->sign("{$method}"));
707		} else {
708		$arguments[0] = $this->sign("{$method}");
709		}
710
711		}
712
713		/*$fp = fopen('/tmp/s3debug.txt', 'a+');
714		fwrite($fp, 'method='."{$method}". ' timestamp='.date('Y-m-d H:i:s').' args='.var_export($arguments,true) . "\n");
715		fclose($fp);*/
716		return parent::__call($method, $arguments);
717		}
718
719		/**
720		* Generating signature and timestamp for specified S3 operation
721		*
722		* @param string $operation S3 operation name
723		* @return array
724		* @author Alexey Sukhotin
725		**/
726		protected function sign($operation) {
727
728		$params = array(
729		'AWSAccessKeyId' => $this->accesskey,
730		'Timestamp' => gmdate('Y-m-d\TH:i:s.000\Z'),
731		);
732
733		$sign_str = 'AmazonS3' . $operation . $params['Timestamp'];
734
735		$params['Signature'] = base64_encode(hash_hmac('sha1', $sign_str, $this->secretkey, TRUE));
736
737		return $params;
738		}
739
740		}
741
742

Studio-42 / elFinder

Issues (661)

Security Analysis not enabled

php/elFinderVolumeS3.class.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like