@@ 49-1360 (lines=1312) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | else |
|
692 | { |
|
693 | return $new_filename; |
|
694 | } |
|
695 | } |
|
696 | ||
697 | // -------------------------------------------------------------------- |
|
698 | ||
699 | /** |
|
700 | * Set Maximum File Size |
|
701 | * |
|
702 | * @param int $n |
|
703 | * @return CI_Upload |
|
704 | */ |
|
705 | public function set_max_filesize($n) |
|
706 | { |
|
707 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
708 | return $this; |
|
709 | } |
|
710 | ||
711 | // -------------------------------------------------------------------- |
|
712 | ||
713 | /** |
|
714 | * Set Maximum File Size |
|
715 | * |
|
716 | * An internal alias to set_max_filesize() to help with configuration |
|
717 | * as initialize() will look for a set_<property_name>() method ... |
|
718 | * |
|
719 | * @param int $n |
|
720 | * @return CI_Upload |
|
721 | */ |
|
722 | protected function set_max_size($n) |
|
723 | { |
|
724 | return $this->set_max_filesize($n); |
|
725 | } |
|
726 | ||
727 | // -------------------------------------------------------------------- |
|
728 | ||
729 | /** |
|
730 | * Set Maximum File Name Length |
|
731 | * |
|
732 | * @param int $n |
|
733 | * @return CI_Upload |
|
734 | * |
|
735 | * @codeCoverageIgnore |
|
736 | */ |
|
737 | public function set_max_filename($n) |
|
738 | { |
|
739 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
740 | return $this; |
|
741 | } |
|
742 | ||
743 | // -------------------------------------------------------------------- |
|
744 | ||
745 | /** |
|
746 | * Set Maximum Image Width |
|
747 | * |
|
748 | * @param int $n |
|
749 | * @return CI_Upload |
|
750 | */ |
|
751 | public function set_max_width($n) |
|
752 | { |
|
753 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
754 | return $this; |
|
755 | } |
|
756 | ||
757 | // -------------------------------------------------------------------- |
|
758 | ||
759 | /** |
|
760 | * Set Maximum Image Height |
|
761 | * |
|
762 | * @param int $n |
|
763 | * @return CI_Upload |
|
764 | */ |
|
765 | public function set_max_height($n) |
|
766 | { |
|
767 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
768 | return $this; |
|
769 | } |
|
770 | ||
771 | // -------------------------------------------------------------------- |
|
772 | ||
773 | /** |
|
774 | * Set minimum image width |
|
775 | * |
|
776 | * @param int $n |
|
777 | * @return CI_Upload |
|
778 | * |
|
779 | * @codeCoverageIgnore |
|
780 | */ |
|
781 | public function set_min_width($n) |
|
782 | { |
|
783 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
784 | return $this; |
|
785 | } |
|
786 | ||
787 | // -------------------------------------------------------------------- |
|
788 | ||
789 | /** |
|
790 | * Set minimum image height |
|
791 | * |
|
792 | * @param int $n |
|
793 | * @return CI_Upload |
|
794 | * |
|
795 | * @codeCoverageIgnore |
|
796 | */ |
|
797 | public function set_min_height($n) |
|
798 | { |
|
799 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
800 | return $this; |
|
801 | } |
|
802 | ||
803 | // -------------------------------------------------------------------- |
|
804 | ||
805 | /** |
|
806 | * Set Allowed File Types |
|
807 | * |
|
808 | * @param mixed $types |
|
809 | * @return CI_Upload |
|
810 | */ |
|
811 | public function set_allowed_types($types) |
|
812 | { |
|
813 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
814 | ? $types |
|
815 | : explode('|', $types); |
|
816 | return $this; |
|
817 | } |
|
818 | ||
819 | // -------------------------------------------------------------------- |
|
820 | ||
821 | /** |
|
822 | * Set Image Properties |
|
823 | * |
|
824 | * Uses GD to determine the width/height/type of image |
|
825 | * |
|
826 | * @param string $path |
|
827 | * @return CI_Upload |
|
828 | */ |
|
829 | public function set_image_properties($path = '') |
|
830 | { |
|
831 | if ($this->is_image() && function_exists('getimagesize')) |
|
832 | { |
|
833 | if (FALSE !== ($D = @getimagesize($path))) |
|
834 | { |
|
835 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
836 | ||
837 | $this->image_width = $D[0]; |
|
838 | $this->image_height = $D[1]; |
|
839 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
840 | $this->image_size_str = $D[3]; // string containing height and width |
|
841 | } |
|
842 | } |
|
843 | ||
844 | return $this; |
|
845 | } |
|
846 | ||
847 | // -------------------------------------------------------------------- |
|
848 | ||
849 | /** |
|
850 | * Set XSS Clean |
|
851 | * |
|
852 | * Enables the XSS flag so that the file that was uploaded |
|
853 | * will be run through the XSS filter. |
|
854 | * |
|
855 | * @param bool $flag |
|
856 | * @return CI_Upload |
|
857 | * |
|
858 | * @codeCoverageIgnore |
|
859 | */ |
|
860 | public function set_xss_clean($flag = FALSE) |
|
861 | { |
|
862 | $this->xss_clean = ($flag === TRUE); |
|
863 | return $this; |
|
864 | } |
|
865 | ||
866 | // -------------------------------------------------------------------- |
|
867 | ||
868 | /** |
|
869 | * Validate the image |
|
870 | * |
|
871 | * @return bool |
|
872 | * |
|
873 | * @codeCoverageIgnore |
|
874 | */ |
|
875 | public function is_image() |
|
876 | { |
|
877 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
878 | // jpegs or pngs to the same file type. |
|
879 | ||
880 | $png_mimes = array('image/x-png'); |
|
881 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
882 | ||
883 | if (in_array($this->file_type, $png_mimes)) |
|
884 | { |
|
885 | $this->file_type = 'image/png'; |
|
886 | } |
|
887 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
888 | { |
|
889 | $this->file_type = 'image/jpeg'; |
|
890 | } |
|
891 | ||
892 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
893 | ||
894 | return in_array($this->file_type, $img_mimes, TRUE); |
|
895 | } |
|
896 | ||
897 | // -------------------------------------------------------------------- |
|
898 | ||
899 | /** |
|
900 | * Verify that the filetype is allowed |
|
901 | * |
|
902 | * @param bool $ignore_mime |
|
903 | * @return bool |
|
904 | * |
|
905 | * @codeCoverageIgnore |
|
906 | */ |
|
907 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
908 | { |
|
909 | if ($this->allowed_types === '*') |
|
910 | { |
|
911 | return TRUE; |
|
912 | } |
|
913 | ||
914 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
915 | { |
|
916 | $this->set_error('upload_no_file_types', 'debug'); |
|
917 | return FALSE; |
|
918 | } |
|
919 | ||
920 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
921 | ||
922 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
923 | { |
|
924 | return FALSE; |
|
925 | } |
|
926 | ||
927 | // Images get some additional checks |
|
928 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
929 | { |
|
930 | return FALSE; |
|
931 | } |
|
932 | ||
933 | if ($ignore_mime === TRUE) |
|
934 | { |
|
935 | return TRUE; |
|
936 | } |
|
937 | ||
938 | if (isset($this->_mimes[$ext])) |
|
939 | { |
|
940 | return is_array($this->_mimes[$ext]) |
|
941 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
942 | : ($this->_mimes[$ext] === $this->file_type); |
|
943 | } |
|
944 | ||
945 | return FALSE; |
|
946 | } |
|
947 | ||
948 | // -------------------------------------------------------------------- |
|
949 | ||
950 | /** |
|
951 | * Verify that the file is within the allowed size |
|
952 | * |
|
953 | * @return bool |
|
954 | * |
|
955 | * @codeCoverageIgnore |
|
956 | */ |
|
957 | public function is_allowed_filesize() |
|
958 | { |
|
959 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
960 | } |
|
961 | ||
962 | // -------------------------------------------------------------------- |
|
963 | ||
964 | /** |
|
965 | * Verify that the image is within the allowed width/height |
|
966 | * |
|
967 | * @return bool |
|
968 | * |
|
969 | * @codeCoverageIgnore |
|
970 | */ |
|
971 | public function is_allowed_dimensions() |
|
972 | { |
|
973 | if ( ! $this->is_image()) |
|
974 | { |
|
975 | return TRUE; |
|
976 | } |
|
977 | ||
978 | if (function_exists('getimagesize')) |
|
979 | { |
|
980 | $D = @getimagesize($this->file_temp); |
|
981 | ||
982 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
983 | { |
|
984 | return FALSE; |
|
985 | } |
|
986 | ||
987 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
988 | { |
|
989 | return FALSE; |
|
990 | } |
|
991 | ||
992 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
993 | { |
|
994 | return FALSE; |
|
995 | } |
|
996 | ||
997 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
998 | { |
|
999 | return FALSE; |
|
1000 | } |
|
1001 | } |
|
1002 | ||
1003 | return TRUE; |
|
1004 | } |
|
1005 | ||
1006 | // -------------------------------------------------------------------- |
|
1007 | ||
1008 | /** |
|
1009 | * Validate Upload Path |
|
1010 | * |
|
1011 | * Verifies that it is a valid upload path with proper permissions. |
|
1012 | * |
|
1013 | * @return bool |
|
1014 | * |
|
1015 | * @codeCoverageIgnore |
|
1016 | */ |
|
1017 | public function validate_upload_path() |
|
1018 | { |
|
1019 | if ($this->upload_path === '') |
|
1020 | { |
|
1021 | $this->set_error('upload_no_filepath', 'error'); |
|
1022 | return FALSE; |
|
1023 | } |
|
1024 | ||
1025 | if (realpath($this->upload_path) !== FALSE) |
|
1026 | { |
|
1027 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1028 | } |
|
1029 | ||
1030 | if ( ! is_dir($this->upload_path)) |
|
1031 | { |
|
1032 | $this->set_error('upload_no_filepath', 'error'); |
|
1033 | return FALSE; |
|
1034 | } |
|
1035 | ||
1036 | if ( ! is_really_writable($this->upload_path)) |
|
1037 | { |
|
1038 | $this->set_error('upload_not_writable', 'error'); |
|
1039 | return FALSE; |
|
1040 | } |
|
1041 | ||
1042 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1043 | return TRUE; |
|
1044 | } |
|
1045 | ||
1046 | // -------------------------------------------------------------------- |
|
1047 | ||
1048 | /** |
|
1049 | * Extract the file extension |
|
1050 | * |
|
1051 | * @param string $filename |
|
1052 | * @return string |
|
1053 | * |
|
1054 | * @codeCoverageIgnore |
|
1055 | */ |
|
1056 | public function get_extension($filename) |
|
1057 | { |
|
1058 | $x = explode('.', $filename); |
|
1059 | ||
1060 | if (count($x) === 1) |
|
1061 | { |
|
1062 | return ''; |
|
1063 | } |
|
1064 | ||
1065 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1066 | return '.'.$ext; |
|
1067 | } |
|
1068 | ||
1069 | // -------------------------------------------------------------------- |
|
1070 | ||
1071 | /** |
|
1072 | * Limit the File Name Length |
|
1073 | * |
|
1074 | * @param string $filename |
|
1075 | * @param int $length |
|
1076 | * @return string |
|
1077 | * |
|
1078 | * @codeCoverageIgnore |
|
1079 | */ |
|
1080 | public function limit_filename_length($filename, $length) |
|
1081 | { |
|
1082 | if (strlen($filename) < $length) |
|
1083 | { |
|
1084 | return $filename; |
|
1085 | } |
|
1086 | ||
1087 | $ext = ''; |
|
1088 | if (strpos($filename, '.') !== FALSE) |
|
1089 | { |
|
1090 | $parts = explode('.', $filename); |
|
1091 | $ext = '.'.array_pop($parts); |
|
1092 | $filename = implode('.', $parts); |
|
1093 | } |
|
1094 | ||
1095 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1096 | } |
|
1097 | ||
1098 | // -------------------------------------------------------------------- |
|
1099 | ||
1100 | /** |
|
1101 | * Runs the file through the XSS clean function |
|
1102 | * |
|
1103 | * This prevents people from embedding malicious code in their files. |
|
1104 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1105 | * but so far I haven't found that it causes trouble. |
|
1106 | * |
|
1107 | * @return string |
|
1108 | * |
|
1109 | * @codeCoverageIgnore |
|
1110 | */ |
|
1111 | public function do_xss_clean() |
|
1112 | { |
|
1113 | $file = $this->file_temp; |
|
1114 | ||
1115 | if (filesize($file) == 0) |
|
1116 | { |
|
1117 | return FALSE; |
|
1118 | } |
|
1119 | ||
1120 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1121 | { |
|
1122 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1123 | if ( ! empty($memory_limit[1])) |
|
1124 | { |
|
1125 | switch ($memory_limit[1][0]) |
|
1126 | { |
|
1127 | case 'g': |
|
1128 | case 'G': |
|
1129 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1130 | break; |
|
1131 | case 'm': |
|
1132 | case 'M': |
|
1133 | $memory_limit[0] *= 1024 * 1024; |
|
1134 | break; |
|
1135 | default: |
|
1136 | break; |
|
1137 | } |
|
1138 | } |
|
1139 | ||
1140 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1141 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1142 | } |
|
1143 | ||
1144 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1145 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1146 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1147 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1148 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1149 | // attempted XSS attack. |
|
1150 | ||
1151 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1152 | { |
|
1153 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1154 | { |
|
1155 | return FALSE; // Couldn't open the file, return FALSE |
|
1156 | } |
|
1157 | ||
1158 | $opening_bytes = fread($file, 256); |
|
1159 | fclose($file); |
|
1160 | ||
1161 | // These are known to throw IE into mime-type detection chaos |
|
1162 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1163 | // title is basically just in SVG, but we filter it anyhow |
|
1164 | ||
1165 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1166 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1167 | } |
|
1168 | ||
1169 | if (($data = @file_get_contents($file)) === FALSE) |
|
1170 | { |
|
1171 | return FALSE; |
|
1172 | } |
|
1173 | ||
1174 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1175 | } |
|
1176 | ||
1177 | // -------------------------------------------------------------------- |
|
1178 | ||
1179 | /** |
|
1180 | * Set an error message |
|
1181 | * |
|
1182 | * @param string $msg |
|
1183 | * @return CI_Upload |
|
1184 | * |
|
1185 | * @codeCoverageIgnore |
|
1186 | */ |
|
1187 | public function set_error($msg, $log_level = 'error') |
|
1188 | { |
|
1189 | $this->_CI->lang->load('upload'); |
|
1190 | ||
1191 | is_array($msg) OR $msg = array($msg); |
|
1192 | foreach ($msg as $val) |
|
1193 | { |
|
1194 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1195 | $this->error_msg[] = $msg; |
|
1196 | log_message($log_level, $msg); |
|
1197 | } |
|
1198 | ||
1199 | return $this; |
|
1200 | } |
|
1201 | ||
1202 | // -------------------------------------------------------------------- |
|
1203 | ||
1204 | /** |
|
1205 | * Display the error message |
|
1206 | * |
|
1207 | * @param string $open |
|
1208 | * @param string $close |
|
1209 | * @return string |
|
1210 | * |
|
1211 | * @codeCoverageIgnore |
|
1212 | */ |
|
1213 | public function display_errors($open = '<p>', $close = '</p>') |
|
1214 | { |
|
1215 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1216 | } |
|
1217 | ||
1218 | // -------------------------------------------------------------------- |
|
1219 | ||
1220 | /** |
|
1221 | * Prep Filename |
|
1222 | * |
|
1223 | * Prevents possible script execution from Apache's handling |
|
1224 | * of files' multiple extensions. |
|
1225 | * |
|
1226 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1227 | * |
|
1228 | * @param string $filename |
|
1229 | * @return string |
|
1230 | * |
|
1231 | * @codeCoverageIgnore |
|
1232 | */ |
|
1233 | protected function _prep_filename($filename) |
|
1234 | { |
|
1235 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1236 | { |
|
1237 | return $filename; |
|
1238 | } |
|
1239 | ||
1240 | $ext = substr($filename, $ext_pos); |
|
1241 | $filename = substr($filename, 0, $ext_pos); |
|
1242 | return str_replace('.', '_', $filename).$ext; |
|
1243 | } |
|
1244 | ||
1245 | // -------------------------------------------------------------------- |
|
1246 | ||
1247 | /** |
|
1248 | * File MIME type |
|
1249 | * |
|
1250 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1251 | * The input array is expected to be $_FILES[$field] |
|
1252 | * |
|
1253 | * @param array $file |
|
1254 | * @return void |
|
1255 | * |
|
1256 | * @codeCoverageIgnore |
|
1257 | */ |
|
1258 | protected function _file_mime_type($file) |
|
1259 | { |
|
1260 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1261 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1262 | ||
1263 | // Fileinfo extension - most reliable method |
|
1264 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1265 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1266 | { |
|
1267 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1268 | finfo_close($finfo); |
|
1269 | ||
1270 | /* According to the comments section of the PHP manual page, |
|
1271 | * it is possible that this function returns an empty string |
|
1272 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1273 | */ |
|
1274 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1275 | { |
|
1276 | $this->file_type = $matches[1]; |
|
1277 | return; |
|
1278 | } |
|
1279 | } |
|
1280 | ||
1281 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1282 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1283 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1284 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1285 | * three different functions. |
|
1286 | * |
|
1287 | * Notes: |
|
1288 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1289 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1290 | * due to security concerns, hence the function_usable() checks |
|
1291 | */ |
|
1292 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1293 | { |
|
1294 | $cmd = function_exists('escapeshellarg') |
|
1295 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1296 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1297 | ||
1298 | if (function_usable('exec')) |
|
1299 | { |
|
1300 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1301 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1302 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1303 | * value, which is only put to allow us to get the return status code. |
|
1304 | */ |
|
1305 | $mime = @exec($cmd, $mime, $return_status); |
|
1306 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1307 | { |
|
1308 | $this->file_type = $matches[1]; |
|
1309 | return; |
|
1310 | } |
|
1311 | } |
|
1312 | ||
1313 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1314 | { |
|
1315 | $mime = @shell_exec($cmd); |
|
1316 | if (strlen($mime) > 0) |
|
1317 | { |
|
1318 | $mime = explode("\n", trim($mime)); |
|
1319 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1320 | { |
|
1321 | $this->file_type = $matches[1]; |
|
1322 | return; |
|
1323 | } |
|
1324 | } |
|
1325 | } |
|
1326 | ||
1327 | if (function_usable('popen')) |
|
1328 | { |
|
1329 | $proc = @popen($cmd, 'r'); |
|
1330 | if (is_resource($proc)) |
|
1331 | { |
|
1332 | $mime = @fread($proc, 512); |
|
1333 | @pclose($proc); |
|
1334 | if ($mime !== FALSE) |
|
1335 | { |
|
1336 | $mime = explode("\n", trim($mime)); |
|
1337 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1338 | { |
|
1339 | $this->file_type = $matches[1]; |
|
1340 | return; |
|
1341 | } |
|
1342 | } |
|
1343 | } |
|
1344 | } |
|
1345 | } |
|
1346 | ||
1347 | // Fall back to the deprecated mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1348 | if (function_exists('mime_content_type')) |
|
1349 | { |
|
1350 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1351 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1352 | { |
|
1353 | return; |
|
1354 | } |
|
1355 | } |
|
1356 | ||
1357 | $this->file_type = $file['type']; |
|
1358 | } |
|
1359 | ||
1360 | } |
|
1361 |
@@ 49-1370 (lines=1322) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | else |
|
692 | { |
|
693 | return $new_filename; |
|
694 | } |
|
695 | } |
|
696 | ||
697 | // -------------------------------------------------------------------- |
|
698 | ||
699 | /** |
|
700 | * Set Maximum File Size |
|
701 | * |
|
702 | * @param int $n |
|
703 | * @return CI_Upload |
|
704 | */ |
|
705 | public function set_max_filesize($n) |
|
706 | { |
|
707 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
708 | return $this; |
|
709 | } |
|
710 | ||
711 | // -------------------------------------------------------------------- |
|
712 | ||
713 | /** |
|
714 | * Set Maximum File Size |
|
715 | * |
|
716 | * An internal alias to set_max_filesize() to help with configuration |
|
717 | * as initialize() will look for a set_<property_name>() method ... |
|
718 | * |
|
719 | * @param int $n |
|
720 | * @return CI_Upload |
|
721 | */ |
|
722 | protected function set_max_size($n) |
|
723 | { |
|
724 | return $this->set_max_filesize($n); |
|
725 | } |
|
726 | ||
727 | // -------------------------------------------------------------------- |
|
728 | ||
729 | /** |
|
730 | * Set Maximum File Name Length |
|
731 | * |
|
732 | * @param int $n |
|
733 | * @return CI_Upload |
|
734 | * |
|
735 | * @codeCoverageIgnore |
|
736 | */ |
|
737 | public function set_max_filename($n) |
|
738 | { |
|
739 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
740 | return $this; |
|
741 | } |
|
742 | ||
743 | // -------------------------------------------------------------------- |
|
744 | ||
745 | /** |
|
746 | * Set Maximum Image Width |
|
747 | * |
|
748 | * @param int $n |
|
749 | * @return CI_Upload |
|
750 | */ |
|
751 | public function set_max_width($n) |
|
752 | { |
|
753 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
754 | return $this; |
|
755 | } |
|
756 | ||
757 | // -------------------------------------------------------------------- |
|
758 | ||
759 | /** |
|
760 | * Set Maximum Image Height |
|
761 | * |
|
762 | * @param int $n |
|
763 | * @return CI_Upload |
|
764 | */ |
|
765 | public function set_max_height($n) |
|
766 | { |
|
767 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
768 | return $this; |
|
769 | } |
|
770 | ||
771 | // -------------------------------------------------------------------- |
|
772 | ||
773 | /** |
|
774 | * Set minimum image width |
|
775 | * |
|
776 | * @param int $n |
|
777 | * @return CI_Upload |
|
778 | * |
|
779 | * @codeCoverageIgnore |
|
780 | */ |
|
781 | public function set_min_width($n) |
|
782 | { |
|
783 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
784 | return $this; |
|
785 | } |
|
786 | ||
787 | // -------------------------------------------------------------------- |
|
788 | ||
789 | /** |
|
790 | * Set minimum image height |
|
791 | * |
|
792 | * @param int $n |
|
793 | * @return CI_Upload |
|
794 | * |
|
795 | * @codeCoverageIgnore |
|
796 | */ |
|
797 | public function set_min_height($n) |
|
798 | { |
|
799 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
800 | return $this; |
|
801 | } |
|
802 | ||
803 | // -------------------------------------------------------------------- |
|
804 | ||
805 | /** |
|
806 | * Set Allowed File Types |
|
807 | * |
|
808 | * @param mixed $types |
|
809 | * @return CI_Upload |
|
810 | */ |
|
811 | public function set_allowed_types($types) |
|
812 | { |
|
813 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
814 | ? $types |
|
815 | : explode('|', $types); |
|
816 | return $this; |
|
817 | } |
|
818 | ||
819 | // -------------------------------------------------------------------- |
|
820 | ||
821 | /** |
|
822 | * Set Image Properties |
|
823 | * |
|
824 | * Uses GD to determine the width/height/type of image |
|
825 | * |
|
826 | * @param string $path |
|
827 | * @return CI_Upload |
|
828 | */ |
|
829 | public function set_image_properties($path = '') |
|
830 | { |
|
831 | if ($this->is_image() && function_exists('getimagesize')) |
|
832 | { |
|
833 | if (FALSE !== ($D = @getimagesize($path))) |
|
834 | { |
|
835 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
836 | ||
837 | $this->image_width = $D[0]; |
|
838 | $this->image_height = $D[1]; |
|
839 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
840 | $this->image_size_str = $D[3]; // string containing height and width |
|
841 | } |
|
842 | } |
|
843 | ||
844 | return $this; |
|
845 | } |
|
846 | ||
847 | // -------------------------------------------------------------------- |
|
848 | ||
849 | /** |
|
850 | * Set XSS Clean |
|
851 | * |
|
852 | * Enables the XSS flag so that the file that was uploaded |
|
853 | * will be run through the XSS filter. |
|
854 | * |
|
855 | * @param bool $flag |
|
856 | * @return CI_Upload |
|
857 | * |
|
858 | * @codeCoverageIgnore |
|
859 | */ |
|
860 | public function set_xss_clean($flag = FALSE) |
|
861 | { |
|
862 | $this->xss_clean = ($flag === TRUE); |
|
863 | return $this; |
|
864 | } |
|
865 | ||
866 | // -------------------------------------------------------------------- |
|
867 | ||
868 | /** |
|
869 | * Validate the image |
|
870 | * |
|
871 | * @return bool |
|
872 | * |
|
873 | * @codeCoverageIgnore |
|
874 | */ |
|
875 | public function is_image() |
|
876 | { |
|
877 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
878 | // jpegs or pngs to the same file type. |
|
879 | ||
880 | $png_mimes = array('image/x-png'); |
|
881 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
882 | ||
883 | if (in_array($this->file_type, $png_mimes)) |
|
884 | { |
|
885 | $this->file_type = 'image/png'; |
|
886 | } |
|
887 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
888 | { |
|
889 | $this->file_type = 'image/jpeg'; |
|
890 | } |
|
891 | ||
892 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
893 | ||
894 | return in_array($this->file_type, $img_mimes, TRUE); |
|
895 | } |
|
896 | ||
897 | // -------------------------------------------------------------------- |
|
898 | ||
899 | /** |
|
900 | * Verify that the filetype is allowed |
|
901 | * |
|
902 | * @param bool $ignore_mime |
|
903 | * @return bool |
|
904 | * |
|
905 | * @codeCoverageIgnore |
|
906 | */ |
|
907 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
908 | { |
|
909 | if ($this->allowed_types === '*') |
|
910 | { |
|
911 | return TRUE; |
|
912 | } |
|
913 | ||
914 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
915 | { |
|
916 | $this->set_error('upload_no_file_types', 'debug'); |
|
917 | return FALSE; |
|
918 | } |
|
919 | ||
920 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
921 | ||
922 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
923 | { |
|
924 | return FALSE; |
|
925 | } |
|
926 | ||
927 | // Images get some additional checks |
|
928 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
929 | { |
|
930 | return FALSE; |
|
931 | } |
|
932 | ||
933 | if ($ignore_mime === TRUE) |
|
934 | { |
|
935 | return TRUE; |
|
936 | } |
|
937 | ||
938 | if (isset($this->_mimes[$ext])) |
|
939 | { |
|
940 | return is_array($this->_mimes[$ext]) |
|
941 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
942 | : ($this->_mimes[$ext] === $this->file_type); |
|
943 | } |
|
944 | ||
945 | return FALSE; |
|
946 | } |
|
947 | ||
948 | // -------------------------------------------------------------------- |
|
949 | ||
950 | /** |
|
951 | * Verify that the file is within the allowed size |
|
952 | * |
|
953 | * @return bool |
|
954 | * |
|
955 | * @codeCoverageIgnore |
|
956 | */ |
|
957 | public function is_allowed_filesize() |
|
958 | { |
|
959 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
960 | } |
|
961 | ||
962 | // -------------------------------------------------------------------- |
|
963 | ||
964 | /** |
|
965 | * Verify that the image is within the allowed width/height |
|
966 | * |
|
967 | * @return bool |
|
968 | * |
|
969 | * @codeCoverageIgnore |
|
970 | */ |
|
971 | public function is_allowed_dimensions() |
|
972 | { |
|
973 | if ( ! $this->is_image()) |
|
974 | { |
|
975 | return TRUE; |
|
976 | } |
|
977 | ||
978 | if (function_exists('getimagesize')) |
|
979 | { |
|
980 | $D = @getimagesize($this->file_temp); |
|
981 | ||
982 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
983 | { |
|
984 | return FALSE; |
|
985 | } |
|
986 | ||
987 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
988 | { |
|
989 | return FALSE; |
|
990 | } |
|
991 | ||
992 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
993 | { |
|
994 | return FALSE; |
|
995 | } |
|
996 | ||
997 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
998 | { |
|
999 | return FALSE; |
|
1000 | } |
|
1001 | } |
|
1002 | ||
1003 | return TRUE; |
|
1004 | } |
|
1005 | ||
1006 | // -------------------------------------------------------------------- |
|
1007 | ||
1008 | /** |
|
1009 | * Validate Upload Path |
|
1010 | * |
|
1011 | * Verifies that it is a valid upload path with proper permissions. |
|
1012 | * |
|
1013 | * @return bool |
|
1014 | * |
|
1015 | * @codeCoverageIgnore |
|
1016 | */ |
|
1017 | public function validate_upload_path() |
|
1018 | { |
|
1019 | if ($this->upload_path === '') |
|
1020 | { |
|
1021 | $this->set_error('upload_no_filepath', 'error'); |
|
1022 | return FALSE; |
|
1023 | } |
|
1024 | ||
1025 | if (realpath($this->upload_path) !== FALSE) |
|
1026 | { |
|
1027 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1028 | } |
|
1029 | ||
1030 | if ( ! is_dir($this->upload_path)) |
|
1031 | { |
|
1032 | $this->set_error('upload_no_filepath', 'error'); |
|
1033 | return FALSE; |
|
1034 | } |
|
1035 | ||
1036 | if ( ! is_really_writable($this->upload_path)) |
|
1037 | { |
|
1038 | $this->set_error('upload_not_writable', 'error'); |
|
1039 | return FALSE; |
|
1040 | } |
|
1041 | ||
1042 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1043 | return TRUE; |
|
1044 | } |
|
1045 | ||
1046 | // -------------------------------------------------------------------- |
|
1047 | ||
1048 | /** |
|
1049 | * Extract the file extension |
|
1050 | * |
|
1051 | * @param string $filename |
|
1052 | * @return string |
|
1053 | * |
|
1054 | * @codeCoverageIgnore |
|
1055 | */ |
|
1056 | public function get_extension($filename) |
|
1057 | { |
|
1058 | $x = explode('.', $filename); |
|
1059 | ||
1060 | if (count($x) === 1) |
|
1061 | { |
|
1062 | return ''; |
|
1063 | } |
|
1064 | ||
1065 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1066 | return '.'.$ext; |
|
1067 | } |
|
1068 | ||
1069 | // -------------------------------------------------------------------- |
|
1070 | ||
1071 | /** |
|
1072 | * Limit the File Name Length |
|
1073 | * |
|
1074 | * @param string $filename |
|
1075 | * @param int $length |
|
1076 | * @return string |
|
1077 | * |
|
1078 | * @codeCoverageIgnore |
|
1079 | */ |
|
1080 | public function limit_filename_length($filename, $length) |
|
1081 | { |
|
1082 | if (strlen($filename) < $length) |
|
1083 | { |
|
1084 | return $filename; |
|
1085 | } |
|
1086 | ||
1087 | $ext = ''; |
|
1088 | if (strpos($filename, '.') !== FALSE) |
|
1089 | { |
|
1090 | $parts = explode('.', $filename); |
|
1091 | $ext = '.'.array_pop($parts); |
|
1092 | $filename = implode('.', $parts); |
|
1093 | } |
|
1094 | ||
1095 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1096 | } |
|
1097 | ||
1098 | // -------------------------------------------------------------------- |
|
1099 | ||
1100 | /** |
|
1101 | * Runs the file through the XSS clean function |
|
1102 | * |
|
1103 | * This prevents people from embedding malicious code in their files. |
|
1104 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1105 | * but so far I haven't found that it causes trouble. |
|
1106 | * |
|
1107 | * @return string |
|
1108 | * |
|
1109 | * @codeCoverageIgnore |
|
1110 | */ |
|
1111 | public function do_xss_clean() |
|
1112 | { |
|
1113 | $file = $this->file_temp; |
|
1114 | ||
1115 | if (filesize($file) == 0) |
|
1116 | { |
|
1117 | return FALSE; |
|
1118 | } |
|
1119 | ||
1120 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1121 | { |
|
1122 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1123 | if ( ! empty($memory_limit[1])) |
|
1124 | { |
|
1125 | switch ($memory_limit[1][0]) |
|
1126 | { |
|
1127 | case 'g': |
|
1128 | case 'G': |
|
1129 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1130 | break; |
|
1131 | case 'm': |
|
1132 | case 'M': |
|
1133 | $memory_limit[0] *= 1024 * 1024; |
|
1134 | break; |
|
1135 | default: |
|
1136 | break; |
|
1137 | } |
|
1138 | } |
|
1139 | ||
1140 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1141 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1142 | } |
|
1143 | ||
1144 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1145 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1146 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1147 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1148 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1149 | // attempted XSS attack. |
|
1150 | ||
1151 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1152 | { |
|
1153 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1154 | { |
|
1155 | return FALSE; // Couldn't open the file, return FALSE |
|
1156 | } |
|
1157 | ||
1158 | $opening_bytes = fread($file, 256); |
|
1159 | fclose($file); |
|
1160 | ||
1161 | // These are known to throw IE into mime-type detection chaos |
|
1162 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1163 | // title is basically just in SVG, but we filter it anyhow |
|
1164 | ||
1165 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1166 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1167 | } |
|
1168 | ||
1169 | if (($data = @file_get_contents($file)) === FALSE) |
|
1170 | { |
|
1171 | return FALSE; |
|
1172 | } |
|
1173 | ||
1174 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1175 | } |
|
1176 | ||
1177 | // -------------------------------------------------------------------- |
|
1178 | ||
1179 | /** |
|
1180 | * Set an error message |
|
1181 | * |
|
1182 | * @param string $msg |
|
1183 | * @return CI_Upload |
|
1184 | * |
|
1185 | * @codeCoverageIgnore |
|
1186 | */ |
|
1187 | public function set_error($msg, $log_level = 'error') |
|
1188 | { |
|
1189 | $this->_CI->lang->load('upload'); |
|
1190 | ||
1191 | is_array($msg) OR $msg = array($msg); |
|
1192 | foreach ($msg as $val) |
|
1193 | { |
|
1194 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1195 | $this->error_msg[] = $msg; |
|
1196 | log_message($log_level, $msg); |
|
1197 | } |
|
1198 | ||
1199 | return $this; |
|
1200 | } |
|
1201 | ||
1202 | // -------------------------------------------------------------------- |
|
1203 | ||
1204 | /** |
|
1205 | * Display the error message |
|
1206 | * |
|
1207 | * @param string $open |
|
1208 | * @param string $close |
|
1209 | * @return string |
|
1210 | * |
|
1211 | * @codeCoverageIgnore |
|
1212 | */ |
|
1213 | public function display_errors($open = '<p>', $close = '</p>') |
|
1214 | { |
|
1215 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1216 | } |
|
1217 | ||
1218 | // -------------------------------------------------------------------- |
|
1219 | ||
1220 | /** |
|
1221 | * Prep Filename |
|
1222 | * |
|
1223 | * Prevents possible script execution from Apache's handling |
|
1224 | * of files' multiple extensions. |
|
1225 | * |
|
1226 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1227 | * |
|
1228 | * @param string $filename |
|
1229 | * @return string |
|
1230 | * |
|
1231 | * @codeCoverageIgnore |
|
1232 | */ |
|
1233 | protected function _prep_filename($filename) |
|
1234 | { |
|
1235 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1236 | { |
|
1237 | return $filename; |
|
1238 | } |
|
1239 | ||
1240 | $ext = substr($filename, $ext_pos); |
|
1241 | $filename = substr($filename, 0, $ext_pos); |
|
1242 | return str_replace('.', '_', $filename).$ext; |
|
1243 | } |
|
1244 | ||
1245 | // -------------------------------------------------------------------- |
|
1246 | ||
1247 | /** |
|
1248 | * File MIME type |
|
1249 | * |
|
1250 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1251 | * The input array is expected to be $_FILES[$field] |
|
1252 | * |
|
1253 | * @param array $file |
|
1254 | * @return void |
|
1255 | * |
|
1256 | * @codeCoverageIgnore |
|
1257 | */ |
|
1258 | protected function _file_mime_type($file) |
|
1259 | { |
|
1260 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1261 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1262 | ||
1263 | /** |
|
1264 | * Fileinfo extension - most reliable method |
|
1265 | * |
|
1266 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1267 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1268 | * ext/fileinfo, which is otherwise enabled by default |
|
1269 | * since PHP 5.3 ... |
|
1270 | */ |
|
1271 | if (function_exists('finfo_file')) |
|
1272 | { |
|
1273 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1274 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1275 | { |
|
1276 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1277 | finfo_close($finfo); |
|
1278 | ||
1279 | /* According to the comments section of the PHP manual page, |
|
1280 | * it is possible that this function returns an empty string |
|
1281 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1282 | */ |
|
1283 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1284 | { |
|
1285 | $this->file_type = $matches[1]; |
|
1286 | return; |
|
1287 | } |
|
1288 | } |
|
1289 | } |
|
1290 | ||
1291 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1292 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1293 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1294 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1295 | * three different functions. |
|
1296 | * |
|
1297 | * Notes: |
|
1298 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1299 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1300 | * due to security concerns, hence the function_usable() checks |
|
1301 | */ |
|
1302 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1303 | { |
|
1304 | $cmd = function_exists('escapeshellarg') |
|
1305 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1306 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1307 | ||
1308 | if (function_usable('exec')) |
|
1309 | { |
|
1310 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1311 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1312 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1313 | * value, which is only put to allow us to get the return status code. |
|
1314 | */ |
|
1315 | $mime = @exec($cmd, $mime, $return_status); |
|
1316 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1317 | { |
|
1318 | $this->file_type = $matches[1]; |
|
1319 | return; |
|
1320 | } |
|
1321 | } |
|
1322 | ||
1323 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1324 | { |
|
1325 | $mime = @shell_exec($cmd); |
|
1326 | if (strlen($mime) > 0) |
|
1327 | { |
|
1328 | $mime = explode("\n", trim($mime)); |
|
1329 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1330 | { |
|
1331 | $this->file_type = $matches[1]; |
|
1332 | return; |
|
1333 | } |
|
1334 | } |
|
1335 | } |
|
1336 | ||
1337 | if (function_usable('popen')) |
|
1338 | { |
|
1339 | $proc = @popen($cmd, 'r'); |
|
1340 | if (is_resource($proc)) |
|
1341 | { |
|
1342 | $mime = @fread($proc, 512); |
|
1343 | @pclose($proc); |
|
1344 | if ($mime !== FALSE) |
|
1345 | { |
|
1346 | $mime = explode("\n", trim($mime)); |
|
1347 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1348 | { |
|
1349 | $this->file_type = $matches[1]; |
|
1350 | return; |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | } |
|
1355 | } |
|
1356 | ||
1357 | // Fall back to the deprecated mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1358 | if (function_exists('mime_content_type')) |
|
1359 | { |
|
1360 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1361 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1362 | { |
|
1363 | return; |
|
1364 | } |
|
1365 | } |
|
1366 | ||
1367 | $this->file_type = $file['type']; |
|
1368 | } |
|
1369 | ||
1370 | } |
|
1371 |
@@ 49-1370 (lines=1322) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | else |
|
692 | { |
|
693 | return $new_filename; |
|
694 | } |
|
695 | } |
|
696 | ||
697 | // -------------------------------------------------------------------- |
|
698 | ||
699 | /** |
|
700 | * Set Maximum File Size |
|
701 | * |
|
702 | * @param int $n |
|
703 | * @return CI_Upload |
|
704 | */ |
|
705 | public function set_max_filesize($n) |
|
706 | { |
|
707 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
708 | return $this; |
|
709 | } |
|
710 | ||
711 | // -------------------------------------------------------------------- |
|
712 | ||
713 | /** |
|
714 | * Set Maximum File Size |
|
715 | * |
|
716 | * An internal alias to set_max_filesize() to help with configuration |
|
717 | * as initialize() will look for a set_<property_name>() method ... |
|
718 | * |
|
719 | * @param int $n |
|
720 | * @return CI_Upload |
|
721 | */ |
|
722 | protected function set_max_size($n) |
|
723 | { |
|
724 | return $this->set_max_filesize($n); |
|
725 | } |
|
726 | ||
727 | // -------------------------------------------------------------------- |
|
728 | ||
729 | /** |
|
730 | * Set Maximum File Name Length |
|
731 | * |
|
732 | * @param int $n |
|
733 | * @return CI_Upload |
|
734 | * |
|
735 | * @codeCoverageIgnore |
|
736 | */ |
|
737 | public function set_max_filename($n) |
|
738 | { |
|
739 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
740 | return $this; |
|
741 | } |
|
742 | ||
743 | // -------------------------------------------------------------------- |
|
744 | ||
745 | /** |
|
746 | * Set Maximum Image Width |
|
747 | * |
|
748 | * @param int $n |
|
749 | * @return CI_Upload |
|
750 | */ |
|
751 | public function set_max_width($n) |
|
752 | { |
|
753 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
754 | return $this; |
|
755 | } |
|
756 | ||
757 | // -------------------------------------------------------------------- |
|
758 | ||
759 | /** |
|
760 | * Set Maximum Image Height |
|
761 | * |
|
762 | * @param int $n |
|
763 | * @return CI_Upload |
|
764 | */ |
|
765 | public function set_max_height($n) |
|
766 | { |
|
767 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
768 | return $this; |
|
769 | } |
|
770 | ||
771 | // -------------------------------------------------------------------- |
|
772 | ||
773 | /** |
|
774 | * Set minimum image width |
|
775 | * |
|
776 | * @param int $n |
|
777 | * @return CI_Upload |
|
778 | * |
|
779 | * @codeCoverageIgnore |
|
780 | */ |
|
781 | public function set_min_width($n) |
|
782 | { |
|
783 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
784 | return $this; |
|
785 | } |
|
786 | ||
787 | // -------------------------------------------------------------------- |
|
788 | ||
789 | /** |
|
790 | * Set minimum image height |
|
791 | * |
|
792 | * @param int $n |
|
793 | * @return CI_Upload |
|
794 | * |
|
795 | * @codeCoverageIgnore |
|
796 | */ |
|
797 | public function set_min_height($n) |
|
798 | { |
|
799 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
800 | return $this; |
|
801 | } |
|
802 | ||
803 | // -------------------------------------------------------------------- |
|
804 | ||
805 | /** |
|
806 | * Set Allowed File Types |
|
807 | * |
|
808 | * @param mixed $types |
|
809 | * @return CI_Upload |
|
810 | */ |
|
811 | public function set_allowed_types($types) |
|
812 | { |
|
813 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
814 | ? $types |
|
815 | : explode('|', $types); |
|
816 | return $this; |
|
817 | } |
|
818 | ||
819 | // -------------------------------------------------------------------- |
|
820 | ||
821 | /** |
|
822 | * Set Image Properties |
|
823 | * |
|
824 | * Uses GD to determine the width/height/type of image |
|
825 | * |
|
826 | * @param string $path |
|
827 | * @return CI_Upload |
|
828 | */ |
|
829 | public function set_image_properties($path = '') |
|
830 | { |
|
831 | if ($this->is_image() && function_exists('getimagesize')) |
|
832 | { |
|
833 | if (FALSE !== ($D = @getimagesize($path))) |
|
834 | { |
|
835 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
836 | ||
837 | $this->image_width = $D[0]; |
|
838 | $this->image_height = $D[1]; |
|
839 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
840 | $this->image_size_str = $D[3]; // string containing height and width |
|
841 | } |
|
842 | } |
|
843 | ||
844 | return $this; |
|
845 | } |
|
846 | ||
847 | // -------------------------------------------------------------------- |
|
848 | ||
849 | /** |
|
850 | * Set XSS Clean |
|
851 | * |
|
852 | * Enables the XSS flag so that the file that was uploaded |
|
853 | * will be run through the XSS filter. |
|
854 | * |
|
855 | * @param bool $flag |
|
856 | * @return CI_Upload |
|
857 | * |
|
858 | * @codeCoverageIgnore |
|
859 | */ |
|
860 | public function set_xss_clean($flag = FALSE) |
|
861 | { |
|
862 | $this->xss_clean = ($flag === TRUE); |
|
863 | return $this; |
|
864 | } |
|
865 | ||
866 | // -------------------------------------------------------------------- |
|
867 | ||
868 | /** |
|
869 | * Validate the image |
|
870 | * |
|
871 | * @return bool |
|
872 | * |
|
873 | * @codeCoverageIgnore |
|
874 | */ |
|
875 | public function is_image() |
|
876 | { |
|
877 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
878 | // jpegs or pngs to the same file type. |
|
879 | ||
880 | $png_mimes = array('image/x-png'); |
|
881 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
882 | ||
883 | if (in_array($this->file_type, $png_mimes)) |
|
884 | { |
|
885 | $this->file_type = 'image/png'; |
|
886 | } |
|
887 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
888 | { |
|
889 | $this->file_type = 'image/jpeg'; |
|
890 | } |
|
891 | ||
892 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
893 | ||
894 | return in_array($this->file_type, $img_mimes, TRUE); |
|
895 | } |
|
896 | ||
897 | // -------------------------------------------------------------------- |
|
898 | ||
899 | /** |
|
900 | * Verify that the filetype is allowed |
|
901 | * |
|
902 | * @param bool $ignore_mime |
|
903 | * @return bool |
|
904 | * |
|
905 | * @codeCoverageIgnore |
|
906 | */ |
|
907 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
908 | { |
|
909 | if ($this->allowed_types === '*') |
|
910 | { |
|
911 | return TRUE; |
|
912 | } |
|
913 | ||
914 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
915 | { |
|
916 | $this->set_error('upload_no_file_types', 'debug'); |
|
917 | return FALSE; |
|
918 | } |
|
919 | ||
920 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
921 | ||
922 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
923 | { |
|
924 | return FALSE; |
|
925 | } |
|
926 | ||
927 | // Images get some additional checks |
|
928 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
929 | { |
|
930 | return FALSE; |
|
931 | } |
|
932 | ||
933 | if ($ignore_mime === TRUE) |
|
934 | { |
|
935 | return TRUE; |
|
936 | } |
|
937 | ||
938 | if (isset($this->_mimes[$ext])) |
|
939 | { |
|
940 | return is_array($this->_mimes[$ext]) |
|
941 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
942 | : ($this->_mimes[$ext] === $this->file_type); |
|
943 | } |
|
944 | ||
945 | return FALSE; |
|
946 | } |
|
947 | ||
948 | // -------------------------------------------------------------------- |
|
949 | ||
950 | /** |
|
951 | * Verify that the file is within the allowed size |
|
952 | * |
|
953 | * @return bool |
|
954 | * |
|
955 | * @codeCoverageIgnore |
|
956 | */ |
|
957 | public function is_allowed_filesize() |
|
958 | { |
|
959 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
960 | } |
|
961 | ||
962 | // -------------------------------------------------------------------- |
|
963 | ||
964 | /** |
|
965 | * Verify that the image is within the allowed width/height |
|
966 | * |
|
967 | * @return bool |
|
968 | * |
|
969 | * @codeCoverageIgnore |
|
970 | */ |
|
971 | public function is_allowed_dimensions() |
|
972 | { |
|
973 | if ( ! $this->is_image()) |
|
974 | { |
|
975 | return TRUE; |
|
976 | } |
|
977 | ||
978 | if (function_exists('getimagesize')) |
|
979 | { |
|
980 | $D = @getimagesize($this->file_temp); |
|
981 | ||
982 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
983 | { |
|
984 | return FALSE; |
|
985 | } |
|
986 | ||
987 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
988 | { |
|
989 | return FALSE; |
|
990 | } |
|
991 | ||
992 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
993 | { |
|
994 | return FALSE; |
|
995 | } |
|
996 | ||
997 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
998 | { |
|
999 | return FALSE; |
|
1000 | } |
|
1001 | } |
|
1002 | ||
1003 | return TRUE; |
|
1004 | } |
|
1005 | ||
1006 | // -------------------------------------------------------------------- |
|
1007 | ||
1008 | /** |
|
1009 | * Validate Upload Path |
|
1010 | * |
|
1011 | * Verifies that it is a valid upload path with proper permissions. |
|
1012 | * |
|
1013 | * @return bool |
|
1014 | * |
|
1015 | * @codeCoverageIgnore |
|
1016 | */ |
|
1017 | public function validate_upload_path() |
|
1018 | { |
|
1019 | if ($this->upload_path === '') |
|
1020 | { |
|
1021 | $this->set_error('upload_no_filepath', 'error'); |
|
1022 | return FALSE; |
|
1023 | } |
|
1024 | ||
1025 | if (realpath($this->upload_path) !== FALSE) |
|
1026 | { |
|
1027 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1028 | } |
|
1029 | ||
1030 | if ( ! is_dir($this->upload_path)) |
|
1031 | { |
|
1032 | $this->set_error('upload_no_filepath', 'error'); |
|
1033 | return FALSE; |
|
1034 | } |
|
1035 | ||
1036 | if ( ! is_really_writable($this->upload_path)) |
|
1037 | { |
|
1038 | $this->set_error('upload_not_writable', 'error'); |
|
1039 | return FALSE; |
|
1040 | } |
|
1041 | ||
1042 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1043 | return TRUE; |
|
1044 | } |
|
1045 | ||
1046 | // -------------------------------------------------------------------- |
|
1047 | ||
1048 | /** |
|
1049 | * Extract the file extension |
|
1050 | * |
|
1051 | * @param string $filename |
|
1052 | * @return string |
|
1053 | * |
|
1054 | * @codeCoverageIgnore |
|
1055 | */ |
|
1056 | public function get_extension($filename) |
|
1057 | { |
|
1058 | $x = explode('.', $filename); |
|
1059 | ||
1060 | if (count($x) === 1) |
|
1061 | { |
|
1062 | return ''; |
|
1063 | } |
|
1064 | ||
1065 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1066 | return '.'.$ext; |
|
1067 | } |
|
1068 | ||
1069 | // -------------------------------------------------------------------- |
|
1070 | ||
1071 | /** |
|
1072 | * Limit the File Name Length |
|
1073 | * |
|
1074 | * @param string $filename |
|
1075 | * @param int $length |
|
1076 | * @return string |
|
1077 | * |
|
1078 | * @codeCoverageIgnore |
|
1079 | */ |
|
1080 | public function limit_filename_length($filename, $length) |
|
1081 | { |
|
1082 | if (strlen($filename) < $length) |
|
1083 | { |
|
1084 | return $filename; |
|
1085 | } |
|
1086 | ||
1087 | $ext = ''; |
|
1088 | if (strpos($filename, '.') !== FALSE) |
|
1089 | { |
|
1090 | $parts = explode('.', $filename); |
|
1091 | $ext = '.'.array_pop($parts); |
|
1092 | $filename = implode('.', $parts); |
|
1093 | } |
|
1094 | ||
1095 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1096 | } |
|
1097 | ||
1098 | // -------------------------------------------------------------------- |
|
1099 | ||
1100 | /** |
|
1101 | * Runs the file through the XSS clean function |
|
1102 | * |
|
1103 | * This prevents people from embedding malicious code in their files. |
|
1104 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1105 | * but so far I haven't found that it causes trouble. |
|
1106 | * |
|
1107 | * @return string |
|
1108 | * |
|
1109 | * @codeCoverageIgnore |
|
1110 | */ |
|
1111 | public function do_xss_clean() |
|
1112 | { |
|
1113 | $file = $this->file_temp; |
|
1114 | ||
1115 | if (filesize($file) == 0) |
|
1116 | { |
|
1117 | return FALSE; |
|
1118 | } |
|
1119 | ||
1120 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1121 | { |
|
1122 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1123 | if ( ! empty($memory_limit[1])) |
|
1124 | { |
|
1125 | switch ($memory_limit[1][0]) |
|
1126 | { |
|
1127 | case 'g': |
|
1128 | case 'G': |
|
1129 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1130 | break; |
|
1131 | case 'm': |
|
1132 | case 'M': |
|
1133 | $memory_limit[0] *= 1024 * 1024; |
|
1134 | break; |
|
1135 | default: |
|
1136 | break; |
|
1137 | } |
|
1138 | } |
|
1139 | ||
1140 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1141 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1142 | } |
|
1143 | ||
1144 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1145 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1146 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1147 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1148 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1149 | // attempted XSS attack. |
|
1150 | ||
1151 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1152 | { |
|
1153 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1154 | { |
|
1155 | return FALSE; // Couldn't open the file, return FALSE |
|
1156 | } |
|
1157 | ||
1158 | $opening_bytes = fread($file, 256); |
|
1159 | fclose($file); |
|
1160 | ||
1161 | // These are known to throw IE into mime-type detection chaos |
|
1162 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1163 | // title is basically just in SVG, but we filter it anyhow |
|
1164 | ||
1165 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1166 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1167 | } |
|
1168 | ||
1169 | if (($data = @file_get_contents($file)) === FALSE) |
|
1170 | { |
|
1171 | return FALSE; |
|
1172 | } |
|
1173 | ||
1174 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1175 | } |
|
1176 | ||
1177 | // -------------------------------------------------------------------- |
|
1178 | ||
1179 | /** |
|
1180 | * Set an error message |
|
1181 | * |
|
1182 | * @param string $msg |
|
1183 | * @return CI_Upload |
|
1184 | * |
|
1185 | * @codeCoverageIgnore |
|
1186 | */ |
|
1187 | public function set_error($msg, $log_level = 'error') |
|
1188 | { |
|
1189 | $this->_CI->lang->load('upload'); |
|
1190 | ||
1191 | is_array($msg) OR $msg = array($msg); |
|
1192 | foreach ($msg as $val) |
|
1193 | { |
|
1194 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1195 | $this->error_msg[] = $msg; |
|
1196 | log_message($log_level, $msg); |
|
1197 | } |
|
1198 | ||
1199 | return $this; |
|
1200 | } |
|
1201 | ||
1202 | // -------------------------------------------------------------------- |
|
1203 | ||
1204 | /** |
|
1205 | * Display the error message |
|
1206 | * |
|
1207 | * @param string $open |
|
1208 | * @param string $close |
|
1209 | * @return string |
|
1210 | * |
|
1211 | * @codeCoverageIgnore |
|
1212 | */ |
|
1213 | public function display_errors($open = '<p>', $close = '</p>') |
|
1214 | { |
|
1215 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1216 | } |
|
1217 | ||
1218 | // -------------------------------------------------------------------- |
|
1219 | ||
1220 | /** |
|
1221 | * Prep Filename |
|
1222 | * |
|
1223 | * Prevents possible script execution from Apache's handling |
|
1224 | * of files' multiple extensions. |
|
1225 | * |
|
1226 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1227 | * |
|
1228 | * @param string $filename |
|
1229 | * @return string |
|
1230 | * |
|
1231 | * @codeCoverageIgnore |
|
1232 | */ |
|
1233 | protected function _prep_filename($filename) |
|
1234 | { |
|
1235 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1236 | { |
|
1237 | return $filename; |
|
1238 | } |
|
1239 | ||
1240 | $ext = substr($filename, $ext_pos); |
|
1241 | $filename = substr($filename, 0, $ext_pos); |
|
1242 | return str_replace('.', '_', $filename).$ext; |
|
1243 | } |
|
1244 | ||
1245 | // -------------------------------------------------------------------- |
|
1246 | ||
1247 | /** |
|
1248 | * File MIME type |
|
1249 | * |
|
1250 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1251 | * The input array is expected to be $_FILES[$field] |
|
1252 | * |
|
1253 | * @param array $file |
|
1254 | * @return void |
|
1255 | * |
|
1256 | * @codeCoverageIgnore |
|
1257 | */ |
|
1258 | protected function _file_mime_type($file) |
|
1259 | { |
|
1260 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1261 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1262 | ||
1263 | /** |
|
1264 | * Fileinfo extension - most reliable method |
|
1265 | * |
|
1266 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1267 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1268 | * ext/fileinfo, which is otherwise enabled by default |
|
1269 | * since PHP 5.3 ... |
|
1270 | */ |
|
1271 | if (function_exists('finfo_file')) |
|
1272 | { |
|
1273 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1274 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1275 | { |
|
1276 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1277 | finfo_close($finfo); |
|
1278 | ||
1279 | /* According to the comments section of the PHP manual page, |
|
1280 | * it is possible that this function returns an empty string |
|
1281 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1282 | */ |
|
1283 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1284 | { |
|
1285 | $this->file_type = $matches[1]; |
|
1286 | return; |
|
1287 | } |
|
1288 | } |
|
1289 | } |
|
1290 | ||
1291 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1292 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1293 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1294 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1295 | * three different functions. |
|
1296 | * |
|
1297 | * Notes: |
|
1298 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1299 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1300 | * due to security concerns, hence the function_usable() checks |
|
1301 | */ |
|
1302 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1303 | { |
|
1304 | $cmd = function_exists('escapeshellarg') |
|
1305 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1306 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1307 | ||
1308 | if (function_usable('exec')) |
|
1309 | { |
|
1310 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1311 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1312 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1313 | * value, which is only put to allow us to get the return status code. |
|
1314 | */ |
|
1315 | $mime = @exec($cmd, $mime, $return_status); |
|
1316 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1317 | { |
|
1318 | $this->file_type = $matches[1]; |
|
1319 | return; |
|
1320 | } |
|
1321 | } |
|
1322 | ||
1323 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1324 | { |
|
1325 | $mime = @shell_exec($cmd); |
|
1326 | if (strlen($mime) > 0) |
|
1327 | { |
|
1328 | $mime = explode("\n", trim($mime)); |
|
1329 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1330 | { |
|
1331 | $this->file_type = $matches[1]; |
|
1332 | return; |
|
1333 | } |
|
1334 | } |
|
1335 | } |
|
1336 | ||
1337 | if (function_usable('popen')) |
|
1338 | { |
|
1339 | $proc = @popen($cmd, 'r'); |
|
1340 | if (is_resource($proc)) |
|
1341 | { |
|
1342 | $mime = @fread($proc, 512); |
|
1343 | @pclose($proc); |
|
1344 | if ($mime !== FALSE) |
|
1345 | { |
|
1346 | $mime = explode("\n", trim($mime)); |
|
1347 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1348 | { |
|
1349 | $this->file_type = $matches[1]; |
|
1350 | return; |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | } |
|
1355 | } |
|
1356 | ||
1357 | // Fall back to the deprecated mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1358 | if (function_exists('mime_content_type')) |
|
1359 | { |
|
1360 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1361 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1362 | { |
|
1363 | return; |
|
1364 | } |
|
1365 | } |
|
1366 | ||
1367 | $this->file_type = $file['type']; |
|
1368 | } |
|
1369 | ||
1370 | } |
|
1371 |
@@ 49-1370 (lines=1322) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | else |
|
692 | { |
|
693 | return $new_filename; |
|
694 | } |
|
695 | } |
|
696 | ||
697 | // -------------------------------------------------------------------- |
|
698 | ||
699 | /** |
|
700 | * Set Maximum File Size |
|
701 | * |
|
702 | * @param int $n |
|
703 | * @return CI_Upload |
|
704 | */ |
|
705 | public function set_max_filesize($n) |
|
706 | { |
|
707 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
708 | return $this; |
|
709 | } |
|
710 | ||
711 | // -------------------------------------------------------------------- |
|
712 | ||
713 | /** |
|
714 | * Set Maximum File Size |
|
715 | * |
|
716 | * An internal alias to set_max_filesize() to help with configuration |
|
717 | * as initialize() will look for a set_<property_name>() method ... |
|
718 | * |
|
719 | * @param int $n |
|
720 | * @return CI_Upload |
|
721 | */ |
|
722 | protected function set_max_size($n) |
|
723 | { |
|
724 | return $this->set_max_filesize($n); |
|
725 | } |
|
726 | ||
727 | // -------------------------------------------------------------------- |
|
728 | ||
729 | /** |
|
730 | * Set Maximum File Name Length |
|
731 | * |
|
732 | * @param int $n |
|
733 | * @return CI_Upload |
|
734 | * |
|
735 | * @codeCoverageIgnore |
|
736 | */ |
|
737 | public function set_max_filename($n) |
|
738 | { |
|
739 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
740 | return $this; |
|
741 | } |
|
742 | ||
743 | // -------------------------------------------------------------------- |
|
744 | ||
745 | /** |
|
746 | * Set Maximum Image Width |
|
747 | * |
|
748 | * @param int $n |
|
749 | * @return CI_Upload |
|
750 | */ |
|
751 | public function set_max_width($n) |
|
752 | { |
|
753 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
754 | return $this; |
|
755 | } |
|
756 | ||
757 | // -------------------------------------------------------------------- |
|
758 | ||
759 | /** |
|
760 | * Set Maximum Image Height |
|
761 | * |
|
762 | * @param int $n |
|
763 | * @return CI_Upload |
|
764 | */ |
|
765 | public function set_max_height($n) |
|
766 | { |
|
767 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
768 | return $this; |
|
769 | } |
|
770 | ||
771 | // -------------------------------------------------------------------- |
|
772 | ||
773 | /** |
|
774 | * Set minimum image width |
|
775 | * |
|
776 | * @param int $n |
|
777 | * @return CI_Upload |
|
778 | * |
|
779 | * @codeCoverageIgnore |
|
780 | */ |
|
781 | public function set_min_width($n) |
|
782 | { |
|
783 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
784 | return $this; |
|
785 | } |
|
786 | ||
787 | // -------------------------------------------------------------------- |
|
788 | ||
789 | /** |
|
790 | * Set minimum image height |
|
791 | * |
|
792 | * @param int $n |
|
793 | * @return CI_Upload |
|
794 | * |
|
795 | * @codeCoverageIgnore |
|
796 | */ |
|
797 | public function set_min_height($n) |
|
798 | { |
|
799 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
800 | return $this; |
|
801 | } |
|
802 | ||
803 | // -------------------------------------------------------------------- |
|
804 | ||
805 | /** |
|
806 | * Set Allowed File Types |
|
807 | * |
|
808 | * @param mixed $types |
|
809 | * @return CI_Upload |
|
810 | */ |
|
811 | public function set_allowed_types($types) |
|
812 | { |
|
813 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
814 | ? $types |
|
815 | : explode('|', $types); |
|
816 | return $this; |
|
817 | } |
|
818 | ||
819 | // -------------------------------------------------------------------- |
|
820 | ||
821 | /** |
|
822 | * Set Image Properties |
|
823 | * |
|
824 | * Uses GD to determine the width/height/type of image |
|
825 | * |
|
826 | * @param string $path |
|
827 | * @return CI_Upload |
|
828 | */ |
|
829 | public function set_image_properties($path = '') |
|
830 | { |
|
831 | if ($this->is_image() && function_exists('getimagesize')) |
|
832 | { |
|
833 | if (FALSE !== ($D = @getimagesize($path))) |
|
834 | { |
|
835 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
836 | ||
837 | $this->image_width = $D[0]; |
|
838 | $this->image_height = $D[1]; |
|
839 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
840 | $this->image_size_str = $D[3]; // string containing height and width |
|
841 | } |
|
842 | } |
|
843 | ||
844 | return $this; |
|
845 | } |
|
846 | ||
847 | // -------------------------------------------------------------------- |
|
848 | ||
849 | /** |
|
850 | * Set XSS Clean |
|
851 | * |
|
852 | * Enables the XSS flag so that the file that was uploaded |
|
853 | * will be run through the XSS filter. |
|
854 | * |
|
855 | * @param bool $flag |
|
856 | * @return CI_Upload |
|
857 | * |
|
858 | * @codeCoverageIgnore |
|
859 | */ |
|
860 | public function set_xss_clean($flag = FALSE) |
|
861 | { |
|
862 | $this->xss_clean = ($flag === TRUE); |
|
863 | return $this; |
|
864 | } |
|
865 | ||
866 | // -------------------------------------------------------------------- |
|
867 | ||
868 | /** |
|
869 | * Validate the image |
|
870 | * |
|
871 | * @return bool |
|
872 | * |
|
873 | * @codeCoverageIgnore |
|
874 | */ |
|
875 | public function is_image() |
|
876 | { |
|
877 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
878 | // jpegs or pngs to the same file type. |
|
879 | ||
880 | $png_mimes = array('image/x-png'); |
|
881 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
882 | ||
883 | if (in_array($this->file_type, $png_mimes)) |
|
884 | { |
|
885 | $this->file_type = 'image/png'; |
|
886 | } |
|
887 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
888 | { |
|
889 | $this->file_type = 'image/jpeg'; |
|
890 | } |
|
891 | ||
892 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
893 | ||
894 | return in_array($this->file_type, $img_mimes, TRUE); |
|
895 | } |
|
896 | ||
897 | // -------------------------------------------------------------------- |
|
898 | ||
899 | /** |
|
900 | * Verify that the filetype is allowed |
|
901 | * |
|
902 | * @param bool $ignore_mime |
|
903 | * @return bool |
|
904 | * |
|
905 | * @codeCoverageIgnore |
|
906 | */ |
|
907 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
908 | { |
|
909 | if ($this->allowed_types === '*') |
|
910 | { |
|
911 | return TRUE; |
|
912 | } |
|
913 | ||
914 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
915 | { |
|
916 | $this->set_error('upload_no_file_types', 'debug'); |
|
917 | return FALSE; |
|
918 | } |
|
919 | ||
920 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
921 | ||
922 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
923 | { |
|
924 | return FALSE; |
|
925 | } |
|
926 | ||
927 | // Images get some additional checks |
|
928 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
929 | { |
|
930 | return FALSE; |
|
931 | } |
|
932 | ||
933 | if ($ignore_mime === TRUE) |
|
934 | { |
|
935 | return TRUE; |
|
936 | } |
|
937 | ||
938 | if (isset($this->_mimes[$ext])) |
|
939 | { |
|
940 | return is_array($this->_mimes[$ext]) |
|
941 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
942 | : ($this->_mimes[$ext] === $this->file_type); |
|
943 | } |
|
944 | ||
945 | return FALSE; |
|
946 | } |
|
947 | ||
948 | // -------------------------------------------------------------------- |
|
949 | ||
950 | /** |
|
951 | * Verify that the file is within the allowed size |
|
952 | * |
|
953 | * @return bool |
|
954 | * |
|
955 | * @codeCoverageIgnore |
|
956 | */ |
|
957 | public function is_allowed_filesize() |
|
958 | { |
|
959 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
960 | } |
|
961 | ||
962 | // -------------------------------------------------------------------- |
|
963 | ||
964 | /** |
|
965 | * Verify that the image is within the allowed width/height |
|
966 | * |
|
967 | * @return bool |
|
968 | * |
|
969 | * @codeCoverageIgnore |
|
970 | */ |
|
971 | public function is_allowed_dimensions() |
|
972 | { |
|
973 | if ( ! $this->is_image()) |
|
974 | { |
|
975 | return TRUE; |
|
976 | } |
|
977 | ||
978 | if (function_exists('getimagesize')) |
|
979 | { |
|
980 | $D = @getimagesize($this->file_temp); |
|
981 | ||
982 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
983 | { |
|
984 | return FALSE; |
|
985 | } |
|
986 | ||
987 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
988 | { |
|
989 | return FALSE; |
|
990 | } |
|
991 | ||
992 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
993 | { |
|
994 | return FALSE; |
|
995 | } |
|
996 | ||
997 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
998 | { |
|
999 | return FALSE; |
|
1000 | } |
|
1001 | } |
|
1002 | ||
1003 | return TRUE; |
|
1004 | } |
|
1005 | ||
1006 | // -------------------------------------------------------------------- |
|
1007 | ||
1008 | /** |
|
1009 | * Validate Upload Path |
|
1010 | * |
|
1011 | * Verifies that it is a valid upload path with proper permissions. |
|
1012 | * |
|
1013 | * @return bool |
|
1014 | * |
|
1015 | * @codeCoverageIgnore |
|
1016 | */ |
|
1017 | public function validate_upload_path() |
|
1018 | { |
|
1019 | if ($this->upload_path === '') |
|
1020 | { |
|
1021 | $this->set_error('upload_no_filepath', 'error'); |
|
1022 | return FALSE; |
|
1023 | } |
|
1024 | ||
1025 | if (realpath($this->upload_path) !== FALSE) |
|
1026 | { |
|
1027 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1028 | } |
|
1029 | ||
1030 | if ( ! is_dir($this->upload_path)) |
|
1031 | { |
|
1032 | $this->set_error('upload_no_filepath', 'error'); |
|
1033 | return FALSE; |
|
1034 | } |
|
1035 | ||
1036 | if ( ! is_really_writable($this->upload_path)) |
|
1037 | { |
|
1038 | $this->set_error('upload_not_writable', 'error'); |
|
1039 | return FALSE; |
|
1040 | } |
|
1041 | ||
1042 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1043 | return TRUE; |
|
1044 | } |
|
1045 | ||
1046 | // -------------------------------------------------------------------- |
|
1047 | ||
1048 | /** |
|
1049 | * Extract the file extension |
|
1050 | * |
|
1051 | * @param string $filename |
|
1052 | * @return string |
|
1053 | * |
|
1054 | * @codeCoverageIgnore |
|
1055 | */ |
|
1056 | public function get_extension($filename) |
|
1057 | { |
|
1058 | $x = explode('.', $filename); |
|
1059 | ||
1060 | if (count($x) === 1) |
|
1061 | { |
|
1062 | return ''; |
|
1063 | } |
|
1064 | ||
1065 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1066 | return '.'.$ext; |
|
1067 | } |
|
1068 | ||
1069 | // -------------------------------------------------------------------- |
|
1070 | ||
1071 | /** |
|
1072 | * Limit the File Name Length |
|
1073 | * |
|
1074 | * @param string $filename |
|
1075 | * @param int $length |
|
1076 | * @return string |
|
1077 | * |
|
1078 | * @codeCoverageIgnore |
|
1079 | */ |
|
1080 | public function limit_filename_length($filename, $length) |
|
1081 | { |
|
1082 | if (strlen($filename) < $length) |
|
1083 | { |
|
1084 | return $filename; |
|
1085 | } |
|
1086 | ||
1087 | $ext = ''; |
|
1088 | if (strpos($filename, '.') !== FALSE) |
|
1089 | { |
|
1090 | $parts = explode('.', $filename); |
|
1091 | $ext = '.'.array_pop($parts); |
|
1092 | $filename = implode('.', $parts); |
|
1093 | } |
|
1094 | ||
1095 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1096 | } |
|
1097 | ||
1098 | // -------------------------------------------------------------------- |
|
1099 | ||
1100 | /** |
|
1101 | * Runs the file through the XSS clean function |
|
1102 | * |
|
1103 | * This prevents people from embedding malicious code in their files. |
|
1104 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1105 | * but so far I haven't found that it causes trouble. |
|
1106 | * |
|
1107 | * @return string |
|
1108 | * |
|
1109 | * @codeCoverageIgnore |
|
1110 | */ |
|
1111 | public function do_xss_clean() |
|
1112 | { |
|
1113 | $file = $this->file_temp; |
|
1114 | ||
1115 | if (filesize($file) == 0) |
|
1116 | { |
|
1117 | return FALSE; |
|
1118 | } |
|
1119 | ||
1120 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1121 | { |
|
1122 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1123 | if ( ! empty($memory_limit[1])) |
|
1124 | { |
|
1125 | switch ($memory_limit[1][0]) |
|
1126 | { |
|
1127 | case 'g': |
|
1128 | case 'G': |
|
1129 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1130 | break; |
|
1131 | case 'm': |
|
1132 | case 'M': |
|
1133 | $memory_limit[0] *= 1024 * 1024; |
|
1134 | break; |
|
1135 | default: |
|
1136 | break; |
|
1137 | } |
|
1138 | } |
|
1139 | ||
1140 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1141 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1142 | } |
|
1143 | ||
1144 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1145 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1146 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1147 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1148 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1149 | // attempted XSS attack. |
|
1150 | ||
1151 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1152 | { |
|
1153 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1154 | { |
|
1155 | return FALSE; // Couldn't open the file, return FALSE |
|
1156 | } |
|
1157 | ||
1158 | $opening_bytes = fread($file, 256); |
|
1159 | fclose($file); |
|
1160 | ||
1161 | // These are known to throw IE into mime-type detection chaos |
|
1162 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1163 | // title is basically just in SVG, but we filter it anyhow |
|
1164 | ||
1165 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1166 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1167 | } |
|
1168 | ||
1169 | if (($data = @file_get_contents($file)) === FALSE) |
|
1170 | { |
|
1171 | return FALSE; |
|
1172 | } |
|
1173 | ||
1174 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1175 | } |
|
1176 | ||
1177 | // -------------------------------------------------------------------- |
|
1178 | ||
1179 | /** |
|
1180 | * Set an error message |
|
1181 | * |
|
1182 | * @param string $msg |
|
1183 | * @return CI_Upload |
|
1184 | * |
|
1185 | * @codeCoverageIgnore |
|
1186 | */ |
|
1187 | public function set_error($msg, $log_level = 'error') |
|
1188 | { |
|
1189 | $this->_CI->lang->load('upload'); |
|
1190 | ||
1191 | is_array($msg) OR $msg = array($msg); |
|
1192 | foreach ($msg as $val) |
|
1193 | { |
|
1194 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1195 | $this->error_msg[] = $msg; |
|
1196 | log_message($log_level, $msg); |
|
1197 | } |
|
1198 | ||
1199 | return $this; |
|
1200 | } |
|
1201 | ||
1202 | // -------------------------------------------------------------------- |
|
1203 | ||
1204 | /** |
|
1205 | * Display the error message |
|
1206 | * |
|
1207 | * @param string $open |
|
1208 | * @param string $close |
|
1209 | * @return string |
|
1210 | * |
|
1211 | * @codeCoverageIgnore |
|
1212 | */ |
|
1213 | public function display_errors($open = '<p>', $close = '</p>') |
|
1214 | { |
|
1215 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1216 | } |
|
1217 | ||
1218 | // -------------------------------------------------------------------- |
|
1219 | ||
1220 | /** |
|
1221 | * Prep Filename |
|
1222 | * |
|
1223 | * Prevents possible script execution from Apache's handling |
|
1224 | * of files' multiple extensions. |
|
1225 | * |
|
1226 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1227 | * |
|
1228 | * @param string $filename |
|
1229 | * @return string |
|
1230 | * |
|
1231 | * @codeCoverageIgnore |
|
1232 | */ |
|
1233 | protected function _prep_filename($filename) |
|
1234 | { |
|
1235 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1236 | { |
|
1237 | return $filename; |
|
1238 | } |
|
1239 | ||
1240 | $ext = substr($filename, $ext_pos); |
|
1241 | $filename = substr($filename, 0, $ext_pos); |
|
1242 | return str_replace('.', '_', $filename).$ext; |
|
1243 | } |
|
1244 | ||
1245 | // -------------------------------------------------------------------- |
|
1246 | ||
1247 | /** |
|
1248 | * File MIME type |
|
1249 | * |
|
1250 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1251 | * The input array is expected to be $_FILES[$field] |
|
1252 | * |
|
1253 | * @param array $file |
|
1254 | * @return void |
|
1255 | * |
|
1256 | * @codeCoverageIgnore |
|
1257 | */ |
|
1258 | protected function _file_mime_type($file) |
|
1259 | { |
|
1260 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1261 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1262 | ||
1263 | /** |
|
1264 | * Fileinfo extension - most reliable method |
|
1265 | * |
|
1266 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1267 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1268 | * ext/fileinfo, which is otherwise enabled by default |
|
1269 | * since PHP 5.3 ... |
|
1270 | */ |
|
1271 | if (function_exists('finfo_file')) |
|
1272 | { |
|
1273 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1274 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1275 | { |
|
1276 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1277 | finfo_close($finfo); |
|
1278 | ||
1279 | /* According to the comments section of the PHP manual page, |
|
1280 | * it is possible that this function returns an empty string |
|
1281 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1282 | */ |
|
1283 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1284 | { |
|
1285 | $this->file_type = $matches[1]; |
|
1286 | return; |
|
1287 | } |
|
1288 | } |
|
1289 | } |
|
1290 | ||
1291 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1292 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1293 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1294 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1295 | * three different functions. |
|
1296 | * |
|
1297 | * Notes: |
|
1298 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1299 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1300 | * due to security concerns, hence the function_usable() checks |
|
1301 | */ |
|
1302 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1303 | { |
|
1304 | $cmd = function_exists('escapeshellarg') |
|
1305 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1306 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1307 | ||
1308 | if (function_usable('exec')) |
|
1309 | { |
|
1310 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1311 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1312 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1313 | * value, which is only put to allow us to get the return status code. |
|
1314 | */ |
|
1315 | $mime = @exec($cmd, $mime, $return_status); |
|
1316 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1317 | { |
|
1318 | $this->file_type = $matches[1]; |
|
1319 | return; |
|
1320 | } |
|
1321 | } |
|
1322 | ||
1323 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1324 | { |
|
1325 | $mime = @shell_exec($cmd); |
|
1326 | if (strlen($mime) > 0) |
|
1327 | { |
|
1328 | $mime = explode("\n", trim($mime)); |
|
1329 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1330 | { |
|
1331 | $this->file_type = $matches[1]; |
|
1332 | return; |
|
1333 | } |
|
1334 | } |
|
1335 | } |
|
1336 | ||
1337 | if (function_usable('popen')) |
|
1338 | { |
|
1339 | $proc = @popen($cmd, 'r'); |
|
1340 | if (is_resource($proc)) |
|
1341 | { |
|
1342 | $mime = @fread($proc, 512); |
|
1343 | @pclose($proc); |
|
1344 | if ($mime !== FALSE) |
|
1345 | { |
|
1346 | $mime = explode("\n", trim($mime)); |
|
1347 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1348 | { |
|
1349 | $this->file_type = $matches[1]; |
|
1350 | return; |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | } |
|
1355 | } |
|
1356 | ||
1357 | // Fall back to the deprecated mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1358 | if (function_exists('mime_content_type')) |
|
1359 | { |
|
1360 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1361 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1362 | { |
|
1363 | return; |
|
1364 | } |
|
1365 | } |
|
1366 | ||
1367 | $this->file_type = $file['type']; |
|
1368 | } |
|
1369 | ||
1370 | } |
|
1371 |
@@ 49-1370 (lines=1322) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | else |
|
692 | { |
|
693 | return $new_filename; |
|
694 | } |
|
695 | } |
|
696 | ||
697 | // -------------------------------------------------------------------- |
|
698 | ||
699 | /** |
|
700 | * Set Maximum File Size |
|
701 | * |
|
702 | * @param int $n |
|
703 | * @return CI_Upload |
|
704 | */ |
|
705 | public function set_max_filesize($n) |
|
706 | { |
|
707 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
708 | return $this; |
|
709 | } |
|
710 | ||
711 | // -------------------------------------------------------------------- |
|
712 | ||
713 | /** |
|
714 | * Set Maximum File Size |
|
715 | * |
|
716 | * An internal alias to set_max_filesize() to help with configuration |
|
717 | * as initialize() will look for a set_<property_name>() method ... |
|
718 | * |
|
719 | * @param int $n |
|
720 | * @return CI_Upload |
|
721 | */ |
|
722 | protected function set_max_size($n) |
|
723 | { |
|
724 | return $this->set_max_filesize($n); |
|
725 | } |
|
726 | ||
727 | // -------------------------------------------------------------------- |
|
728 | ||
729 | /** |
|
730 | * Set Maximum File Name Length |
|
731 | * |
|
732 | * @param int $n |
|
733 | * @return CI_Upload |
|
734 | * |
|
735 | * @codeCoverageIgnore |
|
736 | */ |
|
737 | public function set_max_filename($n) |
|
738 | { |
|
739 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
740 | return $this; |
|
741 | } |
|
742 | ||
743 | // -------------------------------------------------------------------- |
|
744 | ||
745 | /** |
|
746 | * Set Maximum Image Width |
|
747 | * |
|
748 | * @param int $n |
|
749 | * @return CI_Upload |
|
750 | */ |
|
751 | public function set_max_width($n) |
|
752 | { |
|
753 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
754 | return $this; |
|
755 | } |
|
756 | ||
757 | // -------------------------------------------------------------------- |
|
758 | ||
759 | /** |
|
760 | * Set Maximum Image Height |
|
761 | * |
|
762 | * @param int $n |
|
763 | * @return CI_Upload |
|
764 | */ |
|
765 | public function set_max_height($n) |
|
766 | { |
|
767 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
768 | return $this; |
|
769 | } |
|
770 | ||
771 | // -------------------------------------------------------------------- |
|
772 | ||
773 | /** |
|
774 | * Set minimum image width |
|
775 | * |
|
776 | * @param int $n |
|
777 | * @return CI_Upload |
|
778 | * |
|
779 | * @codeCoverageIgnore |
|
780 | */ |
|
781 | public function set_min_width($n) |
|
782 | { |
|
783 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
784 | return $this; |
|
785 | } |
|
786 | ||
787 | // -------------------------------------------------------------------- |
|
788 | ||
789 | /** |
|
790 | * Set minimum image height |
|
791 | * |
|
792 | * @param int $n |
|
793 | * @return CI_Upload |
|
794 | * |
|
795 | * @codeCoverageIgnore |
|
796 | */ |
|
797 | public function set_min_height($n) |
|
798 | { |
|
799 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
800 | return $this; |
|
801 | } |
|
802 | ||
803 | // -------------------------------------------------------------------- |
|
804 | ||
805 | /** |
|
806 | * Set Allowed File Types |
|
807 | * |
|
808 | * @param mixed $types |
|
809 | * @return CI_Upload |
|
810 | */ |
|
811 | public function set_allowed_types($types) |
|
812 | { |
|
813 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
814 | ? $types |
|
815 | : explode('|', $types); |
|
816 | return $this; |
|
817 | } |
|
818 | ||
819 | // -------------------------------------------------------------------- |
|
820 | ||
821 | /** |
|
822 | * Set Image Properties |
|
823 | * |
|
824 | * Uses GD to determine the width/height/type of image |
|
825 | * |
|
826 | * @param string $path |
|
827 | * @return CI_Upload |
|
828 | */ |
|
829 | public function set_image_properties($path = '') |
|
830 | { |
|
831 | if ($this->is_image() && function_exists('getimagesize')) |
|
832 | { |
|
833 | if (FALSE !== ($D = @getimagesize($path))) |
|
834 | { |
|
835 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
836 | ||
837 | $this->image_width = $D[0]; |
|
838 | $this->image_height = $D[1]; |
|
839 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
840 | $this->image_size_str = $D[3]; // string containing height and width |
|
841 | } |
|
842 | } |
|
843 | ||
844 | return $this; |
|
845 | } |
|
846 | ||
847 | // -------------------------------------------------------------------- |
|
848 | ||
849 | /** |
|
850 | * Set XSS Clean |
|
851 | * |
|
852 | * Enables the XSS flag so that the file that was uploaded |
|
853 | * will be run through the XSS filter. |
|
854 | * |
|
855 | * @param bool $flag |
|
856 | * @return CI_Upload |
|
857 | * |
|
858 | * @codeCoverageIgnore |
|
859 | */ |
|
860 | public function set_xss_clean($flag = FALSE) |
|
861 | { |
|
862 | $this->xss_clean = ($flag === TRUE); |
|
863 | return $this; |
|
864 | } |
|
865 | ||
866 | // -------------------------------------------------------------------- |
|
867 | ||
868 | /** |
|
869 | * Validate the image |
|
870 | * |
|
871 | * @return bool |
|
872 | * |
|
873 | * @codeCoverageIgnore |
|
874 | */ |
|
875 | public function is_image() |
|
876 | { |
|
877 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
878 | // jpegs or pngs to the same file type. |
|
879 | ||
880 | $png_mimes = array('image/x-png'); |
|
881 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
882 | ||
883 | if (in_array($this->file_type, $png_mimes)) |
|
884 | { |
|
885 | $this->file_type = 'image/png'; |
|
886 | } |
|
887 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
888 | { |
|
889 | $this->file_type = 'image/jpeg'; |
|
890 | } |
|
891 | ||
892 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
893 | ||
894 | return in_array($this->file_type, $img_mimes, TRUE); |
|
895 | } |
|
896 | ||
897 | // -------------------------------------------------------------------- |
|
898 | ||
899 | /** |
|
900 | * Verify that the filetype is allowed |
|
901 | * |
|
902 | * @param bool $ignore_mime |
|
903 | * @return bool |
|
904 | * |
|
905 | * @codeCoverageIgnore |
|
906 | */ |
|
907 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
908 | { |
|
909 | if ($this->allowed_types === '*') |
|
910 | { |
|
911 | return TRUE; |
|
912 | } |
|
913 | ||
914 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
915 | { |
|
916 | $this->set_error('upload_no_file_types', 'debug'); |
|
917 | return FALSE; |
|
918 | } |
|
919 | ||
920 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
921 | ||
922 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
923 | { |
|
924 | return FALSE; |
|
925 | } |
|
926 | ||
927 | // Images get some additional checks |
|
928 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
929 | { |
|
930 | return FALSE; |
|
931 | } |
|
932 | ||
933 | if ($ignore_mime === TRUE) |
|
934 | { |
|
935 | return TRUE; |
|
936 | } |
|
937 | ||
938 | if (isset($this->_mimes[$ext])) |
|
939 | { |
|
940 | return is_array($this->_mimes[$ext]) |
|
941 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
942 | : ($this->_mimes[$ext] === $this->file_type); |
|
943 | } |
|
944 | ||
945 | return FALSE; |
|
946 | } |
|
947 | ||
948 | // -------------------------------------------------------------------- |
|
949 | ||
950 | /** |
|
951 | * Verify that the file is within the allowed size |
|
952 | * |
|
953 | * @return bool |
|
954 | * |
|
955 | * @codeCoverageIgnore |
|
956 | */ |
|
957 | public function is_allowed_filesize() |
|
958 | { |
|
959 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
960 | } |
|
961 | ||
962 | // -------------------------------------------------------------------- |
|
963 | ||
964 | /** |
|
965 | * Verify that the image is within the allowed width/height |
|
966 | * |
|
967 | * @return bool |
|
968 | * |
|
969 | * @codeCoverageIgnore |
|
970 | */ |
|
971 | public function is_allowed_dimensions() |
|
972 | { |
|
973 | if ( ! $this->is_image()) |
|
974 | { |
|
975 | return TRUE; |
|
976 | } |
|
977 | ||
978 | if (function_exists('getimagesize')) |
|
979 | { |
|
980 | $D = @getimagesize($this->file_temp); |
|
981 | ||
982 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
983 | { |
|
984 | return FALSE; |
|
985 | } |
|
986 | ||
987 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
988 | { |
|
989 | return FALSE; |
|
990 | } |
|
991 | ||
992 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
993 | { |
|
994 | return FALSE; |
|
995 | } |
|
996 | ||
997 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
998 | { |
|
999 | return FALSE; |
|
1000 | } |
|
1001 | } |
|
1002 | ||
1003 | return TRUE; |
|
1004 | } |
|
1005 | ||
1006 | // -------------------------------------------------------------------- |
|
1007 | ||
1008 | /** |
|
1009 | * Validate Upload Path |
|
1010 | * |
|
1011 | * Verifies that it is a valid upload path with proper permissions. |
|
1012 | * |
|
1013 | * @return bool |
|
1014 | * |
|
1015 | * @codeCoverageIgnore |
|
1016 | */ |
|
1017 | public function validate_upload_path() |
|
1018 | { |
|
1019 | if ($this->upload_path === '') |
|
1020 | { |
|
1021 | $this->set_error('upload_no_filepath', 'error'); |
|
1022 | return FALSE; |
|
1023 | } |
|
1024 | ||
1025 | if (realpath($this->upload_path) !== FALSE) |
|
1026 | { |
|
1027 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1028 | } |
|
1029 | ||
1030 | if ( ! is_dir($this->upload_path)) |
|
1031 | { |
|
1032 | $this->set_error('upload_no_filepath', 'error'); |
|
1033 | return FALSE; |
|
1034 | } |
|
1035 | ||
1036 | if ( ! is_really_writable($this->upload_path)) |
|
1037 | { |
|
1038 | $this->set_error('upload_not_writable', 'error'); |
|
1039 | return FALSE; |
|
1040 | } |
|
1041 | ||
1042 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1043 | return TRUE; |
|
1044 | } |
|
1045 | ||
1046 | // -------------------------------------------------------------------- |
|
1047 | ||
1048 | /** |
|
1049 | * Extract the file extension |
|
1050 | * |
|
1051 | * @param string $filename |
|
1052 | * @return string |
|
1053 | * |
|
1054 | * @codeCoverageIgnore |
|
1055 | */ |
|
1056 | public function get_extension($filename) |
|
1057 | { |
|
1058 | $x = explode('.', $filename); |
|
1059 | ||
1060 | if (count($x) === 1) |
|
1061 | { |
|
1062 | return ''; |
|
1063 | } |
|
1064 | ||
1065 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1066 | return '.'.$ext; |
|
1067 | } |
|
1068 | ||
1069 | // -------------------------------------------------------------------- |
|
1070 | ||
1071 | /** |
|
1072 | * Limit the File Name Length |
|
1073 | * |
|
1074 | * @param string $filename |
|
1075 | * @param int $length |
|
1076 | * @return string |
|
1077 | * |
|
1078 | * @codeCoverageIgnore |
|
1079 | */ |
|
1080 | public function limit_filename_length($filename, $length) |
|
1081 | { |
|
1082 | if (strlen($filename) < $length) |
|
1083 | { |
|
1084 | return $filename; |
|
1085 | } |
|
1086 | ||
1087 | $ext = ''; |
|
1088 | if (strpos($filename, '.') !== FALSE) |
|
1089 | { |
|
1090 | $parts = explode('.', $filename); |
|
1091 | $ext = '.'.array_pop($parts); |
|
1092 | $filename = implode('.', $parts); |
|
1093 | } |
|
1094 | ||
1095 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1096 | } |
|
1097 | ||
1098 | // -------------------------------------------------------------------- |
|
1099 | ||
1100 | /** |
|
1101 | * Runs the file through the XSS clean function |
|
1102 | * |
|
1103 | * This prevents people from embedding malicious code in their files. |
|
1104 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1105 | * but so far I haven't found that it causes trouble. |
|
1106 | * |
|
1107 | * @return string |
|
1108 | * |
|
1109 | * @codeCoverageIgnore |
|
1110 | */ |
|
1111 | public function do_xss_clean() |
|
1112 | { |
|
1113 | $file = $this->file_temp; |
|
1114 | ||
1115 | if (filesize($file) == 0) |
|
1116 | { |
|
1117 | return FALSE; |
|
1118 | } |
|
1119 | ||
1120 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1121 | { |
|
1122 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1123 | if ( ! empty($memory_limit[1])) |
|
1124 | { |
|
1125 | switch ($memory_limit[1][0]) |
|
1126 | { |
|
1127 | case 'g': |
|
1128 | case 'G': |
|
1129 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1130 | break; |
|
1131 | case 'm': |
|
1132 | case 'M': |
|
1133 | $memory_limit[0] *= 1024 * 1024; |
|
1134 | break; |
|
1135 | default: |
|
1136 | break; |
|
1137 | } |
|
1138 | } |
|
1139 | ||
1140 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1141 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1142 | } |
|
1143 | ||
1144 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1145 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1146 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1147 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1148 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1149 | // attempted XSS attack. |
|
1150 | ||
1151 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1152 | { |
|
1153 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1154 | { |
|
1155 | return FALSE; // Couldn't open the file, return FALSE |
|
1156 | } |
|
1157 | ||
1158 | $opening_bytes = fread($file, 256); |
|
1159 | fclose($file); |
|
1160 | ||
1161 | // These are known to throw IE into mime-type detection chaos |
|
1162 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1163 | // title is basically just in SVG, but we filter it anyhow |
|
1164 | ||
1165 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1166 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1167 | } |
|
1168 | ||
1169 | if (($data = @file_get_contents($file)) === FALSE) |
|
1170 | { |
|
1171 | return FALSE; |
|
1172 | } |
|
1173 | ||
1174 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1175 | } |
|
1176 | ||
1177 | // -------------------------------------------------------------------- |
|
1178 | ||
1179 | /** |
|
1180 | * Set an error message |
|
1181 | * |
|
1182 | * @param string $msg |
|
1183 | * @return CI_Upload |
|
1184 | * |
|
1185 | * @codeCoverageIgnore |
|
1186 | */ |
|
1187 | public function set_error($msg, $log_level = 'error') |
|
1188 | { |
|
1189 | $this->_CI->lang->load('upload'); |
|
1190 | ||
1191 | is_array($msg) OR $msg = array($msg); |
|
1192 | foreach ($msg as $val) |
|
1193 | { |
|
1194 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1195 | $this->error_msg[] = $msg; |
|
1196 | log_message($log_level, $msg); |
|
1197 | } |
|
1198 | ||
1199 | return $this; |
|
1200 | } |
|
1201 | ||
1202 | // -------------------------------------------------------------------- |
|
1203 | ||
1204 | /** |
|
1205 | * Display the error message |
|
1206 | * |
|
1207 | * @param string $open |
|
1208 | * @param string $close |
|
1209 | * @return string |
|
1210 | * |
|
1211 | * @codeCoverageIgnore |
|
1212 | */ |
|
1213 | public function display_errors($open = '<p>', $close = '</p>') |
|
1214 | { |
|
1215 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1216 | } |
|
1217 | ||
1218 | // -------------------------------------------------------------------- |
|
1219 | ||
1220 | /** |
|
1221 | * Prep Filename |
|
1222 | * |
|
1223 | * Prevents possible script execution from Apache's handling |
|
1224 | * of files' multiple extensions. |
|
1225 | * |
|
1226 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1227 | * |
|
1228 | * @param string $filename |
|
1229 | * @return string |
|
1230 | * |
|
1231 | * @codeCoverageIgnore |
|
1232 | */ |
|
1233 | protected function _prep_filename($filename) |
|
1234 | { |
|
1235 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1236 | { |
|
1237 | return $filename; |
|
1238 | } |
|
1239 | ||
1240 | $ext = substr($filename, $ext_pos); |
|
1241 | $filename = substr($filename, 0, $ext_pos); |
|
1242 | return str_replace('.', '_', $filename).$ext; |
|
1243 | } |
|
1244 | ||
1245 | // -------------------------------------------------------------------- |
|
1246 | ||
1247 | /** |
|
1248 | * File MIME type |
|
1249 | * |
|
1250 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1251 | * The input array is expected to be $_FILES[$field] |
|
1252 | * |
|
1253 | * @param array $file |
|
1254 | * @return void |
|
1255 | * |
|
1256 | * @codeCoverageIgnore |
|
1257 | */ |
|
1258 | protected function _file_mime_type($file) |
|
1259 | { |
|
1260 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1261 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1262 | ||
1263 | /** |
|
1264 | * Fileinfo extension - most reliable method |
|
1265 | * |
|
1266 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1267 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1268 | * ext/fileinfo, which is otherwise enabled by default |
|
1269 | * since PHP 5.3 ... |
|
1270 | */ |
|
1271 | if (function_exists('finfo_file')) |
|
1272 | { |
|
1273 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1274 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1275 | { |
|
1276 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1277 | finfo_close($finfo); |
|
1278 | ||
1279 | /* According to the comments section of the PHP manual page, |
|
1280 | * it is possible that this function returns an empty string |
|
1281 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1282 | */ |
|
1283 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1284 | { |
|
1285 | $this->file_type = $matches[1]; |
|
1286 | return; |
|
1287 | } |
|
1288 | } |
|
1289 | } |
|
1290 | ||
1291 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1292 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1293 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1294 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1295 | * three different functions. |
|
1296 | * |
|
1297 | * Notes: |
|
1298 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1299 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1300 | * due to security concerns, hence the function_usable() checks |
|
1301 | */ |
|
1302 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1303 | { |
|
1304 | $cmd = function_exists('escapeshellarg') |
|
1305 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1306 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1307 | ||
1308 | if (function_usable('exec')) |
|
1309 | { |
|
1310 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1311 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1312 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1313 | * value, which is only put to allow us to get the return status code. |
|
1314 | */ |
|
1315 | $mime = @exec($cmd, $mime, $return_status); |
|
1316 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1317 | { |
|
1318 | $this->file_type = $matches[1]; |
|
1319 | return; |
|
1320 | } |
|
1321 | } |
|
1322 | ||
1323 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1324 | { |
|
1325 | $mime = @shell_exec($cmd); |
|
1326 | if (strlen($mime) > 0) |
|
1327 | { |
|
1328 | $mime = explode("\n", trim($mime)); |
|
1329 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1330 | { |
|
1331 | $this->file_type = $matches[1]; |
|
1332 | return; |
|
1333 | } |
|
1334 | } |
|
1335 | } |
|
1336 | ||
1337 | if (function_usable('popen')) |
|
1338 | { |
|
1339 | $proc = @popen($cmd, 'r'); |
|
1340 | if (is_resource($proc)) |
|
1341 | { |
|
1342 | $mime = @fread($proc, 512); |
|
1343 | @pclose($proc); |
|
1344 | if ($mime !== FALSE) |
|
1345 | { |
|
1346 | $mime = explode("\n", trim($mime)); |
|
1347 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1348 | { |
|
1349 | $this->file_type = $matches[1]; |
|
1350 | return; |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | } |
|
1355 | } |
|
1356 | ||
1357 | // Fall back to mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1358 | if (function_exists('mime_content_type')) |
|
1359 | { |
|
1360 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1361 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1362 | { |
|
1363 | return; |
|
1364 | } |
|
1365 | } |
|
1366 | ||
1367 | $this->file_type = $file['type']; |
|
1368 | } |
|
1369 | ||
1370 | } |
|
1371 |
@@ 49-1368 (lines=1320) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | ||
692 | return $new_filename; |
|
693 | } |
|
694 | ||
695 | // -------------------------------------------------------------------- |
|
696 | ||
697 | /** |
|
698 | * Set Maximum File Size |
|
699 | * |
|
700 | * @param int $n |
|
701 | * @return CI_Upload |
|
702 | */ |
|
703 | public function set_max_filesize($n) |
|
704 | { |
|
705 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
706 | return $this; |
|
707 | } |
|
708 | ||
709 | // -------------------------------------------------------------------- |
|
710 | ||
711 | /** |
|
712 | * Set Maximum File Size |
|
713 | * |
|
714 | * An internal alias to set_max_filesize() to help with configuration |
|
715 | * as initialize() will look for a set_<property_name>() method ... |
|
716 | * |
|
717 | * @param int $n |
|
718 | * @return CI_Upload |
|
719 | */ |
|
720 | protected function set_max_size($n) |
|
721 | { |
|
722 | return $this->set_max_filesize($n); |
|
723 | } |
|
724 | ||
725 | // -------------------------------------------------------------------- |
|
726 | ||
727 | /** |
|
728 | * Set Maximum File Name Length |
|
729 | * |
|
730 | * @param int $n |
|
731 | * @return CI_Upload |
|
732 | * |
|
733 | * @codeCoverageIgnore |
|
734 | */ |
|
735 | public function set_max_filename($n) |
|
736 | { |
|
737 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
738 | return $this; |
|
739 | } |
|
740 | ||
741 | // -------------------------------------------------------------------- |
|
742 | ||
743 | /** |
|
744 | * Set Maximum Image Width |
|
745 | * |
|
746 | * @param int $n |
|
747 | * @return CI_Upload |
|
748 | */ |
|
749 | public function set_max_width($n) |
|
750 | { |
|
751 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
752 | return $this; |
|
753 | } |
|
754 | ||
755 | // -------------------------------------------------------------------- |
|
756 | ||
757 | /** |
|
758 | * Set Maximum Image Height |
|
759 | * |
|
760 | * @param int $n |
|
761 | * @return CI_Upload |
|
762 | */ |
|
763 | public function set_max_height($n) |
|
764 | { |
|
765 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
766 | return $this; |
|
767 | } |
|
768 | ||
769 | // -------------------------------------------------------------------- |
|
770 | ||
771 | /** |
|
772 | * Set minimum image width |
|
773 | * |
|
774 | * @param int $n |
|
775 | * @return CI_Upload |
|
776 | * |
|
777 | * @codeCoverageIgnore |
|
778 | */ |
|
779 | public function set_min_width($n) |
|
780 | { |
|
781 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
782 | return $this; |
|
783 | } |
|
784 | ||
785 | // -------------------------------------------------------------------- |
|
786 | ||
787 | /** |
|
788 | * Set minimum image height |
|
789 | * |
|
790 | * @param int $n |
|
791 | * @return CI_Upload |
|
792 | * |
|
793 | * @codeCoverageIgnore |
|
794 | */ |
|
795 | public function set_min_height($n) |
|
796 | { |
|
797 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
798 | return $this; |
|
799 | } |
|
800 | ||
801 | // -------------------------------------------------------------------- |
|
802 | ||
803 | /** |
|
804 | * Set Allowed File Types |
|
805 | * |
|
806 | * @param mixed $types |
|
807 | * @return CI_Upload |
|
808 | */ |
|
809 | public function set_allowed_types($types) |
|
810 | { |
|
811 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
812 | ? $types |
|
813 | : explode('|', $types); |
|
814 | return $this; |
|
815 | } |
|
816 | ||
817 | // -------------------------------------------------------------------- |
|
818 | ||
819 | /** |
|
820 | * Set Image Properties |
|
821 | * |
|
822 | * Uses GD to determine the width/height/type of image |
|
823 | * |
|
824 | * @param string $path |
|
825 | * @return CI_Upload |
|
826 | */ |
|
827 | public function set_image_properties($path = '') |
|
828 | { |
|
829 | if ($this->is_image() && function_exists('getimagesize')) |
|
830 | { |
|
831 | if (FALSE !== ($D = @getimagesize($path))) |
|
832 | { |
|
833 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
834 | ||
835 | $this->image_width = $D[0]; |
|
836 | $this->image_height = $D[1]; |
|
837 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
838 | $this->image_size_str = $D[3]; // string containing height and width |
|
839 | } |
|
840 | } |
|
841 | ||
842 | return $this; |
|
843 | } |
|
844 | ||
845 | // -------------------------------------------------------------------- |
|
846 | ||
847 | /** |
|
848 | * Set XSS Clean |
|
849 | * |
|
850 | * Enables the XSS flag so that the file that was uploaded |
|
851 | * will be run through the XSS filter. |
|
852 | * |
|
853 | * @param bool $flag |
|
854 | * @return CI_Upload |
|
855 | * |
|
856 | * @codeCoverageIgnore |
|
857 | */ |
|
858 | public function set_xss_clean($flag = FALSE) |
|
859 | { |
|
860 | $this->xss_clean = ($flag === TRUE); |
|
861 | return $this; |
|
862 | } |
|
863 | ||
864 | // -------------------------------------------------------------------- |
|
865 | ||
866 | /** |
|
867 | * Validate the image |
|
868 | * |
|
869 | * @return bool |
|
870 | * |
|
871 | * @codeCoverageIgnore |
|
872 | */ |
|
873 | public function is_image() |
|
874 | { |
|
875 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
876 | // jpegs or pngs to the same file type. |
|
877 | ||
878 | $png_mimes = array('image/x-png'); |
|
879 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
880 | ||
881 | if (in_array($this->file_type, $png_mimes)) |
|
882 | { |
|
883 | $this->file_type = 'image/png'; |
|
884 | } |
|
885 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
886 | { |
|
887 | $this->file_type = 'image/jpeg'; |
|
888 | } |
|
889 | ||
890 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
891 | ||
892 | return in_array($this->file_type, $img_mimes, TRUE); |
|
893 | } |
|
894 | ||
895 | // -------------------------------------------------------------------- |
|
896 | ||
897 | /** |
|
898 | * Verify that the filetype is allowed |
|
899 | * |
|
900 | * @param bool $ignore_mime |
|
901 | * @return bool |
|
902 | * |
|
903 | * @codeCoverageIgnore |
|
904 | */ |
|
905 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
906 | { |
|
907 | if ($this->allowed_types === '*') |
|
908 | { |
|
909 | return TRUE; |
|
910 | } |
|
911 | ||
912 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
913 | { |
|
914 | $this->set_error('upload_no_file_types', 'debug'); |
|
915 | return FALSE; |
|
916 | } |
|
917 | ||
918 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
919 | ||
920 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
921 | { |
|
922 | return FALSE; |
|
923 | } |
|
924 | ||
925 | // Images get some additional checks |
|
926 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
927 | { |
|
928 | return FALSE; |
|
929 | } |
|
930 | ||
931 | if ($ignore_mime === TRUE) |
|
932 | { |
|
933 | return TRUE; |
|
934 | } |
|
935 | ||
936 | if (isset($this->_mimes[$ext])) |
|
937 | { |
|
938 | return is_array($this->_mimes[$ext]) |
|
939 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
940 | : ($this->_mimes[$ext] === $this->file_type); |
|
941 | } |
|
942 | ||
943 | return FALSE; |
|
944 | } |
|
945 | ||
946 | // -------------------------------------------------------------------- |
|
947 | ||
948 | /** |
|
949 | * Verify that the file is within the allowed size |
|
950 | * |
|
951 | * @return bool |
|
952 | * |
|
953 | * @codeCoverageIgnore |
|
954 | */ |
|
955 | public function is_allowed_filesize() |
|
956 | { |
|
957 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
958 | } |
|
959 | ||
960 | // -------------------------------------------------------------------- |
|
961 | ||
962 | /** |
|
963 | * Verify that the image is within the allowed width/height |
|
964 | * |
|
965 | * @return bool |
|
966 | * |
|
967 | * @codeCoverageIgnore |
|
968 | */ |
|
969 | public function is_allowed_dimensions() |
|
970 | { |
|
971 | if ( ! $this->is_image()) |
|
972 | { |
|
973 | return TRUE; |
|
974 | } |
|
975 | ||
976 | if (function_exists('getimagesize')) |
|
977 | { |
|
978 | $D = @getimagesize($this->file_temp); |
|
979 | ||
980 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
981 | { |
|
982 | return FALSE; |
|
983 | } |
|
984 | ||
985 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
986 | { |
|
987 | return FALSE; |
|
988 | } |
|
989 | ||
990 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
991 | { |
|
992 | return FALSE; |
|
993 | } |
|
994 | ||
995 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
996 | { |
|
997 | return FALSE; |
|
998 | } |
|
999 | } |
|
1000 | ||
1001 | return TRUE; |
|
1002 | } |
|
1003 | ||
1004 | // -------------------------------------------------------------------- |
|
1005 | ||
1006 | /** |
|
1007 | * Validate Upload Path |
|
1008 | * |
|
1009 | * Verifies that it is a valid upload path with proper permissions. |
|
1010 | * |
|
1011 | * @return bool |
|
1012 | * |
|
1013 | * @codeCoverageIgnore |
|
1014 | */ |
|
1015 | public function validate_upload_path() |
|
1016 | { |
|
1017 | if ($this->upload_path === '') |
|
1018 | { |
|
1019 | $this->set_error('upload_no_filepath', 'error'); |
|
1020 | return FALSE; |
|
1021 | } |
|
1022 | ||
1023 | if (realpath($this->upload_path) !== FALSE) |
|
1024 | { |
|
1025 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1026 | } |
|
1027 | ||
1028 | if ( ! is_dir($this->upload_path)) |
|
1029 | { |
|
1030 | $this->set_error('upload_no_filepath', 'error'); |
|
1031 | return FALSE; |
|
1032 | } |
|
1033 | ||
1034 | if ( ! is_really_writable($this->upload_path)) |
|
1035 | { |
|
1036 | $this->set_error('upload_not_writable', 'error'); |
|
1037 | return FALSE; |
|
1038 | } |
|
1039 | ||
1040 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1041 | return TRUE; |
|
1042 | } |
|
1043 | ||
1044 | // -------------------------------------------------------------------- |
|
1045 | ||
1046 | /** |
|
1047 | * Extract the file extension |
|
1048 | * |
|
1049 | * @param string $filename |
|
1050 | * @return string |
|
1051 | * |
|
1052 | * @codeCoverageIgnore |
|
1053 | */ |
|
1054 | public function get_extension($filename) |
|
1055 | { |
|
1056 | $x = explode('.', $filename); |
|
1057 | ||
1058 | if (count($x) === 1) |
|
1059 | { |
|
1060 | return ''; |
|
1061 | } |
|
1062 | ||
1063 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1064 | return '.'.$ext; |
|
1065 | } |
|
1066 | ||
1067 | // -------------------------------------------------------------------- |
|
1068 | ||
1069 | /** |
|
1070 | * Limit the File Name Length |
|
1071 | * |
|
1072 | * @param string $filename |
|
1073 | * @param int $length |
|
1074 | * @return string |
|
1075 | * |
|
1076 | * @codeCoverageIgnore |
|
1077 | */ |
|
1078 | public function limit_filename_length($filename, $length) |
|
1079 | { |
|
1080 | if (strlen($filename) < $length) |
|
1081 | { |
|
1082 | return $filename; |
|
1083 | } |
|
1084 | ||
1085 | $ext = ''; |
|
1086 | if (strpos($filename, '.') !== FALSE) |
|
1087 | { |
|
1088 | $parts = explode('.', $filename); |
|
1089 | $ext = '.'.array_pop($parts); |
|
1090 | $filename = implode('.', $parts); |
|
1091 | } |
|
1092 | ||
1093 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1094 | } |
|
1095 | ||
1096 | // -------------------------------------------------------------------- |
|
1097 | ||
1098 | /** |
|
1099 | * Runs the file through the XSS clean function |
|
1100 | * |
|
1101 | * This prevents people from embedding malicious code in their files. |
|
1102 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1103 | * but so far I haven't found that it causes trouble. |
|
1104 | * |
|
1105 | * @return string |
|
1106 | * |
|
1107 | * @codeCoverageIgnore |
|
1108 | */ |
|
1109 | public function do_xss_clean() |
|
1110 | { |
|
1111 | $file = $this->file_temp; |
|
1112 | ||
1113 | if (filesize($file) == 0) |
|
1114 | { |
|
1115 | return FALSE; |
|
1116 | } |
|
1117 | ||
1118 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1119 | { |
|
1120 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1121 | if ( ! empty($memory_limit[1])) |
|
1122 | { |
|
1123 | switch ($memory_limit[1][0]) |
|
1124 | { |
|
1125 | case 'g': |
|
1126 | case 'G': |
|
1127 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1128 | break; |
|
1129 | case 'm': |
|
1130 | case 'M': |
|
1131 | $memory_limit[0] *= 1024 * 1024; |
|
1132 | break; |
|
1133 | default: |
|
1134 | break; |
|
1135 | } |
|
1136 | } |
|
1137 | ||
1138 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1139 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1140 | } |
|
1141 | ||
1142 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1143 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1144 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1145 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1146 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1147 | // attempted XSS attack. |
|
1148 | ||
1149 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1150 | { |
|
1151 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1152 | { |
|
1153 | return FALSE; // Couldn't open the file, return FALSE |
|
1154 | } |
|
1155 | ||
1156 | $opening_bytes = fread($file, 256); |
|
1157 | fclose($file); |
|
1158 | ||
1159 | // These are known to throw IE into mime-type detection chaos |
|
1160 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1161 | // title is basically just in SVG, but we filter it anyhow |
|
1162 | ||
1163 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1164 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1165 | } |
|
1166 | ||
1167 | if (($data = @file_get_contents($file)) === FALSE) |
|
1168 | { |
|
1169 | return FALSE; |
|
1170 | } |
|
1171 | ||
1172 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1173 | } |
|
1174 | ||
1175 | // -------------------------------------------------------------------- |
|
1176 | ||
1177 | /** |
|
1178 | * Set an error message |
|
1179 | * |
|
1180 | * @param string $msg |
|
1181 | * @return CI_Upload |
|
1182 | * |
|
1183 | * @codeCoverageIgnore |
|
1184 | */ |
|
1185 | public function set_error($msg, $log_level = 'error') |
|
1186 | { |
|
1187 | $this->_CI->lang->load('upload'); |
|
1188 | ||
1189 | is_array($msg) OR $msg = array($msg); |
|
1190 | foreach ($msg as $val) |
|
1191 | { |
|
1192 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1193 | $this->error_msg[] = $msg; |
|
1194 | log_message($log_level, $msg); |
|
1195 | } |
|
1196 | ||
1197 | return $this; |
|
1198 | } |
|
1199 | ||
1200 | // -------------------------------------------------------------------- |
|
1201 | ||
1202 | /** |
|
1203 | * Display the error message |
|
1204 | * |
|
1205 | * @param string $open |
|
1206 | * @param string $close |
|
1207 | * @return string |
|
1208 | * |
|
1209 | * @codeCoverageIgnore |
|
1210 | */ |
|
1211 | public function display_errors($open = '<p>', $close = '</p>') |
|
1212 | { |
|
1213 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1214 | } |
|
1215 | ||
1216 | // -------------------------------------------------------------------- |
|
1217 | ||
1218 | /** |
|
1219 | * Prep Filename |
|
1220 | * |
|
1221 | * Prevents possible script execution from Apache's handling |
|
1222 | * of files' multiple extensions. |
|
1223 | * |
|
1224 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1225 | * |
|
1226 | * @param string $filename |
|
1227 | * @return string |
|
1228 | * |
|
1229 | * @codeCoverageIgnore |
|
1230 | */ |
|
1231 | protected function _prep_filename($filename) |
|
1232 | { |
|
1233 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1234 | { |
|
1235 | return $filename; |
|
1236 | } |
|
1237 | ||
1238 | $ext = substr($filename, $ext_pos); |
|
1239 | $filename = substr($filename, 0, $ext_pos); |
|
1240 | return str_replace('.', '_', $filename).$ext; |
|
1241 | } |
|
1242 | ||
1243 | // -------------------------------------------------------------------- |
|
1244 | ||
1245 | /** |
|
1246 | * File MIME type |
|
1247 | * |
|
1248 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1249 | * The input array is expected to be $_FILES[$field] |
|
1250 | * |
|
1251 | * @param array $file |
|
1252 | * @return void |
|
1253 | * |
|
1254 | * @codeCoverageIgnore |
|
1255 | */ |
|
1256 | protected function _file_mime_type($file) |
|
1257 | { |
|
1258 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1259 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1260 | ||
1261 | /** |
|
1262 | * Fileinfo extension - most reliable method |
|
1263 | * |
|
1264 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1265 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1266 | * ext/fileinfo, which is otherwise enabled by default |
|
1267 | * since PHP 5.3 ... |
|
1268 | */ |
|
1269 | if (function_exists('finfo_file')) |
|
1270 | { |
|
1271 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1272 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1273 | { |
|
1274 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1275 | finfo_close($finfo); |
|
1276 | ||
1277 | /* According to the comments section of the PHP manual page, |
|
1278 | * it is possible that this function returns an empty string |
|
1279 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1280 | */ |
|
1281 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1282 | { |
|
1283 | $this->file_type = $matches[1]; |
|
1284 | return; |
|
1285 | } |
|
1286 | } |
|
1287 | } |
|
1288 | ||
1289 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1290 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1291 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1292 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1293 | * three different functions. |
|
1294 | * |
|
1295 | * Notes: |
|
1296 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1297 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1298 | * due to security concerns, hence the function_usable() checks |
|
1299 | */ |
|
1300 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1301 | { |
|
1302 | $cmd = function_exists('escapeshellarg') |
|
1303 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1304 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1305 | ||
1306 | if (function_usable('exec')) |
|
1307 | { |
|
1308 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1309 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1310 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1311 | * value, which is only put to allow us to get the return status code. |
|
1312 | */ |
|
1313 | $mime = @exec($cmd, $mime, $return_status); |
|
1314 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1315 | { |
|
1316 | $this->file_type = $matches[1]; |
|
1317 | return; |
|
1318 | } |
|
1319 | } |
|
1320 | ||
1321 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1322 | { |
|
1323 | $mime = @shell_exec($cmd); |
|
1324 | if (strlen($mime) > 0) |
|
1325 | { |
|
1326 | $mime = explode("\n", trim($mime)); |
|
1327 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1328 | { |
|
1329 | $this->file_type = $matches[1]; |
|
1330 | return; |
|
1331 | } |
|
1332 | } |
|
1333 | } |
|
1334 | ||
1335 | if (function_usable('popen')) |
|
1336 | { |
|
1337 | $proc = @popen($cmd, 'r'); |
|
1338 | if (is_resource($proc)) |
|
1339 | { |
|
1340 | $mime = @fread($proc, 512); |
|
1341 | @pclose($proc); |
|
1342 | if ($mime !== FALSE) |
|
1343 | { |
|
1344 | $mime = explode("\n", trim($mime)); |
|
1345 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1346 | { |
|
1347 | $this->file_type = $matches[1]; |
|
1348 | return; |
|
1349 | } |
|
1350 | } |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | ||
1355 | // Fall back to mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1356 | if (function_exists('mime_content_type')) |
|
1357 | { |
|
1358 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1359 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1360 | { |
|
1361 | return; |
|
1362 | } |
|
1363 | } |
|
1364 | ||
1365 | $this->file_type = $file['type']; |
|
1366 | } |
|
1367 | ||
1368 | } |
|
1369 |
@@ 49-1368 (lines=1320) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | ||
692 | return $new_filename; |
|
693 | } |
|
694 | ||
695 | // -------------------------------------------------------------------- |
|
696 | ||
697 | /** |
|
698 | * Set Maximum File Size |
|
699 | * |
|
700 | * @param int $n |
|
701 | * @return CI_Upload |
|
702 | */ |
|
703 | public function set_max_filesize($n) |
|
704 | { |
|
705 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
706 | return $this; |
|
707 | } |
|
708 | ||
709 | // -------------------------------------------------------------------- |
|
710 | ||
711 | /** |
|
712 | * Set Maximum File Size |
|
713 | * |
|
714 | * An internal alias to set_max_filesize() to help with configuration |
|
715 | * as initialize() will look for a set_<property_name>() method ... |
|
716 | * |
|
717 | * @param int $n |
|
718 | * @return CI_Upload |
|
719 | */ |
|
720 | protected function set_max_size($n) |
|
721 | { |
|
722 | return $this->set_max_filesize($n); |
|
723 | } |
|
724 | ||
725 | // -------------------------------------------------------------------- |
|
726 | ||
727 | /** |
|
728 | * Set Maximum File Name Length |
|
729 | * |
|
730 | * @param int $n |
|
731 | * @return CI_Upload |
|
732 | * |
|
733 | * @codeCoverageIgnore |
|
734 | */ |
|
735 | public function set_max_filename($n) |
|
736 | { |
|
737 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
738 | return $this; |
|
739 | } |
|
740 | ||
741 | // -------------------------------------------------------------------- |
|
742 | ||
743 | /** |
|
744 | * Set Maximum Image Width |
|
745 | * |
|
746 | * @param int $n |
|
747 | * @return CI_Upload |
|
748 | */ |
|
749 | public function set_max_width($n) |
|
750 | { |
|
751 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
752 | return $this; |
|
753 | } |
|
754 | ||
755 | // -------------------------------------------------------------------- |
|
756 | ||
757 | /** |
|
758 | * Set Maximum Image Height |
|
759 | * |
|
760 | * @param int $n |
|
761 | * @return CI_Upload |
|
762 | */ |
|
763 | public function set_max_height($n) |
|
764 | { |
|
765 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
766 | return $this; |
|
767 | } |
|
768 | ||
769 | // -------------------------------------------------------------------- |
|
770 | ||
771 | /** |
|
772 | * Set minimum image width |
|
773 | * |
|
774 | * @param int $n |
|
775 | * @return CI_Upload |
|
776 | * |
|
777 | * @codeCoverageIgnore |
|
778 | */ |
|
779 | public function set_min_width($n) |
|
780 | { |
|
781 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
782 | return $this; |
|
783 | } |
|
784 | ||
785 | // -------------------------------------------------------------------- |
|
786 | ||
787 | /** |
|
788 | * Set minimum image height |
|
789 | * |
|
790 | * @param int $n |
|
791 | * @return CI_Upload |
|
792 | * |
|
793 | * @codeCoverageIgnore |
|
794 | */ |
|
795 | public function set_min_height($n) |
|
796 | { |
|
797 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
798 | return $this; |
|
799 | } |
|
800 | ||
801 | // -------------------------------------------------------------------- |
|
802 | ||
803 | /** |
|
804 | * Set Allowed File Types |
|
805 | * |
|
806 | * @param mixed $types |
|
807 | * @return CI_Upload |
|
808 | */ |
|
809 | public function set_allowed_types($types) |
|
810 | { |
|
811 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
812 | ? $types |
|
813 | : explode('|', $types); |
|
814 | return $this; |
|
815 | } |
|
816 | ||
817 | // -------------------------------------------------------------------- |
|
818 | ||
819 | /** |
|
820 | * Set Image Properties |
|
821 | * |
|
822 | * Uses GD to determine the width/height/type of image |
|
823 | * |
|
824 | * @param string $path |
|
825 | * @return CI_Upload |
|
826 | */ |
|
827 | public function set_image_properties($path = '') |
|
828 | { |
|
829 | if ($this->is_image() && function_exists('getimagesize')) |
|
830 | { |
|
831 | if (FALSE !== ($D = @getimagesize($path))) |
|
832 | { |
|
833 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
834 | ||
835 | $this->image_width = $D[0]; |
|
836 | $this->image_height = $D[1]; |
|
837 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
838 | $this->image_size_str = $D[3]; // string containing height and width |
|
839 | } |
|
840 | } |
|
841 | ||
842 | return $this; |
|
843 | } |
|
844 | ||
845 | // -------------------------------------------------------------------- |
|
846 | ||
847 | /** |
|
848 | * Set XSS Clean |
|
849 | * |
|
850 | * Enables the XSS flag so that the file that was uploaded |
|
851 | * will be run through the XSS filter. |
|
852 | * |
|
853 | * @param bool $flag |
|
854 | * @return CI_Upload |
|
855 | * |
|
856 | * @codeCoverageIgnore |
|
857 | */ |
|
858 | public function set_xss_clean($flag = FALSE) |
|
859 | { |
|
860 | $this->xss_clean = ($flag === TRUE); |
|
861 | return $this; |
|
862 | } |
|
863 | ||
864 | // -------------------------------------------------------------------- |
|
865 | ||
866 | /** |
|
867 | * Validate the image |
|
868 | * |
|
869 | * @return bool |
|
870 | * |
|
871 | * @codeCoverageIgnore |
|
872 | */ |
|
873 | public function is_image() |
|
874 | { |
|
875 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
876 | // jpegs or pngs to the same file type. |
|
877 | ||
878 | $png_mimes = array('image/x-png'); |
|
879 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
880 | ||
881 | if (in_array($this->file_type, $png_mimes)) |
|
882 | { |
|
883 | $this->file_type = 'image/png'; |
|
884 | } |
|
885 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
886 | { |
|
887 | $this->file_type = 'image/jpeg'; |
|
888 | } |
|
889 | ||
890 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
891 | ||
892 | return in_array($this->file_type, $img_mimes, TRUE); |
|
893 | } |
|
894 | ||
895 | // -------------------------------------------------------------------- |
|
896 | ||
897 | /** |
|
898 | * Verify that the filetype is allowed |
|
899 | * |
|
900 | * @param bool $ignore_mime |
|
901 | * @return bool |
|
902 | * |
|
903 | * @codeCoverageIgnore |
|
904 | */ |
|
905 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
906 | { |
|
907 | if ($this->allowed_types === '*') |
|
908 | { |
|
909 | return TRUE; |
|
910 | } |
|
911 | ||
912 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
913 | { |
|
914 | $this->set_error('upload_no_file_types', 'debug'); |
|
915 | return FALSE; |
|
916 | } |
|
917 | ||
918 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
919 | ||
920 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
921 | { |
|
922 | return FALSE; |
|
923 | } |
|
924 | ||
925 | // Images get some additional checks |
|
926 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
927 | { |
|
928 | return FALSE; |
|
929 | } |
|
930 | ||
931 | if ($ignore_mime === TRUE) |
|
932 | { |
|
933 | return TRUE; |
|
934 | } |
|
935 | ||
936 | if (isset($this->_mimes[$ext])) |
|
937 | { |
|
938 | return is_array($this->_mimes[$ext]) |
|
939 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
940 | : ($this->_mimes[$ext] === $this->file_type); |
|
941 | } |
|
942 | ||
943 | return FALSE; |
|
944 | } |
|
945 | ||
946 | // -------------------------------------------------------------------- |
|
947 | ||
948 | /** |
|
949 | * Verify that the file is within the allowed size |
|
950 | * |
|
951 | * @return bool |
|
952 | * |
|
953 | * @codeCoverageIgnore |
|
954 | */ |
|
955 | public function is_allowed_filesize() |
|
956 | { |
|
957 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
958 | } |
|
959 | ||
960 | // -------------------------------------------------------------------- |
|
961 | ||
962 | /** |
|
963 | * Verify that the image is within the allowed width/height |
|
964 | * |
|
965 | * @return bool |
|
966 | * |
|
967 | * @codeCoverageIgnore |
|
968 | */ |
|
969 | public function is_allowed_dimensions() |
|
970 | { |
|
971 | if ( ! $this->is_image()) |
|
972 | { |
|
973 | return TRUE; |
|
974 | } |
|
975 | ||
976 | if (function_exists('getimagesize')) |
|
977 | { |
|
978 | $D = @getimagesize($this->file_temp); |
|
979 | ||
980 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
981 | { |
|
982 | return FALSE; |
|
983 | } |
|
984 | ||
985 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
986 | { |
|
987 | return FALSE; |
|
988 | } |
|
989 | ||
990 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
991 | { |
|
992 | return FALSE; |
|
993 | } |
|
994 | ||
995 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
996 | { |
|
997 | return FALSE; |
|
998 | } |
|
999 | } |
|
1000 | ||
1001 | return TRUE; |
|
1002 | } |
|
1003 | ||
1004 | // -------------------------------------------------------------------- |
|
1005 | ||
1006 | /** |
|
1007 | * Validate Upload Path |
|
1008 | * |
|
1009 | * Verifies that it is a valid upload path with proper permissions. |
|
1010 | * |
|
1011 | * @return bool |
|
1012 | * |
|
1013 | * @codeCoverageIgnore |
|
1014 | */ |
|
1015 | public function validate_upload_path() |
|
1016 | { |
|
1017 | if ($this->upload_path === '') |
|
1018 | { |
|
1019 | $this->set_error('upload_no_filepath', 'error'); |
|
1020 | return FALSE; |
|
1021 | } |
|
1022 | ||
1023 | if (realpath($this->upload_path) !== FALSE) |
|
1024 | { |
|
1025 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1026 | } |
|
1027 | ||
1028 | if ( ! is_dir($this->upload_path)) |
|
1029 | { |
|
1030 | $this->set_error('upload_no_filepath', 'error'); |
|
1031 | return FALSE; |
|
1032 | } |
|
1033 | ||
1034 | if ( ! is_really_writable($this->upload_path)) |
|
1035 | { |
|
1036 | $this->set_error('upload_not_writable', 'error'); |
|
1037 | return FALSE; |
|
1038 | } |
|
1039 | ||
1040 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1041 | return TRUE; |
|
1042 | } |
|
1043 | ||
1044 | // -------------------------------------------------------------------- |
|
1045 | ||
1046 | /** |
|
1047 | * Extract the file extension |
|
1048 | * |
|
1049 | * @param string $filename |
|
1050 | * @return string |
|
1051 | * |
|
1052 | * @codeCoverageIgnore |
|
1053 | */ |
|
1054 | public function get_extension($filename) |
|
1055 | { |
|
1056 | $x = explode('.', $filename); |
|
1057 | ||
1058 | if (count($x) === 1) |
|
1059 | { |
|
1060 | return ''; |
|
1061 | } |
|
1062 | ||
1063 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1064 | return '.'.$ext; |
|
1065 | } |
|
1066 | ||
1067 | // -------------------------------------------------------------------- |
|
1068 | ||
1069 | /** |
|
1070 | * Limit the File Name Length |
|
1071 | * |
|
1072 | * @param string $filename |
|
1073 | * @param int $length |
|
1074 | * @return string |
|
1075 | * |
|
1076 | * @codeCoverageIgnore |
|
1077 | */ |
|
1078 | public function limit_filename_length($filename, $length) |
|
1079 | { |
|
1080 | if (strlen($filename) < $length) |
|
1081 | { |
|
1082 | return $filename; |
|
1083 | } |
|
1084 | ||
1085 | $ext = ''; |
|
1086 | if (strpos($filename, '.') !== FALSE) |
|
1087 | { |
|
1088 | $parts = explode('.', $filename); |
|
1089 | $ext = '.'.array_pop($parts); |
|
1090 | $filename = implode('.', $parts); |
|
1091 | } |
|
1092 | ||
1093 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1094 | } |
|
1095 | ||
1096 | // -------------------------------------------------------------------- |
|
1097 | ||
1098 | /** |
|
1099 | * Runs the file through the XSS clean function |
|
1100 | * |
|
1101 | * This prevents people from embedding malicious code in their files. |
|
1102 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1103 | * but so far I haven't found that it causes trouble. |
|
1104 | * |
|
1105 | * @return string |
|
1106 | * |
|
1107 | * @codeCoverageIgnore |
|
1108 | */ |
|
1109 | public function do_xss_clean() |
|
1110 | { |
|
1111 | $file = $this->file_temp; |
|
1112 | ||
1113 | if (filesize($file) == 0) |
|
1114 | { |
|
1115 | return FALSE; |
|
1116 | } |
|
1117 | ||
1118 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1119 | { |
|
1120 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1121 | if ( ! empty($memory_limit[1])) |
|
1122 | { |
|
1123 | switch ($memory_limit[1][0]) |
|
1124 | { |
|
1125 | case 'g': |
|
1126 | case 'G': |
|
1127 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1128 | break; |
|
1129 | case 'm': |
|
1130 | case 'M': |
|
1131 | $memory_limit[0] *= 1024 * 1024; |
|
1132 | break; |
|
1133 | default: |
|
1134 | break; |
|
1135 | } |
|
1136 | } |
|
1137 | ||
1138 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1139 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1140 | } |
|
1141 | ||
1142 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1143 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1144 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1145 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1146 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1147 | // attempted XSS attack. |
|
1148 | ||
1149 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1150 | { |
|
1151 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1152 | { |
|
1153 | return FALSE; // Couldn't open the file, return FALSE |
|
1154 | } |
|
1155 | ||
1156 | $opening_bytes = fread($file, 256); |
|
1157 | fclose($file); |
|
1158 | ||
1159 | // These are known to throw IE into mime-type detection chaos |
|
1160 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1161 | // title is basically just in SVG, but we filter it anyhow |
|
1162 | ||
1163 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1164 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1165 | } |
|
1166 | ||
1167 | if (($data = @file_get_contents($file)) === FALSE) |
|
1168 | { |
|
1169 | return FALSE; |
|
1170 | } |
|
1171 | ||
1172 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1173 | } |
|
1174 | ||
1175 | // -------------------------------------------------------------------- |
|
1176 | ||
1177 | /** |
|
1178 | * Set an error message |
|
1179 | * |
|
1180 | * @param string $msg |
|
1181 | * @return CI_Upload |
|
1182 | * |
|
1183 | * @codeCoverageIgnore |
|
1184 | */ |
|
1185 | public function set_error($msg, $log_level = 'error') |
|
1186 | { |
|
1187 | $this->_CI->lang->load('upload'); |
|
1188 | ||
1189 | is_array($msg) OR $msg = array($msg); |
|
1190 | foreach ($msg as $val) |
|
1191 | { |
|
1192 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1193 | $this->error_msg[] = $msg; |
|
1194 | log_message($log_level, $msg); |
|
1195 | } |
|
1196 | ||
1197 | return $this; |
|
1198 | } |
|
1199 | ||
1200 | // -------------------------------------------------------------------- |
|
1201 | ||
1202 | /** |
|
1203 | * Display the error message |
|
1204 | * |
|
1205 | * @param string $open |
|
1206 | * @param string $close |
|
1207 | * @return string |
|
1208 | * |
|
1209 | * @codeCoverageIgnore |
|
1210 | */ |
|
1211 | public function display_errors($open = '<p>', $close = '</p>') |
|
1212 | { |
|
1213 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1214 | } |
|
1215 | ||
1216 | // -------------------------------------------------------------------- |
|
1217 | ||
1218 | /** |
|
1219 | * Prep Filename |
|
1220 | * |
|
1221 | * Prevents possible script execution from Apache's handling |
|
1222 | * of files' multiple extensions. |
|
1223 | * |
|
1224 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1225 | * |
|
1226 | * @param string $filename |
|
1227 | * @return string |
|
1228 | * |
|
1229 | * @codeCoverageIgnore |
|
1230 | */ |
|
1231 | protected function _prep_filename($filename) |
|
1232 | { |
|
1233 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1234 | { |
|
1235 | return $filename; |
|
1236 | } |
|
1237 | ||
1238 | $ext = substr($filename, $ext_pos); |
|
1239 | $filename = substr($filename, 0, $ext_pos); |
|
1240 | return str_replace('.', '_', $filename).$ext; |
|
1241 | } |
|
1242 | ||
1243 | // -------------------------------------------------------------------- |
|
1244 | ||
1245 | /** |
|
1246 | * File MIME type |
|
1247 | * |
|
1248 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1249 | * The input array is expected to be $_FILES[$field] |
|
1250 | * |
|
1251 | * @param array $file |
|
1252 | * @return void |
|
1253 | * |
|
1254 | * @codeCoverageIgnore |
|
1255 | */ |
|
1256 | protected function _file_mime_type($file) |
|
1257 | { |
|
1258 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1259 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1260 | ||
1261 | /** |
|
1262 | * Fileinfo extension - most reliable method |
|
1263 | * |
|
1264 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1265 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1266 | * ext/fileinfo, which is otherwise enabled by default |
|
1267 | * since PHP 5.3 ... |
|
1268 | */ |
|
1269 | if (function_exists('finfo_file')) |
|
1270 | { |
|
1271 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1272 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1273 | { |
|
1274 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1275 | finfo_close($finfo); |
|
1276 | ||
1277 | /* According to the comments section of the PHP manual page, |
|
1278 | * it is possible that this function returns an empty string |
|
1279 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1280 | */ |
|
1281 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1282 | { |
|
1283 | $this->file_type = $matches[1]; |
|
1284 | return; |
|
1285 | } |
|
1286 | } |
|
1287 | } |
|
1288 | ||
1289 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1290 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1291 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1292 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1293 | * three different functions. |
|
1294 | * |
|
1295 | * Notes: |
|
1296 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1297 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1298 | * due to security concerns, hence the function_usable() checks |
|
1299 | */ |
|
1300 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1301 | { |
|
1302 | $cmd = function_exists('escapeshellarg') |
|
1303 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1304 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1305 | ||
1306 | if (function_usable('exec')) |
|
1307 | { |
|
1308 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1309 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1310 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1311 | * value, which is only put to allow us to get the return status code. |
|
1312 | */ |
|
1313 | $mime = @exec($cmd, $mime, $return_status); |
|
1314 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1315 | { |
|
1316 | $this->file_type = $matches[1]; |
|
1317 | return; |
|
1318 | } |
|
1319 | } |
|
1320 | ||
1321 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1322 | { |
|
1323 | $mime = @shell_exec($cmd); |
|
1324 | if (strlen($mime) > 0) |
|
1325 | { |
|
1326 | $mime = explode("\n", trim($mime)); |
|
1327 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1328 | { |
|
1329 | $this->file_type = $matches[1]; |
|
1330 | return; |
|
1331 | } |
|
1332 | } |
|
1333 | } |
|
1334 | ||
1335 | if (function_usable('popen')) |
|
1336 | { |
|
1337 | $proc = @popen($cmd, 'r'); |
|
1338 | if (is_resource($proc)) |
|
1339 | { |
|
1340 | $mime = @fread($proc, 512); |
|
1341 | @pclose($proc); |
|
1342 | if ($mime !== FALSE) |
|
1343 | { |
|
1344 | $mime = explode("\n", trim($mime)); |
|
1345 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1346 | { |
|
1347 | $this->file_type = $matches[1]; |
|
1348 | return; |
|
1349 | } |
|
1350 | } |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | ||
1355 | // Fall back to mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1356 | if (function_exists('mime_content_type')) |
|
1357 | { |
|
1358 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1359 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1360 | { |
|
1361 | return; |
|
1362 | } |
|
1363 | } |
|
1364 | ||
1365 | $this->file_type = $file['type']; |
|
1366 | } |
|
1367 | ||
1368 | } |
|
1369 |
@@ 49-1368 (lines=1320) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | ||
692 | return $new_filename; |
|
693 | } |
|
694 | ||
695 | // -------------------------------------------------------------------- |
|
696 | ||
697 | /** |
|
698 | * Set Maximum File Size |
|
699 | * |
|
700 | * @param int $n |
|
701 | * @return CI_Upload |
|
702 | */ |
|
703 | public function set_max_filesize($n) |
|
704 | { |
|
705 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
706 | return $this; |
|
707 | } |
|
708 | ||
709 | // -------------------------------------------------------------------- |
|
710 | ||
711 | /** |
|
712 | * Set Maximum File Size |
|
713 | * |
|
714 | * An internal alias to set_max_filesize() to help with configuration |
|
715 | * as initialize() will look for a set_<property_name>() method ... |
|
716 | * |
|
717 | * @param int $n |
|
718 | * @return CI_Upload |
|
719 | */ |
|
720 | protected function set_max_size($n) |
|
721 | { |
|
722 | return $this->set_max_filesize($n); |
|
723 | } |
|
724 | ||
725 | // -------------------------------------------------------------------- |
|
726 | ||
727 | /** |
|
728 | * Set Maximum File Name Length |
|
729 | * |
|
730 | * @param int $n |
|
731 | * @return CI_Upload |
|
732 | * |
|
733 | * @codeCoverageIgnore |
|
734 | */ |
|
735 | public function set_max_filename($n) |
|
736 | { |
|
737 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
738 | return $this; |
|
739 | } |
|
740 | ||
741 | // -------------------------------------------------------------------- |
|
742 | ||
743 | /** |
|
744 | * Set Maximum Image Width |
|
745 | * |
|
746 | * @param int $n |
|
747 | * @return CI_Upload |
|
748 | */ |
|
749 | public function set_max_width($n) |
|
750 | { |
|
751 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
752 | return $this; |
|
753 | } |
|
754 | ||
755 | // -------------------------------------------------------------------- |
|
756 | ||
757 | /** |
|
758 | * Set Maximum Image Height |
|
759 | * |
|
760 | * @param int $n |
|
761 | * @return CI_Upload |
|
762 | */ |
|
763 | public function set_max_height($n) |
|
764 | { |
|
765 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
766 | return $this; |
|
767 | } |
|
768 | ||
769 | // -------------------------------------------------------------------- |
|
770 | ||
771 | /** |
|
772 | * Set minimum image width |
|
773 | * |
|
774 | * @param int $n |
|
775 | * @return CI_Upload |
|
776 | * |
|
777 | * @codeCoverageIgnore |
|
778 | */ |
|
779 | public function set_min_width($n) |
|
780 | { |
|
781 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
782 | return $this; |
|
783 | } |
|
784 | ||
785 | // -------------------------------------------------------------------- |
|
786 | ||
787 | /** |
|
788 | * Set minimum image height |
|
789 | * |
|
790 | * @param int $n |
|
791 | * @return CI_Upload |
|
792 | * |
|
793 | * @codeCoverageIgnore |
|
794 | */ |
|
795 | public function set_min_height($n) |
|
796 | { |
|
797 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
798 | return $this; |
|
799 | } |
|
800 | ||
801 | // -------------------------------------------------------------------- |
|
802 | ||
803 | /** |
|
804 | * Set Allowed File Types |
|
805 | * |
|
806 | * @param mixed $types |
|
807 | * @return CI_Upload |
|
808 | */ |
|
809 | public function set_allowed_types($types) |
|
810 | { |
|
811 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
812 | ? $types |
|
813 | : explode('|', $types); |
|
814 | return $this; |
|
815 | } |
|
816 | ||
817 | // -------------------------------------------------------------------- |
|
818 | ||
819 | /** |
|
820 | * Set Image Properties |
|
821 | * |
|
822 | * Uses GD to determine the width/height/type of image |
|
823 | * |
|
824 | * @param string $path |
|
825 | * @return CI_Upload |
|
826 | */ |
|
827 | public function set_image_properties($path = '') |
|
828 | { |
|
829 | if ($this->is_image() && function_exists('getimagesize')) |
|
830 | { |
|
831 | if (FALSE !== ($D = @getimagesize($path))) |
|
832 | { |
|
833 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
834 | ||
835 | $this->image_width = $D[0]; |
|
836 | $this->image_height = $D[1]; |
|
837 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
838 | $this->image_size_str = $D[3]; // string containing height and width |
|
839 | } |
|
840 | } |
|
841 | ||
842 | return $this; |
|
843 | } |
|
844 | ||
845 | // -------------------------------------------------------------------- |
|
846 | ||
847 | /** |
|
848 | * Set XSS Clean |
|
849 | * |
|
850 | * Enables the XSS flag so that the file that was uploaded |
|
851 | * will be run through the XSS filter. |
|
852 | * |
|
853 | * @param bool $flag |
|
854 | * @return CI_Upload |
|
855 | * |
|
856 | * @codeCoverageIgnore |
|
857 | */ |
|
858 | public function set_xss_clean($flag = FALSE) |
|
859 | { |
|
860 | $this->xss_clean = ($flag === TRUE); |
|
861 | return $this; |
|
862 | } |
|
863 | ||
864 | // -------------------------------------------------------------------- |
|
865 | ||
866 | /** |
|
867 | * Validate the image |
|
868 | * |
|
869 | * @return bool |
|
870 | * |
|
871 | * @codeCoverageIgnore |
|
872 | */ |
|
873 | public function is_image() |
|
874 | { |
|
875 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
876 | // jpegs or pngs to the same file type. |
|
877 | ||
878 | $png_mimes = array('image/x-png'); |
|
879 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
880 | ||
881 | if (in_array($this->file_type, $png_mimes)) |
|
882 | { |
|
883 | $this->file_type = 'image/png'; |
|
884 | } |
|
885 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
886 | { |
|
887 | $this->file_type = 'image/jpeg'; |
|
888 | } |
|
889 | ||
890 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
891 | ||
892 | return in_array($this->file_type, $img_mimes, TRUE); |
|
893 | } |
|
894 | ||
895 | // -------------------------------------------------------------------- |
|
896 | ||
897 | /** |
|
898 | * Verify that the filetype is allowed |
|
899 | * |
|
900 | * @param bool $ignore_mime |
|
901 | * @return bool |
|
902 | * |
|
903 | * @codeCoverageIgnore |
|
904 | */ |
|
905 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
906 | { |
|
907 | if ($this->allowed_types === '*') |
|
908 | { |
|
909 | return TRUE; |
|
910 | } |
|
911 | ||
912 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
913 | { |
|
914 | $this->set_error('upload_no_file_types', 'debug'); |
|
915 | return FALSE; |
|
916 | } |
|
917 | ||
918 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
919 | ||
920 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
921 | { |
|
922 | return FALSE; |
|
923 | } |
|
924 | ||
925 | // Images get some additional checks |
|
926 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
927 | { |
|
928 | return FALSE; |
|
929 | } |
|
930 | ||
931 | if ($ignore_mime === TRUE) |
|
932 | { |
|
933 | return TRUE; |
|
934 | } |
|
935 | ||
936 | if (isset($this->_mimes[$ext])) |
|
937 | { |
|
938 | return is_array($this->_mimes[$ext]) |
|
939 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
940 | : ($this->_mimes[$ext] === $this->file_type); |
|
941 | } |
|
942 | ||
943 | return FALSE; |
|
944 | } |
|
945 | ||
946 | // -------------------------------------------------------------------- |
|
947 | ||
948 | /** |
|
949 | * Verify that the file is within the allowed size |
|
950 | * |
|
951 | * @return bool |
|
952 | * |
|
953 | * @codeCoverageIgnore |
|
954 | */ |
|
955 | public function is_allowed_filesize() |
|
956 | { |
|
957 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
958 | } |
|
959 | ||
960 | // -------------------------------------------------------------------- |
|
961 | ||
962 | /** |
|
963 | * Verify that the image is within the allowed width/height |
|
964 | * |
|
965 | * @return bool |
|
966 | * |
|
967 | * @codeCoverageIgnore |
|
968 | */ |
|
969 | public function is_allowed_dimensions() |
|
970 | { |
|
971 | if ( ! $this->is_image()) |
|
972 | { |
|
973 | return TRUE; |
|
974 | } |
|
975 | ||
976 | if (function_exists('getimagesize')) |
|
977 | { |
|
978 | $D = @getimagesize($this->file_temp); |
|
979 | ||
980 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
981 | { |
|
982 | return FALSE; |
|
983 | } |
|
984 | ||
985 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
986 | { |
|
987 | return FALSE; |
|
988 | } |
|
989 | ||
990 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
991 | { |
|
992 | return FALSE; |
|
993 | } |
|
994 | ||
995 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
996 | { |
|
997 | return FALSE; |
|
998 | } |
|
999 | } |
|
1000 | ||
1001 | return TRUE; |
|
1002 | } |
|
1003 | ||
1004 | // -------------------------------------------------------------------- |
|
1005 | ||
1006 | /** |
|
1007 | * Validate Upload Path |
|
1008 | * |
|
1009 | * Verifies that it is a valid upload path with proper permissions. |
|
1010 | * |
|
1011 | * @return bool |
|
1012 | * |
|
1013 | * @codeCoverageIgnore |
|
1014 | */ |
|
1015 | public function validate_upload_path() |
|
1016 | { |
|
1017 | if ($this->upload_path === '') |
|
1018 | { |
|
1019 | $this->set_error('upload_no_filepath', 'error'); |
|
1020 | return FALSE; |
|
1021 | } |
|
1022 | ||
1023 | if (realpath($this->upload_path) !== FALSE) |
|
1024 | { |
|
1025 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1026 | } |
|
1027 | ||
1028 | if ( ! is_dir($this->upload_path)) |
|
1029 | { |
|
1030 | $this->set_error('upload_no_filepath', 'error'); |
|
1031 | return FALSE; |
|
1032 | } |
|
1033 | ||
1034 | if ( ! is_really_writable($this->upload_path)) |
|
1035 | { |
|
1036 | $this->set_error('upload_not_writable', 'error'); |
|
1037 | return FALSE; |
|
1038 | } |
|
1039 | ||
1040 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1041 | return TRUE; |
|
1042 | } |
|
1043 | ||
1044 | // -------------------------------------------------------------------- |
|
1045 | ||
1046 | /** |
|
1047 | * Extract the file extension |
|
1048 | * |
|
1049 | * @param string $filename |
|
1050 | * @return string |
|
1051 | * |
|
1052 | * @codeCoverageIgnore |
|
1053 | */ |
|
1054 | public function get_extension($filename) |
|
1055 | { |
|
1056 | $x = explode('.', $filename); |
|
1057 | ||
1058 | if (count($x) === 1) |
|
1059 | { |
|
1060 | return ''; |
|
1061 | } |
|
1062 | ||
1063 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1064 | return '.'.$ext; |
|
1065 | } |
|
1066 | ||
1067 | // -------------------------------------------------------------------- |
|
1068 | ||
1069 | /** |
|
1070 | * Limit the File Name Length |
|
1071 | * |
|
1072 | * @param string $filename |
|
1073 | * @param int $length |
|
1074 | * @return string |
|
1075 | * |
|
1076 | * @codeCoverageIgnore |
|
1077 | */ |
|
1078 | public function limit_filename_length($filename, $length) |
|
1079 | { |
|
1080 | if (strlen($filename) < $length) |
|
1081 | { |
|
1082 | return $filename; |
|
1083 | } |
|
1084 | ||
1085 | $ext = ''; |
|
1086 | if (strpos($filename, '.') !== FALSE) |
|
1087 | { |
|
1088 | $parts = explode('.', $filename); |
|
1089 | $ext = '.'.array_pop($parts); |
|
1090 | $filename = implode('.', $parts); |
|
1091 | } |
|
1092 | ||
1093 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1094 | } |
|
1095 | ||
1096 | // -------------------------------------------------------------------- |
|
1097 | ||
1098 | /** |
|
1099 | * Runs the file through the XSS clean function |
|
1100 | * |
|
1101 | * This prevents people from embedding malicious code in their files. |
|
1102 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1103 | * but so far I haven't found that it causes trouble. |
|
1104 | * |
|
1105 | * @return string |
|
1106 | * |
|
1107 | * @codeCoverageIgnore |
|
1108 | */ |
|
1109 | public function do_xss_clean() |
|
1110 | { |
|
1111 | $file = $this->file_temp; |
|
1112 | ||
1113 | if (filesize($file) == 0) |
|
1114 | { |
|
1115 | return FALSE; |
|
1116 | } |
|
1117 | ||
1118 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1119 | { |
|
1120 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1121 | if ( ! empty($memory_limit[1])) |
|
1122 | { |
|
1123 | switch ($memory_limit[1][0]) |
|
1124 | { |
|
1125 | case 'g': |
|
1126 | case 'G': |
|
1127 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1128 | break; |
|
1129 | case 'm': |
|
1130 | case 'M': |
|
1131 | $memory_limit[0] *= 1024 * 1024; |
|
1132 | break; |
|
1133 | default: |
|
1134 | break; |
|
1135 | } |
|
1136 | } |
|
1137 | ||
1138 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1139 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1140 | } |
|
1141 | ||
1142 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1143 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1144 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1145 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1146 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1147 | // attempted XSS attack. |
|
1148 | ||
1149 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1150 | { |
|
1151 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1152 | { |
|
1153 | return FALSE; // Couldn't open the file, return FALSE |
|
1154 | } |
|
1155 | ||
1156 | $opening_bytes = fread($file, 256); |
|
1157 | fclose($file); |
|
1158 | ||
1159 | // These are known to throw IE into mime-type detection chaos |
|
1160 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1161 | // title is basically just in SVG, but we filter it anyhow |
|
1162 | ||
1163 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1164 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1165 | } |
|
1166 | ||
1167 | if (($data = @file_get_contents($file)) === FALSE) |
|
1168 | { |
|
1169 | return FALSE; |
|
1170 | } |
|
1171 | ||
1172 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1173 | } |
|
1174 | ||
1175 | // -------------------------------------------------------------------- |
|
1176 | ||
1177 | /** |
|
1178 | * Set an error message |
|
1179 | * |
|
1180 | * @param string $msg |
|
1181 | * @return CI_Upload |
|
1182 | * |
|
1183 | * @codeCoverageIgnore |
|
1184 | */ |
|
1185 | public function set_error($msg, $log_level = 'error') |
|
1186 | { |
|
1187 | $this->_CI->lang->load('upload'); |
|
1188 | ||
1189 | is_array($msg) OR $msg = array($msg); |
|
1190 | foreach ($msg as $val) |
|
1191 | { |
|
1192 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1193 | $this->error_msg[] = $msg; |
|
1194 | log_message($log_level, $msg); |
|
1195 | } |
|
1196 | ||
1197 | return $this; |
|
1198 | } |
|
1199 | ||
1200 | // -------------------------------------------------------------------- |
|
1201 | ||
1202 | /** |
|
1203 | * Display the error message |
|
1204 | * |
|
1205 | * @param string $open |
|
1206 | * @param string $close |
|
1207 | * @return string |
|
1208 | * |
|
1209 | * @codeCoverageIgnore |
|
1210 | */ |
|
1211 | public function display_errors($open = '<p>', $close = '</p>') |
|
1212 | { |
|
1213 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1214 | } |
|
1215 | ||
1216 | // -------------------------------------------------------------------- |
|
1217 | ||
1218 | /** |
|
1219 | * Prep Filename |
|
1220 | * |
|
1221 | * Prevents possible script execution from Apache's handling |
|
1222 | * of files' multiple extensions. |
|
1223 | * |
|
1224 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1225 | * |
|
1226 | * @param string $filename |
|
1227 | * @return string |
|
1228 | * |
|
1229 | * @codeCoverageIgnore |
|
1230 | */ |
|
1231 | protected function _prep_filename($filename) |
|
1232 | { |
|
1233 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1234 | { |
|
1235 | return $filename; |
|
1236 | } |
|
1237 | ||
1238 | $ext = substr($filename, $ext_pos); |
|
1239 | $filename = substr($filename, 0, $ext_pos); |
|
1240 | return str_replace('.', '_', $filename).$ext; |
|
1241 | } |
|
1242 | ||
1243 | // -------------------------------------------------------------------- |
|
1244 | ||
1245 | /** |
|
1246 | * File MIME type |
|
1247 | * |
|
1248 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1249 | * The input array is expected to be $_FILES[$field] |
|
1250 | * |
|
1251 | * @param array $file |
|
1252 | * @return void |
|
1253 | * |
|
1254 | * @codeCoverageIgnore |
|
1255 | */ |
|
1256 | protected function _file_mime_type($file) |
|
1257 | { |
|
1258 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1259 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1260 | ||
1261 | /** |
|
1262 | * Fileinfo extension - most reliable method |
|
1263 | * |
|
1264 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1265 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1266 | * ext/fileinfo, which is otherwise enabled by default |
|
1267 | * since PHP 5.3 ... |
|
1268 | */ |
|
1269 | if (function_exists('finfo_file')) |
|
1270 | { |
|
1271 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1272 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1273 | { |
|
1274 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1275 | finfo_close($finfo); |
|
1276 | ||
1277 | /* According to the comments section of the PHP manual page, |
|
1278 | * it is possible that this function returns an empty string |
|
1279 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1280 | */ |
|
1281 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1282 | { |
|
1283 | $this->file_type = $matches[1]; |
|
1284 | return; |
|
1285 | } |
|
1286 | } |
|
1287 | } |
|
1288 | ||
1289 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1290 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1291 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1292 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1293 | * three different functions. |
|
1294 | * |
|
1295 | * Notes: |
|
1296 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1297 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1298 | * due to security concerns, hence the function_usable() checks |
|
1299 | */ |
|
1300 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1301 | { |
|
1302 | $cmd = function_exists('escapeshellarg') |
|
1303 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1304 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1305 | ||
1306 | if (function_usable('exec')) |
|
1307 | { |
|
1308 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1309 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1310 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1311 | * value, which is only put to allow us to get the return status code. |
|
1312 | */ |
|
1313 | $mime = @exec($cmd, $mime, $return_status); |
|
1314 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1315 | { |
|
1316 | $this->file_type = $matches[1]; |
|
1317 | return; |
|
1318 | } |
|
1319 | } |
|
1320 | ||
1321 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1322 | { |
|
1323 | $mime = @shell_exec($cmd); |
|
1324 | if (strlen($mime) > 0) |
|
1325 | { |
|
1326 | $mime = explode("\n", trim($mime)); |
|
1327 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1328 | { |
|
1329 | $this->file_type = $matches[1]; |
|
1330 | return; |
|
1331 | } |
|
1332 | } |
|
1333 | } |
|
1334 | ||
1335 | if (function_usable('popen')) |
|
1336 | { |
|
1337 | $proc = @popen($cmd, 'r'); |
|
1338 | if (is_resource($proc)) |
|
1339 | { |
|
1340 | $mime = @fread($proc, 512); |
|
1341 | @pclose($proc); |
|
1342 | if ($mime !== FALSE) |
|
1343 | { |
|
1344 | $mime = explode("\n", trim($mime)); |
|
1345 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1346 | { |
|
1347 | $this->file_type = $matches[1]; |
|
1348 | return; |
|
1349 | } |
|
1350 | } |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | ||
1355 | // Fall back to mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1356 | if (function_exists('mime_content_type')) |
|
1357 | { |
|
1358 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1359 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1360 | { |
|
1361 | return; |
|
1362 | } |
|
1363 | } |
|
1364 | ||
1365 | $this->file_type = $file['type']; |
|
1366 | } |
|
1367 | ||
1368 | } |
|
1369 |
@@ 49-1368 (lines=1320) @@ | ||
46 | * @author EllisLab Dev Team |
|
47 | * @link https://codeigniter.com/user_guide/libraries/file_uploading.html |
|
48 | */ |
|
49 | class CI_Upload { |
|
50 | ||
51 | /** |
|
52 | * Maximum file size |
|
53 | * |
|
54 | * @var int |
|
55 | */ |
|
56 | public $max_size = 0; |
|
57 | ||
58 | /** |
|
59 | * Maximum image width |
|
60 | * |
|
61 | * @var int |
|
62 | */ |
|
63 | public $max_width = 0; |
|
64 | ||
65 | /** |
|
66 | * Maximum image height |
|
67 | * |
|
68 | * @var int |
|
69 | */ |
|
70 | public $max_height = 0; |
|
71 | ||
72 | /** |
|
73 | * Minimum image width |
|
74 | * |
|
75 | * @var int |
|
76 | */ |
|
77 | public $min_width = 0; |
|
78 | ||
79 | /** |
|
80 | * Minimum image height |
|
81 | * |
|
82 | * @var int |
|
83 | */ |
|
84 | public $min_height = 0; |
|
85 | ||
86 | /** |
|
87 | * Maximum filename length |
|
88 | * |
|
89 | * @var int |
|
90 | */ |
|
91 | public $max_filename = 0; |
|
92 | ||
93 | /** |
|
94 | * Maximum duplicate filename increment ID |
|
95 | * |
|
96 | * @var int |
|
97 | */ |
|
98 | public $max_filename_increment = 100; |
|
99 | ||
100 | /** |
|
101 | * Allowed file types |
|
102 | * |
|
103 | * @var string |
|
104 | */ |
|
105 | public $allowed_types = ''; |
|
106 | ||
107 | /** |
|
108 | * Temporary filename |
|
109 | * |
|
110 | * @var string |
|
111 | */ |
|
112 | public $file_temp = ''; |
|
113 | ||
114 | /** |
|
115 | * Filename |
|
116 | * |
|
117 | * @var string |
|
118 | */ |
|
119 | public $file_name = ''; |
|
120 | ||
121 | /** |
|
122 | * Original filename |
|
123 | * |
|
124 | * @var string |
|
125 | */ |
|
126 | public $orig_name = ''; |
|
127 | ||
128 | /** |
|
129 | * File type |
|
130 | * |
|
131 | * @var string |
|
132 | */ |
|
133 | public $file_type = ''; |
|
134 | ||
135 | /** |
|
136 | * File size |
|
137 | * |
|
138 | * @var int |
|
139 | */ |
|
140 | public $file_size = NULL; |
|
141 | ||
142 | /** |
|
143 | * Filename extension |
|
144 | * |
|
145 | * @var string |
|
146 | */ |
|
147 | public $file_ext = ''; |
|
148 | ||
149 | /** |
|
150 | * Force filename extension to lowercase |
|
151 | * |
|
152 | * @var string |
|
153 | */ |
|
154 | public $file_ext_tolower = FALSE; |
|
155 | ||
156 | /** |
|
157 | * Upload path |
|
158 | * |
|
159 | * @var string |
|
160 | */ |
|
161 | public $upload_path = ''; |
|
162 | ||
163 | /** |
|
164 | * Overwrite flag |
|
165 | * |
|
166 | * @var bool |
|
167 | */ |
|
168 | public $overwrite = FALSE; |
|
169 | ||
170 | /** |
|
171 | * Obfuscate filename flag |
|
172 | * |
|
173 | * @var bool |
|
174 | */ |
|
175 | public $encrypt_name = FALSE; |
|
176 | ||
177 | /** |
|
178 | * Is image flag |
|
179 | * |
|
180 | * @var bool |
|
181 | */ |
|
182 | public $is_image = FALSE; |
|
183 | ||
184 | /** |
|
185 | * Image width |
|
186 | * |
|
187 | * @var int |
|
188 | */ |
|
189 | public $image_width = NULL; |
|
190 | ||
191 | /** |
|
192 | * Image height |
|
193 | * |
|
194 | * @var int |
|
195 | */ |
|
196 | public $image_height = NULL; |
|
197 | ||
198 | /** |
|
199 | * Image type |
|
200 | * |
|
201 | * @var string |
|
202 | */ |
|
203 | public $image_type = ''; |
|
204 | ||
205 | /** |
|
206 | * Image size string |
|
207 | * |
|
208 | * @var string |
|
209 | */ |
|
210 | public $image_size_str = ''; |
|
211 | ||
212 | /** |
|
213 | * Error messages list |
|
214 | * |
|
215 | * @var array |
|
216 | */ |
|
217 | public $error_msg = array(); |
|
218 | ||
219 | /** |
|
220 | * Remove spaces flag |
|
221 | * |
|
222 | * @var bool |
|
223 | */ |
|
224 | public $remove_spaces = TRUE; |
|
225 | ||
226 | /** |
|
227 | * MIME detection flag |
|
228 | * |
|
229 | * @var bool |
|
230 | */ |
|
231 | public $detect_mime = TRUE; |
|
232 | ||
233 | /** |
|
234 | * XSS filter flag |
|
235 | * |
|
236 | * @var bool |
|
237 | */ |
|
238 | public $xss_clean = FALSE; |
|
239 | ||
240 | /** |
|
241 | * Apache mod_mime fix flag |
|
242 | * |
|
243 | * @var bool |
|
244 | */ |
|
245 | public $mod_mime_fix = TRUE; |
|
246 | ||
247 | /** |
|
248 | * Temporary filename prefix |
|
249 | * |
|
250 | * @var string |
|
251 | */ |
|
252 | public $temp_prefix = 'temp_file_'; |
|
253 | ||
254 | /** |
|
255 | * Filename sent by the client |
|
256 | * |
|
257 | * @var bool |
|
258 | */ |
|
259 | public $client_name = ''; |
|
260 | ||
261 | // -------------------------------------------------------------------- |
|
262 | ||
263 | /** |
|
264 | * Filename override |
|
265 | * |
|
266 | * @var string |
|
267 | */ |
|
268 | protected $_file_name_override = ''; |
|
269 | ||
270 | /** |
|
271 | * MIME types list |
|
272 | * |
|
273 | * @var array |
|
274 | */ |
|
275 | protected $_mimes = array(); |
|
276 | ||
277 | /** |
|
278 | * CI Singleton |
|
279 | * |
|
280 | * @var object |
|
281 | */ |
|
282 | protected $_CI; |
|
283 | ||
284 | // -------------------------------------------------------------------- |
|
285 | ||
286 | /** |
|
287 | * Constructor |
|
288 | * |
|
289 | * @param array $config |
|
290 | * @return void |
|
291 | * |
|
292 | * @codeCoverageIgnore |
|
293 | */ |
|
294 | public function __construct($config = array()) |
|
295 | { |
|
296 | empty($config) OR $this->initialize($config, FALSE); |
|
297 | ||
298 | $this->_mimes =& get_mimes(); |
|
299 | $this->_CI =& get_instance(); |
|
300 | ||
301 | log_message('info', 'Upload Class Initialized'); |
|
302 | } |
|
303 | ||
304 | // -------------------------------------------------------------------- |
|
305 | ||
306 | /** |
|
307 | * Initialize preferences |
|
308 | * |
|
309 | * @param array $config |
|
310 | * @param bool $reset |
|
311 | * @return CI_Upload |
|
312 | * |
|
313 | * @codeCoverageIgnore |
|
314 | */ |
|
315 | public function initialize(array $config = array(), $reset = TRUE) |
|
316 | { |
|
317 | $reflection = new ReflectionClass($this); |
|
318 | ||
319 | if ($reset === TRUE) |
|
320 | { |
|
321 | $defaults = $reflection->getDefaultProperties(); |
|
322 | foreach (array_keys($defaults) as $key) |
|
323 | { |
|
324 | if ($key[0] === '_') |
|
325 | { |
|
326 | continue; |
|
327 | } |
|
328 | ||
329 | if (isset($config[$key])) |
|
330 | { |
|
331 | if ($reflection->hasMethod('set_'.$key)) |
|
332 | { |
|
333 | $this->{'set_'.$key}($config[$key]); |
|
334 | } |
|
335 | else |
|
336 | { |
|
337 | $this->$key = $config[$key]; |
|
338 | } |
|
339 | } |
|
340 | else |
|
341 | { |
|
342 | $this->$key = $defaults[$key]; |
|
343 | } |
|
344 | } |
|
345 | } |
|
346 | else |
|
347 | { |
|
348 | foreach ($config as $key => &$value) |
|
349 | { |
|
350 | if ($key[0] !== '_' && $reflection->hasProperty($key)) |
|
351 | { |
|
352 | if ($reflection->hasMethod('set_'.$key)) |
|
353 | { |
|
354 | $this->{'set_'.$key}($value); |
|
355 | } |
|
356 | else |
|
357 | { |
|
358 | $this->$key = $value; |
|
359 | } |
|
360 | } |
|
361 | } |
|
362 | } |
|
363 | ||
364 | // if a file_name was provided in the config, use it instead of the user input |
|
365 | // supplied file name for all uploads until initialized again |
|
366 | $this->_file_name_override = $this->file_name; |
|
367 | return $this; |
|
368 | } |
|
369 | ||
370 | // -------------------------------------------------------------------- |
|
371 | ||
372 | /** |
|
373 | * Perform the file upload |
|
374 | * |
|
375 | * @param string $field |
|
376 | * @return bool |
|
377 | * |
|
378 | * modified by ci-phpunit-test |
|
379 | */ |
|
380 | public function do_upload($field = 'userfile') |
|
381 | { |
|
382 | // Is $_FILES[$field] set? If not, no reason to continue. |
|
383 | if (isset($_FILES[$field])) |
|
384 | { |
|
385 | $_file = $_FILES[$field]; |
|
386 | } |
|
387 | // Does the field name contain array notation? |
|
388 | elseif (($c = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $field, $matches)) > 1) |
|
389 | { |
|
390 | $_file = $_FILES; |
|
391 | for ($i = 0; $i < $c; $i++) |
|
392 | { |
|
393 | // We can't track numeric iterations, only full field names are accepted |
|
394 | if (($field = trim($matches[0][$i], '[]')) === '' OR ! isset($_file[$field])) |
|
395 | { |
|
396 | $_file = NULL; |
|
397 | break; |
|
398 | } |
|
399 | ||
400 | $_file = $_file[$field]; |
|
401 | } |
|
402 | } |
|
403 | ||
404 | if ( ! isset($_file)) |
|
405 | { |
|
406 | $this->set_error('upload_no_file_selected', 'debug'); |
|
407 | return FALSE; |
|
408 | } |
|
409 | ||
410 | // Is the upload path valid? |
|
411 | if ( ! $this->validate_upload_path()) |
|
412 | { |
|
413 | // errors will already be set by validate_upload_path() so just return FALSE |
|
414 | return FALSE; |
|
415 | } |
|
416 | ||
417 | // Was the file able to be uploaded? If not, determine the reason why. |
|
418 | if ( ! file_exists($_file['tmp_name'])) // modified by ci-phpunit-test |
|
419 | { |
|
420 | $error = isset($_file['error']) ? $_file['error'] : 4; |
|
421 | ||
422 | switch ($error) |
|
423 | { |
|
424 | case UPLOAD_ERR_INI_SIZE: |
|
425 | $this->set_error('upload_file_exceeds_limit', 'info'); |
|
426 | break; |
|
427 | case UPLOAD_ERR_FORM_SIZE: |
|
428 | $this->set_error('upload_file_exceeds_form_limit', 'info'); |
|
429 | break; |
|
430 | case UPLOAD_ERR_PARTIAL: |
|
431 | $this->set_error('upload_file_partial', 'debug'); |
|
432 | break; |
|
433 | case UPLOAD_ERR_NO_FILE: |
|
434 | $this->set_error('upload_no_file_selected', 'debug'); |
|
435 | break; |
|
436 | case UPLOAD_ERR_NO_TMP_DIR: |
|
437 | $this->set_error('upload_no_temp_directory', 'error'); |
|
438 | break; |
|
439 | case UPLOAD_ERR_CANT_WRITE: |
|
440 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
441 | break; |
|
442 | case UPLOAD_ERR_EXTENSION: |
|
443 | $this->set_error('upload_stopped_by_extension', 'debug'); |
|
444 | break; |
|
445 | default: |
|
446 | $this->set_error('upload_no_file_selected', 'debug'); |
|
447 | break; |
|
448 | } |
|
449 | ||
450 | return FALSE; |
|
451 | } |
|
452 | ||
453 | // Set the uploaded data as class variables |
|
454 | $this->file_temp = $_file['tmp_name']; |
|
455 | $this->file_size = $_file['size']; |
|
456 | ||
457 | // Skip MIME type detection? |
|
458 | if ($this->detect_mime !== FALSE) |
|
459 | { |
|
460 | $this->_file_mime_type($_file); |
|
461 | } |
|
462 | ||
463 | $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type); |
|
464 | $this->file_type = strtolower(trim(stripslashes($this->file_type), '"')); |
|
465 | $this->file_name = $this->_prep_filename($_file['name']); |
|
466 | $this->file_ext = $this->get_extension($this->file_name); |
|
467 | $this->client_name = $this->file_name; |
|
468 | ||
469 | // Is the file type allowed to be uploaded? |
|
470 | if ( ! $this->is_allowed_filetype()) |
|
471 | { |
|
472 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
473 | return FALSE; |
|
474 | } |
|
475 | ||
476 | // if we're overriding, let's now make sure the new name and type is allowed |
|
477 | if ($this->_file_name_override !== '') |
|
478 | { |
|
479 | $this->file_name = $this->_prep_filename($this->_file_name_override); |
|
480 | ||
481 | // If no extension was provided in the file_name config item, use the uploaded one |
|
482 | if (strpos($this->_file_name_override, '.') === FALSE) |
|
483 | { |
|
484 | $this->file_name .= $this->file_ext; |
|
485 | } |
|
486 | else |
|
487 | { |
|
488 | // An extension was provided, let's have it! |
|
489 | $this->file_ext = $this->get_extension($this->_file_name_override); |
|
490 | } |
|
491 | ||
492 | if ( ! $this->is_allowed_filetype(TRUE)) |
|
493 | { |
|
494 | $this->set_error('upload_invalid_filetype', 'debug'); |
|
495 | return FALSE; |
|
496 | } |
|
497 | } |
|
498 | ||
499 | // Convert the file size to kilobytes |
|
500 | if ($this->file_size > 0) |
|
501 | { |
|
502 | $this->file_size = round($this->file_size/1024, 2); |
|
503 | } |
|
504 | ||
505 | // Is the file size within the allowed maximum? |
|
506 | if ( ! $this->is_allowed_filesize()) |
|
507 | { |
|
508 | $this->set_error('upload_invalid_filesize', 'info'); |
|
509 | return FALSE; |
|
510 | } |
|
511 | ||
512 | // Are the image dimensions within the allowed size? |
|
513 | // Note: This can fail if the server has an open_basedir restriction. |
|
514 | if ( ! $this->is_allowed_dimensions()) |
|
515 | { |
|
516 | $this->set_error('upload_invalid_dimensions', 'info'); |
|
517 | return FALSE; |
|
518 | } |
|
519 | ||
520 | // Sanitize the file name for security |
|
521 | $this->file_name = $this->_CI->security->sanitize_filename($this->file_name); |
|
522 | ||
523 | // Truncate the file name if it's too long |
|
524 | if ($this->max_filename > 0) |
|
525 | { |
|
526 | $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename); |
|
527 | } |
|
528 | ||
529 | // Remove white spaces in the name |
|
530 | if ($this->remove_spaces === TRUE) |
|
531 | { |
|
532 | $this->file_name = preg_replace('/\s+/', '_', $this->file_name); |
|
533 | } |
|
534 | ||
535 | if ($this->file_ext_tolower && ($ext_length = strlen($this->file_ext))) |
|
536 | { |
|
537 | // file_ext was previously lower-cased by a get_extension() call |
|
538 | $this->file_name = substr($this->file_name, 0, -$ext_length).$this->file_ext; |
|
539 | } |
|
540 | ||
541 | /* |
|
542 | * Validate the file name |
|
543 | * This function appends an number onto the end of |
|
544 | * the file if one with the same name already exists. |
|
545 | * If it returns false there was a problem. |
|
546 | */ |
|
547 | $this->orig_name = $this->file_name; |
|
548 | if (FALSE === ($this->file_name = $this->set_filename($this->upload_path, $this->file_name))) |
|
549 | { |
|
550 | return FALSE; |
|
551 | } |
|
552 | ||
553 | /* |
|
554 | * Run the file through the XSS hacking filter |
|
555 | * This helps prevent malicious code from being |
|
556 | * embedded within a file. Scripts can easily |
|
557 | * be disguised as images or other file types. |
|
558 | */ |
|
559 | if ($this->xss_clean && $this->do_xss_clean() === FALSE) |
|
560 | { |
|
561 | $this->set_error('upload_unable_to_write_file', 'error'); |
|
562 | return FALSE; |
|
563 | } |
|
564 | ||
565 | /* |
|
566 | * Move the file to the final destination |
|
567 | * To deal with different server configurations |
|
568 | * we'll attempt to use copy() first. If that fails |
|
569 | * we'll use move_uploaded_file(). One of the two should |
|
570 | * reliably work in most environments |
|
571 | */ |
|
572 | if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name)) |
|
573 | { |
|
574 | if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name)) |
|
575 | { |
|
576 | $this->set_error('upload_destination_error', 'error'); |
|
577 | return FALSE; |
|
578 | } |
|
579 | } |
|
580 | ||
581 | /* |
|
582 | * Set the finalized image dimensions |
|
583 | * This sets the image width/height (assuming the |
|
584 | * file was an image). We use this information |
|
585 | * in the "data" function. |
|
586 | */ |
|
587 | $this->set_image_properties($this->upload_path.$this->file_name); |
|
588 | ||
589 | return TRUE; |
|
590 | } |
|
591 | ||
592 | // -------------------------------------------------------------------- |
|
593 | ||
594 | /** |
|
595 | * Finalized Data Array |
|
596 | * |
|
597 | * Returns an associative array containing all of the information |
|
598 | * related to the upload, allowing the developer easy access in one array. |
|
599 | * |
|
600 | * @param string $index |
|
601 | * @return mixed |
|
602 | * |
|
603 | * @codeCoverageIgnore |
|
604 | */ |
|
605 | public function data($index = NULL) |
|
606 | { |
|
607 | $data = array( |
|
608 | 'file_name' => $this->file_name, |
|
609 | 'file_type' => $this->file_type, |
|
610 | 'file_path' => $this->upload_path, |
|
611 | 'full_path' => $this->upload_path.$this->file_name, |
|
612 | 'raw_name' => substr($this->file_name, 0, -strlen($this->file_ext)), |
|
613 | 'orig_name' => $this->orig_name, |
|
614 | 'client_name' => $this->client_name, |
|
615 | 'file_ext' => $this->file_ext, |
|
616 | 'file_size' => $this->file_size, |
|
617 | 'is_image' => $this->is_image(), |
|
618 | 'image_width' => $this->image_width, |
|
619 | 'image_height' => $this->image_height, |
|
620 | 'image_type' => $this->image_type, |
|
621 | 'image_size_str' => $this->image_size_str, |
|
622 | ); |
|
623 | ||
624 | if ( ! empty($index)) |
|
625 | { |
|
626 | return isset($data[$index]) ? $data[$index] : NULL; |
|
627 | } |
|
628 | ||
629 | return $data; |
|
630 | } |
|
631 | ||
632 | // -------------------------------------------------------------------- |
|
633 | ||
634 | /** |
|
635 | * Set Upload Path |
|
636 | * |
|
637 | * @param string $path |
|
638 | * @return CI_Upload |
|
639 | */ |
|
640 | public function set_upload_path($path) |
|
641 | { |
|
642 | // Make sure it has a trailing slash |
|
643 | $this->upload_path = rtrim($path, '/').'/'; |
|
644 | return $this; |
|
645 | } |
|
646 | ||
647 | // -------------------------------------------------------------------- |
|
648 | ||
649 | /** |
|
650 | * Set the file name |
|
651 | * |
|
652 | * This function takes a filename/path as input and looks for the |
|
653 | * existence of a file with the same name. If found, it will append a |
|
654 | * number to the end of the filename to avoid overwriting a pre-existing file. |
|
655 | * |
|
656 | * @param string $path |
|
657 | * @param string $filename |
|
658 | * @return string |
|
659 | * |
|
660 | * @codeCoverageIgnore |
|
661 | */ |
|
662 | public function set_filename($path, $filename) |
|
663 | { |
|
664 | if ($this->encrypt_name === TRUE) |
|
665 | { |
|
666 | $filename = md5(uniqid(mt_rand())).$this->file_ext; |
|
667 | } |
|
668 | ||
669 | if ($this->overwrite === TRUE OR ! file_exists($path.$filename)) |
|
670 | { |
|
671 | return $filename; |
|
672 | } |
|
673 | ||
674 | $filename = str_replace($this->file_ext, '', $filename); |
|
675 | ||
676 | $new_filename = ''; |
|
677 | for ($i = 1; $i < $this->max_filename_increment; $i++) |
|
678 | { |
|
679 | if ( ! file_exists($path.$filename.$i.$this->file_ext)) |
|
680 | { |
|
681 | $new_filename = $filename.$i.$this->file_ext; |
|
682 | break; |
|
683 | } |
|
684 | } |
|
685 | ||
686 | if ($new_filename === '') |
|
687 | { |
|
688 | $this->set_error('upload_bad_filename', 'debug'); |
|
689 | return FALSE; |
|
690 | } |
|
691 | ||
692 | return $new_filename; |
|
693 | } |
|
694 | ||
695 | // -------------------------------------------------------------------- |
|
696 | ||
697 | /** |
|
698 | * Set Maximum File Size |
|
699 | * |
|
700 | * @param int $n |
|
701 | * @return CI_Upload |
|
702 | */ |
|
703 | public function set_max_filesize($n) |
|
704 | { |
|
705 | $this->max_size = ($n < 0) ? 0 : (int) $n; |
|
706 | return $this; |
|
707 | } |
|
708 | ||
709 | // -------------------------------------------------------------------- |
|
710 | ||
711 | /** |
|
712 | * Set Maximum File Size |
|
713 | * |
|
714 | * An internal alias to set_max_filesize() to help with configuration |
|
715 | * as initialize() will look for a set_<property_name>() method ... |
|
716 | * |
|
717 | * @param int $n |
|
718 | * @return CI_Upload |
|
719 | */ |
|
720 | protected function set_max_size($n) |
|
721 | { |
|
722 | return $this->set_max_filesize($n); |
|
723 | } |
|
724 | ||
725 | // -------------------------------------------------------------------- |
|
726 | ||
727 | /** |
|
728 | * Set Maximum File Name Length |
|
729 | * |
|
730 | * @param int $n |
|
731 | * @return CI_Upload |
|
732 | * |
|
733 | * @codeCoverageIgnore |
|
734 | */ |
|
735 | public function set_max_filename($n) |
|
736 | { |
|
737 | $this->max_filename = ($n < 0) ? 0 : (int) $n; |
|
738 | return $this; |
|
739 | } |
|
740 | ||
741 | // -------------------------------------------------------------------- |
|
742 | ||
743 | /** |
|
744 | * Set Maximum Image Width |
|
745 | * |
|
746 | * @param int $n |
|
747 | * @return CI_Upload |
|
748 | */ |
|
749 | public function set_max_width($n) |
|
750 | { |
|
751 | $this->max_width = ($n < 0) ? 0 : (int) $n; |
|
752 | return $this; |
|
753 | } |
|
754 | ||
755 | // -------------------------------------------------------------------- |
|
756 | ||
757 | /** |
|
758 | * Set Maximum Image Height |
|
759 | * |
|
760 | * @param int $n |
|
761 | * @return CI_Upload |
|
762 | */ |
|
763 | public function set_max_height($n) |
|
764 | { |
|
765 | $this->max_height = ($n < 0) ? 0 : (int) $n; |
|
766 | return $this; |
|
767 | } |
|
768 | ||
769 | // -------------------------------------------------------------------- |
|
770 | ||
771 | /** |
|
772 | * Set minimum image width |
|
773 | * |
|
774 | * @param int $n |
|
775 | * @return CI_Upload |
|
776 | * |
|
777 | * @codeCoverageIgnore |
|
778 | */ |
|
779 | public function set_min_width($n) |
|
780 | { |
|
781 | $this->min_width = ($n < 0) ? 0 : (int) $n; |
|
782 | return $this; |
|
783 | } |
|
784 | ||
785 | // -------------------------------------------------------------------- |
|
786 | ||
787 | /** |
|
788 | * Set minimum image height |
|
789 | * |
|
790 | * @param int $n |
|
791 | * @return CI_Upload |
|
792 | * |
|
793 | * @codeCoverageIgnore |
|
794 | */ |
|
795 | public function set_min_height($n) |
|
796 | { |
|
797 | $this->min_height = ($n < 0) ? 0 : (int) $n; |
|
798 | return $this; |
|
799 | } |
|
800 | ||
801 | // -------------------------------------------------------------------- |
|
802 | ||
803 | /** |
|
804 | * Set Allowed File Types |
|
805 | * |
|
806 | * @param mixed $types |
|
807 | * @return CI_Upload |
|
808 | */ |
|
809 | public function set_allowed_types($types) |
|
810 | { |
|
811 | $this->allowed_types = (is_array($types) OR $types === '*') |
|
812 | ? $types |
|
813 | : explode('|', $types); |
|
814 | return $this; |
|
815 | } |
|
816 | ||
817 | // -------------------------------------------------------------------- |
|
818 | ||
819 | /** |
|
820 | * Set Image Properties |
|
821 | * |
|
822 | * Uses GD to determine the width/height/type of image |
|
823 | * |
|
824 | * @param string $path |
|
825 | * @return CI_Upload |
|
826 | */ |
|
827 | public function set_image_properties($path = '') |
|
828 | { |
|
829 | if ($this->is_image() && function_exists('getimagesize')) |
|
830 | { |
|
831 | if (FALSE !== ($D = @getimagesize($path))) |
|
832 | { |
|
833 | $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png'); |
|
834 | ||
835 | $this->image_width = $D[0]; |
|
836 | $this->image_height = $D[1]; |
|
837 | $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown'; |
|
838 | $this->image_size_str = $D[3]; // string containing height and width |
|
839 | } |
|
840 | } |
|
841 | ||
842 | return $this; |
|
843 | } |
|
844 | ||
845 | // -------------------------------------------------------------------- |
|
846 | ||
847 | /** |
|
848 | * Set XSS Clean |
|
849 | * |
|
850 | * Enables the XSS flag so that the file that was uploaded |
|
851 | * will be run through the XSS filter. |
|
852 | * |
|
853 | * @param bool $flag |
|
854 | * @return CI_Upload |
|
855 | * |
|
856 | * @codeCoverageIgnore |
|
857 | */ |
|
858 | public function set_xss_clean($flag = FALSE) |
|
859 | { |
|
860 | $this->xss_clean = ($flag === TRUE); |
|
861 | return $this; |
|
862 | } |
|
863 | ||
864 | // -------------------------------------------------------------------- |
|
865 | ||
866 | /** |
|
867 | * Validate the image |
|
868 | * |
|
869 | * @return bool |
|
870 | * |
|
871 | * @codeCoverageIgnore |
|
872 | */ |
|
873 | public function is_image() |
|
874 | { |
|
875 | // IE will sometimes return odd mime-types during upload, so here we just standardize all |
|
876 | // jpegs or pngs to the same file type. |
|
877 | ||
878 | $png_mimes = array('image/x-png'); |
|
879 | $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg'); |
|
880 | ||
881 | if (in_array($this->file_type, $png_mimes)) |
|
882 | { |
|
883 | $this->file_type = 'image/png'; |
|
884 | } |
|
885 | elseif (in_array($this->file_type, $jpeg_mimes)) |
|
886 | { |
|
887 | $this->file_type = 'image/jpeg'; |
|
888 | } |
|
889 | ||
890 | $img_mimes = array('image/gif', 'image/jpeg', 'image/png'); |
|
891 | ||
892 | return in_array($this->file_type, $img_mimes, TRUE); |
|
893 | } |
|
894 | ||
895 | // -------------------------------------------------------------------- |
|
896 | ||
897 | /** |
|
898 | * Verify that the filetype is allowed |
|
899 | * |
|
900 | * @param bool $ignore_mime |
|
901 | * @return bool |
|
902 | * |
|
903 | * @codeCoverageIgnore |
|
904 | */ |
|
905 | public function is_allowed_filetype($ignore_mime = FALSE) |
|
906 | { |
|
907 | if ($this->allowed_types === '*') |
|
908 | { |
|
909 | return TRUE; |
|
910 | } |
|
911 | ||
912 | if (empty($this->allowed_types) OR ! is_array($this->allowed_types)) |
|
913 | { |
|
914 | $this->set_error('upload_no_file_types', 'debug'); |
|
915 | return FALSE; |
|
916 | } |
|
917 | ||
918 | $ext = strtolower(ltrim($this->file_ext, '.')); |
|
919 | ||
920 | if ( ! in_array($ext, $this->allowed_types, TRUE)) |
|
921 | { |
|
922 | return FALSE; |
|
923 | } |
|
924 | ||
925 | // Images get some additional checks |
|
926 | if (in_array($ext, array('gif', 'jpg', 'jpeg', 'jpe', 'png'), TRUE) && @getimagesize($this->file_temp) === FALSE) |
|
927 | { |
|
928 | return FALSE; |
|
929 | } |
|
930 | ||
931 | if ($ignore_mime === TRUE) |
|
932 | { |
|
933 | return TRUE; |
|
934 | } |
|
935 | ||
936 | if (isset($this->_mimes[$ext])) |
|
937 | { |
|
938 | return is_array($this->_mimes[$ext]) |
|
939 | ? in_array($this->file_type, $this->_mimes[$ext], TRUE) |
|
940 | : ($this->_mimes[$ext] === $this->file_type); |
|
941 | } |
|
942 | ||
943 | return FALSE; |
|
944 | } |
|
945 | ||
946 | // -------------------------------------------------------------------- |
|
947 | ||
948 | /** |
|
949 | * Verify that the file is within the allowed size |
|
950 | * |
|
951 | * @return bool |
|
952 | * |
|
953 | * @codeCoverageIgnore |
|
954 | */ |
|
955 | public function is_allowed_filesize() |
|
956 | { |
|
957 | return ($this->max_size === 0 OR $this->max_size > $this->file_size); |
|
958 | } |
|
959 | ||
960 | // -------------------------------------------------------------------- |
|
961 | ||
962 | /** |
|
963 | * Verify that the image is within the allowed width/height |
|
964 | * |
|
965 | * @return bool |
|
966 | * |
|
967 | * @codeCoverageIgnore |
|
968 | */ |
|
969 | public function is_allowed_dimensions() |
|
970 | { |
|
971 | if ( ! $this->is_image()) |
|
972 | { |
|
973 | return TRUE; |
|
974 | } |
|
975 | ||
976 | if (function_exists('getimagesize')) |
|
977 | { |
|
978 | $D = @getimagesize($this->file_temp); |
|
979 | ||
980 | if ($this->max_width > 0 && $D[0] > $this->max_width) |
|
981 | { |
|
982 | return FALSE; |
|
983 | } |
|
984 | ||
985 | if ($this->max_height > 0 && $D[1] > $this->max_height) |
|
986 | { |
|
987 | return FALSE; |
|
988 | } |
|
989 | ||
990 | if ($this->min_width > 0 && $D[0] < $this->min_width) |
|
991 | { |
|
992 | return FALSE; |
|
993 | } |
|
994 | ||
995 | if ($this->min_height > 0 && $D[1] < $this->min_height) |
|
996 | { |
|
997 | return FALSE; |
|
998 | } |
|
999 | } |
|
1000 | ||
1001 | return TRUE; |
|
1002 | } |
|
1003 | ||
1004 | // -------------------------------------------------------------------- |
|
1005 | ||
1006 | /** |
|
1007 | * Validate Upload Path |
|
1008 | * |
|
1009 | * Verifies that it is a valid upload path with proper permissions. |
|
1010 | * |
|
1011 | * @return bool |
|
1012 | * |
|
1013 | * @codeCoverageIgnore |
|
1014 | */ |
|
1015 | public function validate_upload_path() |
|
1016 | { |
|
1017 | if ($this->upload_path === '') |
|
1018 | { |
|
1019 | $this->set_error('upload_no_filepath', 'error'); |
|
1020 | return FALSE; |
|
1021 | } |
|
1022 | ||
1023 | if (realpath($this->upload_path) !== FALSE) |
|
1024 | { |
|
1025 | $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); |
|
1026 | } |
|
1027 | ||
1028 | if ( ! is_dir($this->upload_path)) |
|
1029 | { |
|
1030 | $this->set_error('upload_no_filepath', 'error'); |
|
1031 | return FALSE; |
|
1032 | } |
|
1033 | ||
1034 | if ( ! is_really_writable($this->upload_path)) |
|
1035 | { |
|
1036 | $this->set_error('upload_not_writable', 'error'); |
|
1037 | return FALSE; |
|
1038 | } |
|
1039 | ||
1040 | $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path); |
|
1041 | return TRUE; |
|
1042 | } |
|
1043 | ||
1044 | // -------------------------------------------------------------------- |
|
1045 | ||
1046 | /** |
|
1047 | * Extract the file extension |
|
1048 | * |
|
1049 | * @param string $filename |
|
1050 | * @return string |
|
1051 | * |
|
1052 | * @codeCoverageIgnore |
|
1053 | */ |
|
1054 | public function get_extension($filename) |
|
1055 | { |
|
1056 | $x = explode('.', $filename); |
|
1057 | ||
1058 | if (count($x) === 1) |
|
1059 | { |
|
1060 | return ''; |
|
1061 | } |
|
1062 | ||
1063 | $ext = ($this->file_ext_tolower) ? strtolower(end($x)) : end($x); |
|
1064 | return '.'.$ext; |
|
1065 | } |
|
1066 | ||
1067 | // -------------------------------------------------------------------- |
|
1068 | ||
1069 | /** |
|
1070 | * Limit the File Name Length |
|
1071 | * |
|
1072 | * @param string $filename |
|
1073 | * @param int $length |
|
1074 | * @return string |
|
1075 | * |
|
1076 | * @codeCoverageIgnore |
|
1077 | */ |
|
1078 | public function limit_filename_length($filename, $length) |
|
1079 | { |
|
1080 | if (strlen($filename) < $length) |
|
1081 | { |
|
1082 | return $filename; |
|
1083 | } |
|
1084 | ||
1085 | $ext = ''; |
|
1086 | if (strpos($filename, '.') !== FALSE) |
|
1087 | { |
|
1088 | $parts = explode('.', $filename); |
|
1089 | $ext = '.'.array_pop($parts); |
|
1090 | $filename = implode('.', $parts); |
|
1091 | } |
|
1092 | ||
1093 | return substr($filename, 0, ($length - strlen($ext))).$ext; |
|
1094 | } |
|
1095 | ||
1096 | // -------------------------------------------------------------------- |
|
1097 | ||
1098 | /** |
|
1099 | * Runs the file through the XSS clean function |
|
1100 | * |
|
1101 | * This prevents people from embedding malicious code in their files. |
|
1102 | * I'm not sure that it won't negatively affect certain files in unexpected ways, |
|
1103 | * but so far I haven't found that it causes trouble. |
|
1104 | * |
|
1105 | * @return string |
|
1106 | * |
|
1107 | * @codeCoverageIgnore |
|
1108 | */ |
|
1109 | public function do_xss_clean() |
|
1110 | { |
|
1111 | $file = $this->file_temp; |
|
1112 | ||
1113 | if (filesize($file) == 0) |
|
1114 | { |
|
1115 | return FALSE; |
|
1116 | } |
|
1117 | ||
1118 | if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) > 0) |
|
1119 | { |
|
1120 | $memory_limit = str_split($memory_limit, strspn($memory_limit, '1234567890')); |
|
1121 | if ( ! empty($memory_limit[1])) |
|
1122 | { |
|
1123 | switch ($memory_limit[1][0]) |
|
1124 | { |
|
1125 | case 'g': |
|
1126 | case 'G': |
|
1127 | $memory_limit[0] *= 1024 * 1024 * 1024; |
|
1128 | break; |
|
1129 | case 'm': |
|
1130 | case 'M': |
|
1131 | $memory_limit[0] *= 1024 * 1024; |
|
1132 | break; |
|
1133 | default: |
|
1134 | break; |
|
1135 | } |
|
1136 | } |
|
1137 | ||
1138 | $memory_limit = (int) ceil(filesize($file) + $memory_limit[0]); |
|
1139 | ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net |
|
1140 | } |
|
1141 | ||
1142 | // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but |
|
1143 | // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone |
|
1144 | // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this |
|
1145 | // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of |
|
1146 | // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an |
|
1147 | // attempted XSS attack. |
|
1148 | ||
1149 | if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) |
|
1150 | { |
|
1151 | if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary |
|
1152 | { |
|
1153 | return FALSE; // Couldn't open the file, return FALSE |
|
1154 | } |
|
1155 | ||
1156 | $opening_bytes = fread($file, 256); |
|
1157 | fclose($file); |
|
1158 | ||
1159 | // These are known to throw IE into mime-type detection chaos |
|
1160 | // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title |
|
1161 | // title is basically just in SVG, but we filter it anyhow |
|
1162 | ||
1163 | // if it's an image or no "triggers" detected in the first 256 bytes - we're good |
|
1164 | return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); |
|
1165 | } |
|
1166 | ||
1167 | if (($data = @file_get_contents($file)) === FALSE) |
|
1168 | { |
|
1169 | return FALSE; |
|
1170 | } |
|
1171 | ||
1172 | return $this->_CI->security->xss_clean($data, TRUE); |
|
1173 | } |
|
1174 | ||
1175 | // -------------------------------------------------------------------- |
|
1176 | ||
1177 | /** |
|
1178 | * Set an error message |
|
1179 | * |
|
1180 | * @param string $msg |
|
1181 | * @return CI_Upload |
|
1182 | * |
|
1183 | * @codeCoverageIgnore |
|
1184 | */ |
|
1185 | public function set_error($msg, $log_level = 'error') |
|
1186 | { |
|
1187 | $this->_CI->lang->load('upload'); |
|
1188 | ||
1189 | is_array($msg) OR $msg = array($msg); |
|
1190 | foreach ($msg as $val) |
|
1191 | { |
|
1192 | $msg = ($this->_CI->lang->line($val) === FALSE) ? $val : $this->_CI->lang->line($val); |
|
1193 | $this->error_msg[] = $msg; |
|
1194 | log_message($log_level, $msg); |
|
1195 | } |
|
1196 | ||
1197 | return $this; |
|
1198 | } |
|
1199 | ||
1200 | // -------------------------------------------------------------------- |
|
1201 | ||
1202 | /** |
|
1203 | * Display the error message |
|
1204 | * |
|
1205 | * @param string $open |
|
1206 | * @param string $close |
|
1207 | * @return string |
|
1208 | * |
|
1209 | * @codeCoverageIgnore |
|
1210 | */ |
|
1211 | public function display_errors($open = '<p>', $close = '</p>') |
|
1212 | { |
|
1213 | return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : ''; |
|
1214 | } |
|
1215 | ||
1216 | // -------------------------------------------------------------------- |
|
1217 | ||
1218 | /** |
|
1219 | * Prep Filename |
|
1220 | * |
|
1221 | * Prevents possible script execution from Apache's handling |
|
1222 | * of files' multiple extensions. |
|
1223 | * |
|
1224 | * @link http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext |
|
1225 | * |
|
1226 | * @param string $filename |
|
1227 | * @return string |
|
1228 | * |
|
1229 | * @codeCoverageIgnore |
|
1230 | */ |
|
1231 | protected function _prep_filename($filename) |
|
1232 | { |
|
1233 | if ($this->mod_mime_fix === FALSE OR $this->allowed_types === '*' OR ($ext_pos = strrpos($filename, '.')) === FALSE) |
|
1234 | { |
|
1235 | return $filename; |
|
1236 | } |
|
1237 | ||
1238 | $ext = substr($filename, $ext_pos); |
|
1239 | $filename = substr($filename, 0, $ext_pos); |
|
1240 | return str_replace('.', '_', $filename).$ext; |
|
1241 | } |
|
1242 | ||
1243 | // -------------------------------------------------------------------- |
|
1244 | ||
1245 | /** |
|
1246 | * File MIME type |
|
1247 | * |
|
1248 | * Detects the (actual) MIME type of the uploaded file, if possible. |
|
1249 | * The input array is expected to be $_FILES[$field] |
|
1250 | * |
|
1251 | * @param array $file |
|
1252 | * @return void |
|
1253 | * |
|
1254 | * @codeCoverageIgnore |
|
1255 | */ |
|
1256 | protected function _file_mime_type($file) |
|
1257 | { |
|
1258 | // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii) |
|
1259 | $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/'; |
|
1260 | ||
1261 | /** |
|
1262 | * Fileinfo extension - most reliable method |
|
1263 | * |
|
1264 | * Apparently XAMPP, CentOS, cPanel and who knows what |
|
1265 | * other PHP distribution channels EXPLICITLY DISABLE |
|
1266 | * ext/fileinfo, which is otherwise enabled by default |
|
1267 | * since PHP 5.3 ... |
|
1268 | */ |
|
1269 | if (function_exists('finfo_file')) |
|
1270 | { |
|
1271 | $finfo = @finfo_open(FILEINFO_MIME); |
|
1272 | if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system |
|
1273 | { |
|
1274 | $mime = @finfo_file($finfo, $file['tmp_name']); |
|
1275 | finfo_close($finfo); |
|
1276 | ||
1277 | /* According to the comments section of the PHP manual page, |
|
1278 | * it is possible that this function returns an empty string |
|
1279 | * for some files (e.g. if they don't exist in the magic MIME database) |
|
1280 | */ |
|
1281 | if (is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1282 | { |
|
1283 | $this->file_type = $matches[1]; |
|
1284 | return; |
|
1285 | } |
|
1286 | } |
|
1287 | } |
|
1288 | ||
1289 | /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type, |
|
1290 | * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it |
|
1291 | * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better |
|
1292 | * than mime_content_type() as well, hence the attempts to try calling the command line with |
|
1293 | * three different functions. |
|
1294 | * |
|
1295 | * Notes: |
|
1296 | * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system |
|
1297 | * - many system admins would disable the exec(), shell_exec(), popen() and similar functions |
|
1298 | * due to security concerns, hence the function_usable() checks |
|
1299 | */ |
|
1300 | if (DIRECTORY_SEPARATOR !== '\\') |
|
1301 | { |
|
1302 | $cmd = function_exists('escapeshellarg') |
|
1303 | ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1' |
|
1304 | : 'file --brief --mime '.$file['tmp_name'].' 2>&1'; |
|
1305 | ||
1306 | if (function_usable('exec')) |
|
1307 | { |
|
1308 | /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter. |
|
1309 | * However, we only need the last line, which is the actual return value of exec(), and as such - it overwrites |
|
1310 | * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy |
|
1311 | * value, which is only put to allow us to get the return status code. |
|
1312 | */ |
|
1313 | $mime = @exec($cmd, $mime, $return_status); |
|
1314 | if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches)) |
|
1315 | { |
|
1316 | $this->file_type = $matches[1]; |
|
1317 | return; |
|
1318 | } |
|
1319 | } |
|
1320 | ||
1321 | if ( ! ini_get('safe_mode') && function_usable('shell_exec')) |
|
1322 | { |
|
1323 | $mime = @shell_exec($cmd); |
|
1324 | if (strlen($mime) > 0) |
|
1325 | { |
|
1326 | $mime = explode("\n", trim($mime)); |
|
1327 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1328 | { |
|
1329 | $this->file_type = $matches[1]; |
|
1330 | return; |
|
1331 | } |
|
1332 | } |
|
1333 | } |
|
1334 | ||
1335 | if (function_usable('popen')) |
|
1336 | { |
|
1337 | $proc = @popen($cmd, 'r'); |
|
1338 | if (is_resource($proc)) |
|
1339 | { |
|
1340 | $mime = @fread($proc, 512); |
|
1341 | @pclose($proc); |
|
1342 | if ($mime !== FALSE) |
|
1343 | { |
|
1344 | $mime = explode("\n", trim($mime)); |
|
1345 | if (preg_match($regexp, $mime[(count($mime) - 1)], $matches)) |
|
1346 | { |
|
1347 | $this->file_type = $matches[1]; |
|
1348 | return; |
|
1349 | } |
|
1350 | } |
|
1351 | } |
|
1352 | } |
|
1353 | } |
|
1354 | ||
1355 | // Fall back to mime_content_type(), if available (still better than $_FILES[$field]['type']) |
|
1356 | if (function_exists('mime_content_type')) |
|
1357 | { |
|
1358 | $this->file_type = @mime_content_type($file['tmp_name']); |
|
1359 | if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string |
|
1360 | { |
|
1361 | return; |
|
1362 | } |
|
1363 | } |
|
1364 | ||
1365 | $this->file_type = $file['type']; |
|
1366 | } |
|
1367 | ||
1368 | } |
|
1369 |