Index: branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php =================================================================== --- branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php (revision 16595) +++ branches/5.2.x/core/kernel/utility/formatters/upload_formatter.php (revision 16596) @@ -1,653 +1,647 @@ fileHelper = $this->Application->recallObject('FileHelper'); if ( $this->DestinationPath ) { $this->FullPath = FULL_PATH . $this->DestinationPath; } } /** * Sets field option defaults. * * @param string $field_name Field nae. * @param array $field_options Field options. * @param kDBBase $object Object. * * @return void */ public function PrepareOptions($field_name, &$field_options, &$object) { if ( !$this->DestinationPath && !isset($field_options['upload_dir']) ) { $base_path = $this->Application->getUnitOption($object->Prefix, 'BasePath'); $field_options['upload_dir'] = WRITEBALE_BASE . '/' . basename($base_path) . '/'; } if ( !isset($field_options['max_size']) ) { $field_options['max_size'] = MAX_UPLOAD_SIZE; } } /** * Processes file uploads from form * * @param mixed $value * @param string $field_name * @param kDBItem $object * @return mixed * @access public */ public function Parse($value, $field_name, &$object) { $value = $this->Application->HttpQuery->unescapeRequestVariable($value); $options = $object->GetFieldOptions($field_name); if ( getArrayValue($options, 'upload_dir') ) { $this->DestinationPath = $options['upload_dir']; $this->FullPath = FULL_PATH . $this->DestinationPath; } if ( is_array($value) && isset($value['tmp_ids']) ) { $ret = $this->_processFlashUploader($value, $field_name, $object); } else { $ret = $this->_processRegularUploader($value, $field_name, $object); } if ( getArrayValue($options, 'upload_dir') ) { $this->DestinationPath = null; $this->FullPath = null; } return $ret; } /** * Handles uploaded files, provided by Flash uploader * * @param Array|string $value * @param string $field_name * @param kDBItem $object * @return string * @access protected */ protected function _processFlashUploader($value, $field_name, $object) { $options = $object->GetFieldOptions($field_name); $this->sorting = isset($value['order']) ? explode('|', $value['order']) : Array (); if ( $value['tmp_deleted'] ) { $n_upload = Array (); $deleted = explode('|', $value['tmp_deleted']); $upload = explode('|', $value['upload']); foreach ($upload as $name) { if ( in_array($name, $deleted) ) { continue; } $n_upload[] = $name; } $value['upload'] = implode('|', $n_upload); } if ( !$value['tmp_ids'] ) { // no pending files -> return already uploaded files return $this->_sortFiles($value['upload']); } $swf_uploaded_ids = explode('|', $value['tmp_ids']); $swf_uploaded_names = explode('|', $value['tmp_names']); $existing = $value['upload'] ? explode('|', $value['upload']) : Array (); $fret = Array (); $max_files = $this->_getMaxFiles($options); $pending_actions = $object->getPendingActions(); $files_to_delete = $this->_getFilesToDelete($object); for ($i = 0; $i < min($max_files, count($swf_uploaded_ids)); $i++) { // don't delete uploaded file, when it's name matches delete file name $real_name = $this->_getRealFilename($swf_uploaded_names[$i], $options, $object, $files_to_delete); $file_name = $this->FullPath . $real_name; $tmp_file = WRITEABLE . '/tmp/' . $swf_uploaded_ids[$i] . '_' . $swf_uploaded_names[$i]; rename($tmp_file, $file_name); @chmod($file_name, 0666); $fret[] = getArrayValue($options, 'upload_dir') ? $real_name : $this->DestinationPath . $real_name; $pending_actions[] = Array ( 'action' => 'make_live', 'id' => $object->GetID(), 'field' => $field_name, 'file' => $file_name ); $this->_renameFileInSorting($swf_uploaded_names[$i], $real_name); } $object->setPendingActions($pending_actions); return $this->_sortFiles(array_merge($existing, $fret)); } /** * Returns files, scheduled for deleting * * @param kDBItem $object * @return Array * @access protected */ protected function _getFilesToDelete($object) { $ret = Array (); foreach ($object->getPendingActions() as $data) { if ( $data['action'] == 'delete' ) { $ret[] = $data['file']; } } return $ret; } /** * Handles regular file upload * * @param string|Array $value * @param string $field_name * @param kDBItem $object * @return string * @access protected */ protected function _processRegularUploader($value, $field_name, $object) { $ret = !is_array($value) ? $value : ''; $options = $object->GetFieldOptions($field_name); if ( getArrayValue($value, 'upload') && getArrayValue($value, 'error') == UPLOAD_ERR_NO_FILE ) { // file was not uploaded this time, but was uploaded before, then use previously uploaded file (from db) return getArrayValue($value, 'upload'); } if ( is_array($value) && count($value) > 1 && $value['size'] ) { if ( is_array($value) && (int)$value['error'] === UPLOAD_ERR_OK ) { // we can get mime type based on file content and don't use one, provided by the client // $value['type'] = kUtil::mimeContentType($value['tmp_name']); if ( getArrayValue($options, 'file_types') && !$this->extensionMatch($value['name'], $options['file_types']) ) { // match by file extensions $error_params = Array ( 'file_name' => $value['name'], 'file_types' => $options['file_types'], ); $object->SetError($field_name, 'bad_file_format', 'la_error_InvalidFileFormat', $error_params); } elseif ( getArrayValue($options, 'allowed_types') && !in_array($value['type'], $options['allowed_types']) ) { // match by mime type provided by web-browser $error_params = Array ( 'file_type' => $value['type'], 'allowed_types' => $options['allowed_types'], ); $object->SetError($field_name, 'bad_file_format', 'la_error_InvalidFileFormat', $error_params); } elseif ( $value['size'] > $options['max_size'] ) { $object->SetError($field_name, 'bad_file_size', 'la_error_FileTooLarge'); } elseif ( !is_writable($this->FullPath) ) { $object->SetError($field_name, 'cant_save_file', 'la_error_cant_save_file'); } else { $real_name = $this->_getRealFilename($value['name'], $options, $object); $file_name = $this->FullPath . $real_name; + $moved = move_uploaded_file($value['tmp_name'], $file_name); $storage_format = isset($options['storage_format']) ? $options['storage_format'] : false; if ( $storage_format ) { - /** @var ImageHelper $image_helper */ - $image_helper = $this->Application->recallObject('ImageHelper'); - - move_uploaded_file($value['tmp_name'], $value['tmp_name'] . '.jpg'); // add extension, so ResizeImage can work - $url = $image_helper->ResizeImage($value['tmp_name'] . '.jpg', $storage_format); - $tmp_name = preg_replace('/^' . preg_quote($this->Application->BaseURL(), '/') . '/', '/', $url); - $moved = rename($tmp_name, $file_name); - } - else { - $moved = move_uploaded_file($value['tmp_name'], $file_name); + /** @var kUploadHelper $upload_helper */ + $upload_helper = $this->Application->recallObject('kUploadHelper'); + $moved = $upload_helper->resizeUploadedFile($file_name, $storage_format); } if ( !$moved ) { $object->SetError($field_name, 'cant_save_file', 'la_error_cant_save_file'); } else { @chmod($file_name, 0666); if ( getArrayValue($options, 'size_field') ) { $object->SetDBField($options['size_field'], $value['size']); } if ( getArrayValue($options, 'orig_name_field') ) { $object->SetDBField($options['orig_name_field'], $value['name']); } if ( getArrayValue($options, 'content_type_field') ) { $object->SetDBField($options['content_type_field'], $value['type']); } $ret = getArrayValue($options, 'upload_dir') ? $real_name : $this->DestinationPath . $real_name; // delete previous file, when new file is uploaded under same field /*$previous_file = isset($value['upload']) ? $value['upload'] : false; if ( $previous_file && file_exists($this->FullPath . $previous_file) ) { unlink($this->FullPath . $previous_file); }*/ } } } else { $object->SetError($field_name, 'cant_save_file', 'la_error_cant_save_file'); } } if ( (count($value) > 1) && $value['error'] && ($value['error'] != UPLOAD_ERR_NO_FILE) ) { $object->SetError($field_name, 'cant_save_file', 'la_error_cant_save_file', $value); } return $ret; } /** * Checks, that given file name has on of provided file extensions * * @param string $filename * @param string $file_types * @return bool * @access protected */ protected function extensionMatch($filename, $file_types) { if ( preg_match_all('/\*\.(.*?)(;|$)/', $file_types, $regs) ) { $file_extension = mb_strtolower(pathinfo($filename, PATHINFO_EXTENSION)); $file_extensions = array_map('mb_strtolower', $regs[1]); return in_array($file_extension, $file_extensions); } return true; } /** * Resorts uploaded files according to given file order * * @param Array|string $files * @return string * @access protected */ protected function _sortFiles($files) { if ( !is_array($files) ) { $files = explode('|', $files); } $sorted_files = array_intersect($this->sorting, $files); // removes deleted files from sorting $new_files = array_diff($files, $sorted_files); // files, that weren't sorted - add to the end return implode('|', array_merge($sorted_files, $new_files)); } /** * Returns maximal allowed file count per field * * @param Array $options * @return int * @access protected */ protected function _getMaxFiles($options) { if ( !isset($options['multiple']) ) { return 1; } return $options['multiple'] == false ? 1 : $options['multiple']; } /** * Returns final filename after applying storage-engine specific naming * * @param string $file_name * @param Array $options * @param kDBItem $object * @param Array $files_to_delete * @return string * @access protected */ protected function _getRealFilename($file_name, $options, $object, $files_to_delete = Array ()) { $real_name = $this->getStorageEngineFile($file_name, $options, $object->Prefix); $real_name = $this->getStorageEngineFolder($real_name, $options) . $real_name; return $this->fileHelper->ensureUniqueFilename($this->FullPath, $real_name, $files_to_delete); } /** * Renames file in sorting list * * @param string $old_name * @param string $new_name * @return void * @access protected */ protected function _renameFileInSorting($old_name, $new_name) { $index = array_search($old_name, $this->sorting); if ( $index !== false ) { $this->sorting[$index] = $new_name; } } function getSingleFormat($format) { $single_mapping = Array ( 'file_raw_urls' => 'raw_url', 'file_display_names' => 'display_name', 'file_urls' => 'full_url', 'file_paths' => 'full_path', 'file_sizes' => 'file_size', 'files_resized' => 'resize', 'img_sizes' => 'img_size', 'wms' => 'wm', ); return $single_mapping[$format]; } /** * Return formatted file url,path or size (or same for multiple files) * * @param string $value * @param string $field_name * @param kDBItem|kDBList $object * @param string $format * @return string */ function Format($value, $field_name, &$object, $format = NULL) { if ( is_null($value) ) { return ''; } $options = $object->GetFieldOptions($field_name); if ( !isset($format) ) { $format = isset($options['format']) ? $options['format'] : false; } if ( $format && preg_match('/(file_raw_urls|file_display_names|file_urls|file_paths|file_names|file_sizes|img_sizes|files_resized|wms)(.*)/', $format, $regs) ) { if ( !$value || $format == 'file_names' ) { // storage format matches display format OR no value return $value; } $ret = Array (); $files = explode('|', $value); $format = $this->getSingleFormat($regs[1]) . $regs[2]; foreach ($files as $a_file) { $ret[] = $this->GetFormatted($a_file, $field_name, $object, $format); } return implode('|', $ret); } $tc_value = $this->TypeCast($value, $options); if ( ($tc_value === false) || ($tc_value != $value) ) { // for leaving badly formatted date on the form return $value; } return $this->GetFormatted($tc_value, $field_name, $object, $format); } /** * Return formatted file url,path or size * * @param string $value * @param string $field_name * @param kDBItem $object * @param string $format * @return string */ function GetFormatted($value, $field_name, &$object, $format = NULL) { if ( !$format ) { return $value; } $options = $object->GetFieldOptions($field_name); $upload_dir = isset($options['include_path']) && $options['include_path'] ? '' : $this->getUploadDir($options); $file_path = strlen($value) ? FULL_PATH . str_replace('/', DIRECTORY_SEPARATOR, $upload_dir) . $value : ''; if ( preg_match('/resize:([\d]*)x([\d]*)/', $format, $regs) ) { /** @var ImageHelper $image_helper */ $image_helper = $this->Application->recallObject('ImageHelper'); try { return $image_helper->ResizeImage($file_path, $format); } catch ( RuntimeException $e ) { // error, during image resize -> return empty string return ''; } } elseif ( !strlen($file_path) || !file_exists($file_path) ) { // file doesn't exist OR not uploaded return ''; } switch ($format) { case 'display_name': return kUtil::removeTempExtension($value); break; case 'raw_url': return $this->fileHelper->pathToUrl($file_path); break; case 'full_url': $direct_links = isset($options['direct_links']) ? $options['direct_links'] : true; if ( $direct_links ) { return $this->fileHelper->pathToUrl($file_path); } else { $url_params = Array ( 'pass' => 'm,'.$object->Prefix, $object->Prefix . '_event' => 'OnViewFile', 'file' => $value, 'field' => $field_name ); return $this->Application->HREF('', '', $url_params); } break; case 'full_path': return $file_path; break; case 'file_size': return filesize($file_path); break; case 'img_size': /** @var ImageHelper $image_helper */ $image_helper = $this->Application->recallObject('ImageHelper'); $image_info = $image_helper->getImageInfo($file_path); return $image_info ? $image_info[3] : ''; break; } return sprintf($format, $value); } /** * Creates & returns folder, based on storage engine specified in field options * * @param string $file_name * @param array $options * @return string * @access protected * @throws Exception */ protected function getStorageEngineFolder($file_name, $options) { $storage_engine = (string)getArrayValue($options, 'storage_engine'); if ( !$storage_engine ) { return ''; } switch ($storage_engine) { case StorageEngine::HASH: $folder_path = kUtil::getHashPathForLevel($file_name); break; case StorageEngine::TIMESTAMP: $folder_path = adodb_date('Y-m/d/'); break; default: throw new Exception('Unknown storage engine "' . $storage_engine . '".'); break; } return $folder_path; } /** * Applies prefix & suffix to uploaded filename, based on storage engine in field options * * @param string $name * @param array $options * @param string $unit_prefix * @return string * @access protected */ protected function getStorageEngineFile($name, $options, $unit_prefix) { $prefix = $this->getStorageEngineFilePart(getArrayValue($options, 'filename_prefix'), $unit_prefix); $suffix = $this->getStorageEngineFilePart(getArrayValue($options, 'filename_suffix'), $unit_prefix); $parts = pathinfo($name); return ($prefix ? $prefix . '_' : '') . $parts['filename'] . ($suffix ? '_' . $suffix : '') . '.' . $parts['extension']; } /** * Creates prefix/suffix to join with uploaded file * * Added "u" before user_id to keep this value after FileHelper::ensureUniqueFilename method call * * @param string $option * @param string $unit_prefix * @return string * @access protected */ protected function getStorageEngineFilePart($option, $unit_prefix) { $replace_from = Array ( StorageEngine::PS_DATE_TIME, StorageEngine::PS_PREFIX, StorageEngine::PS_USER ); $replace_to = Array ( adodb_date('Ymd-His'), $unit_prefix, 'u' . $this->Application->RecallVar('user_id') ); return str_replace($replace_from, $replace_to, $option); } public function getUploadDir($options) { return isset($options['upload_dir']) ? $options['upload_dir'] : $this->DestinationPath; } } class kPictureFormatter extends kUploadFormatter { public function __construct() { $this->NakeLookupPath = IMAGES_PATH; // used ? $this->DestinationPath = kUtil::constOn('ADMIN') ? IMAGES_PENDING_PATH : IMAGES_PATH; parent::__construct(); } /** * Return formatted file url,path or size * * @param string $value * @param string $field_name * @param kDBItem $object * @param string $format * @return string */ function GetFormatted($value, $field_name, &$object, $format = NULL) { if ( $format == 'img_size' ) { $options = $object->GetFieldOptions($field_name); $img_path = FULL_PATH . '/' . $this->getUploadDir($options) . $value; $image_info = getimagesize($img_path); return ' ' . $image_info[3]; } return parent::GetFormatted($value, $field_name, $object, $format); } } Index: branches/5.2.x/core/units/helpers/upload_helper.php =================================================================== --- branches/5.2.x/core/units/helpers/upload_helper.php (revision 16595) +++ branches/5.2.x/core/units/helpers/upload_helper.php (revision 16596) @@ -1,332 +1,358 @@ fileHelper = $this->Application->recallObject('FileHelper'); + // 5 minutes execution time @set_time_limit(5 * 60); } /** * Handles the upload. * * @param kEvent $event Event. * * @return string * @throws kUploaderException When upload could not be handled properly. */ public function handle(kEvent $event) { $this->disableBrowserCache(); // Uncomment this one to fake upload time // sleep(5); if ( !$this->Application->HttpQuery->Post ) { // Variables {field, id, flashsid} are always submitted through POST! // When file size is larger, then "upload_max_filesize" (in php.ini), // then these variables also are not submitted. throw new kUploaderException('File size exceeds allowed limit.', 413); } if ( !$this->checkPermissions($event) ) { // 403 Forbidden throw new kUploaderException('You don\'t have permissions to upload.', 403); } $value = $this->Application->GetVar('file'); if ( !$value || ($value['error'] != UPLOAD_ERR_OK) ) { // 413 Request Entity Too Large (file uploads disabled OR uploaded file was // too large for web server to accept, see "upload_max_filesize" in php.ini) throw new kUploaderException('File size exceeds allowed limit.', 413); } $value = $this->Application->unescapeRequestVariable($value); $tmp_path = WRITEABLE . '/tmp/'; $filename = $this->getUploadedFilename() . '.tmp'; $id = $this->Application->GetVar('id'); if ( $id ) { $filename = $id . '_' . $filename; } if ( !is_writable($tmp_path) ) { // 500 Internal Server Error // check both temp and live upload directory throw new kUploaderException('Write permissions not set on the server, please contact server administrator.', 500); } - /** @var FileHelper $file_helper */ - $file_helper = $this->Application->recallObject('FileHelper'); - $filename = $file_helper->ensureUniqueFilename($tmp_path, $filename); + $filename = $this->fileHelper->ensureUniqueFilename($tmp_path, $filename); $storage_format = $this->getStorageFormat($this->Application->GetVar('field'), $event); + $this->moveUploadedFile($tmp_path . $filename); if ( $storage_format ) { - /** @var ImageHelper $image_helper */ - $image_helper = $this->Application->recallObject('ImageHelper'); - - $this->moveUploadedFile($value['tmp_name'] . '.jpg'); // add extension, so ResizeImage can work - $url = $image_helper->ResizeImage($value['tmp_name'] . '.jpg', $storage_format); - $tmp_name = preg_replace('/^' . preg_quote($this->Application->BaseURL(), '/') . '/', '/', $url); - rename($tmp_name, $tmp_path . $filename); - } - else { - $this->moveUploadedFile($tmp_path . $filename); + $this->resizeUploadedFile($tmp_path . $filename, $storage_format); } $this->deleteTempFiles($tmp_path); $thumbs_path = preg_replace('/^' . preg_quote(FULL_PATH, '/') . '/', '', $tmp_path, 1); $thumbs_path = FULL_PATH . THUMBS_PATH . $thumbs_path; if ( file_exists($thumbs_path) ) { $this->deleteTempFiles($thumbs_path); } return preg_replace('/^' . preg_quote($id, '/') . '_/', '', $filename); } /** + * Resizes uploaded file. + * + * @param string $file_path File path. + * @param string $format Format. + * + * @return boolean + */ + public function resizeUploadedFile($file_path, $format) + { + /** @var ImageHelper $image_helper */ + $image_helper = $this->Application->recallObject('ImageHelper'); + + // Add extension, so that "ImageHelper::ResizeImage" can work. + $resize_file_path = tempnam(sys_get_temp_dir(), 'uploaded_') . '.jpg'; + + if ( rename($file_path, $resize_file_path) === false ) { + return false; + } + + $resized_file_path = $this->fileHelper->urlToPath( + $image_helper->ResizeImage($resize_file_path, $format) + ); + + return rename($resized_file_path, $file_path); + } + + /** * Sends headers to ensure, that response is never cached. * * @return void */ protected function disableBrowserCache() { header('Expires: Mon, 26 Jul 1997 05:00:00 GMT'); header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Cache-Control: no-store, no-cache, must-revalidate'); header('Cache-Control: post-check=0, pre-check=0', false); header('Pragma: no-cache'); } /** * Checks, that flash uploader is allowed to perform upload * * @param kEvent $event * @return bool */ protected function checkPermissions(kEvent $event) { // Flash uploader does NOT send correct cookies, so we need to make our own check $cookie_name = 'adm_' . $this->Application->ConfigValue('SessionCookieName'); $this->Application->HttpQuery->Cookie['cookies_on'] = 1; $this->Application->HttpQuery->Cookie[$cookie_name] = $this->Application->GetVar('flashsid'); // this prevents session from auto-expiring when KeepSessionOnBrowserClose & FireFox is used $this->Application->HttpQuery->Cookie[$cookie_name . '_live'] = $this->Application->GetVar('flashsid'); /** @var Session $admin_session */ $admin_session = $this->Application->recallObject('Session.admin'); if ( $this->Application->permissionCheckingDisabled($admin_session->RecallVar('user_id')) ) { return true; } // copy some data from given session to current session $backup_user_id = $this->Application->RecallVar('user_id'); $this->Application->StoreVar('user_id', $admin_session->RecallVar('user_id')); $backup_user_groups = $this->Application->RecallVar('UserGroups'); $this->Application->StoreVar('UserGroups', $admin_session->RecallVar('UserGroups')); // check permissions using event, that have "add|edit" rule $check_event = new kEvent($event->getPrefixSpecial() . ':OnProcessSelected'); $check_event->setEventParam('top_prefix', $this->Application->GetTopmostPrefix($event->Prefix, true)); /** @var kEventHandler $event_handler */ $event_handler = $this->Application->recallObject($event->Prefix . '_EventHandler'); $allowed_to_upload = $event_handler->CheckPermission($check_event); // restore changed data, so nothing gets saved to database $this->Application->StoreVar('user_id', $backup_user_id); $this->Application->StoreVar('UserGroups', $backup_user_groups); return $allowed_to_upload; } /** * Returns uploaded filename. * * @return string */ protected function getUploadedFilename() { if ( isset($_REQUEST['name']) ) { $file_name = $_REQUEST['name']; } elseif ( !empty($_FILES) ) { $file_name = $_FILES['file']['name']; } else { $file_name = uniqid('file_'); } return $file_name; } /** * Gets storage format for a given field. * * @param string $field_name * @param kEvent $event * @return bool */ protected function getStorageFormat($field_name, kEvent $event) { $fields = $this->Application->getUnitOption($event->Prefix, 'Fields'); $virtual_fields = $this->Application->getUnitOption($event->Prefix, 'VirtualFields'); $field_options = array_key_exists($field_name, $fields) ? $fields[$field_name] : $virtual_fields[$field_name]; return isset($field_options['storage_format']) ? $field_options['storage_format'] : false; } /** * Moves uploaded file to given location. * * @param string $file_path File path. * * @return void * @throws kUploaderException When upload could not be handled properly. */ protected function moveUploadedFile($file_path) { // Chunking might be enabled $chunk = (int)$this->Application->GetVar('chunk', 0); $chunks = (int)$this->Application->GetVar('chunks', 0); // Open temp file if ( !$out = @fopen("{$file_path}.part", $chunks ? 'ab' : 'wb') ) { throw new kUploaderException('Failed to open output stream.', 102); } if ( !empty($_FILES) ) { if ( $_FILES['file']['error'] || !is_uploaded_file($_FILES['file']['tmp_name']) ) { throw new kUploaderException('Failed to move uploaded file.', 103); } // Read binary input stream and append it to temp file if ( !$in = @fopen($_FILES['file']['tmp_name'], 'rb') ) { throw new kUploaderException('Failed to open input stream.', 101); } } else { if ( !$in = @fopen('php://input', 'rb') ) { throw new kUploaderException('Failed to open input stream.', 101); } } while ( $buff = fread($in, 4096) ) { fwrite($out, $buff); } @fclose($out); @fclose($in); // Check if file has been uploaded if ( !$chunks || $chunk == $chunks - 1 ) { // Strip the temp .part suffix off rename("{$file_path}.part", $file_path); } } /** * Delete temporary files, that won't be used for sure * * @param string $path * @return void */ protected function deleteTempFiles($path) { $files = glob($path . '*.*'); $max_file_date = strtotime('-1 day'); foreach ( $files as $file ) { if ( filemtime($file) < $max_file_date ) { unlink($file); } } } /** * Prepares object for operations with file on given field. * * @param kEvent $event Event. * @param string $field Field. * * @return kDBItem */ public function prepareUploadedFile(kEvent $event, $field) { /** @var kDBItem $object */ $object = $event->getObject(Array ('skip_autoload' => true)); $filename = $this->getSafeFilename(); if ( !$filename ) { $object->SetDBField($field, ''); return $object; } // set current uploaded file if ( $this->Application->GetVar('tmp') ) { $options = $object->GetFieldOptions($field); $options['upload_dir'] = WRITEBALE_BASE . '/tmp/'; unset($options['include_path']); $object->SetFieldOptions($field, $options); $filename = $this->Application->GetVar('id') . '_' . $filename; } $object->SetDBField($field, $filename); return $object; } /** * Returns safe version of filename specified in url * * @return bool|string * @access protected */ protected function getSafeFilename() { $filename = $this->Application->GetVar('file'); $filename = $this->Application->unescapeRequestVariable($filename); if ( (strpos($filename, '../') !== false) || (trim($filename) !== $filename) ) { // when relative paths or special chars are found template names from url, then it's hacking attempt return false; } return $filename; } } class kUploaderException extends Exception { }