Ticket #992: upload.php-t992.diff

admin/includes/classes/upload.php

@@ -26 +26 @@
       $this->set_destination($destination);
       $this->set_permissions($permissions);
       $this->set_extensions($extensions);
+      $this->set_mime_types($mime_types);
 
       if (xtc_not_null($this->file) && xtc_not_null($this->destination)) {
         if ( ($this->parse() == true) && ($this->save() == true) ) {
@@ -37 +38 @@
     }
 
     function parse() {
-      global $messageStack;
-      
+
       $file = array();
 
       if (isset($_FILES[$this->file])) {
@@ -68 +68 @@
       if (isset($file['tmp_name']) && !empty($file['tmp_name']) && ($file['tmp_name'] != 'none') && is_uploaded_file($file['tmp_name'])) {
         if (sizeof($this->mime_types) > 0) {
           if (!in_array(strtolower($file['type']), $this->mime_types)) {
-            $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
+            $this->set_message(ERROR_FILETYPE_NOT_ALLOWED);
             return false;
           }
         }
         if (sizeof($this->extensions) > 0) {
           if (!in_array(strtolower(substr($file['name'], strrpos($file['name'], '.')+1)), $this->extensions)) {
-            $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
+            $this->set_message(ERROR_FILETYPE_NOT_ALLOWED);
             return false;
           }
         }
         //BOF - DokuMan - 2010-08-31 - disable upload of php files and htaccess/htpasswd to avoid uploading of malicious scripts
+        /*
         if (in_array(strtolower(substr($file['name'], strrpos($file['name'], '.')+1)), array('php', 'php3', 'php4', 'php5', 'phtml'))) {
-            $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
+            $this->set_message(ERROR_FILETYPE_NOT_ALLOWED);
             return false;
         }
+        */
         if ($file['name'] == '.htaccess' || $file['name'] == '.htpasswd') {
-            $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
+            $this->set_message(ERROR_FILETYPE_NOT_ALLOWED);
             return false;
         }
         //EOF - DokuMan - 2010-08-31 - disable upload of php files and htaccess/htpasswd to avoid uploading of malicious scripts
@@ -95 +97 @@
         return $this->check_destination();
         
       } else {
-        if ($file['tmp_name']=='none') $messageStack->add_session(WARNING_NO_FILE_UPLOADED, 'warning');
+        if ($file['tmp_name']=='none') $this->set_message(WARNING_NO_FILE_UPLOADED, 'warning');
         return false;
       }
     }
 
     function save() {
-      global $messageStack;
 
       if (substr($this->destination, -1) != '/') $this->destination .= '/';
 
@@ -114 +115 @@
           if (strstr(PRODUCT_IMAGE_THUMBNAIL_MERGE,'.gif') ||
               strstr(PRODUCT_IMAGE_INFO_MERGE,'.gif') ||
               strstr(PRODUCT_IMAGE_POPUP_MERGE,'.gif')) {
-              $messageStack->add_session(ERROR_GIF_MERGE, 'error');
+              $this->set_message(ERROR_GIF_MERGE);
               return false;
           }
           // check if uploaded image = .gif
           if (strstr($this->filename,'.gif')) {
-           $messageStack->add_session(ERROR_GIF_UPLOAD, 'error');
+           $this->set_message(ERROR_GIF_UPLOAD);
            return false;
           }
 
@@ -129 +130 @@
 
       if (move_uploaded_file($this->file['tmp_name'], $this->destination . $this->filename)) {
         chmod($this->destination . $this->filename, $this->permissions);
-        $messageStack->add_session(SUCCESS_FILE_SAVED_SUCCESSFULLY, 'success');
+        $this->set_message(SUCCESS_FILE_SAVED_SUCCESSFULLY, 'success');
         return true;
         
       } else {
-        $messageStack->add_session(ERROR_FILE_NOT_SAVED, 'error');
+        $this->set_message(ERROR_FILE_NOT_SAVED);
         return false;
       }
     }
@@ -170 +171 @@
       }
     }
 
+        /**
+         * Set mime types.
+         * @since 2.0.1
+         * @param string|array $mime_types Mime type(string) or types(array).
+         */
+        function set_mime_types($mime_types) {
+                if (xtc_not_null($mime_types)) {
+                        if (is_array($mime_types)) {
+                                $this->mime_types = $mime_types;
+                        } else {
+                                $this->mime_types = array($mime_types);
+                        }
+                } else {
+                        $this->mime_types = array();
+                }
+        }
+
     function check_destination() {
-      global $messageStack;
 
       if (!is_writeable($this->destination)) {
         if (is_dir($this->destination)) {
-          $messageStack->add_session(sprintf(ERROR_DESTINATION_NOT_WRITEABLE, $this->destination), 'error');
+          $this->set_message(sprintf(ERROR_DESTINATION_NOT_WRITEABLE, $this->destination));
         } else {
-          $messageStack->add_session(sprintf(ERROR_DESTINATION_DOES_NOT_EXIST, $this->destination), 'error');
+          $this->set_message(sprintf(ERROR_DESTINATION_DOES_NOT_EXIST, $this->destination));
         }
         return false;
         
@@ -186 +203 @@
       }
     }
 
+        /**
+         * Set message.
+         * @since 2.0.1
+         * @param string $text Message text.
+         * @param string $type (optional) Message type.
+         */
+        private function set_message($text, $type = 'error') {
+                global $messageStack;
+                if (is_object($messageStack)) {
+                        $messageStack->add_session($text, $type);
+                }
+        }
+
   }
-?>
- No newline at end of file