[geeklog-cvs] geeklog: First attempt to handle uploaded files when token expir...
Tue Dec 29 08:00:33 EST 2009
changeset 7547:aa96980fb72f
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/aa96980fb72f
user: Dirk Haun <dirk at haun-online.de>
date: Sat Dec 26 11:53:40 2009 +0100
description:
First attempt to handle uploaded files when token expired; need to clean up orphaned files when re-authentication fails
diffstat:
public_html/admin/story.php | 18 ++++++++++++++++++
public_html/users.php | 18 +++++++++++++++++-
system/classes/upload.class.php | 8 +++++++-
system/lib-security.php | 20 +++++++++++++++++---
4 files changed, 59 insertions(+), 5 deletions(-)
diffs (162 lines):
diff -r e0748b344b7e -r aa96980fb72f public_html/admin/story.php
--- a/public_html/admin/story.php Fri Dec 25 18:46:26 2009 +0100
+++ b/public_html/admin/story.php Sat Dec 26 11:53:40 2009 +0100
@@ -786,6 +786,8 @@
*/
function submitstory($type='')
{
+ global $_CONF;
+
$output = '';
$args = &$_POST;
@@ -801,6 +803,22 @@
}
}
+ if (empty($_FILES) && isset($_POST['_files_file1'])) {
+ // recreate $_FILES array
+ foreach ($_POST as $key => $value) {
+ if (substr($key, 0, 7) == '_files_') {
+ $file = substr($key, 7);
+ foreach ($value as $kk => $kv) {
+ if ($kk == 'tmp_name') {
+ $filename = basename($kv);
+ $kv = $_CONF['path_data'] . $filename;
+ }
+ $_FILES[$file][$kk] = $kv;
+ }
+ }
+ }
+ }
+
/* ANY FURTHER PROCESSING on POST variables - COM_stripslashes etc.
* Do it HERE on $args */
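Review bot: The rebuilt `$_FILES['file1']` is built from whatever keys the client puts in `$_POST['_files_file1']`, so `size`, `error`, `type` and any extra key are attacker-chosen, and a non-array `_files_file1` value makes the inner `foreach` emit a warning. Only `tmp_name` is constrained, and even there `basename()` stops traversal but still lets the poster name any file that happens to sit in `$_CONF['path_data']` — including files parked for other users' interrupted requests — which `_copyFile()` will then `rename()` into the story's upload directory; nothing in this hunk ties the replay to a completed re-authentication, it fires on any POST carrying `_files_file1`. I would accept only the five fields PHP itself sets, require them to be scalars, and leave the decision of which parked file belongs to this user to the rescue step rather than to the client. `submitstory()` continues past the end of this hunk.
```php
    if (empty($_FILES) && isset($_POST['_files_file1'])) {
        // recreate $_FILES from the re-authentication replay: accept only the
        // fields PHP would have set, scalars only, tmp_name pinned to path_data
        $allowed = array('name', 'type', 'size', 'error', 'tmp_name');
        foreach ($_POST as $key => $value) {
            if ((substr($key, 0, 7) == '_files_') && is_array($value)) {
                $file = substr($key, 7);
                foreach ($allowed as $kk) {
                    if (! isset($value[$kk]) || is_array($value[$kk])) {
                        continue;
                    }
                    $kv = $value[$kk];
                    if ($kk == 'tmp_name') {
                        $kv = $_CONF['path_data'] . basename($kv);
                    }
                    $_FILES[$file][$kk] = $kv;
                }
            }
        }
    }
    // … unchanged: further POST processing …
```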
diff -r e0748b344b7e -r aa96980fb72f public_html/users.php
--- a/public_html/users.php Fri Dec 25 18:46:26 2009 +0100
+++ b/public_html/users.php Sat Dec 26 11:53:40 2009 +0100
@@ -875,6 +875,10 @@
if (isset($_POST['token_getdata'])) {
$getdata = urldecode($_POST['token_getdata']);
}
+ $files = '';
+ if (isset($_POST['token_files'])) {
+ $files = urldecode($_POST['token_files']);
+ }
if (SECINT_checkToken() && !empty($method) && !empty($returnurl) &&
((($method == 'POST') && !empty($postdata)) ||
@@ -891,6 +895,14 @@
$req->addPostData($key, $value);
}
}
+ if (! empty($files)) {
+ $files = unserialize($files);
+ }
+ if (! empty($files)) {
+ foreach ($files as $key => $value) {
+ $req->addPostData('_files_' . $key, $value);
+ }
+ }
} else {
$req->setMethod(HTTP_REQUEST_METHOD_GET);
$data = unserialize($getdata);
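Review bot: `unserialize($files)` on the fourth line of the hunk deserialises a value that arrives straight from `$_POST['token_files']`, so any class with a `__wakeup`/`__destruct` side effect that is loaded at this point can be instantiated by the client (PHP object injection); it is guarded by `SECINT_checkToken()` but that only proves the form was ours, not that its hidden field was not edited. The same pattern already exists for `$getdata` on the last line, so this is consistent with the file, but the new branch also has no shape check before it feeds the result to `addPostData()`: `$files` may come back as a scalar or an object. At minimum add `if (! is_array($files)) { $files = array(); }` after the `unserialize()` and skip entries whose `$value` is not an array; better, keep the rescued-file list server-side and put only an opaque handle in the form. Whether `addPostData()` accepts an array `$value` depends on the HTTP_Request version in use, which this hunk does not show.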
@@ -1349,13 +1361,17 @@
if (isset($_POST['token_getdata'])) {
$getdata = urldecode($_POST['token_getdata']);
}
+ $files = '';
+ if (isset($_POST['token_files'])) {
+ $files = urldecode($_POST['token_files']);
+ }
if (SECINT_checkToken() && !empty($method) &&
!empty($returnurl) &&
((($method == 'POST') && !empty($postdata)) ||
(($method == 'GET') && !empty($getdata)))) {
$display .= COM_showMessage(81);
$display .= SECINT_authform($returnurl, $method,
- $postdata, $getdata);
+ $postdata, $getdata, $files);
} else {
echo COM_refresh($_CONF['site_url'] . '/index.php');
exit;
diff -r e0748b344b7e -r aa96980fb72f system/classes/upload.class.php
--- a/system/classes/upload.class.php Fri Dec 25 18:46:26 2009 +0100
+++ b/system/classes/upload.class.php Sat Dec 26 11:53:40 2009 +0100
@@ -509,6 +509,8 @@
*/
function _copyFile()
{
+ global $_CONF;
+
if (!is_writable($this->_fileUploadDirectory)) {
// Developer didn't check return value of setPath() method which would
// have told them the upload directory was not writable. Error out now
@@ -526,7 +528,11 @@
$sizeOK = false;
}
}
- $returnMove = move_uploaded_file($this->_currentFile['tmp_name'], $this->_fileUploadDirectory . '/' . $this->_getDestinationName());
+ if (substr($this->_currentFile['tmp_name'], 0, strlen($_CONF['path_data'])) == $_CONF['path_data']) {
+ $returnMove = rename($this->_currentFile['tmp_name'], $this->_fileUploadDirectory . '/' . $this->_getDestinationName());
+ } else {
+ $returnMove = move_uploaded_file($this->_currentFile['tmp_name'], $this->_fileUploadDirectory . '/' . $this->_getDestinationName());
+ }
if (!($sizeOK)) {
// OK, resize
$sizefactor = $this->_calcSizefactor ($imageInfo['width'],
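Review bot: The new `rename()` branch gives up the `is_uploaded_file()` guarantee that `move_uploaded_file()` provides, and the gate for it is a plain string-prefix test: a `tmp_name` such as `<path_data>/../something` passes, and if `$_CONF['path_data']` has no trailing slash a sibling directory with the same prefix passes too. Since `_copyFile()` is library code that other callers and plugins can reach with their own `$_currentFile['tmp_name']`, I would resolve both sides with `realpath()` and require a regular file strictly below the data directory before using `rename()`. `_copyFile()` starts in the previous hunk and its body continues past the end of this one.
```php
        $dest = $this->_fileUploadDirectory . '/' . $this->_getDestinationName();
        $rescueDir = realpath($_CONF['path_data']);
        $tmpReal = realpath($this->_currentFile['tmp_name']);
        if (($rescueDir !== false) && ($tmpReal !== false) && is_file($tmpReal)
                && (strpos($tmpReal, $rescueDir . DIRECTORY_SEPARATOR) === 0)) {
            // file parked by SEC_checkToken(): no longer an upload, so rename()
            $returnMove = rename($tmpReal, $dest);
        } else {
            $returnMove = move_uploaded_file($this->_currentFile['tmp_name'], $dest);
        }
        // … unchanged: resize handling …
```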
diff -r e0748b344b7e -r aa96980fb72f system/lib-security.php
--- a/system/lib-security.php Fri Dec 25 18:46:26 2009 +0100
+++ b/system/lib-security.php Sat Dec 26 11:53:40 2009 +0100
@@ -1131,7 +1131,7 @@
*/
function SEC_checkToken()
{
- global $LANG20;
+ global $_CONF, $LANG20;
if (SECINT_checkToken()) {
return true;
@@ -1144,10 +1144,22 @@
$method = strtoupper($_SERVER['REQUEST_METHOD']);
$postdata = serialize($_POST);
$getdata = serialize($_GET);
+ $files = '';
+ if (! empty($_FILES)) {
+ $files = serialize($_FILES);
+ // rescue uploaded files
+ foreach ($_FILES as $f) {
+ if (! empty($f['name'])) {
+ $filename = basename($f['tmp_name']);
+ move_uploaded_file($f['tmp_name'],
+ $_CONF['path_data'] . $filename);
+ }
+ }
+ }
$display = COM_siteHeader('menu', $LANG20[1])
. COM_showMessageText('The security token for this operation has expired. Please authenticate again to continue.')
- . SECINT_authform($returnurl, $method, $postdata, $getdata)
+ . SECINT_authform($returnurl, $method, $postdata, $getdata, $files)
. COM_siteFooter();
COM_output($display);
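Review bot: The return value of `move_uploaded_file()` in the rescue loop is ignored, so when the move fails (directory not writable, cross-device) the serialized `$files` still advertises a `tmp_name` that no longer exists and the replay will fail later with no explanation; `$files` is also serialized before the loop, so it can never reflect what was actually parked. The loop additionally assumes `$f['tmp_name']` is a string, which is false for `name[]`-style multi-file inputs where each field is an array, and it keeps PHP's temporary basename as the parked file's name with nothing recording which session owns it or when it can be reaped (the commit message already notes the reaping gap). I would build the list from successful moves only and check the error code, and would consider giving the parked file a fresh random name recorded server-side so the client never chooses which file it reclaims. `SEC_checkToken()` continues past the end of this hunk.
```php
    $files = '';
    if (! empty($_FILES)) {
        // rescue uploaded files; only successfully parked ones are advertised
        $rescued = array();
        foreach ($_FILES as $key => $f) {
            if (! empty($f['name']) && is_string($f['tmp_name'])
                    && ($f['error'] == UPLOAD_ERR_OK)) {
                $filename = basename($f['tmp_name']);
                if (move_uploaded_file($f['tmp_name'],
                                       $_CONF['path_data'] . $filename)) {
                    $rescued[$key] = $f;
                }
            }
        }
        if (! empty($rescued)) {
            $files = serialize($rescued);
        }
    }
    // … unchanged: build and output the re-authentication page …
```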
@@ -1228,7 +1240,7 @@
* @access private
*
*/
-function SECINT_authform($returnurl, $method, $postdata = '', $getdata = '')
+function SECINT_authform($returnurl, $method, $postdata = '', $getdata = '', $files = '')
{
global $_CONF, $LANG01, $LANG04, $LANG20;
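Review bot: The new `$files` parameter is not described in the docblock that closes at the top of this hunk, while the existing parameters presumably have `@param` entries above it. Add `* @param string $files serialized $_FILES for uploads parked by SEC_checkToken(), '' when none` next to them so callers know the value is expected to be serialized rather than a file name or array. The function body continues past the end of this hunk.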
@@ -1290,6 +1302,8 @@
. urlencode($postdata) . '"' . XHTML . '>' . LB;
$services .= '<input type="hidden" name="token_getdata" value="'
. urlencode($getdata) . '"' . XHTML . '>' . LB;
+ $services .= '<input type="hidden" name="token_files" value="'
+ . urlencode($files) . '"' . XHTML . '>' . LB;
$services .= '<input type="hidden" name="token_requestmethod" value="'
. $method . '"' . XHTML . '>' . LB;
$services .= '<input type="hidden" name="' . CSRF_TOKEN . '" value="'
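Review bot: The `token_files` hidden field sends the full serialized `$_FILES` to the browser, which includes each upload's absolute server `tmp_name`; the consumer in `admin/story.php` only ever uses `basename()` of it and re-adds `$_CONF['path_data']`, so the path is disclosed for nothing. Emitting only the basename (or better an opaque handle looked up server-side) would avoid leaking filesystem layout and shrink the value the client can tamper with before it is unserialized on replay. `urlencode()` does make the value safe inside the attribute, so escaping is not the concern here.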