sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00
Code Activity

Write initial avatar uploading engine! We've still got a few things left to do, though - like creating infrastructure fort he avatar to actually be used.

Browse source
This commit is contained in:
Starbeamrainbowlabs 2017-05-23 20:31:34 +01:00
parent adc6b93f6d
commit 7c5da3f6a9
1 changed files with 31 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
modules/feature-upload.php
View file

@ -23,6 +23,7 @@ register_module([
* @apiParam {string} name The name of the file to upload. * @apiParam {string} name The name of the file to upload.
* @apiParam {string} description A description of the file. * @apiParam {string} description A description of the file.
* @apiParam {file} file The file to upload. * @apiParam {file} file The file to upload.
* @apiParam {boolean} avatar Whether this upload should be uploaded as the current user's avatar. If specified, any filenames provided will be ignored.
* *
* @apiUse UserNotLoggedInError * @apiUse UserNotLoggedInError
* @apiError UploadsDisabledError Uploads are currently disabled in the wiki's settings. * @apiError UploadsDisabledError Uploads are currently disabled in the wiki's settings.
@ -43,6 +44,8 @@ register_module([
add_action("upload", function() { add_action("upload", function() {
global $settings, $env, $pageindex, $paths; global $settings, $env, $pageindex, $paths;
$is_avatar = !empty($_POST["avatar"]) || !empty($_GET["avatar"]);
switch($_SERVER["REQUEST_METHOD"]) switch($_SERVER["REQUEST_METHOD"])
{ {
case "GET": case "GET":
@ -54,8 +57,22 @@ register_module([
exit(page_renderer::render("Upload Error - $settings->sitename", "<p>You are not currently logged in, so you can't upload anything.</p> exit(page_renderer::render("Upload Error - $settings->sitename", "<p>You are not currently logged in, so you can't upload anything.</p>
<p>Try <a href='?action=login&returnto=" . rawurlencode("?action=upload") . "'>logging in</a> first.</p>")); <p>Try <a href='?action=login&returnto=" . rawurlencode("?action=upload") . "'>logging in</a> first.</p>"));
if($is_avatar) {
exit(page_renderer::render("Upload avatar - $settings->sitenamae", "<h1>Upload avatar</h1>
<p>Select an image below, and then press upload. $settings->sitename currently supports the following file types (though not all of them may be suitable for an avatar): " . implode(", ", $settings->upload_allowed_file_types) . "</p>
<form method='post' action='action=upload' enctype='multipart/form-data'>
<label for='file'>Select a file to upload.</label>
<input type='file' name='file' id='file-upload-selector' tabindex='1' />
<br />
<p class='editing_message'>$settings->editing_message</p>
<input type='hidden' name='avatar' value='yes' />
<input type='submit' value='Upload' tabindex='20' />
</form>"));
}
exit(page_renderer::render("Upload - $settings->sitename", "<h1>Upload file</h1> exit(page_renderer::render("Upload - $settings->sitename", "<h1>Upload file</h1>
<p>Select an image below, and then type a name for it in the box. This server currently supports uploads up to " . human_filesize(get_max_upload_size()) . " in size.</p> <p>Select an image or file below, and then type a name for it in the box. This server currently supports uploads up to " . human_filesize(get_max_upload_size()) . " in size.</p>
<p>$settings->sitename currently supports uploading of the following file types: " . implode(", ", $settings->upload_allowed_file_types) . ".</p> <p>$settings->sitename currently supports uploading of the following file types: " . implode(", ", $settings->upload_allowed_file_types) . ".</p>
<form method='post' action='?action=upload' enctype='multipart/form-data'> <form method='post' action='?action=upload' enctype='multipart/form-data'>
<label for='file'>Select a file to upload.</label> <label for='file'>Select a file to upload.</label>
@ -85,7 +102,8 @@ register_module([
// Make sure uploads are enabled // Make sure uploads are enabled
if(!$settings->upload_enabled) if(!$settings->upload_enabled)
{ {
unlink($_FILES["file"]["tmp_name"]); if(!empty($_FILES["file"]))
unlink($_FILES["file"]["tmp_name"]);
http_response_code(412); http_response_code(412);
exit(page_renderer::render("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because uploads are currently disabled on $settings->sitename. <a href='index.php'>Go back to the main page</a>.</p>")); exit(page_renderer::render("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because uploads are currently disabled on $settings->sitename. <a href='index.php'>Go back to the main page</a>.</p>"));
} }
@ -93,14 +111,15 @@ register_module([
// Make sure that the user is logged in // Make sure that the user is logged in
if(!$env->is_logged_in) if(!$env->is_logged_in)
{ {
unlink($_FILES["file"]["tmp_name"]); if(!empty($_FILES["file"]))
unlink($_FILES["file"]["tmp_name"]);
http_response_code(401); http_response_code(401);
exit(page_renderer::render("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because you are not logged in.</p><p>Try <a href='?action=login&returnto=" . rawurlencode("?action=upload") . "'>logging in</a> first.")); exit(page_renderer::render("Upload failed - $settings->sitename", "<p>Your upload couldn't be processed because you are not logged in.</p><p>Try <a href='?action=login&returnto=" . rawurlencode("?action=upload") . "'>logging in</a> first."));
} }
// Calculate the target name, removing any characters we // Calculate the target name, removing any characters we
// are unsure about. // are unsure about.
$target_name = makepathsafe($_POST["name"]); $target_name = makepathsafe($_POST["name"] ?? "Users/$env->user/Avatar");
$temp_filename = $_FILES["file"]["tmp_name"]; $temp_filename = $_FILES["file"]["tmp_name"];
$mimechecker = finfo_open(FILEINFO_MIME_TYPE); $mimechecker = finfo_open(FILEINFO_MIME_TYPE);
@ -116,6 +135,11 @@ register_module([
} }
// Perform appropriate checks based on the *real* filetype // Perform appropriate checks based on the *real* filetype
if($is_avatar && substr($mime_type, 0, strpos($mime_type, "/")) !== "image") {
http_response_code(415);
exit(page_renderer::render_main("Error uploading avatar - $settings->sitename", "<p>That file appears to be unsuitable as an avatar, as $settings->sitename has detected it to be of type <code>$mime_type</code>, which doesn't appear to be an image. Please try <a href='?action=upload&avatar=yes'>uploading a different file</a> to use as your avatar.</p>"));
}
switch(substr($mime_type, 0, strpos($mime_type, "/"))) switch(substr($mime_type, 0, strpos($mime_type, "/")))
{ {
case "image": case "image":
@ -140,17 +164,18 @@ register_module([
if(isset($settings->mime_mappings_overrides->$mime_type)) if(isset($settings->mime_mappings_overrides->$mime_type))
$file_extension = $settings->mime_mappings_overrides->$mime_type; $file_extension = $settings->mime_mappings_overrides->$mime_type;
if(in_array($file_extension, [ "php", ".htaccess", "asp" ])) if(in_array($file_extension, [ "php", ".htaccess", "asp", "aspx" ]))
{ {
http_response_code(415); http_response_code(415);
exit(page_renderer::render("Upload Error - $settings->sitename", "<p>The file you uploaded appears to be dangerous and has been discarded. Please contact $settings->sitename's administrator for assistance.</p> exit(page_renderer::render("Upload Error - $settings->sitename", "<p>The file you uploaded appears to be dangerous and has been discarded. Please contact $settings->sitename's administrator for assistance.</p>
<p>Additional information: The file uploaded appeared to be of type <code>$mime_type</code>, which mapped onto the extension <code>$file_extension</code>. This file extension has the potential to be executed accidentally by the web server.</p>")); <p>Additional information: The file uploaded appeared to be of type <code>$mime_type</code>, which mapped onto the extension <code>$file_extension</code>. This file extension has the potential to be executed accidentally by the web server.</p>"));
} }
// Rewrite the name to include the _actual_ file extension we've cleverly calculated :D
$new_filename = "$paths->upload_file_prefix$target_name.$file_extension"; $new_filename = "$paths->upload_file_prefix$target_name.$file_extension";
$new_description_filename = "$new_filename.md"; $new_description_filename = "$new_filename.md";
if(isset($pageindex->$new_filename)) if(isset($pageindex->$new_filename) && !$is_avatar)
exit(page_renderer::render("Upload Error - $settings->sitename", "<p>A page or file has already been uploaded with the name '$new_filename'. Try deleting it first. If you do not have permission to delete things, try contacting one of the moderators.</p>")); exit(page_renderer::render("Upload Error - $settings->sitename", "<p>A page or file has already been uploaded with the name '$new_filename'. Try deleting it first. If you do not have permission to delete things, try contacting one of the moderators.</p>"));
if(!file_exists($env->storage_prefix . "Files")) if(!file_exists($env->storage_prefix . "Files"))