Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 3a7fb04fec6d5a389b8ab40b32403c9db0c40389 / . / system / libraries / Upload.php
blob: 287e281068ce7cc510a35968e6e6e6155238b9bc [file] [log] [blame]
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]1<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]2/**
3 * CodeIgniter
4 *
Phil Sturgeon07c1ac82012-03-09 17:03:37 +0000[diff] [blame]5 * An open source application development framework for PHP 5.2.4 or newer
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]6 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]7 * NOTICE OF LICENSE
Andrey Andreev3a459572011-12-21 11:23:11 +0200[diff] [blame]8 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]9 * Licensed under the Open Software License version 3.0
Andrey Andreev3a459572011-12-21 11:23:11 +0200[diff] [blame]10 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]11 * This source file is subject to the Open Software License (OSL 3.0) that is
12 * bundled with this package in the files license.txt / license.rst. It is
13 * also available through the world wide web at this URL:
14 * http://opensource.org/licenses/OSL-3.0
15 * If you did not receive a copy of the license and are unable to obtain it
16 * through the world wide web, please send an email to
17 * licensing@ellislab.com so we can send you a copy immediately.
18 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]19 * @package CodeIgniter
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]20 * @author EllisLab Dev Team
Greg Aker0defe5d2012-01-01 18:46:41 -0600[diff] [blame]21 * @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/)
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]22 * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]23 * @link http://codeigniter.com
24 * @since Version 1.0
25 * @filesource
26 */
27
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]28/**
29 * File Uploading Class
30 *
31 * @package CodeIgniter
32 * @subpackage Libraries
33 * @category Uploads
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]34 * @author EllisLab Dev Team
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]35 * @link http://codeigniter.com/user_guide/libraries/file_uploading.html
36 */
37class CI_Upload {
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]38
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]39 public $max_size = 0;
40 public $max_width = 0;
41 public $max_height = 0;
42 public $max_filename = 0;
Adam Jackettccbbea12011-08-21 16:19:11 -0400[diff] [blame]43 public $max_filename_increment = 100;
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]44 public $allowed_types = '';
45 public $file_temp = '';
46 public $file_name = '';
47 public $orig_name = '';
48 public $file_type = '';
49 public $file_size = '';
50 public $file_ext = '';
51 public $upload_path = '';
52 public $overwrite = FALSE;
53 public $encrypt_name = FALSE;
54 public $is_image = FALSE;
55 public $image_width = '';
56 public $image_height = '';
57 public $image_type = '';
58 public $image_size_str = '';
59 public $error_msg = array();
60 public $mimes = array();
61 public $remove_spaces = TRUE;
62 public $xss_clean = FALSE;
63 public $temp_prefix = 'temp_file_';
64 public $client_name = '';
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]65
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]66 protected $_file_name_override = '';
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]67
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]68 /**
69 * Constructor
70 *
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]71 * @param array
72 * @return void
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]73 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]74 public function __construct($props = array())
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]75 {
76 if (count($props) > 0)
77 {
78 $this->initialize($props);
79 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]80
Andrey Andreev6ef498b2012-06-05 22:01:58 +0300[diff] [blame]81 $this->mimes =& get_mimes();
82
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]83 log_message('debug', 'Upload Class Initialized');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]84 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]85
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]86 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]87
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]88 /**
89 * Initialize preferences
90 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]91 * @param array
92 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]93 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]94 public function initialize($config = array())
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]95 {
96 $defaults = array(
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]97 'max_size' => 0,
98 'max_width' => 0,
99 'max_height' => 0,
100 'max_filename' => 0,
101 'max_filename_increment' => 100,
102 'allowed_types' => '',
103 'file_temp' => '',
104 'file_name' => '',
105 'orig_name' => '',
106 'file_type' => '',
107 'file_size' => '',
108 'file_ext' => '',
109 'upload_path' => '',
110 'overwrite' => FALSE,
111 'encrypt_name' => FALSE,
112 'is_image' => FALSE,
113 'image_width' => '',
114 'image_height' => '',
115 'image_type' => '',
116 'image_size_str' => '',
117 'error_msg' => array(),
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]118 'remove_spaces' => TRUE,
119 'xss_clean' => FALSE,
120 'temp_prefix' => 'temp_file_',
121 'client_name' => ''
122 );
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]123
124
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]125 foreach ($defaults as $key => $val)
126 {
127 if (isset($config[$key]))
128 {
129 $method = 'set_'.$key;
130 if (method_exists($this, $method))
131 {
132 $this->$method($config[$key]);
133 }
134 else
135 {
136 $this->$key = $config[$key];
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]137 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]138 }
139 else
140 {
141 $this->$key = $val;
142 }
143 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]144
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]145 // if a file_name was provided in the config, use it instead of the user input
146 // supplied file name for all uploads until initialized again
147 $this->_file_name_override = $this->file_name;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]148 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]149
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]150 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]151
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]152 /**
153 * Perform the file upload
154 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]155 * @return bool
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]156 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]157 public function do_upload($field = 'userfile')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]158 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]159 // Is $_FILES[$field] set? If not, no reason to continue.
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]160 if ( ! isset($_FILES[$field]))
161 {
162 $this->set_error('upload_no_file_selected');
163 return FALSE;
164 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]165
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]166 // Is the upload path valid?
167 if ( ! $this->validate_upload_path())
168 {
169 // errors will already be set by validate_upload_path() so just return FALSE
170 return FALSE;
171 }
172
173 // Was the file able to be uploaded? If not, determine the reason why.
174 if ( ! is_uploaded_file($_FILES[$field]['tmp_name']))
175 {
176 $error = ( ! isset($_FILES[$field]['error'])) ? 4 : $_FILES[$field]['error'];
177
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]178 switch ($error)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]179 {
180 case 1: // UPLOAD_ERR_INI_SIZE
181 $this->set_error('upload_file_exceeds_limit');
182 break;
183 case 2: // UPLOAD_ERR_FORM_SIZE
184 $this->set_error('upload_file_exceeds_form_limit');
185 break;
186 case 3: // UPLOAD_ERR_PARTIAL
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]187 $this->set_error('upload_file_partial');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]188 break;
189 case 4: // UPLOAD_ERR_NO_FILE
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]190 $this->set_error('upload_no_file_selected');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]191 break;
192 case 6: // UPLOAD_ERR_NO_TMP_DIR
193 $this->set_error('upload_no_temp_directory');
194 break;
195 case 7: // UPLOAD_ERR_CANT_WRITE
196 $this->set_error('upload_unable_to_write_file');
197 break;
198 case 8: // UPLOAD_ERR_EXTENSION
199 $this->set_error('upload_stopped_by_extension');
200 break;
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]201 default:
202 $this->set_error('upload_no_file_selected');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]203 break;
204 }
205
206 return FALSE;
207 }
208
209 // Set the uploaded data as class variables
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]210 $this->file_temp = $_FILES[$field]['tmp_name'];
211 $this->file_size = $_FILES[$field]['size'];
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]212 $this->_file_mime_type($_FILES[$field]);
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]213 $this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type);
Derek Jones616fb022010-04-22 16:52:18 -0500[diff] [blame]214 $this->file_type = strtolower(trim(stripslashes($this->file_type), '"'));
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]215 $this->file_name = $this->_prep_filename($_FILES[$field]['name']);
216 $this->file_ext = $this->get_extension($this->file_name);
217 $this->client_name = $this->file_name;
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]218
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]219 // Is the file type allowed to be uploaded?
220 if ( ! $this->is_allowed_filetype())
221 {
222 $this->set_error('upload_invalid_filetype');
223 return FALSE;
224 }
225
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]226 // if we're overriding, let's now make sure the new name and type is allowed
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]227 if ($this->_file_name_override !== '')
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]228 {
229 $this->file_name = $this->_prep_filename($this->_file_name_override);
Phil Sturgeon1e74da22010-12-15 10:45:06 +0000[diff] [blame]230
231 // If no extension was provided in the file_name config item, use the uploaded one
Pascal Kriete14287f32011-02-14 13:39:34 -0500[diff] [blame]232 if (strpos($this->_file_name_override, '.') === FALSE)
Phil Sturgeon1e74da22010-12-15 10:45:06 +0000[diff] [blame]233 {
234 $this->file_name .= $this->file_ext;
235 }
Phil Sturgeon1e74da22010-12-15 10:45:06 +0000[diff] [blame]236 else
237 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]238 // An extension was provided, lets have it!
239 $this->file_ext = $this->get_extension($this->_file_name_override);
Phil Sturgeon1e74da22010-12-15 10:45:06 +0000[diff] [blame]240 }
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]241
242 if ( ! $this->is_allowed_filetype(TRUE))
243 {
244 $this->set_error('upload_invalid_filetype');
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]245 return FALSE;
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]246 }
247 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]248
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]249 // Convert the file size to kilobytes
250 if ($this->file_size > 0)
251 {
252 $this->file_size = round($this->file_size/1024, 2);
253 }
254
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]255 // Is the file size within the allowed maximum?
256 if ( ! $this->is_allowed_filesize())
257 {
258 $this->set_error('upload_invalid_filesize');
259 return FALSE;
260 }
261
262 // Are the image dimensions within the allowed size?
263 // Note: This can fail if the server has an open_basdir restriction.
264 if ( ! $this->is_allowed_dimensions())
265 {
266 $this->set_error('upload_invalid_dimensions');
267 return FALSE;
268 }
269
270 // Sanitize the file name for security
271 $this->file_name = $this->clean_file_name($this->file_name);
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]272
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]273 // Truncate the file name if it's too long
274 if ($this->max_filename > 0)
275 {
276 $this->file_name = $this->limit_filename_length($this->file_name, $this->max_filename);
277 }
278
279 // Remove white spaces in the name
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]280 if ($this->remove_spaces === TRUE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]281 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]282 $this->file_name = preg_replace('/\s+/', '_', $this->file_name);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]283 }
284
285 /*
286 * Validate the file name
287 * This function appends an number onto the end of
288 * the file if one with the same name already exists.
289 * If it returns false there was a problem.
290 */
291 $this->orig_name = $this->file_name;
292
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]293 if ($this->overwrite === FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]294 {
295 $this->file_name = $this->set_filename($this->upload_path, $this->file_name);
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]296
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]297 if ($this->file_name === FALSE)
298 {
299 return FALSE;
300 }
301 }
302
303 /*
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]304 * Run the file through the XSS hacking filter
305 * This helps prevent malicious code from being
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]306 * embedded within a file. Scripts can easily
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]307 * be disguised as images or other file types.
308 */
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]309 if ($this->xss_clean && $this->do_xss_clean() === FALSE)
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]310 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]311 $this->set_error('upload_unable_to_write_file');
312 return FALSE;
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]313 }
314
315 /*
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]316 * Move the file to the final destination
317 * To deal with different server configurations
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]318 * we'll attempt to use copy() first. If that fails
319 * we'll use move_uploaded_file(). One of the two should
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]320 * reliably work in most environments
321 */
322 if ( ! @copy($this->file_temp, $this->upload_path.$this->file_name))
323 {
324 if ( ! @move_uploaded_file($this->file_temp, $this->upload_path.$this->file_name))
325 {
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]326 $this->set_error('upload_destination_error');
327 return FALSE;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]328 }
329 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]330
331 /*
332 * Set the finalized image dimensions
333 * This sets the image width/height (assuming the
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]334 * file was an image). We use this information
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]335 * in the "data" function.
336 */
337 $this->set_image_properties($this->upload_path.$this->file_name);
338
339 return TRUE;
340 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]341
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]342 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]343
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]344 /**
345 * Finalized Data Array
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]346 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]347 * Returns an associative array containing all of the information
348 * related to the upload, allowing the developer easy access in one array.
349 *
Michiel Vugteveendca9f232012-06-11 09:17:14 +0200[diff] [blame]350 * @param string
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]351 * @return array
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]352 */
Michiel Vugteveendca9f232012-06-11 09:17:14 +0200[diff] [blame]353 public function data($index = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]354 {
Michiel Vugteveendca9f232012-06-11 09:17:14 +0200[diff] [blame]355 $data = array(
Michiel Vugteveen3a7fb042012-06-11 09:29:16 +0200[diff] [blame^]356 'file_name' => $this->file_name,
357 'file_type' => $this->file_type,
358 'file_path' => $this->upload_path,
359 'full_path' => $this->upload_path.$this->file_name,
360 'raw_name' => str_replace($this->file_ext, '', $this->file_name),
361 'orig_name' => $this->orig_name,
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]362 'client_name' => $this->client_name,
Michiel Vugteveen3a7fb042012-06-11 09:29:16 +0200[diff] [blame^]363 'file_ext' => $this->file_ext,
364 'file_size' => $this->file_size,
365 'is_image' => $this->is_image(),
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]366 'image_width' => $this->image_width,
367 'image_height' => $this->image_height,
368 'image_type' => $this->image_type,
369 'image_size_str' => $this->image_size_str,
370 );
Michiel Vugteveendca9f232012-06-11 09:17:14 +0200[diff] [blame]371
372 if ($index === NULL OR ! isset($data[$index]))
373 {
374 return $data;
375 }
376
377 return $data[$index];
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]378 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]379
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]380 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]381
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]382 /**
383 * Set Upload Path
384 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]385 * @param string
386 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]387 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]388 public function set_upload_path($path)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]389 {
390 // Make sure it has a trailing slash
391 $this->upload_path = rtrim($path, '/').'/';
392 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]393
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]394 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]395
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]396 /**
397 * Set the file name
398 *
399 * This function takes a filename/path as input and looks for the
400 * existence of a file with the same name. If found, it will append a
401 * number to the end of the filename to avoid overwriting a pre-existing file.
402 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]403 * @param string
404 * @param string
405 * @return string
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]406 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]407 public function set_filename($path, $filename)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]408 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]409 if ($this->encrypt_name === TRUE)
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]410 {
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]411 mt_srand();
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]412 $filename = md5(uniqid(mt_rand())).$this->file_ext;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]413 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]414
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]415 if ( ! file_exists($path.$filename))
416 {
417 return $filename;
418 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]419
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]420 $filename = str_replace($this->file_ext, '', $filename);
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]421
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]422 $new_filename = '';
Adam Jackettccbbea12011-08-21 16:19:11 -0400[diff] [blame]423 for ($i = 1; $i < $this->max_filename_increment; $i++)
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]424 {
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]425 if ( ! file_exists($path.$filename.$i.$this->file_ext))
426 {
427 $new_filename = $filename.$i.$this->file_ext;
428 break;
429 }
430 }
431
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]432 if ($new_filename === '')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]433 {
434 $this->set_error('upload_bad_filename');
435 return FALSE;
436 }
437 else
438 {
439 return $new_filename;
440 }
441 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]442
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]443 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]444
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]445 /**
446 * Set Maximum File Size
447 *
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]448 * @param int
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]449 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]450 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]451 public function set_max_filesize($n)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]452 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]453 $this->max_size = ((int) $n < 0) ? 0 : (int) $n;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]454 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]455
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]456 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]457
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]458 /**
459 * Set Maximum File Name Length
460 *
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]461 * @param int
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]462 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]463 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]464 public function set_max_filename($n)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]465 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]466 $this->max_filename = ((int) $n < 0) ? 0 : (int) $n;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]467 }
468
469 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]470
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]471 /**
472 * Set Maximum Image Width
473 *
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]474 * @param int
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]475 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]476 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]477 public function set_max_width($n)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]478 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]479 $this->max_width = ((int) $n < 0) ? 0 : (int) $n;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]480 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]481
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]482 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]483
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]484 /**
485 * Set Maximum Image Height
486 *
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]487 * @param int
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]488 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]489 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]490 public function set_max_height($n)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]491 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]492 $this->max_height = ((int) $n < 0) ? 0 : (int) $n;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]493 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]494
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]495 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]496
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]497 /**
498 * Set Allowed File Types
499 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]500 * @param string
501 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]502 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]503 public function set_allowed_types($types)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]504 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]505 if ( ! is_array($types) && $types === '*')
Derek Jonese12f64e2010-03-02 22:55:08 -0600[diff] [blame]506 {
507 $this->allowed_types = '*';
508 return;
509 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]510 $this->allowed_types = explode('|', $types);
511 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]512
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]513 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]514
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]515 /**
516 * Set Image Properties
517 *
518 * Uses GD to determine the width/height/type of image
519 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]520 * @param string
521 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]522 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]523 public function set_image_properties($path = '')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]524 {
525 if ( ! $this->is_image())
526 {
527 return;
528 }
529
530 if (function_exists('getimagesize'))
531 {
532 if (FALSE !== ($D = @getimagesize($path)))
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]533 {
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]534 $types = array(1 => 'gif', 2 => 'jpeg', 3 => 'png');
535
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]536 $this->image_width = $D[0];
537 $this->image_height = $D[1];
538 $this->image_type = isset($types[$D[2]]) ? $types[$D[2]] : 'unknown';
539 $this->image_size_str = $D[3]; // string containing height and width
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]540 }
541 }
542 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]543
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]544 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]545
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]546 /**
547 * Set XSS Clean
548 *
549 * Enables the XSS flag so that the file that was uploaded
550 * will be run through the XSS filter.
551 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]552 * @param bool
553 * @return void
554 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]555 public function set_xss_clean($flag = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]556 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]557 $this->xss_clean = ($flag === TRUE);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]558 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]559
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]560 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]561
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]562 /**
563 * Validate the image
564 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]565 * @return bool
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]566 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]567 public function is_image()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]568 {
569 // IE will sometimes return odd mime-types during upload, so here we just standardize all
570 // jpegs or pngs to the same file type.
571
Derek Jones4b9c6292011-07-01 17:40:48 -0500[diff] [blame]572 $png_mimes = array('image/x-png');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]573 $jpeg_mimes = array('image/jpg', 'image/jpe', 'image/jpeg', 'image/pjpeg');
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]574
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]575 if (in_array($this->file_type, $png_mimes))
576 {
577 $this->file_type = 'image/png';
578 }
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]579 elseif (in_array($this->file_type, $jpeg_mimes))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]580 {
581 $this->file_type = 'image/jpeg';
582 }
583
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]584 $img_mimes = array('image/gif', 'image/jpeg', 'image/png');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]585
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]586 return in_array($this->file_type, $img_mimes, TRUE);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]587 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]588
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]589 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]590
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]591 /**
592 * Verify that the filetype is allowed
593 *
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]594 * @param bool
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]595 * @return bool
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]596 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]597 public function is_allowed_filetype($ignore_mime = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]598 {
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]599 if ($this->allowed_types === '*')
Derek Jonese12f64e2010-03-02 22:55:08 -0600[diff] [blame]600 {
601 return TRUE;
602 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]603
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]604 if ( ! is_array($this->allowed_types) OR count($this->allowed_types) === 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]605 {
606 $this->set_error('upload_no_file_types');
607 return FALSE;
608 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]609
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]610 $ext = strtolower(ltrim($this->file_ext, '.'));
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]611
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]612 if ( ! in_array($ext, $this->allowed_types))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]613 {
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]614 return FALSE;
615 }
Derek Jonesafa282f2009-02-10 17:11:52 +0000[diff] [blame]616
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]617 // Images get some additional checks
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]618 $image_types = array('gif', 'jpg', 'jpeg', 'png', 'jpe');
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]619
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]620 if (in_array($ext, $image_types) && @getimagesize($this->file_temp) === FALSE)
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]621 {
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]622 return FALSE;
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]623 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]624
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]625 if ($ignore_mime === TRUE)
626 {
627 return TRUE;
628 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]629
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]630 $mime = $this->mimes_types($ext);
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]631
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]632 if (is_array($mime) && in_array($this->file_type, $mime, TRUE))
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]633 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]634 return TRUE;
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]635 }
Andrey Andreev6ca407e2012-03-01 15:33:21 +0200[diff] [blame]636 elseif ($mime === $this->file_type)
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]637 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]638 return TRUE;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]639 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]640
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]641 return FALSE;
642 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]643
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]644 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]645
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]646 /**
647 * Verify that the file is within the allowed size
648 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]649 * @return bool
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]650 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]651 public function is_allowed_filesize()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]652 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]653 return ($this->max_size === 0 OR $this->max_size > $this->file_size);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]654 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]655
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]656 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]657
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]658 /**
659 * Verify that the image is within the allowed width/height
660 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]661 * @return bool
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]662 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]663 public function is_allowed_dimensions()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]664 {
665 if ( ! $this->is_image())
666 {
667 return TRUE;
668 }
669
670 if (function_exists('getimagesize'))
671 {
672 $D = @getimagesize($this->file_temp);
673
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]674 if ($this->max_width > 0 && $D[0] > $this->max_width)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]675 {
676 return FALSE;
677 }
678
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]679 if ($this->max_height > 0 && $D[1] > $this->max_height)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]680 {
681 return FALSE;
682 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]683 }
684
685 return TRUE;
686 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]687
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]688 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]689
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]690 /**
691 * Validate Upload Path
692 *
693 * Verifies that it is a valid upload path with proper permissions.
694 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]695 * @return bool
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]696 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]697 public function validate_upload_path()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]698 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]699 if ($this->upload_path === '')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]700 {
701 $this->set_error('upload_no_filepath');
702 return FALSE;
703 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]704
Andrey Andreevc839d282012-06-07 14:35:27 +0300[diff] [blame]705 if (@realpath($this->upload_path) !== FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]706 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]707 $this->upload_path = str_replace('\\', '/', realpath($this->upload_path));
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]708 }
709
710 if ( ! @is_dir($this->upload_path))
711 {
712 $this->set_error('upload_no_filepath');
713 return FALSE;
714 }
715
716 if ( ! is_really_writable($this->upload_path))
717 {
718 $this->set_error('upload_not_writable');
719 return FALSE;
720 }
721
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]722 $this->upload_path = preg_replace('/(.+?)\/*$/', '\\1/', $this->upload_path);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]723 return TRUE;
724 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]725
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]726 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]727
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]728 /**
729 * Extract the file extension
730 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]731 * @param string
732 * @return string
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]733 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]734 public function get_extension($filename)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]735 {
736 $x = explode('.', $filename);
Andrey Andreev46d53fb2012-05-11 13:42:24 +0300[diff] [blame]737 return (count($x) !== 1) ? '.'.end($x) : '';
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]738 }
739
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]740 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]741
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]742 /**
743 * Clean the file name for security
744 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]745 * @param string
746 * @return string
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]747 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]748 public function clean_file_name($filename)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]749 {
750 $bad = array(
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]751 '<!--', '-->',
752 "'", '"',
753 '<', '>',
754 '&', '$',
755 '=',
756 ';',
757 '?',
758 '/',
Andrey Andreev470805b2012-05-24 21:57:21 +0300[diff] [blame]759 '!',
760 '#',
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]761 '%20',
762 '%22',
763 '%3c', // <
764 '%253c', // <
765 '%3e', // >
766 '%0e', // >
767 '%28', // (
768 '%29', // )
769 '%2528', // (
770 '%26', // &
771 '%24', // $
772 '%3f', // ?
773 '%3b', // ;
774 '%3d' // =
775 );
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]776
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]777 return stripslashes(str_replace($bad, '', $filename));
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]778 }
779
780 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]781
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]782 /**
783 * Limit the File Name Length
784 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]785 * @param string
786 * @return string
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]787 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]788 public function limit_filename_length($filename, $length)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]789 {
790 if (strlen($filename) < $length)
791 {
792 return $filename;
793 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]794
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]795 $ext = '';
796 if (strpos($filename, '.') !== FALSE)
797 {
798 $parts = explode('.', $filename);
799 $ext = '.'.array_pop($parts);
800 $filename = implode('.', $parts);
801 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]802
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]803 return substr($filename, 0, ($length - strlen($ext))).$ext;
804 }
805
806 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]807
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]808 /**
809 * Runs the file through the XSS clean function
810 *
811 * This prevents people from embedding malicious code in their files.
812 * I'm not sure that it won't negatively affect certain files in unexpected ways,
813 * but so far I haven't found that it causes trouble.
814 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]815 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]816 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]817 public function do_xss_clean()
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]818 {
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]819 $file = $this->file_temp;
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]820
Andrey Andreev5036c9c2012-06-04 15:34:56 +0300[diff] [blame]821 if (filesize($file) == 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]822 {
823 return FALSE;
824 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]825
Andrey Andreevc839d282012-06-07 14:35:27 +0300[diff] [blame]826 if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')))
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]827 {
Andrey Andreevc839d282012-06-07 14:35:27 +0300[diff] [blame]828 $memory_limit *= 1024 * 1024;
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]829
Greg Akerc78a2592010-06-09 11:45:32 -0500[diff] [blame]830 // There was a bug/behavioural change in PHP 5.2, where numbers over one million get output
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]831 // into scientific notation. number_format() ensures this number is an integer
Greg Akerc78a2592010-06-09 11:45:32 -0500[diff] [blame]832 // http://bugs.php.net/bug.php?id=43053
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]833
Andrey Andreevc839d282012-06-07 14:35:27 +0300[diff] [blame]834 $memory_limit = number_format(ceil(filesize($file) + $memory_limit), 0, '.', '');
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]835
Andrey Andreevc839d282012-06-07 14:35:27 +0300[diff] [blame]836 ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]837 }
838
839 // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but
840 // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]841 // using IE who looks at the image. It does this by inspecting the first 255 bytes of an image. To get around this
842 // CI will itself look at the first 255 bytes of an image to determine its relative safety. This can save a lot of
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]843 // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]844 // attempted XSS attack.
845
846 if (function_exists('getimagesize') && @getimagesize($file) !== FALSE)
847 {
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]848 if (($file = @fopen($file, 'rb')) === FALSE) // "b" to force binary
849 {
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]850 return FALSE; // Couldn't open the file, return FALSE
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]851 }
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]852
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]853 $opening_bytes = fread($file, 256);
854 fclose($file);
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]855
856 // These are known to throw IE into mime-type detection chaos
857 // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title
858 // title is basically just in SVG, but we filter it anyhow
859
Andrey Andreevc839d282012-06-07 14:35:27 +0300[diff] [blame]860 // if its an image or no "triggers" detected in the first 256 bytes - we're good
861 return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes);
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]862 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]863
864 if (($data = @file_get_contents($file)) === FALSE)
865 {
866 return FALSE;
867 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]868
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]869 $CI =& get_instance();
Greg Akerf82e51c2010-04-14 19:33:50 -0500[diff] [blame]870 return $CI->security->xss_clean($data, TRUE);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]871 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]872
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]873 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]874
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]875 /**
876 * Set an error message
877 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]878 * @param string
879 * @return void
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]880 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]881 public function set_error($msg)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]882 {
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]883 $CI =& get_instance();
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]884 $CI->lang->load('upload');
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]885
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]886 if (is_array($msg))
887 {
888 foreach ($msg as $val)
889 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]890 $msg = ($CI->lang->line($val) === FALSE) ? $val : $CI->lang->line($val);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]891 $this->error_msg[] = $msg;
892 log_message('error', $msg);
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]893 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]894 }
895 else
896 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]897 $msg = ($CI->lang->line($msg) === FALSE) ? $msg : $CI->lang->line($msg);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]898 $this->error_msg[] = $msg;
899 log_message('error', $msg);
900 }
901 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]902
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]903 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]904
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]905 /**
906 * Display the error message
907 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]908 * @param string
909 * @param string
910 * @return string
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]911 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]912 public function display_errors($open = '<p>', $close = '</p>')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]913 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]914 return (count($this->error_msg) > 0) ? $open.implode($close.$open, $this->error_msg).$close : '';
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]915 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]916
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]917 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]918
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]919 /**
920 * List of Mime Types
921 *
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]922 * This is a list of mime types. We use it to validate
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]923 * the "allowed types" set by the developer
924 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]925 * @param string
926 * @return string
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]927 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]928 public function mimes_types($mime)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]929 {
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]930 return isset($this->mimes[$mime]) ? $this->mimes[$mime] : FALSE;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]931 }
932
933 // --------------------------------------------------------------------
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]934
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]935 /**
936 * Prep Filename
937 *
938 * Prevents possible script execution from Apache's handling of files multiple extensions
939 * http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext
940 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]941 * @param string
942 * @return string
943 */
Greg Aker58fdee82010-11-10 15:07:09 -0600[diff] [blame]944 protected function _prep_filename($filename)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]945 {
Alex Bilbied261b1e2012-06-02 11:12:16 +0100[diff] [blame]946 if (strpos($filename, '.') === FALSE OR $this->allowed_types === '*')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]947 {
948 return $filename;
949 }
Derek Allard616dab82009-02-16 15:44:32 +0000[diff] [blame]950
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]951 $parts = explode('.', $filename);
952 $ext = array_pop($parts);
953 $filename = array_shift($parts);
Derek Allard616dab82009-02-16 15:44:32 +0000[diff] [blame]954
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]955 foreach ($parts as $part)
956 {
Derek Jonese9d723f2010-07-12 10:10:59 -0500[diff] [blame]957 if ( ! in_array(strtolower($part), $this->allowed_types) OR $this->mimes_types(strtolower($part)) === FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]958 {
959 $filename .= '.'.$part.'_';
960 }
961 else
962 {
963 $filename .= '.'.$part;
964 }
965 }
Derek Allardd70b0642009-02-16 13:51:42 +0000[diff] [blame]966
Andrey Andreev8e6f7a92012-03-26 20:13:00 +0300[diff] [blame]967 return $filename.'.'.$ext;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]968 }
969
970 // --------------------------------------------------------------------
971
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]972 /**
973 * File MIME type
974 *
975 * Detects the (actual) MIME type of the uploaded file, if possible.
976 * The input array is expected to be $_FILES[$field]
977 *
978 * @param array
979 * @return void
980 */
981 protected function _file_mime_type($file)
982 {
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]983 // We'll need this to validate the MIME info string (e.g. text/plain; charset=us-ascii)
Andrey Andreevf7aed122011-12-13 11:01:06 +0200[diff] [blame]984 $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/';
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]985
986 /* Fileinfo extension - most reliable method
987 *
988 * Unfortunately, prior to PHP 5.3 - it's only available as a PECL extension and the
989 * more convenient FILEINFO_MIME_TYPE flag doesn't exist.
990 */
991 if (function_exists('finfo_file'))
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]992 {
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]993 $finfo = finfo_open(FILEINFO_MIME);
994 if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]995 {
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]996 $mime = @finfo_file($finfo, $file['tmp_name']);
997 finfo_close($finfo);
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]998
999 /* According to the comments section of the PHP manual page,
1000 * it is possible that this function returns an empty string
Andrey Andreev2cec39f2011-09-24 22:59:37 +0300[diff] [blame]1001 * for some files (e.g. if they don't exist in the magic MIME database)
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]1002 */
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1003 if (is_string($mime) && preg_match($regexp, $mime, $matches))
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]1004 {
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1005 $this->file_type = $matches[1];
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]1006 return;
1007 }
1008 }
1009 }
1010
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1011 /* This is an ugly hack, but UNIX-type systems provide a "native" way to detect the file type,
1012 * which is still more secure than depending on the value of $_FILES[$field]['type'], and as it
1013 * was reported in issue #750 (https://github.com/EllisLab/CodeIgniter/issues/750) - it's better
1014 * than mime_content_type() as well, hence the attempts to try calling the command line with
1015 * three different functions.
Andrey Andreev6700b932011-09-24 14:25:33 +0300[diff] [blame]1016 *
1017 * Notes:
Andrey Andreev59654312011-12-02 14:28:54 +0200[diff] [blame]1018 * - the DIRECTORY_SEPARATOR comparison ensures that we're not on a Windows system
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1019 * - many system admins would disable the exec(), shell_exec(), popen() and similar functions
1020 * due to security concerns, hence the function_exists() checks
Andrey Andreev6700b932011-09-24 14:25:33 +0300[diff] [blame]1021 */
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1022 if (DIRECTORY_SEPARATOR !== '\\')
Andrey Andreev6700b932011-09-24 14:25:33 +0300[diff] [blame]1023 {
Andrey Andreev56454792012-05-17 14:32:19 +0300[diff] [blame]1024 $cmd = 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1';
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1025
1026 if (function_exists('exec'))
Andrey Andreev6700b932011-09-24 14:25:33 +0300[diff] [blame]1027 {
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1028 /* This might look confusing, as $mime is being populated with all of the output when set in the second parameter.
1029 * However, we only neeed the last line, which is the actual return value of exec(), and as such - it overwrites
1030 * anything that could already be set for $mime previously. This effectively makes the second parameter a dummy
1031 * value, which is only put to allow us to get the return status code.
1032 */
1033 $mime = @exec($cmd, $mime, $return_status);
1034 if ($return_status === 0 && is_string($mime) && preg_match($regexp, $mime, $matches))
1035 {
1036 $this->file_type = $matches[1];
1037 return;
1038 }
1039 }
1040
1041 if ( (bool) @ini_get('safe_mode') === FALSE && function_exists('shell_exec'))
1042 {
1043 $mime = @shell_exec($cmd);
1044 if (strlen($mime) > 0)
1045 {
1046 $mime = explode("\n", trim($mime));
1047 if (preg_match($regexp, $mime[(count($mime) - 1)], $matches))
1048 {
1049 $this->file_type = $matches[1];
1050 return;
1051 }
1052 }
1053 }
1054
1055 if (function_exists('popen'))
1056 {
1057 $proc = @popen($cmd, 'r');
1058 if (is_resource($proc))
1059 {
tubalmartin010f1f42012-03-03 22:24:31 +0100[diff] [blame]1060 $mime = @fread($proc, 512);
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1061 @pclose($proc);
1062 if ($mime !== FALSE)
1063 {
1064 $mime = explode("\n", trim($mime));
1065 if (preg_match($regexp, $mime[(count($mime) - 1)], $matches))
1066 {
1067 $this->file_type = $matches[1];
1068 return;
1069 }
1070 }
1071 }
1072 }
1073 }
1074
1075 // Fall back to the deprecated mime_content_type(), if available (still better than $_FILES[$field]['type'])
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]1076 if (function_exists('mime_content_type'))
1077 {
1078 $this->file_type = @mime_content_type($file['tmp_name']);
Andrey Andreeva49e3812011-12-09 13:05:22 +0200[diff] [blame]1079 if (strlen($this->file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]1080 {
Andrey Andreev3a3c9472011-09-24 14:25:33 +0300[diff] [blame]1081 return;
1082 }
1083 }
1084
1085 $this->file_type = $file['type'];
1086 }
1087
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]1088}
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]1089
1090/* End of file Upload.php */
Andrey Andreev56454792012-05-17 14:32:19 +0300[diff] [blame]1091/* Location: ./system/libraries/Upload.php */