From 4f4021a517a7b299dc73133afeac31e4707075cd Mon Sep 17 00:00:00 2001
From: Cameron <e107inc@gmail.com>
Date: Fri, 2 Dec 2016 13:14:50 -0800
Subject: [PATCH] More code cleanup

---
 e107_admin/image.php                 |   5 +-
 e107_plugins/forum/forum_uploads.php |   2 +-
 e107_web/js/plupload/upload.php      | 280 +++++++++++++++------------
 3 files changed, 165 insertions(+), 122 deletions(-)

diff --git a/e107_admin/image.php b/e107_admin/image.php
index 20a763453..2971d6bf4 100644
--- a/e107_admin/image.php
+++ b/e107_admin/image.php
@@ -1864,6 +1864,7 @@ class media_admin_ui extends e_admin_ui
 
 		$sql = e107::getDb();
 		$mes = e107::getMessage();
+		$tp = e107::getParser();
 
 			if(!empty($_POST['multiaction']))
 			{
@@ -1887,7 +1888,7 @@ class media_admin_ui extends e_admin_ui
 					}
 
 					//delete it from server
-					$deletePath = e_AVATAR.$path;
+					$deletePath = e_AVATAR.$tp->filter($path);
 					if(@unlink($deletePath))
 					{
 						$mes->addDebug('Deleted: '.$deletePath);
@@ -2619,7 +2620,7 @@ class media_admin_ui extends e_admin_ui
 		foreach($_POST['batch_selected'] as $key=>$file)
 		{
 
-			$oldpath = e_IMPORT.$file;
+			$oldpath = e_IMPORT.$tp->filter($file, 'w');
 
 			if($_POST['batch_category'] == '_avatars_public' || $_POST['batch_category'] == '_avatars_private')
 			{
diff --git a/e107_plugins/forum/forum_uploads.php b/e107_plugins/forum/forum_uploads.php
index 3e7f6fe9f..0fed72252 100644
--- a/e107_plugins/forum/forum_uploads.php
+++ b/e107_plugins/forum/forum_uploads.php
@@ -33,7 +33,7 @@ if(is_array($_POST['delete']))
 		$f = explode("_", $fname);
 		if($f[1] == USERID)
 		{
-			$path = e_UPLOAD.$fname;
+			$path = e_UPLOAD.e107::getParser()->filter($fname,'w');
 			if(unlink($path) == TRUE)
 			{
 				$msg = LAN_FORUM_7002.": $path";
diff --git a/e107_web/js/plupload/upload.php b/e107_web/js/plupload/upload.php
index e1f77ed69..a6800359e 100644
--- a/e107_web/js/plupload/upload.php
+++ b/e107_web/js/plupload/upload.php
@@ -1,165 +1,207 @@
 <?php
-/**
- * upload.php
- *
- * Copyright 2009, Moxiecode Systems AB
- * Released under GPL License.
- *
- * License: http://www.plupload.com/license
- * Contributing: http://www.plupload.com/contributing
- */
+	/**
+	 * upload.php
+	 *
+	 * Copyright 2009, Moxiecode Systems AB
+	 * Released under GPL License.
+	 *
+	 * License: http://www.plupload.com/license
+	 * Contributing: http://www.plupload.com/contributing
+	 */
 
 // HTTP headers for no cache etc
 
-$_E107['no_online'] = true;
-define('e_MINIMAL', true);
-define('FLOODPROTECT', false);
-require_once("../../../class2.php");
+	$_E107['no_online'] = true;
+	define('e_MINIMAL', true);
+	define('FLOODPROTECT', false);
+	require_once("../../../class2.php");
 
-if(!ADMIN)
-{
-	exit;	
-}
+	if(!ADMIN)
+	{
+		exit;
+	}
 
-header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
-header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
-header("Cache-Control: no-store, no-cache, must-revalidate");
-header("Cache-Control: post-check=0, pre-check=0", false);
-header("Pragma: no-cache");
+	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
+	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+	header("Cache-Control: no-store, no-cache, must-revalidate");
+	header("Cache-Control: post-check=0, pre-check=0", false);
+	header("Pragma: no-cache");
 
 // Settings
 // $targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
-$targetDir = e_IMPORT;
+	$targetDir = e_IMPORT;
 //$targetDir = 'uploads';
 
-$cleanupTargetDir = true; // Remove old files
-$maxFileAge = 5 * 3600; // Temp file age in seconds
+	$cleanupTargetDir = true; // Remove old files
+	$maxFileAge = 5 * 3600; // Temp file age in seconds
 
 // 5 minutes execution time
-@set_time_limit(5 * 60);
+	@set_time_limit(5 * 60);
 
 // Uncomment this one to fake upload time
 // usleep(5000);
 
 // Get parameters
-$chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
-$chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
-$fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
-
+	$chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
+	$chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
+	$fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
 
 
 // Clean the fileName for security reasons
-$fileName = preg_replace('/[^\w\._]+/', '_', $fileName);
+	$fileName = preg_replace('/[^\w\._]+/', '_', $fileName);
 
 // Make sure the fileName is unique but only if chunking is disabled
-if ($chunks < 2 && file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName)) {
-	$ext = strrpos($fileName, '.');
-	$fileName_a = substr($fileName, 0, $ext);
-	$fileName_b = substr($fileName, $ext);
+	if($chunks < 2 && file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName))
+	{
+		$ext = strrpos($fileName, '.');
+		$fileName_a = substr($fileName, 0, $ext);
+		$fileName_b = substr($fileName, $ext);
 
-	$count = 1;
-	while (file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName_a . '_' . $count . $fileName_b))
-		$count++;
+		$count = 1;
+		while(file_exists($targetDir . DIRECTORY_SEPARATOR . $fileName_a . '_' . $count . $fileName_b))
+		{
+			$count++;
+		}
 
-	$fileName = $fileName_a . '_' . $count . $fileName_b;
-}
+		$fileName = $fileName_a . '_' . $count . $fileName_b;
+	}
 
-$filePath = $targetDir . DIRECTORY_SEPARATOR . $fileName;
+	$filePath = $targetDir . DIRECTORY_SEPARATOR . $fileName;
 
 // Create target dir
-if (!file_exists($targetDir))
-	@mkdir($targetDir);
+	if(!file_exists($targetDir))
+	{
+		@mkdir($targetDir);
+	}
 
 // Remove old temp files	
-if ($cleanupTargetDir && is_dir($targetDir) && ($dir = opendir($targetDir))) {
-	while (($file = readdir($dir)) !== false) {
-		$tmpfilePath = $targetDir . DIRECTORY_SEPARATOR . $file;
+	if($cleanupTargetDir && is_dir($targetDir) && ($dir = opendir($targetDir)))
+	{
+		while(($file = readdir($dir)) !== false)
+		{
+			$tmpfilePath = $targetDir . DIRECTORY_SEPARATOR . $file;
 
-		// Remove temp file if it is older than the max age and is not the current file
-		if (preg_match('/\.part$/', $file) && (filemtime($tmpfilePath) < time() - $maxFileAge) && ($tmpfilePath != "{$filePath}.part")) {
-			@unlink($tmpfilePath);
+			// Remove temp file if it is older than the max age and is not the current file
+			if(preg_match('/\.part$/', $file) && (filemtime($tmpfilePath) < time() - $maxFileAge) && ($tmpfilePath != "{$filePath}.part"))
+			{
+				@unlink($tmpfilePath);
+			}
+		}
+
+		closedir($dir);
+	}
+	else
+	{
+		die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}');
+	}
+
+
+// Look for the content type header
+	if(isset($_SERVER["HTTP_CONTENT_TYPE"]))
+	{
+		$contentType = $_SERVER["HTTP_CONTENT_TYPE"];
+	}
+
+	if(isset($_SERVER["CONTENT_TYPE"]))
+	{
+		$contentType = $_SERVER["CONTENT_TYPE"];
+	}
+
+// Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
+	if(strpos($contentType, "multipart") !== false)
+	{
+		if(isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name']))
+		{
+			// Open temp file
+			$out = fopen("{$filePath}.part", $chunk == 0 ? "wb" : "ab");
+
+			if($out)
+			{
+				// Read binary input stream and append it to temp file
+				$tmpName = e107::getParser()->filter($_FILES['file']['tmp_name'],'w');
+				$in = fopen($tmpName, "rb");
+
+				if($in)
+				{
+					while($buff = fread($in, 4096))
+					{
+						fwrite($out, $buff);
+					}
+				}
+				else
+				{
+					die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
+				}
+				fclose($in);
+				fclose($out);
+				@unlink($tmpName);
+			}
+			else
+			{
+				die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
+			}
+		}
+		else
+		{
+			die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
+		}
+	}
+	else
+	{
+		// Open temp file
+		$out = fopen("{$filePath}.part", $chunk == 0 ? "wb" : "ab");
+		if($out)
+		{
+			// Read binary input stream and append it to temp file
+			$in = fopen("php://input", "rb");
+
+			if($in)
+			{
+				while($buff = fread($in, 4096))
+				{
+					fwrite($out, $buff);
+				}
+			}
+			else
+			{
+				die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
+			}
+
+			fclose($in);
+			fclose($out);
+		}
+		else
+		{
+			die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
 		}
 	}
 
-	closedir($dir);
-} else
-	die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}');
-	
-
-// Look for the content type header
-if (isset($_SERVER["HTTP_CONTENT_TYPE"]))
-	$contentType = $_SERVER["HTTP_CONTENT_TYPE"];
-
-if (isset($_SERVER["CONTENT_TYPE"]))
-	$contentType = $_SERVER["CONTENT_TYPE"];
-
-// Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
-if (strpos($contentType, "multipart") !== false) {
-	if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
-		// Open temp file
-		$out = fopen("{$filePath}.part", $chunk == 0 ? "wb" : "ab");
-		if ($out) {
-			// Read binary input stream and append it to temp file
-			$in = fopen($_FILES['file']['tmp_name'], "rb");
-
-			if ($in) {
-				while ($buff = fread($in, 4096))
-					fwrite($out, $buff);
-			} else
-				die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
-			fclose($in);
-			fclose($out);
-			@unlink($_FILES['file']['tmp_name']);
-		} else
-			die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
-	} else
-		die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
-} else {
-	// Open temp file
-	$out = fopen("{$filePath}.part", $chunk == 0 ? "wb" : "ab");
-	if ($out) {
-		// Read binary input stream and append it to temp file
-		$in = fopen("php://input", "rb");
-
-		if ($in) {
-			while ($buff = fread($in, 4096))
-				fwrite($out, $buff);
-		} else
-			die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
-
-		fclose($in);
-		fclose($out);
-	} else
-		die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
-}
-
 // Check if file has been uploaded
-if (!$chunks || $chunk == $chunks - 1) {
-	// Strip the temp .part suffix off 
-	rename("{$filePath}.part", $filePath);
-}
-
-
+	if(!$chunks || $chunk == $chunks - 1)
+	{
+		// Strip the temp .part suffix off
+		rename("{$filePath}.part", $filePath);
+	}
 
 
 // rename($targetDir.$fileName,e_MEDIA."images/2012-05/",$fileName);
-if($_GET['for'] !='') // leave in upload directory if no category given. 
-{
-	$result = e107::getMedia()->importFile($fileName,$_GET['for']);
-}
+	if($_GET['for'] != '') // leave in upload directory if no category given.
+	{
+		$result = e107::getMedia()->importFile($fileName, $_GET['for']);
+	}
 
 
-$log = $_GET; 
-$log['filepath'] = $filePath; 
-$log['filename'] = $fileName; 
-$log['status'] = ($result) ? 'ok' : 'failed'; 
-$type = ($result) ? E_LOG_INFORMATIVE : E_LOG_WARNING; 
+	$log = $_GET;
+	$log['filepath'] = $filePath;
+	$log['filename'] = $fileName;
+	$log['status'] = ($result) ? 'ok' : 'failed';
+	$type = ($result) ? E_LOG_INFORMATIVE : E_LOG_WARNING;
 
-e107::getLog()->add('Media Upload', print_r($log,true), $type, MEDIA_01); 
+	e107::getLog()->add('Media Upload', print_r($log, true), $type, MEDIA_01);
 
-$array = array("jsonrpc"=>"2.0", "result"=>$result,"id"=>"id");
+	$array = array("jsonrpc" => "2.0", "result" => $result, "id" => "id");
 
-echo json_encode($array);
+	echo json_encode($array);
 // Return JSON-RPC response
 // die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}');