php-phpbb/phpBB/phpbb/attachment/upload.php

<?php
/**
 *
 * This file is part of the phpBB Forum Software package.
 *
 * @copyright (c) phpBB Limited <https://www.phpbb.com>
 * @license GNU General Public License, version 2 (GPL-2.0)
 *
 * For full copyright and license information, please see
 * the docs/CREDITS.txt file.
 *
 */

namespace phpbb\attachment;

use phpbb\auth\auth;
use \phpbb\cache\service;
use \phpbb\config\config;
use \phpbb\event\dispatcher;
use \phpbb\language\language;
use \phpbb\mimetype\guesser;
use \phpbb\plupload\plupload;
use \phpbb\user;

/**
 * Attachment upload class
 */

class upload
{
	/** @var auth */
	protected $auth;

	/** @var service */
	protected $cache;

	/** @var config */
	protected $config;

	/** @var \phpbb\files\upload Upload class */
	protected $files_upload;

	/** @var \phpbb\language\language */
	protected $language;

	/** @var guesser Mimetype guesser */
	protected $mimetype_guesser;

	/** @var dispatcher */
	protected $phpbb_dispatcher;

	/** @var plupload Plupload */
	protected $plupload;

	/** @var user */
	protected $user;

	/**
	 * Constructor for attachments upload class
	 *
	 * @param auth $auth
	 * @param service $cache
	 * @param config $config
	 * @param \phpbb\files\upload $files_upload
	 * @param language $language
	 * @param guesser $mimetype_guesser
	 * @param dispatcher $phpbb_dispatcher
	 * @param plupload $plupload
	 * @param user $user
	 * @param $phpbb_root_path
	 */
	public function __construct(auth $auth, service $cache, config $config, \phpbb\files\upload $files_upload, language $language, guesser $mimetype_guesser, dispatcher $phpbb_dispatcher, plupload $plupload, user $user, $phpbb_root_path)
	{
		$this->auth = $auth;
		$this->cache = $cache;
		$this->config = $config;
		$this->files_upload = $files_upload;
		$this->language = $language;
		$this->mimetype_guesser = $mimetype_guesser;
		$this->phpbb_dispatcher = $phpbb_dispatcher;
		$this->plupload = $plupload;
		$this->user = $user;
		$this->phpbb_root_path = $phpbb_root_path;
	}

	/**
	 * Upload Attachment - filedata is generated here
	 * Uses upload class
	 *
	 * @param string			$form_name		The form name of the file upload input
	 * @param int			$forum_id		The id of the forum
	 * @param bool			$local			Whether the file is local or not
	 * @param string			$local_storage	The path to the local file
	 * @param bool			$is_message		Whether it is a PM or not
	 * @param array		$local_filedata	An file data object created for the local file
	 *
	 * @return object filespec
	 */
	public function upload($form_name, $forum_id, $local = false, $local_storage = '', $is_message = false, $local_filedata = false)
	{
		$filedata = array(
			'error'	=> array()
		);

		if ($this->config['check_attachment_content'] && isset($this->config['mime_triggers']))
		{
			$this->files_upload->set_disallowed_content(explode('|', $this->config['mime_triggers']));
		}
		else if (!$this->config['check_attachment_content'])
		{
			$this->files_upload->set_disallowed_content(array());
		}

		$filedata['post_attach'] = $local || $this->files_upload->is_valid($form_name);

		if (!$filedata['post_attach'])
		{
			$filedata['error'][] = $this->user->lang['NO_UPLOAD_FORM_FOUND'];
			return $filedata;
		}

		$extensions = $this->cache->obtain_attach_extensions((($is_message) ? false : (int) $forum_id));
		$this->files_upload->set_allowed_extensions(array_keys($extensions['_allowed_']));

		/** @var \phpbb\files\filespec $file */
		$file = ($local) ? $this->files_upload->handle_upload('files.types.local', $local_storage, $local_filedata) : $this->files_upload->handle_upload('files.types.form', $form_name);

		if ($file->init_error())
		{
			$filedata['post_attach'] = false;
			return $filedata;
		}

		// Whether the uploaded file is in the image category
		$is_image = (isset($extensions[$file->get('extension')]['display_cat'])) ? $extensions[$file->get('extension')]['display_cat'] == ATTACHMENT_CATEGORY_IMAGE : false;

		if (!$this->auth->acl_get('a_') && !$this->auth->acl_get('m_', $forum_id))
		{
			// Check Image Size, if it is an image
			if ($is_image)
			{
				$file->upload->set_allowed_dimensions(0, 0, $this->config['img_max_width'], $this->config['img_max_height']);
			}

			// Admins and mods are allowed to exceed the allowed filesize
			if (!empty($extensions[$file->get('extension')]['max_filesize']))
			{
				$allowed_filesize = $extensions[$file->get('extension')]['max_filesize'];
			}
			else
			{
				$allowed_filesize = ($is_message) ? $this->config['max_filesize_pm'] : $this->config['max_filesize'];
			}

			$file->upload->set_max_filesize($allowed_filesize);
		}

		$file->clean_filename('unique', $this->user->data['user_id'] . '_');

		// Are we uploading an image *and* this image being within the image category?
		// Only then perform additional image checks.
		$file->move_file($this->config['upload_path'], false, !$is_image);

		// Do we have to create a thumbnail?
		$filedata['thumbnail'] = ($is_image && $this->config['img_create_thumbnail']) ? 1 : 0;

		if (sizeof($file->error))
		{
			$file->remove();
			$filedata['error'] = array_merge($filedata['error'], $file->error);
			$filedata['post_attach'] = false;

			return $filedata;
		}

		// Make sure the image category only holds valid images...
		if ($is_image && !$file->is_image())
		{
			$file->remove();

			if ($this->plupload && $this->plupload->is_active())
			{
				$this->plupload->emit_error(104, 'ATTACHED_IMAGE_NOT_IMAGE');
			}

			// If this error occurs a user tried to exploit an IE Bug by renaming extensions
			// Since the image category is displaying content inline we need to catch this.
			trigger_error($this->user->lang['ATTACHED_IMAGE_NOT_IMAGE']);
		}

		$filedata['filesize'] = $file->get('filesize');
		$filedata['mimetype'] = $file->get('mimetype');
		$filedata['extension'] = $file->get('extension');
		$filedata['physical_filename'] = $file->get('realname');
		$filedata['real_filename'] = $file->get('uploadname');
		$filedata['filetime'] = time();

		/**
		 * Event to modify uploaded file before submit to the post
		 *
		 * @event core.modify_uploaded_file
		 * @var	array	filedata	Array containing uploaded file data
		 * @var	bool	is_image	Flag indicating if the file is an image
		 * @since 3.1.0-RC3
		 */
		$vars = array(
			'filedata',
			'is_image',
		);
		extract($this->phpbb_dispatcher->trigger_event('core.modify_uploaded_file', compact($vars)));

		// Check our complete quota
		if ($this->config['attachment_quota'])
		{
			if (intval($this->config['upload_dir_size']) + $file->get('filesize') > $this->config['attachment_quota'])
			{
				$filedata['error'][] = $this->user->lang['ATTACH_QUOTA_REACHED'];
				$filedata['post_attach'] = false;

				$file->remove();

				return $filedata;
			}
		}

		// Check free disk space
		if ($free_space = @disk_free_space($this->phpbb_root_path . $this->config['upload_path']))
		{
			if ($free_space <= $file->get('filesize'))
			{
				if ($this->auth->acl_get('a_'))
				{
					$filedata['error'][] = $this->user->lang['ATTACH_DISK_FULL'];
				}
				else
				{
					$filedata['error'][] = $this->user->lang['ATTACH_QUOTA_REACHED'];
				}
				$filedata['post_attach'] = false;

				$file->remove();

				return $filedata;
			}
		}

		// Create Thumbnail
		if ($filedata['thumbnail'])
		{
			$source = $file->get('destination_file');
			$destination = $file->get('destination_path') . '/thumb_' . $file->get('realname');

			if (!create_thumbnail($source, $destination, $file->get('mimetype')))
			{
				$filedata['thumbnail'] = 0;
			}
		}

		return $filedata;
	}
}