Line # | Frequency | Source Line |
1 | | <?php |
2 | | // $Id: file.inc,v 1.122 2008/02/17 20:01:49 dries Exp $ |
3 | |
|
4 | | /** |
5 | | * @file |
6 | | * API for handling file uploads and server file management. |
7 | | */ |
8 | |
|
9 | | /** |
10 | | * @defgroup file File interface |
11 | | * @{ |
12 | | * Common file handling functions. |
13 | | */ |
14 | |
|
15 | | define('FILE_DOWNLOADS_PUBLIC', 1); |
16 | | define('FILE_DOWNLOADS_PRIVATE', 2); |
17 | | define('FILE_CREATE_DIRECTORY', 1); |
18 | | define('FILE_MODIFY_PERMISSIONS', 2); |
19 | | define('FILE_EXISTS_RENAME', 0); |
20 | | define('FILE_EXISTS_REPLACE', 1); |
21 | | define('FILE_EXISTS_ERROR', 2); |
22 | |
|
23 | | /** |
24 | | * A files status can be one of two values: temporary or permanent. The status |
25 | | * for each file Drupal manages is stored in the {files} tables. If the status |
26 | | * is temporary Drupal's file garbage collection will delete the file and |
27 | | * remove it from the files table after a set period of time. |
28 | | * |
29 | | * If you wish to add custom statuses for use by contrib modules please expand as |
30 | | * binary flags and consider the first 8 bits reserved. (0,1,2,4,8,16,32,64,128) |
31 | | */ |
32 | | define('FILE_STATUS_TEMPORARY', 0); |
33 | | define('FILE_STATUS_PERMANENT', 1); |
34 | |
|
35 | | /** |
36 | | * Create the download path to a file. |
37 | | * |
38 | | * @param $path A string containing the path of the file to generate URL for. |
39 | | * @return A string containing a URL that can be used to download the file. |
40 | | */ |
41 | | function file_create_url($path) { |
42 | | // Strip file_directory_path from $path. We only include relative paths in urls. |
43 | | if (strpos($path, file_directory_path() .'/') === 0) { |
44 | | $path = trim(substr($path, strlen(file_directory_path())), '\\/'); |
45 | | } |
46 | | switch (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC)) { |
47 | | case FILE_DOWNLOADS_PUBLIC: |
48 | | return $GLOBALS['base_url'] .'/'. file_directory_path() .'/'. str_replace('\\', '/', $path); |
49 | | case FILE_DOWNLOADS_PRIVATE: |
50 | | return url('system/files/'. $path, array('absolute' => TRUE)); |
51 | | } |
52 | | } |
53 | |
|
54 | | /** |
55 | | * Make sure the destination is a complete path and resides in the file system |
56 | | * directory, if it is not prepend the file system directory. |
57 | | * |
58 | | * @param $dest A string containing the path to verify. If this value is |
59 | | * omitted, Drupal's 'files' directory will be used. |
60 | | * @return A string containing the path to file, with file system directory |
61 | | * appended if necessary, or FALSE if the path is invalid (i.e. outside the |
62 | | * configured 'files' or temp directories). |
63 | | */ |
64 | | function file_create_path($dest = 0) { |
65 | | $file_path = file_directory_path(); |
66 | | if (!$dest) { |
67 | | return $file_path; |
68 | | } |
69 | | // file_check_location() checks whether the destination is inside the Drupal files directory. |
70 | | if (file_check_location($dest, $file_path)) { |
71 | | return $dest; |
72 | | } |
73 | | // check if the destination is instead inside the Drupal temporary files directory. |
74 | | else if (file_check_location($dest, file_directory_temp())) { |
75 | | return $dest; |
76 | | } |
77 | | // Not found, try again with prefixed directory path. |
78 | | else if (file_check_location($file_path .'/'. $dest, $file_path)) { |
79 | | return $file_path .'/'. $dest; |
80 | | } |
81 | | // File not found. |
82 | | return FALSE; |
83 | | } |
84 | |
|
85 | | /** |
86 | | * Check that the directory exists and is writable. Directories need to |
87 | | * have execute permissions to be considered a directory by FTP servers, etc. |
88 | | * |
89 | | * @param $directory A string containing the name of a directory path. |
90 | | * @param $mode A Boolean value to indicate if the directory should be created |
91 | | * if it does not exist or made writable if it is read-only. |
92 | | * @param $form_item An optional string containing the name of a form item that |
93 | | * any errors will be attached to. This is useful for settings forms that |
94 | | * require the user to specify a writable directory. If it can't be made to |
95 | | * work, a form error will be set preventing them from saving the settings. |
96 | | * @return FALSE when directory not found, or TRUE when directory exists. |
97 | | */ |
98 | | function file_check_directory(&$directory, $mode = 0, $form_item = NULL) { |
99 | | $directory = rtrim($directory, '/\\'); |
100 | |
|
101 | | // Check if directory exists. |
102 | | if (!is_dir($directory)) { |
103 | | if (($mode & FILE_CREATE_DIRECTORY) && @mkdir($directory)) { |
104 | | drupal_set_message(t('The directory %directory has been created.', array('%directory' => $directory))); |
105 | | @chmod($directory, 0775); // Necessary for non-webserver users. |
106 | | } |
107 | | else { |
108 | | if ($form_item) { |
109 | | form_set_error($form_item, t('The directory %directory does not exist.', array('%directory' => $directory))); |
110 | | } |
111 | | return FALSE; |
112 | | } |
113 | | } |
114 | |
|
115 | | // Check to see if the directory is writable. |
116 | | if (!is_writable($directory)) { |
117 | | if (($mode & FILE_MODIFY_PERMISSIONS) && @chmod($directory, 0775)) { |
118 | | drupal_set_message(t('The permissions of directory %directory have been changed to make it writable.', array('%directory' => $directory))); |
119 | | } |
120 | | else { |
121 | | form_set_error($form_item, t('The directory %directory is not writable', array('%directory' => $directory))); |
122 | | watchdog('file system', 'The directory %directory is not writable, because it does not have the correct permissions set.', array('%directory' => $directory), WATCHDOG_ERROR); |
123 | | return FALSE; |
124 | | } |
125 | | } |
126 | |
|
127 | | if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) { |
128 | | $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks"; |
129 | | if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, $htaccess_lines)) { |
130 | | fclose($fp); |
131 | | chmod($directory .'/.htaccess', 0664); |
132 | | } |
133 | | else { |
134 | | $variables = array('%directory' => $directory, '!htaccess' => '<br />'. nl2br(check_plain($htaccess_lines))); |
135 | | form_set_error($form_item, t("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables)); |
136 | | watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables, WATCHDOG_ERROR); |
137 | | } |
138 | | } |
139 | |
|
140 | | return TRUE; |
141 | | } |
142 | |
|
143 | | /** |
144 | | * Checks path to see if it is a directory, or a dir/file. |
145 | | * |
146 | | * @param $path A string containing a file path. This will be set to the |
147 | | * directory's path. |
148 | | * @return If the directory is not in a Drupal writable directory, FALSE is |
149 | | * returned. Otherwise, the base name of the path is returned. |
150 | | */ |
151 | | function file_check_path(&$path) { |
152 | | // Check if path is a directory. |
153 | | if (file_check_directory($path)) { |
154 | | return ''; |
155 | | } |
156 | |
|
157 | | // Check if path is a possible dir/file. |
158 | | $filename = basename($path); |
159 | | $path = dirname($path); |
160 | | if (file_check_directory($path)) { |
161 | | return $filename; |
162 | | } |
163 | |
|
164 | | return FALSE; |
165 | | } |
166 | |
|
167 | | /** |
168 | | * Check if a file is really located inside $directory. Should be used to make |
169 | | * sure a file specified is really located within the directory to prevent |
170 | | * exploits. |
171 | | * |
172 | | * @code |
173 | | * // Returns FALSE: |
174 | | * file_check_location('/www/example.com/files/../../../etc/passwd', '/www/example.com/files'); |
175 | | * @endcode |
176 | | * |
177 | | * @param $source A string set to the file to check. |
178 | | * @param $directory A string where the file should be located. |
179 | | * @return 0 for invalid path or the real path of the source. |
180 | | */ |
181 | | function file_check_location($source, $directory = '') { |
182 | | $check = realpath($source); |
183 | | if ($check) { |
184 | | $source = $check; |
185 | | } |
186 | | else { |
187 | | // This file does not yet exist |
188 | | $source = realpath(dirname($source)) .'/'. basename($source); |
189 | | } |
190 | | $directory = realpath($directory); |
191 | | if ($directory && strpos($source, $directory) !== 0) { |
192 | | return 0; |
193 | | } |
194 | | return $source; |
195 | | } |
196 | |
|
197 | | /** |
198 | | * Copies a file to a new location. This is a powerful function that in many ways |
199 | | * performs like an advanced version of copy(). |
200 | | * - Checks if $source and $dest are valid and readable/writable. |
201 | | * - Performs a file copy if $source is not equal to $dest. |
202 | | * - If file already exists in $dest either the call will error out, replace the |
203 | | * file or rename the file based on the $replace parameter. |
204 | | * |
205 | | * @param $source A string specifying the file location of the original file. |
206 | | * This parameter will contain the resulting destination filename in case of |
207 | | * success. |
208 | | * @param $dest A string containing the directory $source should be copied to. |
209 | | * If this value is omitted, Drupal's 'files' directory will be used. |
210 | | * @param $replace Replace behavior when the destination file already exists. |
211 | | * - FILE_EXISTS_REPLACE - Replace the existing file |
212 | | * - FILE_EXISTS_RENAME - Append _{incrementing number} until the filename is unique |
213 | | * - FILE_EXISTS_ERROR - Do nothing and return FALSE. |
214 | | * @return True for success, FALSE for failure. |
215 | | */ |
216 | | function file_copy(&$source, $dest = 0, $replace = FILE_EXISTS_RENAME) { |
217 | | $dest = file_create_path($dest); |
218 | |
|
219 | | $directory = $dest; |
220 | | $basename = file_check_path($directory); |
221 | |
|
222 | | // Make sure we at least have a valid directory. |
223 | | if ($basename === FALSE) { |
224 | | $source = is_object($source) ? $source->filepath : $source; |
225 | | drupal_set_message(t('The selected file %file could not be uploaded, because the destination %directory is not properly configured.', array('%file' => $source, '%directory' => $dest)), 'error'); |
226 | | watchdog('file system', 'The selected file %file could not be uploaded, because the destination %directory could not be found, or because its permissions do not allow the file to be written.', array('%file' => $source, '%directory' => $dest), WATCHDOG_ERROR); |
227 | | return 0; |
228 | | } |
229 | |
|
230 | | // Process a file upload object. |
231 | | if (is_object($source)) { |
232 | | $file = $source; |
233 | | $source = $file->filepath; |
234 | | if (!$basename) { |
235 | | $basename = $file->filename; |
236 | | } |
237 | | } |
238 | |
|
239 | | $source = realpath($source); |
240 | | if (!file_exists($source)) { |
241 | | drupal_set_message(t('The selected file %file could not be copied, because no file by that name exists. Please check that you supplied the correct filename.', array('%file' => $source)), 'error'); |
242 | | return 0; |
243 | | } |
244 | |
|
245 | | // If the destination file is not specified then use the filename of the source file. |
246 | | $basename = $basename ? $basename : basename($source); |
247 | | $dest = $directory .'/'. $basename; |
248 | |
|
249 | | // Make sure source and destination filenames are not the same, makes no sense |
250 | | // to copy it if they are. In fact copying the file will most likely result in |
251 | | // a 0 byte file. Which is bad. Real bad. |
252 | | if ($source != realpath($dest)) { |
253 | | if (!$dest = file_destination($dest, $replace)) { |
254 | | drupal_set_message(t('The selected file %file could not be copied, because a file by that name already exists in the destination.', array('%file' => $source)), 'error'); |
255 | | return FALSE; |
256 | | } |
257 | |
|
258 | | if (!@copy($source, $dest)) { |
259 | | drupal_set_message(t('The selected file %file could not be copied.', array('%file' => $source)), 'error'); |
260 | | return 0; |
261 | | } |
262 | |
|
263 | | // Give everyone read access so that FTP'd users or |
264 | | // non-webserver users can see/read these files, |
265 | | // and give group write permissions so group members |
266 | | // can alter files uploaded by the webserver. |
267 | | @chmod($dest, 0664); |
268 | | } |
269 | |
|
270 | | if (isset($file) && is_object($file)) { |
271 | | $file->filename = $basename; |
272 | | $file->filepath = $dest; |
273 | | $source = $file; |
274 | | } |
275 | | else { |
276 | | $source = $dest; |
277 | | } |
278 | |
|
279 | | return 1; // Everything went ok. |
280 | | } |
281 | |
|
282 | | /** |
283 | | * Determines the destination path for a file depending on how replacement of |
284 | | * existing files should be handled. |
285 | | * |
286 | | * @param $destination A string specifying the desired path. |
287 | | * @param $replace Replace behavior when the destination file already exists. |
288 | | * - FILE_EXISTS_REPLACE - Replace the existing file |
289 | | * - FILE_EXISTS_RENAME - Append _{incrementing number} until the filename is |
290 | | * unique |
291 | | * - FILE_EXISTS_ERROR - Do nothing and return FALSE. |
292 | | * @return The destination file path or FALSE if the file already exists and |
293 | | * FILE_EXISTS_ERROR was specified. |
294 | | */ |
295 | | function file_destination($destination, $replace) { |
296 | | if (file_exists($destination)) { |
297 | | switch ($replace) { |
298 | | case FILE_EXISTS_RENAME: |
299 | | $basename = basename($destination); |
300 | | $directory = dirname($destination); |
301 | | $destination = file_create_filename($basename, $directory); |
302 | | break; |
303 | |
|
304 | | case FILE_EXISTS_ERROR: |
305 | | drupal_set_message(t('The selected file %file could not be copied, because a file by that name already exists in the destination.', array('%file' => $destination)), 'error'); |
306 | | return FALSE; |
307 | | } |
308 | | } |
309 | | return $destination; |
310 | | } |
311 | |
|
312 | | /** |
313 | | * Moves a file to a new location. |
314 | | * - Checks if $source and $dest are valid and readable/writable. |
315 | | * - Performs a file move if $source is not equal to $dest. |
316 | | * - If file already exists in $dest either the call will error out, replace the |
317 | | * file or rename the file based on the $replace parameter. |
318 | | * |
319 | | * @param $source A string specifying the file location of the original file. |
320 | | * This parameter will contain the resulting destination filename in case of |
321 | | * success. |
322 | | * @param $dest A string containing the directory $source should be copied to. |
323 | | * If this value is omitted, Drupal's 'files' directory will be used. |
324 | | * @param $replace Replace behavior when the destination file already exists. |
325 | | * - FILE_EXISTS_REPLACE - Replace the existing file |
326 | | * - FILE_EXISTS_RENAME - Append _{incrementing number} until the filename is unique |
327 | | * - FILE_EXISTS_ERROR - Do nothing and return FALSE. |
328 | | * @return True for success, FALSE for failure. |
329 | | */ |
330 | | function file_move(&$source, $dest = 0, $replace = FILE_EXISTS_RENAME) { |
331 | | $path_original = is_object($source) ? $source->filepath : $source; |
332 | |
|
333 | | if (file_copy($source, $dest, $replace)) { |
334 | | $path_current = is_object($source) ? $source->filepath : $source; |
335 | |
|
336 | | if ($path_original == $path_current || file_delete($path_original)) { |
337 | | return 1; |
338 | | } |
339 | | drupal_set_message(t('The removal of the original file %file has failed.', array('%file' => $path_original)), 'error'); |
340 | | } |
341 | | return 0; |
342 | | } |
343 | |
|
344 | | /** |
345 | | * Munge the filename as needed for security purposes. For instance the file |
346 | | * name "exploit.php.pps" would become "exploit.php_.pps". |
347 | | * |
348 | | * @param $filename The name of a file to modify. |
349 | | * @param $extensions A space separated list of extensions that should not |
350 | | * be altered. |
351 | | * @param $alerts Whether alerts (watchdog, drupal_set_message()) should be |
352 | | * displayed. |
353 | | * @return $filename The potentially modified $filename. |
354 | | */ |
355 | | function file_munge_filename($filename, $extensions, $alerts = TRUE) { |
356 | | $original = $filename; |
357 | |
|
358 | | // Allow potentially insecure uploads for very savvy users and admin |
359 | | if (!variable_get('allow_insecure_uploads', 0)) { |
360 | | $whitelist = array_unique(explode(' ', trim($extensions))); |
361 | |
|
362 | | // Split the filename up by periods. The first part becomes the basename |
363 | | // the last part the final extension. |
364 | | $filename_parts = explode('.', $filename); |
365 | | $new_filename = array_shift($filename_parts); // Remove file basename. |
366 | | $final_extension = array_pop($filename_parts); // Remove final extension. |
367 | |
|
368 | | // Loop through the middle parts of the name and add an underscore to the |
369 | | // end of each section that could be a file extension but isn't in the list |
370 | | // of allowed extensions. |
371 | | foreach ($filename_parts as $filename_part) { |
372 | | $new_filename .= '.'. $filename_part; |
373 | | if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) { |
374 | | $new_filename .= '_'; |
375 | | } |
376 | | } |
377 | | $filename = $new_filename .'.'. $final_extension; |
378 | |
|
379 | | if ($alerts && $original != $filename) { |
380 | | drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $filename))); |
381 | | } |
382 | | } |
383 | |
|
384 | | return $filename; |
385 | | } |
386 | |
|
387 | | /** |
388 | | * Undo the effect of upload_munge_filename(). |
389 | | * |
390 | | * @param $filename string filename |
391 | | * @return string |
392 | | */ |
393 | | function file_unmunge_filename($filename) { |
394 | | return str_replace('_.', '.', $filename); |
395 | | } |
396 | |
|
397 | | /** |
398 | | * Create a full file path from a directory and filename. If a file with the |
399 | | * specified name already exists, an alternative will be used. |
400 | | * |
401 | | * @param $basename string filename |
402 | | * @param $directory string directory |
403 | | * @return |
404 | | */ |
405 | | function file_create_filename($basename, $directory) { |
406 | | $dest = $directory .'/'. $basename; |
407 | |
|
408 | | if (file_exists($dest)) { |
409 | | // Destination file already exists, generate an alternative. |
410 | | if ($pos = strrpos($basename, '.')) { |
411 | | $name = substr($basename, 0, $pos); |
412 | | $ext = substr($basename, $pos); |
413 | | } |
414 | | else { |
415 | | $name = $basename; |
416 | | } |
417 | |
|
418 | | $counter = 0; |
419 | | do { |
420 | | $dest = $directory .'/'. $name .'_'. $counter++ . $ext; |
421 | | } while (file_exists($dest)); |
422 | | } |
423 | |
|
424 | | return $dest; |
425 | | } |
426 | |
|
427 | | /** |
428 | | * Delete a file. |
429 | | * |
430 | | * @param $path A string containing a file path. |
431 | | * @return TRUE for success, FALSE for failure. |
432 | | */ |
433 | | function file_delete($path) { |
434 | | if (is_file($path)) { |
435 | | return unlink($path); |
436 | | } |
437 | | } |
438 | |
|
439 | | /** |
440 | | * Determine total disk space used by a single user or the whole filesystem. |
441 | | * |
442 | | * @param $uid |
443 | | * An optional user id. A NULL value returns the total space used |
444 | | * by all files. |
445 | | */ |
446 | | function file_space_used($uid = NULL) { |
447 | | if (isset($uid)) { |
448 | | return (int) db_result(db_query('SELECT SUM(filesize) FROM {files} WHERE uid = %d', $uid)); |
449 | | } |
450 | | return (int) db_result(db_query('SELECT SUM(filesize) FROM {files}')); |
451 | | } |
452 | |
|
453 | | /** |
454 | | * Saves a file upload to a new location. The source file is validated as a |
455 | | * proper upload and handled as such. |
456 | | * |
457 | | * The file will be added to the files table as a temporary file. Temporary files |
458 | | * are periodically cleaned. To make the file permanent file call |
459 | | * file_set_status() to change its status. |
460 | | * |
461 | | * @param $source |
462 | | * A string specifying the name of the upload field to save. |
463 | | * @param $validators |
464 | | * An optional, associative array of callback functions used to validate the |
465 | | * file. The keys are function names and the values arrays of callback |
466 | | * parameters which will be passed in after the user and file objects. The |
467 | | * functions should return an array of error messages, an empty array |
468 | | * indicates that the file passed validation. The functions will be called in |
469 | | * the order specified. |
470 | | * @param $dest |
471 | | * A string containing the directory $source should be copied to. If this is |
472 | | * not provided or is not writable, the temporary directory will be used. |
473 | | * @param $replace |
474 | | * A boolean indicating whether an existing file of the same name in the |
475 | | * destination directory should overwritten. A false value will generate a |
476 | | * new, unique filename in the destination directory. |
477 | | * @return |
478 | | * An object containing the file information, or 0 in the event of an error. |
479 | | */ |
480 | | function file_save_upload($source, $validators = array(), $dest = FALSE, $replace = FILE_EXISTS_RENAME) { |
481 | | global $user; |
482 | | static $upload_cache; |
483 | |
|
484 | | // Add in our check of the the file name length. |
485 | | $validators['file_validate_name_length'] = array(); |
486 | |
|
487 | | // Return cached objects without processing since the file will have |
488 | | // already been processed and the paths in _FILES will be invalid. |
489 | | if (isset($upload_cache[$source])) { |
490 | | return $upload_cache[$source]; |
491 | | } |
492 | |
|
493 | | // If a file was uploaded, process it. |
494 | | if (isset($_FILES['files']) && $_FILES['files']['name'][$source] && is_uploaded_file($_FILES['files']['tmp_name'][$source])) { |
495 | | // Check for file upload errors and return FALSE if a |
496 | | // lower level system error occurred. |
497 | | switch ($_FILES['files']['error'][$source]) { |
498 | | // @see http://php.net/manual/en/features.file-upload.errors.php |
499 | | case UPLOAD_ERR_OK: |
500 | | break; |
501 | |
|
502 | | case UPLOAD_ERR_INI_SIZE: |
503 | | case UPLOAD_ERR_FORM_SIZE: |
504 | | drupal_set_message(t('The file %file could not be saved, because it exceeds %maxsize, the maximum allowed size for uploads.', array('%file' => $source, '%maxsize' => format_size(file_upload_max_size()))), 'error'); |
505 | | return 0; |
506 | |
|
507 | | case UPLOAD_ERR_PARTIAL: |
508 | | case UPLOAD_ERR_NO_FILE: |
509 | | drupal_set_message(t('The file %file could not be saved, because the upload did not complete.', array('%file' => $source)), 'error'); |
510 | | return 0; |
511 | |
|
512 | | // Unknown error |
513 | | default: |
514 | | drupal_set_message(t('The file %file could not be saved. An unknown error has occurred.', array('%file' => $source)), 'error'); |
515 | | return 0; |
516 | | } |
517 | |
|
518 | | // Build the list of non-munged extensions. |
519 | | // @todo: this should not be here. we need to figure out the right place. |
520 | | $extensions = ''; |
521 | | foreach ($user->roles as $rid => $name) { |
522 | | $extensions .= ' '. variable_get("upload_extensions_$rid", |
523 | | variable_get('upload_extensions_default', 'jpg jpeg gif png txt html doc xls pdf ppt pps odt ods odp')); |
524 | | } |
525 | |
|
526 | | // Begin building file object. |
527 | | $file = new stdClass(); |
528 | | $file->filename = file_munge_filename(trim(basename($_FILES['files']['name'][$source]), '.'), $extensions); |
529 | | $file->filepath = $_FILES['files']['tmp_name'][$source]; |
530 | | $file->filemime = $_FILES['files']['type'][$source]; |
531 | |
|
532 | | // Rename potentially executable files, to help prevent exploits. |
533 | | if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) { |
534 | | $file->filemime = 'text/plain'; |
535 | | $file->filepath .= '.txt'; |
536 | | $file->filename .= '.txt'; |
537 | | } |
538 | |
|
539 | | // If the destination is not provided, or is not writable, then use the |
540 | | // temporary directory. |
541 | | if (empty($dest) || file_check_path($dest) === FALSE) { |
542 | | $dest = file_directory_temp(); |
543 | | } |
544 | |
|
545 | | $file->source = $source; |
546 | | $file->destination = file_destination(file_create_path($dest .'/'. $file->filename), $replace); |
547 | | $file->filesize = $_FILES['files']['size'][$source]; |
548 | |
|
549 | | // Call the validation functions. |
550 | | $errors = array(); |
551 | | foreach ($validators as $function => $args) { |
552 | | array_unshift($args, $file); |
553 | | $errors = array_merge($errors, call_user_func_array($function, $args)); |
554 | | } |
555 | |
|
556 | | // Check for validation errors. |
557 | | if (!empty($errors)) { |
558 | | $message = t('The selected file %name could not be uploaded.', array('%name' => $file->filename)); |
559 | | if (count($errors) > 1) { |
560 | | $message .= '<ul><li>'. implode('</li><li>', $errors) .'</li></ul>'; |
561 | | } |
562 | | else { |
563 | | $message .= ' '. array_pop($errors); |
564 | | } |
565 | | form_set_error($source, $message); |
566 | | return 0; |
567 | | } |
568 | |
|
569 | | // Move uploaded files from PHP's upload_tmp_dir to Drupal's temporary directory. |
570 | | // This overcomes open_basedir restrictions for future file operations. |
571 | | $file->filepath = $file->destination; |
572 | | if (!move_uploaded_file($_FILES['files']['tmp_name'][$source], $file->filepath)) { |
573 | | form_set_error($source, t('File upload error. Could not move uploaded file.')); |
574 | | watchdog('file', 'Upload error. Could not move uploaded file %file to destination %destination.', array('%file' => $file->filename, '%destination' => $file->filepath)); |
575 | | return 0; |
576 | | } |
577 | |
|
578 | | // If we made it this far it's safe to record this file in the database. |
579 | | $file->uid = $user->uid; |
580 | | $file->status = FILE_STATUS_TEMPORARY; |
581 | | $file->timestamp = time(); |
582 | | drupal_write_record('files', $file); |
583 | |
|
584 | | // Add file to the cache. |
585 | | $upload_cache[$source] = $file; |
586 | | return $file; |
587 | | } |
588 | | return 0; |
589 | | } |
590 | |
|
591 | | /** |
592 | | * Check for files with names longer than we can store in the database. |
593 | | * |
594 | | * @param $file |
595 | | * A Drupal file object. |
596 | | * @return |
597 | | * An array. If the file name is too long, it will contain an error message. |
598 | | */ |
599 | | function file_validate_name_length($file) { |
600 | | $errors = array(); |
601 | |
|
602 | | if (strlen($file->filename) > 255) { |
603 | | $errors[] = t('Its name exceeds the 255 characters limit. Please rename the file and try again.'); |
604 | | } |
605 | | return $errors; |
606 | | } |
607 | |
|
608 | | /** |
609 | | * Check that the filename ends with an allowed extension. This check is not |
610 | | * enforced for the user #1. |
611 | | * |
612 | | * @param $file |
613 | | * A Drupal file object. |
614 | | * @param $extensions |
615 | | * A string with a space separated |
616 | | * @return |
617 | | * An array. If the file extension is not allowed, it will contain an error message. |
618 | | */ |
619 | | function file_validate_extensions($file, $extensions) { |
620 | | global $user; |
621 | |
|
622 | | $errors = array(); |
623 | |
|
624 | | // Bypass validation for uid = 1. |
625 | | if ($user->uid != 1) { |
626 | | $regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; |
627 | | if (!preg_match($regex, $file->filename)) { |
628 | | $errors[] = t('Only files with the following extensions are allowed: %files-allowed.', array('%files-allowed' => $extensions)); |
629 | | } |
630 | | } |
631 | | return $errors; |
632 | | } |
633 | |
|
634 | | /** |
635 | | * Check that the file's size is below certain limits. This check is not |
636 | | * enforced for the user #1. |
637 | | * |
638 | | * @param $file |
639 | | * A Drupal file object. |
640 | | * @param $file_limit |
641 | | * An integer specifying the maximum file size in bytes. Zero indicates that |
642 | | * no limit should be enforced. |
643 | | * @param $$user_limit |
644 | | * An integer specifying the maximum number of bytes the user is allowed. Zero |
645 | | * indicates that no limit should be enforced. |
646 | | * @return |
647 | | * An array. If the file size exceeds limits, it will contain an error message. |
648 | | */ |
649 | | function file_validate_size($file, $file_limit = 0, $user_limit = 0) { |
650 | | global $user; |
651 | |
|
652 | | $errors = array(); |
653 | |
|
654 | | // Bypass validation for uid = 1. |
655 | | if ($user->uid != 1) { |
656 | | if ($file_limit && $file->filesize > $file_limit) { |
657 | | $errors[] = t('The file is %filesize exceeding the maximum file size of %maxsize.', array('%filesize' => format_size($file->filesize), '%maxsize' => format_size($file_limit))); |
658 | | } |
659 | |
|
660 | | $total_size = file_space_used($user->uid) + $file->filesize; |
661 | | if ($user_limit && $total_size > $user_limit) { |
662 | | $errors[] = t('The file is %filesize which would exceed your disk quota of %quota.', array('%filesize' => format_size($file->filesize), '%quota' => format_size($user_limit))); |
663 | | } |
664 | | } |
665 | | return $errors; |
666 | | } |
667 | |
|
668 | | /** |
669 | | * Check that the file is recognized by image_get_info() as an image. |
670 | | * |
671 | | * @param $file |
672 | | * A Drupal file object. |
673 | | * @return |
674 | | * An array. If the file is not an image, it will contain an error message. |
675 | | */ |
676 | | function file_validate_is_image(&$file) { |
677 | | $errors = array(); |
678 | |
|
679 | | $info = image_get_info($file->filepath); |
680 | | if (!$info || empty($info['extension'])) { |
681 | | $errors[] = t('Only JPEG, PNG and GIF images are allowed.'); |
682 | | } |
683 | |
|
684 | | return $errors; |
685 | | } |
686 | |
|
687 | | /** |
688 | | * If the file is an image verify that its dimensions are within the specified |
689 | | * maximum and minimum dimensions. Non-image files will be ignored. |
690 | | * |
691 | | * @param $file |
692 | | * A Drupal file object. This function may resize the file affecting its size. |
693 | | * @param $maximum_dimensions |
694 | | * An optional string in the form WIDTHxHEIGHT e.g. '640x480' or '85x85'. If |
695 | | * an image toolkit is installed the image will be resized down to these |
696 | | * dimensions. A value of 0 indicates no restriction on size, so resizing |
697 | | * will be attempted. |
698 | | * @param $minimum_dimensions |
699 | | * An optional string in the form WIDTHxHEIGHT. This will check that the image |
700 | | * meets a minimum size. A value of 0 indicates no restriction. |
701 | | * @return |
702 | | * An array. If the file is an image and did not meet the requirements, it |
703 | | * will contain an error message. |
704 | | */ |
705 | | function file_validate_image_resolution(&$file, $maximum_dimensions = 0, $minimum_dimensions = 0) { |
706 | | $errors = array(); |
707 | |
|
708 | | // Check first that the file is an image. |
709 | | if ($info = image_get_info($file->filepath)) { |
710 | | if ($maximum_dimensions) { |
711 | | // Check that it is smaller than the given dimensions. |
712 | | list($width, $height) = explode('x', $maximum_dimensions); |
713 | | if ($info['width'] > $width || $info['height'] > $height) { |
714 | | // Try to resize the image to fit the dimensions. |
715 | | if (image_get_toolkit() && image_scale($file->filepath, $file->filepath, $width, $height)) { |
716 | | drupal_set_message(t('The image was resized to fit within the maximum allowed dimensions of %dimensions pixels.', array('%dimensions' => $maximum_dimensions))); |
717 | |
|
718 | | // Clear the cached filesize and refresh the image information. |
719 | | clearstatcache(); |
720 | | $info = image_get_info($file->filepath); |
721 | | $file->filesize = $info['file_size']; |
722 | | } |
723 | | else { |
724 | | $errors[] = t('The image is too large; the maximum dimensions are %dimensions pixels.', array('%dimensions' => $maximum_dimensions)); |
725 | | } |
726 | | } |
727 | | } |
728 | |
|
729 | | if ($minimum_dimensions) { |
730 | | // Check that it is larger than the given dimensions. |
731 | | list($width, $height) = explode('x', $minimum_dimensions); |
732 | | if ($info['width'] < $width || $info['height'] < $height) { |
733 | | $errors[] = t('The image is too small; the minimum dimensions are %dimensions pixels.', array('%dimensions' => $minimum_dimensions)); |
734 | | } |
735 | | } |
736 | | } |
737 | |
|
738 | | return $errors; |
739 | | } |
740 | |
|
741 | | /** |
742 | | * Save a string to the specified destination. |
743 | | * |
744 | | * @param $data A string containing the contents of the file. |
745 | | * @param $dest A string containing the destination location. |
746 | | * @param $replace Replace behavior when the destination file already exists. |
747 | | * - FILE_EXISTS_REPLACE - Replace the existing file |
748 | | * - FILE_EXISTS_RENAME - Append _{incrementing number} until the filename is unique |
749 | | * - FILE_EXISTS_ERROR - Do nothing and return FALSE. |
750 | | * |
751 | | * @return A string containing the resulting filename or 0 on error |
752 | | */ |
753 | | function file_save_data($data, $dest, $replace = FILE_EXISTS_RENAME) { |
754 | | $temp = file_directory_temp(); |
755 | | // On Windows, tempnam() requires an absolute path, so we use realpath(). |
756 | | $file = tempnam(realpath($temp), 'file'); |
757 | | if (!$fp = fopen($file, 'wb')) { |
758 | | drupal_set_message(t('The file could not be created.'), 'error'); |
759 | | return 0; |
760 | | } |
761 | | fwrite($fp, $data); |
762 | | fclose($fp); |
763 | |
|
764 | | if (!file_move($file, $dest, $replace)) { |
765 | | return 0; |
766 | | } |
767 | |
|
768 | | return $file; |
769 | | } |
770 | |
|
771 | | /** |
772 | | * Set the status of a file. |
773 | | * |
774 | | * @param file A Drupal file object |
775 | | * @param status A status value to set the file to. |
776 | | * @return FALSE on failure, TRUE on success and $file->status will contain the |
777 | | * status. |
778 | | */ |
779 | | function file_set_status(&$file, $status) { |
780 | | if (db_query('UPDATE {files} SET status = %d WHERE fid = %d', $status, $file->fid)) { |
781 | | $file->status = $status; |
782 | | return TRUE; |
783 | | } |
784 | | return FALSE; |
785 | | } |
786 | |
|
787 | | /** |
788 | | * Transfer file using http to client. Pipes a file through Drupal to the |
789 | | * client. |
790 | | * |
791 | | * @param $source File to transfer. |
792 | | * @param $headers An array of http headers to send along with file. |
793 | | */ |
794 | | function file_transfer($source, $headers) { |
795 | | ob_end_clean(); |
796 | |
|
797 | | foreach ($headers as $header) { |
798 | | // To prevent HTTP header injection, we delete new lines that are |
799 | | // not followed by a space or a tab. |
800 | | // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 |
801 | | $header = preg_replace('/\r?\n(?!\t| )/', '', $header); |
802 | | drupal_set_header($header); |
803 | | } |
804 | |
|
805 | | $source = file_create_path($source); |
806 | |
|
807 | | // Transfer file in 1024 byte chunks to save memory usage. |
808 | | if ($fd = fopen($source, 'rb')) { |
809 | | while (!feof($fd)) { |
810 | | print fread($fd, 1024); |
811 | | } |
812 | | fclose($fd); |
813 | | } |
814 | | else { |
815 | | drupal_not_found(); |
816 | | } |
817 | | exit(); |
818 | | } |
819 | |
|
820 | | /** |
821 | | * Call modules that implement hook_file_download() to find out if a file is |
822 | | * accessible and what headers it should be transferred with. If a module |
823 | | * returns -1 drupal_access_denied() will be returned. If one or more modules |
824 | | * returned headers the download will start with the returned headers. If no |
825 | | * modules respond drupal_not_found() will be returned. |
826 | | */ |
827 | | function file_download() { |
828 | | // Merge remainder of arguments from GET['q'], into relative file path. |
829 | | $args = func_get_args(); |
830 | | $filepath = implode('/', $args); |
831 | |
|
832 | | // Maintain compatibility with old ?file=paths saved in node bodies. |
833 | | if (isset($_GET['file'])) { |
834 | | $filepath = $_GET['file']; |
835 | | } |
836 | |
|
837 | | if (file_exists(file_create_path($filepath))) { |
838 | | $headers = module_invoke_all('file_download', $filepath); |
839 | | if (in_array(-1, $headers)) { |
840 | | return drupal_access_denied(); |
841 | | } |
842 | | if (count($headers)) { |
843 | | file_transfer($filepath, $headers); |
844 | | } |
845 | | } |
846 | | return drupal_not_found(); |
847 | | } |
848 | |
|
849 | |
|
850 | | /** |
851 | | * Finds all files that match a given mask in a given directory. |
852 | | * Directories and files beginning with a period are excluded; this |
853 | | * prevents hidden files and directories (such as SVN working directories) |
854 | | * from being scanned. |
855 | | * |
856 | | * @param $dir |
857 | | * The base directory for the scan, without trailing slash. |
858 | | * @param $mask |
859 | | * The regular expression of the files to find. |
860 | | * @param $nomask |
861 | | * An array of files/directories to ignore. |
862 | | * @param $callback |
863 | | * The callback function to call for each match. |
864 | | * @param $recurse |
865 | | * When TRUE, the directory scan will recurse the entire tree |
866 | | * starting at the provided directory. |
867 | | * @param $key |
868 | | * The key to be used for the returned array of files. Possible |
869 | | * values are "filename", for the path starting with $dir, |
870 | | * "basename", for the basename of the file, and "name" for the name |
871 | | * of the file without an extension. |
872 | | * @param $min_depth |
873 | | * Minimum depth of directories to return files from. |
874 | | * @param $depth |
875 | | * Current depth of recursion. This parameter is only used internally and should not be passed. |
876 | | * |
877 | | * @return |
878 | | * An associative array (keyed on the provided key) of objects with |
879 | | * "path", "basename", and "name" members corresponding to the |
880 | | * matching files. |
881 | | */ |
882 | | function file_scan_directory($dir, $mask, $nomask = array('.', '..', 'CVS'), $callback = 0, $recurse = TRUE, $key = 'filename', $min_depth = 0, $depth = 0) { |
883 | 1 | $key = (in_array($key, array('filename', 'basename', 'name')) ? $key : 'filename'); |
884 | | $files = array(); |
885 | |
|
886 | 1 | if (is_dir($dir) && $handle = opendir($dir)) { |
887 | 1 | while ($file = readdir($handle)) { |
888 | 1 | if (!in_array($file, $nomask) && $file[0] != '.') { |
889 | 1 | if (is_dir("$dir/$file") && $recurse) { |
890 | | // Give priority to files in this folder by merging them in after any subdirectory files. |
891 | 1 | $files = array_merge(file_scan_directory("$dir/$file", $mask, $nomask, $callback, $recurse, $key, $min_depth, $depth + 1), $files); |
892 | | } |
893 | 1 | elseif ($depth >= $min_depth && ereg($mask, $file)) { |
894 | | // Always use this match over anything already set in $files with the same $$key. |
895 | 1 | $filename = "$dir/$file"; |
896 | 1 | $basename = basename($file); |
897 | 1 | $name = substr($basename, 0, strrpos($basename, '.')); |
898 | 1 | $files[$$key] = new stdClass(); |
899 | 1 | $files[$$key]->filename = $filename; |
900 | 1 | $files[$$key]->basename = $basename; |
901 | 1 | $files[$$key]->name = $name; |
902 | 1 | if ($callback) { |
903 | | $callback($filename); |
904 | | } |
905 | | } |
906 | | } |
907 | | } |
908 | |
|
909 | 1 | closedir($handle); |
910 | | } |
911 | |
|
912 | 1 | return $files; |
913 | | } |
914 | |
|
915 | | /** |
916 | | * Determine the default temporary directory. |
917 | | * |
918 | | * @return A string containing a temp directory. |
919 | | */ |
920 | | function file_directory_temp() { |
921 | | $temporary_directory = variable_get('file_directory_temp', NULL); |
922 | |
|
923 | | if (is_null($temporary_directory)) { |
924 | | $directories = array(); |
925 | |
|
926 | | // Has PHP been set with an upload_tmp_dir? |
927 | | if (ini_get('upload_tmp_dir')) { |
928 | | $directories[] = ini_get('upload_tmp_dir'); |
929 | | } |
930 | |
|
931 | | // Operating system specific dirs. |
932 | | if (substr(PHP_OS, 0, 3) == 'WIN') { |
933 | | $directories[] = 'c:\\windows\\temp'; |
934 | | $directories[] = 'c:\\winnt\\temp'; |
935 | | $path_delimiter = '\\'; |
936 | | } |
937 | | else { |
938 | | $directories[] = '/tmp'; |
939 | | $path_delimiter = '/'; |
940 | | } |
941 | |
|
942 | | foreach ($directories as $directory) { |
943 | | if (!$temporary_directory && is_dir($directory)) { |
944 | | $temporary_directory = $directory; |
945 | | } |
946 | | } |
947 | |
|
948 | | // if a directory has been found, use it, otherwise default to 'files/tmp' or 'files\\tmp'; |
949 | | $temporary_directory = $temporary_directory ? $temporary_directory : file_directory_path() . $path_delimiter .'tmp'; |
950 | | variable_set('file_directory_temp', $temporary_directory); |
951 | | } |
952 | |
|
953 | | return $temporary_directory; |
954 | | } |
955 | |
|
956 | | /** |
957 | | * Determine the default 'files' directory. |
958 | | * |
959 | | * @return A string containing the path to Drupal's 'files' directory. |
960 | | */ |
961 | | function file_directory_path() { |
962 | | return variable_get('file_directory_path', conf_path() .'/files'); |
963 | | } |
964 | |
|
965 | | /** |
966 | | * Determine the maximum file upload size by querying the PHP settings. |
967 | | * |
968 | | * @return |
969 | | * A file size limit in bytes based on the PHP upload_max_filesize and post_max_size |
970 | | */ |
971 | | function file_upload_max_size() { |
972 | | static $max_size = -1; |
973 | |
|
974 | | if ($max_size < 0) { |
975 | | $upload_max = parse_size(ini_get('upload_max_filesize')); |
976 | | $post_max = parse_size(ini_get('post_max_size')); |
977 | | $max_size = ($upload_max < $post_max) ? $upload_max : $post_max; |
978 | | } |
979 | | return $max_size; |
980 | | } |
981 | |
|
982 | | /** |
983 | | * @} End of "defgroup file". |
984 | | */ |