| [ Index ] |
|
Code source de LifeType 1.2.4 |
1 <?php 2 3 lt_include( PLOG_CLASS_PATH.'class/config/config.class.php' ); 4 lt_include( PLOG_CLASS_PATH.'class/data/validator/templatesetvalidator.class.php' ); 5 6 define( 'TEMPLATE_SANDBOX_ERROR_UNPACKING', -100 ); 7 define( 'TEMPLATE_SANDBOX_ERROR_FORBIDDEN_EXTENSIONS', -101 ); 8 define( 'TEMPLATE_SANDBOX_ERROR_CREATING_WORKING_FOLDER', -102 ); 9 10 /** 11 * \ingroup Template 12 * 13 * This class checks that a file that is going to be added to a template, or 14 * a packed file with a template set has the right contents. 15 * 16 * Everything happens sandboxed because it could be possible that the user is 17 * trying to upload an executable file (.php, etc) as part of the template. Sandboxed 18 * means that everything happens in a random temporary folder and that in case of 19 * error, everything is removed from disk. 20 * 21 * @see TemplateSetValidator 22 */ 23 class TemplateSandbox 24 { 25 26 function TemplateSandbox() 27 { 28 29 } 30 31 /** 32 * Goes through all the files in the folder to see if any of the files 33 * has any of the forbidden extensions. 34 * 35 * @param folder The folder where files are, it will be scanned 36 * using a glob-like function 37 * @return Returns true if all files are ok or false otherwise. 38 */ 39 function checkForbiddenFiles( $folder ) 40 { 41 $config =& Config::getConfig(); 42 $forbiddenFilesStr = $config->getValue( 'upload_forbidden_files' ); 43 44 // return true if there's nothing to do 45 if( empty($forbiddenFilesStr) || !$forbiddenFilesStr ) 46 return true; 47 48 // otherwise, turn the thing into an array and go through all of them 49 lt_include( PLOG_CLASS_PATH.'class/misc/glob.class.php' ); 50 foreach( explode( " ", $forbiddenFilesStr ) as $file ) { 51 $files = Glob::myGlob( $folder, $file ); 52 if( count($files) > 0 ) 53 return false; 54 } 55 56 return true; 57 } 58 59 /** 60 * Makes sure that the file is a valid template set. The file can be packed 61 * in any of the formats supported by the Unpacker class (.tar.gz, .tar.bz2 62 * and .zip as of the time of writing these lines) 63 * Returns true if the template is valid or a negative value carrying an 64 * error code. 65 * 66 * @param file The file that contains the template set 67 * @return Returns true (positive value) if template set is ok or a negative 68 * value otherwise. 69 */ 70 function checkTemplateSet( $file, $filePath ) 71 { 72 // get the temporary folder 73 $config =& Config::getConfig(); 74 $tmpFolder = $config->getValue( 'temp_folder' ); 75 if( $tmpFolder[strlen($tmpFolder)-1] != '/' ) 76 $tmpFolder .= '/'; 77 78 // get the name of the file, which we will use in many places 79 $fileNameParts = explode( '.', $file ); 80 $fileNameNoExt = $fileNameParts[0]; 81 82 // create our working folder 83 $workFolder = $tmpFolder.File::getTempName().'/'; 84 if( !File::createDir( $workFolder, 0777 )) { 85 return TEMPLATE_SANDBOX_ERROR_CREATING_WORKING_FOLDER; 86 } 87 88 // now we can unpack the file to the temporary folder 89 $unpacker = new Unpacker(); 90 if( !$unpacker->unpack( $filePath.$file, $workFolder )) { 91 $this->cleanUp( $workFolder.$fileNameNoExt ); 92 if( File::exists( $workFolder)) File::delete( $workFolder ); 93 return TEMPLATE_SANDBOX_ERROR_UNPACKING; 94 } 95 96 // if the file was correctly unpacked, now we will need the TemplateSetValidator 97 // class to do some work for us 98 $fileNameNoExt = $this->toTemplateSetName( $file ); 99 100 // we can use the checkTenmplateFolder which will do all the rest of 101 // the work for us... 102 $res = $this->checkTemplateFolder( $fileNameNoExt, $workFolder ); 103 if( $res < 0 ) { 104 //$this->cleanUp( $workFolder.$fileNameNoExt ); 105 $this->cleanUp( $workFolder ); 106 if( File::isReadable( $workFolder ) && File::isDir( $workFolder )) 107 File::delete( $workFolder ); 108 return $res; 109 } 110 111 $this->cleanUp( $workFolder.$fileNameNoExt ); 112 File::delete( $workFolder ); 113 114 return true; 115 } 116 117 /** 118 * Once we have a folder with some template files, we make sure that what's 119 * inside is fine (no forbidden files, etc) 120 * 121 * @param templateName 122 * @param templateFolder 123 * @return 124 */ 125 function checkTemplateFolder( $templateName, $templateFolder ) 126 { 127 if( $templateFolder[strlen($templateFolder)-1] != '/') 128 $templateFolder .= '/'; 129 130 $tv = new TemplateSetValidator($templateName, $templateFolder ); 131 if( ($errorCode = $tv->validate()) < 0 ) { 132 return $errorCode; 133 } 134 135 // check if there isn't any file with a forbidden extension 136 if( !$this->checkForbiddenFiles( $templateFolder.$templateName )) { 137 return TEMPLATE_SANDBOX_ERROR_FORBIDDEN_EXTENSIONS; 138 } 139 140 return true; 141 } 142 143 /** 144 * Cleans all the temporary folders used by this class during 145 * its execution. 146 * 147 * @param $folder The name of the temporary folder used 148 * @return Returns true 149 */ 150 function cleanUp( $folder ) 151 { 152 if( !File::isDir( $folder )) 153 return true; 154 155 // recursively delete the folder 156 File::deleteDir( $folder, true ); 157 158 return true; 159 } 160 161 /** 162 * Convert the upload file name to template set name 163 * 164 * @param $uploadFile The name of the upload file 165 * @return Return the template set name 166 */ 167 function toTemplateSetName( $uploadFile ) 168 { 169 $fileWithoutVersion = preg_replace( '/^[0-9.]*_/', '', $uploadFile ); 170 $fileParts = explode( ".", $fileWithoutVersion ); 171 $templateName = $fileParts[0]; 172 return $templateName; 173 } 174 } 175 ?>
titre
Description
Corps
titre
Description
Corps
titre
Description
Corps
titre
Corps
| Généré le : Mon Nov 26 21:04:15 2007 | par Balluche grâce à PHPXref 0.7 |
|
|