From 10a8fe28e6d88dccf2ae168edec51055d1b7079d Mon Sep 17 00:00:00 2001 From: Savetheinternet Date: Wed, 13 Apr 2011 20:57:41 +1000 Subject: [PATCH] non-image uploads --- inc/config.php | 11 ++++-- inc/display.php | 22 +++++++----- inc/functions.php | 9 ++--- post.php | 86 +++++++++++++++++++++++++++------------------- static/file.png | Bin 0 -> 6162 bytes 5 files changed, 77 insertions(+), 51 deletions(-) create mode 100644 static/file.png diff --git a/inc/config.php b/inc/config.php index ef9adb80..3aa0b34f 100644 --- a/inc/config.php +++ b/inc/config.php @@ -116,6 +116,7 @@ $config['error']['toomanyreports'] = 'You can\'t report that many posts at once.'; $config['error']['invalidpassword'] = 'Wrong password…'; $config['error']['invalidimg'] = 'Invalid image.'; + $config['error']['unknownext'] = 'Unknown file extension.'; $config['error']['filesize'] = 'Maximum file size: %maxsz% bytes
Your file\'s size: %filesz% bytes'; $config['error']['maxsize'] = 'The file was too big.'; $config['error']['invalidzip'] = 'Invalid archive!'; @@ -516,8 +517,14 @@ // https://github.com/savetheinternet/Tinyboard/issues/20 $config['ie_mime_type_detection'] = '/<(?:body|head|html|img|plaintext|pre|script|table|title|a href|channel|scriptlet)/'; - // Allowed file extensions - $config['allowed_ext'] = Array('jpg', 'jpeg', 'bmp', 'gif', ''); + // Allowed image file extensions + $config['allowed_ext'] = Array('jpg', 'jpeg', 'bmp', 'gif', 'png'); + + // Allowed additional file extensions (not images; downloadable files) + $config['allowed_ext_files'] = Array('mp3'); + + // Thumbnail to use for the downloadable files (not images) + $config['file_thumb'] = 'static/file.png'; // The names on the post buttons. (On most imageboards, these are both "Post".) $config['button_newtopic'] = 'New Topic'; diff --git a/inc/display.php b/inc/display.php index b6722348..9ba5cac6 100644 --- a/inc/display.php +++ b/inc/display.php @@ -259,14 +259,16 @@ if(!empty($this->file) && $this->file != 'deleted') { $built .= '
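Review bot: The comment on the new `allowed_ext_files` setting says only "not images; downloadable files", but the post.php hunk in this same patch skips image validation and the IE MIME-sniffing check for these extensions, so anything an operator lists here is stored and served byte-for-byte with no content inspection. The comment should say so, because the obvious additions (`html`, `svg`, `pdf`, `txt`, `php`) are exactly the types a browser renders inline or the server may execute. Proposed wording: `// Allowed additional file extensions (not images; served as downloads). Files with these extensions get NO content checks, so never list browser-renderable or server-executable types here (html, svg, js, php, ...).` A one-line note on `file_thumb` that the path is resolved relative to the request's working directory by `copy()` would also save an operator a puzzled afternoon, if that is indeed how post.php resolves it.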

File: ' . $this->file . ' (' . // Filesize - format_bytes($this->filesize) . ', ' . + format_bytes($this->filesize) . // File dimensions - $this->filex . 'x' . $this->filey; + ($this->filex && $this->filey ? + ', ' . $this->filex . 'x' . $this->filey + : '' ); // Aspect Ratio - if($config['show_ratio']) { - $fraction = fraction($this->filex, $this->filey, ':'); - $built .= ', ' . $fraction; - } + if($config['show_ratio'] && $this->filex && $this->filey) { + $fraction = fraction($this->filex, $this->filey, ':'); + $built .= ', ' . $fraction; + } // Filename $built .= ', ' . $this->filename . ')

' . @@ -377,11 +379,13 @@ $built = '
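Review bot: The filesize/dimensions/ratio block is now duplicated verbatim between this hunk and the one at `@@ -377,11 +379,13 @@`, so the new `$this->filex && $this->filey` guard had to be written twice in each copy; the next fix to one builder will miss the other. Pull the shared part into a small private helper, e.g. `private function fileInfo()` returning the `(size, WxH, ratio, filename)` string, and call it from both builders. The guard is a truthiness test, so a dimension stored as `0` or `'0'` also suppresses the output — harmless for image sizes, but worth a one-line comment such as `// non-image uploads carry no dimensions`. The enclosing method starts outside the hunk.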

File: ' . $this->file . ' (' .
 // Filesize
- format_bytes($this->filesize) . ', ' .
+ format_bytes($this->filesize) .
 // File dimensions
- $this->filex . 'x' . $this->filey;
+ ($this->filex && $this->filey ?
+ ', ' . $this->filex . 'x' . $this->filey
+ : '' );
 // Aspect Ratio
- if($config['show_ratio']) {
+ if($config['show_ratio'] && $this->filex && $this->filey) {
 $fraction = fraction($this->filex, $this->filey, ':');
 $built .= ', ' . $fraction;
 }
diff --git a/inc/functions.php b/inc/functions.php
index e37a367d..2a45c606 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -363,7 +363,7 @@
 $query->bindValue(':height', $post['height'], PDO::PARAM_INT);
 $query->bindValue(':filesize', $post['filesize'], PDO::PARAM_INT);
 $query->bindValue(':filename', $post['filename']);
- $query->bindValue(':filehash', $post['filehash']);
+ $query->bindValue(':filehash', $post['file']);
 } else {
 $query->bindValue(':thumb', null, PDO::PARAM_NULL);
 $query->bindValue(':thumbwidth', null, PDO::PARAM_NULL);
@@ -1363,12 +1363,13 @@
 }
 break;
 default:
- error('Unknwon file extension.');
+ error($config['error']['unknownext']);
 }
 return $image;
 }
- function resize($src, $width, $height, $destination_pic, $max_width, $max_height, $ext) {
+ function resize($src, $width, $height, $destination_pic, $max_width, $max_height, $ext) {
+ global $config;
 $return = Array();
 $x_ratio = $max_width / $width;
@@ -1414,7 +1415,7 @@
 imagebmp($tmp, $destination_pic);
 break;
 default:
- error('Unknwon file extension.');
+ error($config['error']['unknownext']);
 }
 imagedestroy($src);
diff --git a/post.php b/post.php
index 6833d1d6..15a87dd3 100644
--- a/post.php
+++ b/post.php
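Review bot: In the `@@ -363,7 +363,7 @@` hunk the `:filehash` parameter is now bound to `$post['file']`, the stored file path, instead of `$post['filehash']`. The post.php hunk in this same patch still computes `$post['filehash'] = $config['file_hash']($post['file'])` and the `image_reject_repost` lookup calls `getPostByHash($post['filehash'])`, so a hash will be compared against a stored path and the duplicate-file check will quietly stop matching. If the change is deliberate it needs a comment explaining why the column holds the path; otherwise restore `$query->bindValue(':filehash', $post['filehash']);`. The enclosing function starts and ends outside the hunk.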
@@ -384,51 +384,65 @@ } if($post['has_file']) { + if(!in_array($post['extension'], $config['allowed_ext']) && !in_array($post['extension'], $config['allowed_ext_files'])) + error($config['error']['unknownext']); + + if(in_array($post['extension'], $config['allowed_ext_files'])) + $__file = true; + // Just trim the filename if it's too long if(strlen($post['filename']) > 30) $post['filename'] = substr($post['filename'], 0, 27).'…'; // Move the uploaded file if(!@move_uploaded_file($_FILES['file']['tmp_name'], $post['file'])) error($config['error']['nomove']); - $size = @getimagesize($post['file']); - $post['width'] = $size[0]; - $post['height'] = $size[1]; - - // Check if the image is valid - if($post['width'] < 1 || $post['height'] < 1) { - undoImage($post); - error($config['error']['invalidimg']); - } - - if($post['width'] > $config['max_width'] || $post['height'] > $config['max_height']) { - undoImage($post); - error($config['error']['maxsize']); - } - - // Check IE MIME type detection XSS exploit - $buffer = file_get_contents($post['file'], null, null, null, 255); - if(preg_match($config['ie_mime_type_detection'], $buffer)) { - undoImage($post); - error($config['error']['mime_exploit']); - } - - $post['filehash'] = $config['file_hash']($post['file']); - $post['filesize'] = filesize($post['file']); - - if($config['minimum_copy_resize'] && $post['width'] <= $config['thumb_width'] && $post['height'] <= $config['thumb_height'] && $post['extension'] == ($config['thumb_ext'] ? 
$config['thumb_ext'] : $post['extension'])) { - // Copy, because there's nothing to resize - copy($post['file'], $post['thumb']); + if(!isset($__file)) { + $size = @getimagesize($post['file']); + $post['width'] = $size[0]; + $post['height'] = $size[1]; - $post['thumbwidth'] = $post['width']; - $post['thumbheight'] = $post['height']; - } else { - $image = createimage($post['extension'], $post['file']); + // Check if the image is valid + if($post['width'] < 1 || $post['height'] < 1) { + undoImage($post); + error($config['error']['invalidimg']); + } - // Create a thumbnail - $thumb = resize($image, $post['width'], $post['height'], $post['thumb'], $config['thumb_width'], $config['thumb_height'], ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension'])); + if($post['width'] > $config['max_width'] || $post['height'] > $config['max_height']) { + undoImage($post); + error($config['error']['maxsize']); + } + + // Check IE MIME type detection XSS exploit + $buffer = file_get_contents($post['file'], null, null, null, 255); + if(preg_match($config['ie_mime_type_detection'], $buffer)) { + undoImage($post); + error($config['error']['mime_exploit']); + } - $post['thumbwidth'] = $thumb['width']; - $post['thumbheight'] = $thumb['height']; + if($config['minimum_copy_resize'] && $post['width'] <= $config['thumb_width'] && $post['height'] <= $config['thumb_height'] && $post['extension'] == ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension'])) { + // Copy, because there's nothing to resize + copy($post['file'], $post['thumb']); + + $post['thumbwidth'] = $post['width']; + $post['thumbheight'] = $post['height']; + } else { + $image = createimage($post['extension'], $post['file']); + + // Create a thumbnail + $thumb = resize($image, $post['width'], $post['height'], $post['thumb'], $config['thumb_width'], $config['thumb_height'], ($config['thumb_ext'] ? 
$config['thumb_ext'] : $post['extension'])); + + $post['thumbwidth'] = $thumb['width']; + $post['thumbheight'] = $thumb['height']; + } + } else { + copy($config['file_thumb'], $post['thumb']); + + $size = @getimagesize($post['thumb']); + $post['thumbwidth'] = $size[0]; + $post['thumbheight'] = $size[1]; } + + $post['filehash'] = $config['file_hash']($post['file']); + $post['filesize'] = filesize($post['file']); } if($post['has_file'] && $config['image_reject_repost'] && $p = getPostByHash($post['filehash'])) { 
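Review bot: The IE MIME-sniffing check (`file_get_contents(..., 255)` matched against `$config['ie_mime_type_detection']`) now sits inside `if(!isset($__file))`, so an upload whose extension is in `allowed_ext_files` is moved into place and served with no inspection of its contents at all — a file named `x.mp3` that begins with `<html>` or `<script>` passes, which is precisely the sniffing case the check exists for. Hoist that block out of the image-only branch so it runs for every upload, directly after `move_uploaded_file` and before the branch. On the file branch `$post['width']` and `$post['height']` are never assigned, while the functions.php hunk in this patch still binds them with `PDO::PARAM_INT`; set `$post['width'] = $post['height'] = null;` there so the insert is explicit instead of relying on an undefined-index notice. Both `in_array` calls should pass `true` as the third argument, and wherever `$post['extension']` is derived (outside this hunk) it should be lower-cased so `.MP3` or `.PHP` cannot slip past a case-sensitive list. The enclosing request-handling code continues outside the hunk.

```php
		// Move the uploaded file
		if(!@move_uploaded_file($_FILES['file']['tmp_name'], $post['file']))
			error($config['error']['nomove']);

		// Check IE MIME type detection XSS exploit -- for every upload, not only images
		$buffer = file_get_contents($post['file'], null, null, null, 255);
		if(preg_match($config['ie_mime_type_detection'], $buffer)) {
			undoImage($post);
			error($config['error']['mime_exploit']);
		}

		if(!isset($__file)) {
			// … unchanged: getimagesize, dimension limits, thumbnail generation (MIME check removed from here) …
		} else {
			// Downloadable files have no image dimensions; make the NULLs explicit for the INSERT
			$post['width'] = $post['height'] = null;
			copy($config['file_thumb'], $post['thumb']);
			// … unchanged: thumbnail size taken from the static thumb …
		}
```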
diff --git a/static/file.png b/static/file.png new file mode 100644 index 0000000000000000000000000000000000000000..8060fe3c5fd54c105b598e851ccd87034f405a7c GIT binary patch literal 6162 zcmaJ_XIN9qx(+RLP`ZE^=`AF52rUwbAVsPaK|%?Ll!Oq0Aia0#Er1j$qDWH#=|w?7 zK|m0tOBEEPBkhKL&OYbS!>Gr-gmy4dDk~HE7r*HIwKu79RL7e)YZ{4A*Be? z?Lz}3J<|fEJV?nUytXCY6yuEdwa1|W*PJj8XppXly$jj|ZSO?zdWTj804PANW|nwM z1AUky#zV^f+(ydJ14}{!0IC{(SbIk|G#=!Dc5(GoJ37&X+Kd`5_ zz~2m7Xm3ZHD;DpH@dTYS+B;zGuRa-lkifmu1+u{Li!p4s;I0W zuc;|5tqs*wK*%CwWE5o(2sveGgyP>=EsW!R540!#Z>-aQvDf|)doBbIEU9HJG|trr z?S#Z(JV1YS80PxVz9{}9-@ma=|Llv>KVl&yXCUX(`oE_6?<$gZ&a?j!EvfJy*`qy4 zTE~$@O@`Bx0|3}!bhWOT`F<eSl?0XKoOCKM;v<5UnnVypEjgngBBFVrNA{4XnNm z9ABDQ`I4>*cQ*SlU;k=-nNMlW=-10Hokzb8zkL5WzZNf^6hjxICEdc-7v4fcxfL`? z+~1y7UdFW%N9j$5In;plMfP{uG@WO(+o>@l)0?)Bse(H(Rhw~h{*B~Y9lrwko(r&Xc9 zC2GJZz2Ca`?%f+jFssR7R)V!&vr&`Qk0gKs;$@0gq$$J zSBZ%z%K8r!->7{qc&v?8iM0Ls@pLRUmbRf6<>v0b{;k;;qwU}@pS3eF6FvnO>53`^ z^Acmhtn185*?D<+0yQuF!zN)cSkxXhEmU)MRr;Ojn^lXuS{+ zaVe=bct`-8kHsLMSK(Wy4&@O<^J-p%FQ8AZIHQ%iAm(#)nI2QC#T~j zB1Rn<+)OViW(I%uRbjTXth_w9N*=TmVcYDJzX%99xwtM+qY*n^S69bW($M!vBk0&q z<>W&%TbwSNj4Uw97_&uxTpN6LDum5+Jmg_yWDIO-YC>b$PkeY(FAIh3vRZ>G(wvFR&5w;)79Z0u+@&Fk%w8LRd&~KSkQv z&3wrO-!}XX@~T07M)e5^cOX0dbYf=>P$C`AclY;is{Za_U4Gl!I~8CzYn8Ku1rv~x z(qF8okbI|p$G>|`zt7K`o%GW~T8tPc$*89c_~wK+R;boGI$77;AMfjRT8D%%l0#g- zABjs!<}o(`soQuZBU`#}+d6lt>~!?Kxw1bK99+51j%hn|mQeF38e~p$d6BGWbM-FI2Yv2q0kQb0XG{MC(Y`GVS^2l#l--fhnQ{{H6Z=;%+Zc_>FV z4jL^9LPQORe^nxbYva~pmK|&n5*CoE&zxnP!(PN9eY;~*cpxHz(mV!#|9;|dx0eh< zqM^cy!g~S3_dHVM^sObAw+CLjjROzWx3{;cxF%9vEcwL!QGV2n0jRKclD>Eim`g-e zZR8FN-(Nil2(do6`iE%m|C2vxv-e7{8KE~<-i>$X0z#(1Fd|Ta5T*Evn424Q5I-?7 z;k5(J1x{R_{&by!PZ&hlUJ`~>_AnQy2U?pu6n!(GO#Vdi39*#yqE+99e%sj?p&>3V z{^u}$s940lNywM4yk4UZzFBLgi{GVzwjD0|6I5(K0yhXdr|0FdEj1RQc`6X^Pboi5*Qg1D0~pb$HjQ?{TrtJ zXId-^mcnaR%zZO-(}8l9e0|W=%IXPS#%<50$mK*XU{tBD88d@qj(i`lo12??<)}x) zROUcW0nI0y!y|sW4DK7nQev^fvQP&x7cDEWCC?kdVfV#>9N9`EveX4sK_@dTnPNY# 
z8;wSbLwT8^^ZPh|Vbmejx0V=7AX~yM8|`OzsDKI{{h6d_CYwC~pzT4l04TtZG}{y~ z(|H3lkMe(xEAVtQ>P*ZCwO>UCt4Ktie&olcD6D%}TU(o3qj>G(5HCNR_bl*fhF(wk??U6~BZ;Ka)ogcWVLjUS6WY z)6R~nq>hzEh?HHMsu(G5giR_HWOTt(E2IuzFBd$}st_#MG_|!2T)vHIefg@X=}?L? z3eZHP1da52YJsSk0uc9SeVWx$Q>u4B+ffg@`xe%cRDNARi4LkCt@GbyE75uyJlhdk zTFjz1<5Ew@fMGfLvsP{E*>GF?*{|1YQUxdBwCqmLK8sR~j*jlE3K~;QTaevft7<44 z>dqMb(MxIkMxTsAHYj{#HLs$&dSm>m9gZcD0Tlbgi_7ja^zI5rD7et4!&6v#n>s3* z^3LL9lXqqK?N)zz5xX$W68QE$>Ws$k**<5`OyGV#T|#<#diLbxWFvt4wS1~Gw>=e? z`k3E*5AEkpw3AcM;=)3Y5xI88k@Vspn{|y(--9XOr?%z1x8gR_W8W88iBX0l-be-T6q1_ zWRqc8OwrQ!Ryb+|xjoR?2bPZ7+L3ziH}e9-hzcIo9T^*!ReWNW-E#D<;~q*tAdgZ- zW4pQJ@jf>uYp+O)P3F+Zaqd5^0GarFp%h zl<+7@%Cyo!;VCJ)w0!S<_>_rBB)jmY?he}eo%h&t+x~L0RIv%VhUZ0OYq)F>_iG*5 z17sm;bR`9%6t7-P$$p&*>Fn$r;P3A*CvT^^s+|&IwtOAFH9qt~CmS?(FKj?#dUR9{ zBxF1jdPU9OtiS5=Gv40z;XpM+LD(nWfG#U^ET?YS&D+(ctbq$+S|Rp zzjeChMafmncFRr3_^o|pELgZHI;$SZJJE{(lzAO%(oQuRJ*UYfsB8oK(yV;E>C{# zR24vqN53XFvA4IcS&(?f!n02Ol!At;BxkQFPR`M}$6ga;XTO-3+_A|@M}w?Rf_^s= zu0CRO!CBsflZRZsm0FF`hylG=vBA%)U^Tk*%a94utr^jW3 zBNZl@en4`g#05QdQv!j|MnPRX`c!03Jk4T7-@X_~o|=-&=Xg%RFhzLCE^%w1DB97Q zbxd>pbF5eU`P=86o&wJR2;XT$@jE2znDu1g*k9Co=HicAE^=^LyTpB35Q9;D2a0h| zf{N*k7OV4~GD3Az%%lny#`*ifIat#F`J<9qa z3lb}?z1WVSR&1t-aa9l^rZs`*3wo0KsQ&Yb;)SV{VTsRX^ohw&-Z*v@m_{3l{kgFVv( z?h$Gvd8*W5>K6~41qmDIX4i!JI%0vq>{C{@!y~#^N4qAMSXTA*Vdg!vVN*>ZyScEr z<|oL4{aMa@UiARKxaAtFT87pZdu$4^{ek^3Lbur2=C?_S{6^Zjn@~a5w9R=|9ql)WokNc(3K5q5o3{&(j z6FI}9`mSBD&|Jyq9v}dtWvrC#>&HJ(oM3As@$}>G?PDtcNazCG68f zoFtem>t9;?Wo?q_ptZEdDFFNQ3AHe6hMeEpr^lU?~^Ov;zQKda^Q zb;1^aVF#myem3aA&s(@FMoE)Ce?J(K6qrj=v9YRgHC4vPSq$6SDwo1S*8&>D zS}$5bF#7ad*4upZ#jG$T<~MJw^@MLLudr zi#6_y-eq~jYHN>Eu0jgfhsK@hQF;o5hR%&3XLn5+RE4!%!CO>;H;R!JD<K z8(mgj23gs1+*jcX*t^d5p;t$AORfBRltS$!`m!eHp4+wG*?8`*hXdX$79ULhWqrf( zzMW*WBHU$Cw<9L*YK7uf+%tN^j@ICcpZEB5%`*W1b%8L9}(!sOna zW5|#g_PHLqn_WHrb`CE^8eYt&MR)0?m`l$>i%)J2SBPf%op+fvbmWChi{&^yXF9sf zy2ff*<$(@6Pev|0g}8nLkYz?>0=AD&J*45?qO5(p^wR(vi_zt0%Mh?e?A8hDv%Q(^ 
zvJxgI`nXZ1C~NB*#CTw_*f4YD0*EBlcXF{MwJn~9>VNK5CeiSIto3_o27n>iRn*k@ z-QRx6(|??yjL>d#T6|hq2#SpD2rzh#&3t&Ma-2dWuFXQm#>bhVRFCXh9O{QeKZuH4-8@8;9%EUZev_wT)WrI1m% zd%QgeDI%U_r5#q@C@j)k!yN-n-=y7C&+*@A-7nkTCyU`Q`&==cAoKQz@U|r_u&&pU zOMIj4=ofoaY4B=kR!`0`_2Qpl=}$L8^xgt4G%_eXcW$S%^cd#BwA6BolpfBs9L&dO zeeu#4O_MN7T3fy391$@+zv71#-F;wDp2dmF%3M9uZ))S$E7mFFK8i0n#)hbSZ`Stm zsXW0QV0MhZM7yAKxs{XNPeX6;^ z|LpX{Vzt!p-n%yr1MhmSLj?oe4hkRde|4*#I_RKamP~Ko-dgNGF)}wqRcq#BWaa%W zVqVebJ6SSitO5nXtoP2ed~B?(Ut7BYhJqS4zBN?y)dg2Sx1_%e!KM>#YMkt74lv^^ z{g#=nt)mJn(=9A4nA0SO;1rmv(A?EsGP+B8ofqg6XXy-@p{{(&I49enprFdJ8OLI^ z`#;PS8SXuwe&ZdR( zR|K5WD?IO$X5v%zlRd2_m&I{p4v`M(XIsCfn%6|-dWNUT*@~XV#g+$c(KTdz*4kuL z%#R#5K6pbh-RSlGQiU+*VonW8G0%o{f`!#O_9n$sYKbhy8gt_x$}}^|C|0h3`V_g&VVs%<2cIGS%wJZw2J78l=VLn?!XBj%p?7%9{1<)qO6qPo?@& z3^Uhy+;j#dB+0_bShQPd47D813CRakQos0`NMX7uGBQ$(w2NW_2-9uT8;FRTo13>9 zmU}aFJzeW&)>wCF{)LA7WtWKy_V}Q2FkJGq?_jnI6sjeYC;+dq@ua+cJ@7{1Hzgjd zBBQ%aPM)hb3&2)il>^QtMeRw;WzvX+o6xX59`0Y+x6uwPB5H=`6oxigK9oj=^E$wH zbY8C-f#9NXk!P^*vMW>TlKxx<93xTQ>F=l*(6Jx8-SgB%c7}t1W><19Jbc6dJE)i)-p=6ZH z6*rKixO&SNqVu*h8#N~_IT16OKp>}b5bm6v0kc(z3Qyvcjp!3-xi>3D6Qd}*+yMys zbebjUG+@JFpX6 dy>CGV1iS)n77D!dT|fUzud8jS^;{Db_CGM;Bsu^9 literal 0 HcmV?d00001