diff --git a/inc/config.php b/inc/config.php index 44dc60ec..9d09c53c 100644 --- a/inc/config.php +++ b/inc/config.php @@ -40,7 +40,7 @@ define('ERROR_NOMOVE', 'The server failed to handle your upload.'); define('ERROR_FILEEXT', 'Unsupported image format.'); define('ERR_INVALIDIMG','Invalid image.'); - define('ERR_FILSIZE', 'The file was too large.'); + define('ERR_FILESIZE', 'Maximum file size: %maxsz%
Your file\'s size: %sz%'); define('ERR_MAXSIZE', 'The file was too big.'); // For resizing, max values @@ -53,6 +53,10 @@ define('MAX_WIDTH', 10000); define('MAX_HEIGHT', MAX_WIDTH); + define('ALLOW_ZIP', true); + define('ZIP_IMAGE', 'src/zip.png'); + + /** Redraw the image using GD functions to strip any excess data (commonly ZIP archives) WARNING: Very beta. Currently strips animated GIFs too :( @@ -63,7 +67,7 @@ define('REDRAW_GIF', false); // Display the aspect ratio in a post's file info - define('SHOW_RATIO', false); + define('SHOW_RATIO', true); define('DIR_IMG', 'src/'); define('DIR_THUMB', 'thumb/'); @@ -92,7 +96,7 @@ define('URL_MATCH', '/^' . (@$_SERVER['HTTPS']?'https':'http').':\/\/'.$_SERVER['HTTP_HOST'] . '(' . preg_quote(ROOT, '/') . '|' . preg_quote(ROOT, '/') . '' . preg_quote(FILE_INDEX, '/') . '|' . preg_quote(ROOT, '/') . '' . str_replace('%d', '\d+', preg_quote(FILE_PAGE, '/')) . ')$/'); - if(!defined(IS_INSTALLATION)) { + if(!defined('IS_INSTALLATION')) { if(!file_exists(DIR_IMG)) @mkdir(DIR_IMG) or error("Couldn't create " . DIR_IMG . ". Install manually."); if(!file_exists(DIR_THUMB)) @mkdir(DIR_THUMB) or error("Couldn't create " . DIR_IMG . ". Install manually."); if(!file_exists(DIR_RES)) @mkdir(DIR_RES) or error("Couldn't create " . DIR_IMG . ". Install manually."); diff --git a/inc/functions.php b/inc/functions.php index b465488c..2454abb2 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -1,4 +1,55 @@ 'Multi-disk zip archives not supported.', + 'ZIPARCHIVE::ER_RENAME' => 'Renaming temporary file failed.', + 'ZIPARCHIVE::ER_CLOSE' => 'Closing zip archive failed', + 'ZIPARCHIVE::ER_SEEK' => 'Seek error', + 'ZIPARCHIVE::ER_READ' => 'Read error', + 'ZIPARCHIVE::ER_WRITE' => 'Write error', + 'ZIPARCHIVE::ER_CRC' => 'CRC error', + 'ZIPARCHIVE::ER_ZIPCLOSED' => 'Containing zip archive was closed', + 'ZIPARCHIVE::ER_NOENT' => 'No such file.', + 'ZIPARCHIVE::ER_EXISTS' => 'File already exists', + 'ZIPARCHIVE::ER_OPEN' => 'Can\'t open file', + 'ZIPARCHIVE::ER_TMPOPEN' => 'Failure to create temporary file.', + 'ZIPARCHIVE::ER_ZLIB' => 'Zlib error', + 'ZIPARCHIVE::ER_MEMORY' => 'Memory allocation failure', + 'ZIPARCHIVE::ER_CHANGED' => 'Entry has been changed', + 'ZIPARCHIVE::ER_COMPNOTSUPP' => 'Compression method not supported.', + 'ZIPARCHIVE::ER_EOF' => 'Premature EOF', + 'ZIPARCHIVE::ER_INVAL' => 'Invalid argument', + 'ZIPARCHIVE::ER_NOZIP' => 'Not a zip archive', + 'ZIPARCHIVE::ER_INTERNAL' => 'Internal error', + 'ZIPARCHIVE::ER_INCONS' => 'Zip archive inconsistent', + 'ZIPARCHIVE::ER_REMOVE' => 'Can\'t remove file', + 'ZIPARCHIVE::ER_DELETED' => 'Entry has been deleted', + ); + $errmsg = 'unknown'; + foreach ($zipFileFunctionsErrors as $constName => $errorMessage) { + if (defined($constName) and constant($constName) === $errno) { + return 'Zip File Function error: '.$errorMessage; + } + } + return 'Zip File Function error: unknown'; + } + + function sprintf3($str, $vars, $delim = '%') { + $replaces = array(); + foreach($vars as $k => $v) { + $replaces[$delim . $k . $delim] = $v; + } + return str_replace(array_keys($replaces), + array_values($replaces), $str); + } + + function commaize($n) { + $n = strval($n); + return (intval($n) < 1000) ? $n : commaize(substr($n, 0, -3)) . ',' . substr($n, -3); + } + function sql_open() { global $sql; $sql = @mysql_connect(MY_SERVER, MY_USER, MY_PASSWORD) or error('Database error.'); @@ -15,6 +66,58 @@ } } + function post($post, $OP) { + global $sql; + if($OP) { + mysql_query( + sprintf("INSERT INTO `posts` VALUES ( NULL, NULL, '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%d', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s' )", + $post['subject'], + $post['email'], + $post['name'], + $post['trip'], + $post['body'], + time(), + time(), + $post['thumb'], + $post['thumbwidth'], + $post['thumbheight'], + $post['file'], + $post['width'], + $post['height'], + $post['filesize'], + $post['filename'], + $post['filehash'], + $post['password'], + mysql_real_escape_string($_SERVER['REMOTE_ADDR']) + ), $sql) or error(mysql_error($sql)); + return mysql_insert_id($sql); + } else { + mysql_query( + sprintf("INSERT INTO `posts` VALUES ( NULL, '%d', '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%d', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s' )", + $post['thread'], + $post['subject'], + $post['email'], + $post['name'], + $post['trip'], + $post['body'], + time(), + time(), + $post['has_file']?$post['thumb']:null, + $post['has_file']?$post['thumbwidth']:null, + $post['has_file']?$post['thumbheight']:null, + $post['has_file']?$post['file']:null, + $post['has_file']?$post['width']:null, + $post['has_file']?$post['height']:null, + $post['has_file']?$post['filesize']:null, + $post['has_file']?$post['filename']:null, + $post['has_file']?$post['filehash']:null, + $post['password'], + mysql_real_escape_string($_SERVER['REMOTE_ADDR']) + ), $sql) or error(mysql_error($sql)); + return mysql_insert_id($sql); + } + } + function index($page) { global $sql, $board; diff --git a/post.php b/post.php index 94b80f8c..e4303fca 100644 --- a/post.php +++ b/post.php @@ -74,8 +74,13 @@ $post['filename'] = $_FILES['file']['name']; $post['has_file'] = $OP || !empty($_FILES['file']['tmp_name']); - if($post['has_file'] && $_FILES['file']['size'] > MAX_FILESIZE) - error(ERR_FILSIZE); + if($post['has_file']) { + $size = $_FILES['file']['size']; + if($size > MAX_FILESIZE) + error(sprintf3(ERR_FILESIZE, array( + 'sz'=>commaize($size), + 'maxsz'=>commaize(MAX_FILESIZE)))); + } $trip = generate_tripcode($post['name']); $post['name'] = $trip[0]; @@ -91,7 +96,8 @@ $post['file_id'] = rand(0, 1000000000); $post['file'] = DIR_IMG . $post['file_id'] . '.' . $post['extension']; $post['thumb'] = DIR_THUMB . $post['file_id'] . '.png'; - if(!in_array($post['extension'], $allowed_ext)) error(ERROR_FILEEXT); + $post['zip'] = $OP && $post['has_file'] && ALLOW_ZIP && $post['extension'] == 'zip' ? $post['file'] : false; + if(!($post['zip'] || in_array($post['extension'], $allowed_ext))) error(ERROR_FILEEXT); } // Check string lengths @@ -102,8 +108,6 @@ if(!(!$OP && $post['has_file']) && strlen($post['body']) < 1) error(ERROR_TOOSHORTBODY); if(strlen($post['password']) > 20) error(sprintf(ERROR_TOOLONG, 'password')); - - markup($post['body']); if($post['has_file']) { @@ -112,6 +116,11 @@ // Move the uploaded file if(!@move_uploaded_file($_FILES['file']['tmp_name'], $post['file'])) error(ERROR_NOMOVE); + if($post['zip']) { + $post['file'] = ZIP_IMAGE; + $post['extension'] = strtolower(substr($post['file'], strrpos($post['file'], '.') + 1)); + } + $size = @getimagesize($post['file']); $post['width'] = $size[0]; $post['height'] = $size[1]; @@ -132,7 +141,7 @@ $image = createimage($post['extension'], $post['file']); - if(REDRAW_IMAGE) { + if(REDRAW_IMAGE && !$post['zip']) { switch($post['extension']) { case 'jpg': case 'jpeg': @@ -156,7 +165,6 @@ // Create a thumbnail $thumb = resize($image, $post['width'], $post['height'], $post['thumb'], THUMB_WIDTH, THUMB_HEIGHT); - $post['thumbwidth'] = $thumb['width']; $post['thumbheight'] = $thumb['height']; } @@ -167,54 +175,101 @@ sql_open(); mysql_safe_array($post); - if($OP) { - mysql_query( - sprintf("INSERT INTO `posts` VALUES ( NULL, NULL, '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%d', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s' )", - $post['subject'], - $post['email'], - $post['name'], - $post['trip'], - $post['body'], - time(), - time(), - $post['thumb'], - $post['thumbwidth'], - $post['thumbheight'], - $post['file'], - $post['width'], - $post['height'], - $post['filesize'], - $post['filename'], - $post['filehash'], - $post['password'], - mysql_real_escape_string($_SERVER['REMOTE_ADDR']) - ), $sql) or error(mysql_error($sql)); - } else { - mysql_query( - sprintf("INSERT INTO `posts` VALUES ( NULL, '%d', '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%s', '%d', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s' )", - $post['thread'], - $post['subject'], - $post['email'], - $post['name'], - $post['trip'], - $post['body'], - time(), - time(), - $post['has_file']?$post['thumb']:null, - $post['has_file']?$post['thumbwidth']:null, - $post['has_file']?$post['thumbheight']:null, - $post['has_file']?$post['file']:null, - $post['has_file']?$post['width']:null, - $post['has_file']?$post['height']:null, - $post['has_file']?$post['filesize']:null, - $post['has_file']?$post['filename']:null, - $post['has_file']?$post['filehash']:null, - $post['password'], - mysql_real_escape_string($_SERVER['REMOTE_ADDR']) - ), $sql) or error(mysql_error($sql)); + $id = post($post, $OP); + + if($post['zip']) { + // Open ZIP + $zip = zip_open($post['zip']); + // Read files + while($entry = zip_read($zip)) { + $filename = basename(zip_entry_name($entry)); + $extension = strtolower(substr($filename, strrpos($filename, '.') + 1)); + + if(in_array($extension, $allowed_ext)) { + if (zip_entry_open($zip, $entry, 'r')) { + + // Fake post + $dump_post = Array( + 'subject' => $post['subject'], + 'email' => $post['email'], + 'name' => $post['name'], + 'trip' => $post['trip'], + 'body' => '', + 'thread' => $id, + 'password' => '', + 'has_file' => true, + 'file_id' => rand(0, 1000000000), + 'filename' => $filename + ); + + $dump_post['file'] = DIR_IMG . $dump_post['file_id'] . '.' . $extension; + $dump_post['thumb'] = DIR_THUMB . $dump_post['file_id'] . '.png'; + + // Extract the image from the ZIP + $fp = fopen($dump_post['file'], 'w+'); + fwrite($fp, zip_entry_read($entry, zip_entry_filesize($entry))); + fclose($fp); + + $size = @getimagesize($dump_post['file']); + $dump_post['width'] = $size[0]; + $dump_post['height'] = $size[1]; + + // Check if the image is valid + if($dump_post['width'] < 1 || $dump_post['height'] < 1) { + unlink($dump_post['file']); + } else { + if($dump_post['width'] > MAX_WIDTH || $dump_post['height'] > MAX_HEIGHT) { + unlink($dump_post['file']); + error(ERR_MAXSIZE); + } else { + $dump_post['filehash'] = md5_file($dump_post['file']); + $dump_post['filesize'] = filesize($dump_post['file']); + + $image = createimage($extension, $dump_post['file']); + + $success = true; + if(REDRAW_IMAGE) { + switch($extension) { + case 'jpg': + case 'jpeg': + imagejpeg($image, $dump_post['file'], JPEG_QUALITY); + break; + case 'png': + imagepng($image, $dump_post['file'], 7); + break; + case 'gif': + if(REDRAW_GIF) + imagegif($image, $dump_post['file']); + break; + case 'bmp': + imagebmp($image, $dump_post['file']); + break; + default: + $success = false; + } + } + + + // Create a thumbnail + $thumb = resize($image, $dump_post['width'], $dump_post['height'], $dump_post['thumb'], THUMB_WIDTH, THUMB_HEIGHT); + + $dump_post['thumbwidth'] = $thumb['width']; + $dump_post['thumbheight'] = $thumb['height']; + + // Create the post + post($dump_post, false); + } + } + + // Close the ZIP + zip_entry_close($entry); + } + } + } + zip_close($zip); + unlink($post['zip']); } - $id = mysql_insert_id($sql); buildThread(($OP?$id:$post['thread'])); if(!$OP) { diff --git a/src/zip.png b/src/zip.png new file mode 100755 index 00000000..7886679a Binary files /dev/null and b/src/zip.png differ