<?php
/*
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
- * Copyright (C) 2002-2009 The Nucleus Group
+ * Copyright (C) 2002-2010 The Nucleus Group
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* passed through to the add-item form (linkto, popupimg or inline img)
*
* @license http://nucleuscms.org/license.txt GNU General Public License
- * @copyright Copyright (C) 2002-2009 The Nucleus Group
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group
* @version $Id$
* $NucleusJP: media.php,v 1.8.2.1 2007/09/07 07:36:44 kimitake Exp $
*
$CONF['MediaPerPage'] = 10;
// include all classes and config data
-require('../config.php');
-include($DIR_LIBS . 'MEDIA.php'); // media classes
+$DIR_LIBS = '';
+require_once('../config.php');
+//include($DIR_LIBS . 'MEDIA.php'); // media classes
+include_libs('MEDIA.php',false,false);
sendContentType('application/xhtml+xml', 'media');
// check if member is on at least one teamlist
$query = 'SELECT * FROM ' . sql_table('team'). ' WHERE tmember=' . $member->getID();
$teams = sql_query($query);
-if (sql_num_rows($teams) == 0)
+if (sql_num_rows($teams) == 0 && !$member->isAdmin())
media_doError(_ERROR_DISALLOWEDUPLOAD);
// get action
<input name="collection" type="hidden" value="<?php echo htmlspecialchars(requestVar('collection'))?>" />
<?php } // if sizeof
?>
- <br /><br />
- <input type="submit" value="<?php echo _UPLOAD_BUTTON?>" />
+ <br /><br />
+ <?php
+ $manager->notify(
+ 'MediaUploadFormExtras',
+ array()
+ );
+ ?>
+ <br /><br />
+ <input type="submit" value="<?php echo _UPLOAD_BUTTON?>" />
</div>
</form>
*/
function media_upload() {
global $DIR_MEDIA, $member, $CONF;
-
+
$uploadInfo = postFileInfo('uploadfile');
-
+
$filename = $uploadInfo['name'];
$filetype = $uploadInfo['type'];
$filesize = $uploadInfo['size'];
$filetempname = $uploadInfo['tmp_name'];
$fileerror = intval($uploadInfo['error']);
-
+
+ // clean filename of characters that may cause trouble in a filename using cleanFileName() function from globalfunctions.php
+ $filename = cleanFileName($filename);
+ if ($filename === false)
+ media_doError(_ERROR_BADFILETYPE);
+
switch ($fileerror)
{
case 0: // = UPLOAD_ERR_OK
// (see http://www.php.net/manual/en/features.file-upload.errors.php)
media_doError(_ERROR_BADREQUEST . ' (' . $fileerror . ')');
}
-
+
if ($filesize > $CONF['MaxUploadSize'])
media_doError(_ERROR_FILE_TOO_BIG);
-
+
// check file type against allowed types
$ok = 0;
$allowedtypes = explode (',', $CONF['AllowedTypes']);
foreach ( $allowedtypes as $type )
- if (eregi("\." .$type. "$",$filename)) $ok = 1;
+ {
+ //if (eregi("\." .$type. "$",$filename)) $ok = 1;
+ if (preg_match("#\." .$type. "$#i",$filename)) $ok = 1;
+ }
if (!$ok) media_doError(_ERROR_BADFILETYPE);
-
+
if (!is_uploaded_file($filetempname))
media_doError(_ERROR_BADREQUEST);
-
+
// prefix filename with current date (YYYY-MM-DD-)
// this to avoid nameclashes
if ($CONF['MediaPrefix'])
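Review bot: The new extension check `if (preg_match("#\." .$type. "$#i",$filename)) $ok = 1;` splices each configured type into the pattern without `preg_quote()` and anchors it with a bare `$`, which in PCRE also matches before a trailing newline, so the match is looser than the `eregi` line it replaces intended; a tighter form is `if (preg_match('#\.' . preg_quote($type, '#') . '$#iD', $filename)) $ok = 1;`. Whether the trailing-newline case can still reach this point depends on what cleanFileName() strips, which is not visible here. The added `if ($filename === false)` guard presumes cleanFileName() signals rejection by returning false rather than an empty string; worth confirming against its definition in globalfunctions.php, since an empty return would pass the guard and fail only at the type check. media_upload's body continues outside the hunk.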
<div>
<input name="action" value="login" type="hidden" />
<input name="collection" value="<?php echo htmlspecialchars(requestVar('collection'))?>" type="hidden" />
- <?php echo _LOGINFORM_NAME?> <input name="login" />
- <br /><?php echo _LOGINFORM_PWD?> <input name="password" type="password" />
+ <?php echo _LOGINFORM_NAME?>: <input name="login" />
+ <br /><?php echo _LOGINFORM_PWD?>: <input name="password" type="password" />
<br /><input type="submit" value="<?php echo _LOGIN?>" />
</div>
</form>