
Include plugins which the original release includes and Mocchi modified these codes...
[nucleus-jp/nucleus-jp-ancient.git] / utf8 / nucleus / media.php
index 75814e6..ff2cc2a 100755 (executable)
@@ -1,26 +1,31 @@
 <?php
+/*
+ * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
+ * Copyright (C) 2002-2010 The Nucleus Group
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * (see nucleus/documentation/index.html#license for more info)
+ */
 /**
-  * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/) 
-  * Copyright (C) 2002-2004 The Nucleus Group
-  *
-  * This program is free software; you can redistribute it and/or
-  * modify it under the terms of the GNU General Public License
-  * as published by the Free Software Foundation; either version 2
-  * of the License, or (at your option) any later version.
-  * (see nucleus/documentation/index.html#license for more info)
-  *
-  * Media popup window for Nucleus
-  *
-  * Purpose:
-  *   - can be openen from an add-item form or bookmarklet popup
-  *   - shows a list of recent files, allowing browsing, search and 
-  *     upload of new files
-  *   - close the popup by selecting a file in the list. The file gets
-  *     passed through to the add-item form (linkto, popupimg or inline img)
-  *
-  * $Id: media.php,v 1.1.1.1 2005-02-28 07:14:31 kimitake Exp $
-  */
-  
+ * Media popup window for Nucleus
+ *
+ * Purpose:
+ *   - can be openen from an add-item form or bookmarklet popup
+ *   - shows a list of recent files, allowing browsing, search and
+ *     upload of new files
+ *   - close the popup by selecting a file in the list. The file gets
+ *     passed through to the add-item form (linkto, popupimg or inline img)
+ *
+ * @license http://nucleuscms.org/license.txt GNU General Public License
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group
+ * @version $Id$
+ * $NucleusJP: media.php,v 1.8.2.1 2007/09/07 07:36:44 kimitake Exp $
+ *
+ */
+
 $CONF = array();
 
 // defines how much media items will be shown per page. You can override this
@@ -29,8 +34,10 @@ $CONF = array();
 $CONF['MediaPerPage'] = 10;
 
 // include all classes and config data
-include('../config.php');
-include($DIR_LIBS . 'MEDIA.php');      // media classes
+$DIR_LIBS = '';
+require_once('../config.php');
+//include($DIR_LIBS . 'MEDIA.php');    // media classes
+include_libs('MEDIA.php',false,false);
 
 sendContentType('application/xhtml+xml', 'media');
 
@@ -42,32 +49,40 @@ if (!$member->isLoggedIn()) {
 
 // check if member is on at least one teamlist
 $query = 'SELECT * FROM ' . sql_table('team'). ' WHERE tmember=' . $member->getID();
-$teams = mysql_query($query);
-if (mysql_num_rows($teams) == 0)
+$teams = sql_query($query);
+if (sql_num_rows($teams) == 0 && !$member->isAdmin())
        media_doError(_ERROR_DISALLOWEDUPLOAD);
-       
+
 // get action
 $action = requestVar('action');
 if ($action == '')
        $action = 'selectmedia';
-       
+
 // check ticket
 $aActionsNotToCheck = array('selectmedia', _MEDIA_FILTER_APPLY, _MEDIA_COLLECTION_SELECT);
 if (!in_array($action, $aActionsNotToCheck))
 {
        if (!$manager->checkTicket())
                media_doError(_ERROR_BADTICKET);
-} 
+}
 
 
 switch($action) {
        case 'chooseupload':
        case _MEDIA_UPLOAD_TO:
        case _MEDIA_UPLOAD_NEW:
-               media_choose();
+               if (!$member->isAdmin() and $CONF['AllowUpload'] != true) {
+                       media_doError(_ERROR_DISALLOWED);
+               } else {
+                       media_choose();
+               }
                break;
        case 'uploadfile':
-               media_upload();
+               if (!$member->isAdmin() and $CONF['AllowUpload'] != true) {
+                       media_doError(_ERROR_DISALLOWED);
+               } else {
+                       media_upload();
+               }
                break;
        case _MEDIA_FILTER_APPLY:
        case 'selectmedia':
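Review bot: The upload gate `if (!$member->isAdmin() and $CONF['AllowUpload'] != true)` is written out twice, under the `chooseupload` cases and again under `uploadfile`, so the two branches can drift apart the next time the policy changes. Compute it once before the `switch`, e.g. `$canUpload = $member->isAdmin() || (bool) $CONF['AllowUpload'];`, and reduce each case to `if (!$canUpload) media_doError(_ERROR_DISALLOWED);`; this also replaces the low-precedence `and` with `||`, which is the operator the condition actually means. The admin bypass added to the team-membership check above is consistent with the new gate. The `switch` continues past the end of this hunk.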
@@ -80,10 +95,8 @@ switch($action) {
 // select a file
 function media_select() {
        global $member, $CONF, $DIR_MEDIA, $manager;
-       
-       media_head();
-       
-       // show 10 files + navigation buttons 
+
+       // show 10 files + navigation buttons
        // show msg when no files
        // show upload form
        // files sorted according to last modification date
@@ -92,8 +105,12 @@ function media_select() {
        $currentCollection = requestVar('collection');
        if (!$currentCollection || !@is_dir($DIR_MEDIA . $currentCollection))
                $currentCollection = $member->getID();
-               
-       
+
+       // avoid directory travarsal and accessing invalid directory
+       if (!MEDIA::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);
+
+       media_head();
+
        // get collection list
        $collections = MEDIA::getCollectionList();
 
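Review bot: `MEDIA::isValidCollection($currentCollection)` is applied only after the `!@is_dir($DIR_MEDIA . $currentCollection)` test on the context line above it has already concatenated the unvalidated request value into a filesystem path, so a rejected value still reaches the directory probe before the error fires. Run the validity check first, then apply the `$member->getID()` fallback only to values that passed, so the order of checks matches the intent expressed in the comment. Moving `media_head()` below the check (this hunk and the previous one) looks right, presumably so the error response is not preceded by the popup's head markup. Minor: the comment reads `travarsal` for `traversal`. media_select continues outside the hunk.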
@@ -121,11 +138,11 @@ function media_select() {
                        <input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" />
                        <input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_UPLOAD_NEW) ?>" title="<?php echo htmlspecialchars(_MEDIA_UPLOADLINK) ?>" />
                        <?php $manager->addTicketHidden() ?>
-               </div></form>   
+               </div></form>
        <?php   } // if sizeof
-       
-       $filter = requestVar('filter'); 
-       $offset = intRequestVar('offset');      
+
+       $filter = requestVar('filter');
+       $offset = intRequestVar('offset');
        $arr = MEDIA::getMediaListByCollection($currentCollection, $filter);
 
        ?>
@@ -133,28 +150,28 @@ function media_select() {
                        <label for="media_filter"><?php echo htmlspecialchars(_MEDIA_FILTER_LABEL)?></label>
                        <input id="media_filter" type="text" name="filter" value="<?php echo htmlspecialchars($filter)?>" />
                        <input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_FILTER_APPLY) ?>" />
-                       <input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" />                     
-                       <input type="hidden" name="offset" value="<?php echo intval($offset)?>" />                                              
-               </div></form>   
-       
+                       <input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" />
+                       <input type="hidden" name="offset" value="<?php echo intval($offset)?>" />
+               </div></form>
+
        <?php
-       
-       ?>      
+
+       ?>
                <table width="100%">
                <caption><?php echo _MEDIA_COLLECTION_LABEL . htmlspecialchars($collections[$currentCollection])?></caption>
                <tr>
                 <th><?php echo _MEDIA_MODIFIED?></th><th><?php echo _MEDIA_FILENAME?></th><th><?php echo _MEDIA_DIMENSIONS?></th>
                </tr>
-       
-       <?php   
-       
+
+       <?php
+
        if (sizeof($arr)>0) {
-       
+
                if (($offset + $CONF['MediaPerPage']) >= sizeof($arr))
                        $offset = sizeof($arr) - $CONF['MediaPerPage'];
 
                if ($offset < 0) $offset = 0;
-               
+
                $idxStart = $offset;
                $idxEnd = $offset + $CONF['MediaPerPage'];
                $idxNext = $idxEnd;
@@ -170,52 +187,56 @@ function media_select() {
                        $filename = $DIR_MEDIA . $currentCollection . '/' . $obj->filename;
 
                        $old_level = error_reporting(0);
-                       $size = @GetImageSize($filename); 
+                       $size = @GetImageSize($filename);
                        error_reporting($old_level);
                        $width = $size[0];
                        $height = $size[1];
                        $filetype = $size[2];
-                       
+
                        echo "<tr>";
                        echo "<td>". date("Y-m-d",$obj->timestamp) ."</td>";
 
+                       // strings for javascript
+                       $jsCurrentCollection = str_replace("'","\\'",$currentCollection);
+                       $jsFileName = str_replace("'","\\'",$obj->filename);
+
                        if ($filetype != 0) {
                                // image (gif/jpg/png/swf)
-                               echo "<td><a href='media.php' onclick='chooseImage(\"$currentCollection\",\"$obj->filename\","
-                                                          . "\"$width\",\"$height\""
-                                                          . ")' title='" . htmlspecialchars($obj->filename). "'>"
+                               echo "<td><a href=\"media.php\" onclick=\"chooseImage('", htmlspecialchars($jsCurrentCollection), "','", htmlspecialchars($jsFileName), "',"
+                                                          . "'", htmlspecialchars($width), "','" , htmlspecialchars($height), "'"
+                                                          . ")\" title=\"" . htmlspecialchars($obj->filename). "\">"
                                                           . htmlspecialchars(shorten($obj->filename,25,'...'))
                                                           ."</a>";
                                echo ' (<a href="', htmlspecialchars($CONF['MediaURL'] . $currentCollection . '/' . $obj->filename), '" onclick="window.open(this.href); return false;" title="',htmlspecialchars(_MEDIA_VIEW_TT),'">',_MEDIA_VIEW,'</a>)';
                                echo "</td>";
                        } else {
                                // no image (e.g. mpg)
-                               echo "<td><a href='media.php' onclick='chooseOther(\"$currentCollection\",\"$obj->filename\""
-                                                          . ")' title='" . htmlspecialchars($obj->filename). "'>"
+                               echo "<td><a href='media.php' onclick=\"chooseOther('" , htmlspecialchars($jsCurrentCollection), "','", htmlspecialchars($jsFileName), "'"
+                                                          . ")\" title=\"" . htmlspecialchars($obj->filename). "\">"
                                                           . htmlspecialchars(shorten($obj->filename,30,'...'))
                                                           ."</a></td>";
 
                        }
-                       echo '<td>' , $width , 'x' , $height , '</td>';
+                       echo '<td>' , htmlspecialchars($width) , 'x' , htmlspecialchars($height) , '</td>';
                        echo '</tr>';
                }
        } // if (sizeof($arr)>0)
        ?>
-       
+
                </table>
-       <?php   
+       <?php
        if ($idxStart > 0)
                echo "<a href='media.php?offset=$idxPrev&amp;collection=".urlencode($currentCollection)."'>". _LISTS_PREV."</a> ";
        if ($idxEnd < sizeof($arr))
                echo "<a href='media.php?offset=$idxNext&amp;collection=".urlencode($currentCollection)."'>". _LISTS_NEXT."</a> ";
-       
+
        ?>
                <input id="typeradio0" type="radio" name="typeradio" onclick="setType(0);" checked="checked" /><label for="typeradio0"><?php echo _MEDIA_INLINE?></label>
                <input id="typeradio1" type="radio" name="typeradio" onclick="setType(1);" /><label for="typeradio1"><?php echo _MEDIA_POPUP?></label>
-       <?php   
+       <?php
        media_foot();
-     
-               
+
+
 }
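Review bot: The new `$jsCurrentCollection`/`$jsFileName` escaping replaces only `'` with `\'`, so a backslash in a collection name or filename is passed through unchanged and a value ending in `\` followed by a quote still closes the JavaScript string literal inside the `onclick` attribute. Escape the backslash first, e.g. `$jsCurrentCollection = str_replace(array('\\', "'"), array('\\\\', "\\'"), $currentCollection);` and `$jsFileName = str_replace(array('\\', "'"), array('\\\\', "\\'"), $obj->filename);`, and keep the `htmlspecialchars()` wrapping as the attribute-level layer. The `chooseOther` anchor still opens with `href='media.php'` while the `chooseImage` one was switched to double quotes; aligning them would make the two branches read the same. media_select's body starts before this hunk.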
 
 /**
@@ -225,19 +246,19 @@ function media_choose() {
        global $CONF, $member, $manager;
 
        $currentCollection = requestVar('collection');
-       
+
        $collections = MEDIA::getCollectionList();
 
        media_head();
        ?>
        <h1><?php echo _UPLOAD_TITLE?></h1>
-       
+
        <p><?php echo _UPLOAD_MSG?></p>
-       
+
        <form method="post" enctype="multipart/form-data" action="media.php">
        <div>
-         <input type="hidden" name="action" value="uploadfile" />
-         <?php $manager->addTicketHidden() ?>
+         <input type="hidden" name="action" value="uploadfile" />
+         <?php $manager->addTicketHidden() ?>
          <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $CONF['MaxUploadSize']?>" />
          File:
          <br />
@@ -257,15 +278,22 @@ function media_choose() {
                </select>
        <?php           } else {
        ?>
-               <input name="collection" type="hidden" value="<?php echo htmlspecialchars(requestVar('collection'))?>" />                       
+               <input name="collection" type="hidden" value="<?php echo htmlspecialchars(requestVar('collection'))?>" />
        <?php           } // if sizeof
-       ?>  
-         <br /><br />
-         <input type="submit" value="<?php echo _UPLOAD_BUTTON?>" />
+       ?>
+       <br /><br />
+       <?php
+       $manager->notify(
+               'MediaUploadFormExtras',
+               array()
+       );
+       ?>
+       <br /><br />
+       <input type="submit" value="<?php echo _UPLOAD_BUTTON?>" />
        </div>
        </form>
-       
-       <?php   
+
+       <?php
        media_foot();
 }
 
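Review bot: The new `$manager->notify('MediaUploadFormExtras', array())` call is the only plugin hook in this form and nothing explains what it is for or why its parameter array is empty. Add a one-line comment above it, e.g. `// plugin hook: lets plugins append extra fields to the upload form (no data is passed)`, so the event name is discoverable from the form it extends; the empty array presumably means plugins receive no context, which is worth confirming against the plugin API. media_choose's body starts before this hunk.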
@@ -275,13 +303,36 @@ function media_choose() {
   */
 function media_upload() {
        global $DIR_MEDIA, $member, $CONF;
-
+       
        $uploadInfo = postFileInfo('uploadfile');
        
        $filename = $uploadInfo['name'];
        $filetype = $uploadInfo['type'];
        $filesize = $uploadInfo['size'];
        $filetempname = $uploadInfo['tmp_name'];
+       $fileerror = intval($uploadInfo['error']);
+       
+       // clean filename of characters that may cause trouble in a filename using cleanFileName() function from globalfunctions.php
+       $filename = cleanFileName($filename);
+       if ($filename === false) 
+               media_doError(_ERROR_BADFILETYPE);
+       
+       switch ($fileerror)
+       {
+               case 0: // = UPLOAD_ERR_OK
+                       break;
+               case 1: // = UPLOAD_ERR_INI_SIZE
+               case 2: // = UPLOAD_ERR_FORM_SIZE
+                       media_doError(_ERROR_FILE_TOO_BIG);
+               case 3: // = UPLOAD_ERR_PARTIAL
+               case 4: // = UPLOAD_ERR_NO_FILE
+               case 6: // = UPLOAD_ERR_NO_TMP_DIR
+               case 7: // = UPLOAD_ERR_CANT_WRITE
+               default:
+                       // include error code for debugging
+                       // (see http://www.php.net/manual/en/features.file-upload.errors.php)
+                       media_doError(_ERROR_BADREQUEST . ' (' . $fileerror . ')');
+       }
        
        if ($filesize > $CONF['MaxUploadSize'])
                media_doError(_ERROR_FILE_TOO_BIG);
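Review bot: `cleanFileName($filename)` runs before the `$fileerror` switch, so for an upload that failed with UPLOAD_ERR_NO_FILE the (likely empty) name is cleaned first and the user may be shown `_ERROR_BADFILETYPE` instead of the upload error that actually occurred; move the `switch` above the cleanFileName call. The `case 1`/`case 2` arm falls through into `default` after `media_doError(_ERROR_FILE_TOO_BIG)`, which only behaves because media_doError appears not to return (the same pattern is relied on at the top of the file); add `break;` after it, or a `// media_doError() does not return` comment, so the fall-through reads as intended. The numeric cases could also use the `UPLOAD_ERR_*` constants they already name in comments. media_upload continues outside the hunk.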
@@ -289,13 +340,16 @@ function media_upload() {
        // check file type against allowed types
        $ok = 0;
        $allowedtypes = explode (',', $CONF['AllowedTypes']);
-       foreach ( $allowedtypes as $type ) 
-               if (eregi("\." .$type. "$",$filename)) $ok = 1;    
+       foreach ( $allowedtypes as $type )
+       {
+               //if (eregi("\." .$type. "$",$filename)) $ok = 1;
+               if (preg_match("#\." .$type. "$#i",$filename)) $ok = 1;
+       }
        if (!$ok) media_doError(_ERROR_BADFILETYPE);
-               
-       if (!is_uploaded_file($filetempname)) 
+       
+       if (!is_uploaded_file($filetempname))
                media_doError(_ERROR_BADREQUEST);
-
+       
        // prefix filename with current date (YYYY-MM-DD-)
        // this to avoid nameclashes
        if ($CONF['MediaPrefix'])
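Review bot: `preg_match("#\." .$type. "$#i",$filename)` interpolates each entry of `$CONF['AllowedTypes']` into the pattern unescaped, so an entry containing a regex metacharacter or `#` alters or breaks the pattern, and whitespace around the commas in the config makes that entry never match; use `if (preg_match('#\.' . preg_quote(trim($type), '#') . '\z#i', $filename)) $ok = 1;`. `\z` is preferred to `$` because `$` in PCRE also matches before a trailing newline. The commented-out `eregi` line above it should go now that its replacement is in place. media_upload's body continues on both sides of the hunk.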
@@ -304,9 +358,9 @@ function media_upload() {
        $collection = requestVar('collection');
        $res = MEDIA::addMediaObject($collection, $filetempname, $filename);
 
-       if ($res != '') 
+       if ($res != '')
                media_doError($res);
-       
+
        // shows updated list afterwards
        media_select();
 }
@@ -315,11 +369,11 @@ function media_loginAndPassThrough() {
        media_head();
        ?>
                <h1><?php echo _LOGIN_PLEASE?></h1>
-       
+
                <form method="post" action="media.php">
                <div>
                        <input name="action" value="login" type="hidden" />
-                       <input name="collection" value="<?php echo htmlspecialchars(requestVar('collection'))?>" type="hidden" />                       
+                       <input name="collection" value="<?php echo htmlspecialchars(requestVar('collection'))?>" type="hidden" />
                        <?php echo _LOGINFORM_NAME?>: <input name="login" />
                        <br /><?php echo _LOGINFORM_PWD?>: <input name="password" type="password" />
                        <br /><input type="submit" value="<?php echo _LOGIN?>" />
@@ -344,41 +398,41 @@ function media_doError($msg) {
 function media_head() {
 ?>
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-       <html xmlns="http://www.w3.org/1999/xhtml">
+       <html <?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>
        <head>
-               <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+               <meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />
                <title>Nucleus Media</title>
                <link rel="stylesheet" type="text/css" href="styles/popups.css" />
                <script type="text/javascript">
                        var type = 0;
                        function setType(val) { type = val; }
-                       
+
                        function chooseImage(collection, filename, width, height) {
-                               window.opener.focus(); 
+                               window.opener.focus();
                                window.opener.includeImage(collection,
-                                                                                  filename, 
-                                                          type == 0 ? 'inline' : 'popup',
-                                                          width,
-                                                          height
-                                                          );
+                                                                                  filename,
+                                                                                  type == 0 ? 'inline' : 'popup',
+                                                                                  width,
+                                                                                  height
+                                                                                  );
                                window.close();
                        }
-                       
+
                        function chooseOther(collection, filename) {
-                               window.opener.focus(); 
+                               window.opener.focus();
                                window.opener.includeOtherMedia(collection, filename);
                                window.close();
-                       
+
                        }
                </script>
        </head>
-       <body>          
+       <body>
 <?php }
 
 function media_foot() {
 ?>
        </body>
-       </html> 
-<?php }        
+       </html>
+<?php }
 
 ?>