Changeset 15453

Timestamp:

08/15/11 01:43:59 (10 months ago)

Author:

Alexander Trofimov

Message:

Storage Engine (allow deny by file extension)

Location:

trunk

Files:

• inc/classes/BxDolStorage.php (modified) (3 diffs)
• inc/classes/BxDolStorageLocal.php (modified) (2 diffs)
• inc/classes/BxDolStorageS3.php (modified) (2 diffs)
• inc/images.inc.php (modified) (1 diff)
• install/sql/v70.sql (modified) (2 diffs)

trunk/inc/classes/BxDolStorage.php

@@ -36 +36 @@
 define('BX_DOL_STORAGE_INVALID_FILE', 1002); ///< uploaded file is invalid or hack attempts
 define('BX_DOL_STORAGE_ERR_FILE_TOO_BIG', 1003); ///< file is too big
-define('BX_DOL_STORAGE_ERR_USER_QUOTA_EXCEEDED', 1004); ///< user quota exceeded
-define('BX_DOL_STORAGE_ERR_OBJECT_QUOTA_EXCEEDED', 1005); ///< storage object quota exceeded
-define('BX_DOL_STORAGE_ERR_SITE_QUOTA_EXCEEDED', 1006); ///< site quota exceeded
-define('BX_DOL_STORAGE_ERR_ENGINE_ADD', 1007); ///< some other error during file adding occured, related to particular storage engine
+define('BX_DOL_STORAGE_ERR_WRONG_EXT', 1004); ///< wrong file extension
+define('BX_DOL_STORAGE_ERR_USER_QUOTA_EXCEEDED', 1005); ///< user quota exceeded
+define('BX_DOL_STORAGE_ERR_OBJECT_QUOTA_EXCEEDED', 1006); ///< storage object quota exceeded
+define('BX_DOL_STORAGE_ERR_SITE_QUOTA_EXCEEDED', 1007); ///< site quota exceeded
+define('BX_DOL_STORAGE_ERR_ENGINE_ADD', 1008); ///< some other error during file adding occured, related to particular storage engine
 
 define('BX_DOL_STORAGE_ERR_FILE_NOT_FOUND', 2001); ///< file not found
@@ -277 +278 @@
 
     // ------------ internal functions
+
+    protected function storeUploadedFileBegin($aFile, $isPrivate = false, $iProfileId = 0) { 
+
+        if (!$aFile['size'] || !$aFile['tmp_name']) {
+            $this->setErrorCode(BX_DOL_STORAGE_ERR_NO_FILE);
+            return false;
+        }
+
+        if (UPLOAD_ERR_OK != $aFile['error']) {
+            $this->setErrorCode((int)$aFile['error']);
+            return false;
+        }
+
+        $sExt = $this->getFileExt($aFile['name']);
+        $sMimeType = $this->getMimeTypeByFileName($aFile['name']);
+
+        if (!$this->isValidExt($sExt)) {
+            $this->setErrorCode(BX_DOL_STORAGE_ERR_WRONG_EXT);
+            return false;
+        }
+
+        if (!$this->onBeforeFileAdd (array(
+            'profile_id' => $iProfileId,
+            'file_name' => $aFile['name'],
+            'mime_type' => $sMimeType,
+            'ext' => $sExt,
+            'size' => $aFile['size'],
+            'private' => $isPrivate ? 1 : 0,
+        ))) {
+            return false;
+        }
+
+        return true;
+    }
 
     protected function setErrorCode($i) {
@@ -313 +348 @@
         return $sMimeType;
     }
+
+    protected function isValidExt ($sExt) {
+        switch ($this->_aObject['ext_mode']) {
+            case 'allow-deny':
+                if ($this->isAllowedExt($sExt))
+                    return true;
+                return false;
+            case 'deny-allow':
+                if ($this->isDeniedExt($sExt))
+                    return false;
+                return true;
+            default:
+                return false;
+        }
+    }
+
+    protected function isAllowedExt ($sExt) {
+        return $this->isAllowedDeniedExt($sExt, 'ext_allow');
+    }
+
+    protected function isDeniedExt ($sExt) {
+        return $this->isAllowedDeniedExt($sExt, 'ext_deny');
+    }
+
+    protected function isAllowedDeniedExt ($sExt, $sExtMode) {
+        if ('' == $this->_aObject[$sExtMode])
+            return false;
+        if (!is_array($this->_aObject[$sExtMode]))    
+            $this->_aObject[$sExtMode] = explode(',', $this->_aObject[$sExtMode]);
+        return in_array ($sExt, $this->_aObject[$sExtMode]);
+    }
+
 }
 

trunk/inc/classes/BxDolStorageLocal.php

@@ -35 +35 @@
     public function storeUploadedFile($aFile, $isPrivate = false, $iProfileId = 0) { 
 
-        if (!$aFile['size'] || !$aFile['tmp_name']) {
-            $this->setErrorCode(BX_DOL_STORAGE_ERR_NO_FILE);
-            return false;
-        }
-
-        if (UPLOAD_ERR_OK != $aFile['error']) {
-            $this->setErrorCode((int)$aFile['error']);
-            return false;
-        }
+        if (!$this->storeUploadedFileBegin($aFile, $isPrivate, $iProfileId))
+            return false;
 
         $sExt = $this->getFileExt($aFile['name']);
         $sMimeType = $this->getMimeTypeByFileName($aFile['name']);
-
-        if (!$this->onBeforeFileAdd (array(
-            'profile_id' => $iProfileId,
-            'file_name' => $aFile['name'],
-            'mime_type' => $sMimeType,
-            'ext' => $sExt,
-            'size' => $aFile['size'],
-            'private' => $isPrivate ? 1 : 0,
-        ))) {
-            return false;
-        }
 
         $sLocalId = $this->genRandName();
@@ -131 +113 @@
             return false;
         }
- 
-        if (!is_writable($sFileLocation)) {
-            $this->setErrorCode(BX_DOL_STORAGE_ERR_FILESYSTEM_PERM);
-            return false;
-        }
 
         if (!$this->onBeforeFileDelete ($aFile, $iProfileId)) {

trunk/inc/classes/BxDolStorageS3.php

@@ -55 +55 @@
     public function storeUploadedFile($aFile, $isPrivate = false, $iProfileId = 0) { 
 
-        if (!$aFile['size'] || !$aFile['tmp_name']) {
-            $this->setErrorCode(BX_DOL_STORAGE_ERR_NO_FILE);
+        if (!$this->storeUploadedFileBegin($aFile, $isPrivate, $iProfileId))
             return false;
-        }
-
-        if (UPLOAD_ERR_OK != $aFile['error']) {
-            $this->setErrorCode((int)$aFile['error']);
-            return false;
-        }
 
         $sExt = $this->getFileExt($aFile['name']);
-        $sMimeType = $this->getMimeTypeByFileName($aFile['name']);        
-
-        if (!$this->onBeforeFileAdd (array(
-            'profile_id' => $iProfileId,
-            'file_name' => $aFile['name'],
-            'mime_type' => $sMimeType,
-            'ext' => $sExt,
-            'size' => $aFile['size'],
-            'private' => $isPrivate ? 1 : 0,
-        ))) {
-            return false;
-        }
+        $sMimeType = $this->getMimeTypeByFileName($aFile['name']);
         
         $sLocalId = $this->genRandName();
@@ -133 +115 @@
         ))) {
             $this->_oDb->deleteFile($iId);
-            unlink($sNewFilePath);
+            $this->_s3->deleteObject($this->_sBucket, $this->getObjectBaseDir($isPrivate) . $sRemoteNamePath);
             return false;
         }

trunk/inc/images.inc.php

@@ -52 +52 @@
 function produceSecurityImage( $text, $hash )
 {
-    $use_gd = false;
+    global $use_gd;
     global $gdInstalled;
 
+    bx_import('BxDolConfig');
     $sTmpPath = BxDolConfig::getInstance()->get('path_dynamic', 'tmp');
 

trunk/install/sql/v70.sql

@@ -3538 +3538 @@
   `levels` tinyint(4) NOT NULL,
   `table_files` varchar(64) NOT NULL,
+  `ext_mode` enum('allow-deny','deny-allow') NOT NULL,
+  `ext_allow` text NOT NULL,
+  `ext_deny` text NOT NULL,
   `quota_size` int(11) NOT NULL,
   `current_size` int(11) NOT NULL,
@@ -3545 +3548 @@
   `ts` int(11) NOT NULL,
   PRIMARY KEY (`id`)
-) ENGINE=MyISAM  DEFAULT CHARSET=utf8;
+) ENGINE=MyISAM DEFAULT CHARSET=utf8;
 
 CREATE TABLE IF NOT EXISTS `sys_storage_user_quotas` (