<?php
/*
* ***********************************************************************************************
* Filename: admin_module_upload.inc.php
* Module: Admin-Module
* Subcategory: Upload pictures/images
* Description: Lets you upload your images to the specific album (sec-checks!)
* Remark: Idea and great parts of the sourcecode from Kim Le (Thank You!)
* ***********************************************************************************************
*
*
* Project: yappa-ng : yet another php photo album - next generation
* Author: Fritz Berger <hide@address.com>
* Copyright: 2003 Fritz Berger
* $Header: /cvsroot/yappa-ng/yappa-ng/admin_modules/admin_module_upload.inc.php,v 1.18 2005/04/25 18:02:07 zirkon13 Exp $
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* You may contact the author of yappa-ng by e-mail at:
* hide@address.com
*
* The latest version of yappa-ng can be obtained from:
* http://www.zirkon.at/zirkon/scripts/yappa-ng/yappa-ng_main_ger.html (german)
* http://www.zirkon.at/zirkon/scripts/yappa-ng/yappa-ng_main_eng.html (english)
*
* ***********************************************************************************************
* ***********************************************************************************************
* *** ***
* *** yappa-ng is based on "YAPPA v1.7 devel - 22.April 2002" ***
* *** released on http://sourceforge.net/projects/yappa/ ***
* *** YAPPA is Copyright Federico 'pix' Feroldi (hide@address.com) ***
* *** YAPPA is released under the GNU GPL ***
* *** ***
* ***********************************************************************************************
* ***********************************************************************************************
*/
?>
<?php
/*
* Standard Security Check
*/
// Guard against direct requests: the surrounding yappa-ng code defines SecCheck
// before including any admin module, so a bare hit on this file stops here.
defined('SecCheck') or die("You Cannot Access This Script Directly - Have a Nice Day.");
/* Cleanup the file name removing any special characters. */
/* Code for this function submitted by:
* Marc Andrew Pawlowsky (marcpawl at users dot sourceforge dot net)
*/
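/**
 * Reduce an untrusted, browser-supplied file name to an ASCII allow-list.
 *
 * The rules are those of the original implementation (only the removed
 * ereg() call has been replaced by preg_match(), so the function works on
 * PHP 7 and later):
 *  - leading periods are dropped (a leading "." means a hidden file on Unix);
 *    this is re-checked after other leading junk has been discarded, so
 *    "/.htaccess" becomes "htaccess"
 *  - A-Z, a-z, 0-9, "_" and "-" pass through unchanged
 *  - a blank becomes "_"
 *  - "." is kept, but never two in a row (the second of ".." is dropped)
 *  - every other byte ("/", "\", "<", ">", NUL, non-ASCII, ...) is discarded
 *
 * @param string $old_name file name as supplied by the client
 * @return string cleaned name; "" when nothing safe remains
 */
function CleanFileName($old_name) {
    // ltrim with a "." char list is exactly the old "strip while the first char is a period" loop.
    $old_name = ltrim((string)$old_name, '.');
    $new_name = "";
    $len = strlen($old_name);
    // true while the last kept character was a "." (blocks ".." sequences)
    $l_prev_was_dot = false;
    // true until the first character has been kept: a "." may not be the first
    // kept character, which can happen again once leading junk like "/" is dropped
    $l_nothing_kept_yet = true;
    for ($i = 0; $i < $len; $i++) {
        $letter = $old_name[$i];
        // The class is deliberately plain ASCII so locale settings cannot widen the allow-list.
        if (preg_match('/^[A-Za-z0-9]$/', $letter)) {
            $new_name .= $letter;
            $l_prev_was_dot = false;
            $l_nothing_kept_yet = false;
            continue;
        }
        if ($letter === " ") {
            $letter = "_";
        }
        if ($letter === "." && !$l_prev_was_dot && !$l_nothing_kept_yet) {
            $new_name .= ".";
            $l_prev_was_dot = true;
        } elseif ($letter === "_" || $letter === "-") {
            $new_name .= $letter;
            $l_prev_was_dot = false;
            $l_nothing_kept_yet = false;
        }
        // any other byte is silently dropped
    }
    return $new_name;
}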
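if (!function_exists('yappa_upload_log')) {
    /**
     * Append one line to yappa-ng.log when $config["loglevel"] has the given bit set.
     *
     * @param array  $config     yappa-ng configuration; only "loglevel" is read
     * @param int    $level_bit  bit that enables the entry (1 = Administration, 8 = Warning)
     * @param string $level_name level label written into the log line
     * @param string $text       message; CR/LF are replaced by blanks so a crafted file or
     *                           album name cannot forge additional log lines
     * @param string $remote     value for the remote-address field ("-" when not applicable)
     * @param int    $line       source line to record (pass __LINE__)
     */
    function yappa_upload_log($config, $level_bit, $level_name, $text, $remote, $line) {
        if (!($level_bit & (int)$config["loglevel"])) {
            return;
        }
        $l_clean = str_replace(array("\r", "\n"), " ", $text);
        $log_msg = date("U") . "|" . $level_name . "|" . $l_clean . "|" . $remote . "|-|admin_module_upload.inc.php|" . $line . "\n";
        // logging is best-effort, as in the rest of yappa-ng
        @error_log($log_msg, 3, "yappa-ng.log");
    }
}

$config['lang_intuitive'] = "no";
$album->clear_album_comment();
$album->read_album_info();
$page["album_title"] = $album->_album_title;
$uri_base = str_replace("&admintask=Upload", "", $global_var['self_url']);
$num_files = (int)$config["upload_number"];
$l_upload_limit = (int)$config["upload_limit"];
$l_album = rawurldecode($_GET["album"]);
$dir = singleslash($config["photo_root"] . "/" . $l_album);

// Permitted filetypes, "|"-joined: shown to the user further down and used for the extension check.
$l_permitted = implode("|", $config['permitted_filetypes']);
// Same list with every entry regex-escaped, so a config value containing "." or "(" cannot
// change the meaning of the pattern below.
$l_permitted_re = array();
foreach ($config['permitted_filetypes'] as $ok) {
    $l_permitted_re[] = preg_quote($ok, '/');
}
$l_permitted_re = implode("|", $l_permitted_re);

// The album name comes straight from the query string. Resolve both paths and only accept a
// target directory that is photo_root itself or lies below it, so uploads can never be written
// outside the album tree (e.g. through "../" in the album parameter).
$l_root_real = realpath($config["photo_root"]);
$l_dir_real = realpath($dir);
$l_dir_is_safe = false;
if ($l_root_real !== false && $l_dir_real !== false) {
    $l_root_prefix = rtrim($l_root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $l_dir_is_safe = ($l_dir_real === $l_root_real)
        || (strncmp($l_dir_real, $l_root_prefix, strlen($l_root_prefix)) === 0);
}

if (isset($_FILES['fupload']) && !$l_dir_is_safe) {
    // Refuse the whole batch rather than write anywhere outside photo_root.
    $msg[0] = $lang_akt["admin_upload_error"] . "<br>";
    yappa_upload_log($config, 8, "Warning", "AlbumAdmin Upload: Refused upload, album '" . $l_album . "' does not resolve below photo_root", $_SERVER['REMOTE_ADDR'], __LINE__);
} elseif (isset($_FILES['fupload'])) {
    for ($i = 0; $i < $num_files; $i++) {
        // Empty form slots are skipped silently.
        if (empty($_FILES['fupload']['name'][$i]) || empty($_FILES['fupload']['size'][$i])) {
            continue;
        }
        $l_original_filename = $_FILES['fupload']['name'][$i];
        $l_original_filesize = $_FILES['fupload']['size'][$i];
        $l_tmp_name = $_FILES['fupload']['tmp_name'][$i];
        $l_error = isset($_FILES['fupload']['error'][$i]) ? (int)$_FILES['fupload']['error'][$i] : UPLOAD_ERR_OK;
        $l_dest_filename = CleanFileName($l_original_filename);
        $dest = singleslash($dir . "/" . $l_dest_filename);
        // The browser-supplied name is untrusted text and ends up in HTML via $msg; the cleaned
        // name only contains [A-Za-z0-9_.-] and needs no escaping.
        $l_shown_name = htmlspecialchars($l_original_filename, ENT_QUOTES);
        $l_prefix = $lang_akt["admin_upload_file"] . ($i + 1) . ": ";

        // Accept only names that do not start with a dot, have at least one character before
        // the extension and end in a permitted extension. Only the final extension is checked
        // ("a.b.jpg" passes), so the web server must not map inner extensions to handlers.
        if (!preg_match('/^[^.].+\.(' . $l_permitted_re . ')$/i', $l_dest_filename)) {
            $msg[$i] = $l_prefix . $l_shown_name . " / " . $l_original_filesize . " Bytes " . $lang_akt["admin_upload_noimage"] . "<br>";
            yappa_upload_log($config, 8, "Warning", "AlbumAdmin Upload: Uploaded file is NOT a permitted filetype '" . $l_original_filename . "' into album '" . $l_album . "'", $_SERVER['REMOTE_ADDR'], __LINE__);
            continue;
        }

        // Server-side counterpart of the MAX_FILE_SIZE form field (which the client may ignore),
        // PHP's own upload status, and the is_uploaded_file()/move_uploaded_file() pair instead of
        // copy(), so only a file that really arrived via this request can be placed in the album.
        if ($l_error !== UPLOAD_ERR_OK
            || ($l_upload_limit > 0 && (int)$l_original_filesize > $l_upload_limit)
            || !is_uploaded_file($l_tmp_name)
            || !move_uploaded_file($l_tmp_name, $dest)) {
            $msg[$i] = $l_prefix . $l_shown_name . " / " . $l_original_filesize . " Bytes: " . $lang_akt["admin_upload_error"] . "<br>";
            yappa_upload_log($config, 8, "Warning", "AlbumAdmin Upload: Could not upload file '" . $l_original_filename . "' into album '" . $l_album . "'", $_SERVER['REMOTE_ADDR'], __LINE__);
            continue;
        }

        // upload ok
        $msg[$i] = $l_prefix . $l_dest_filename . " / " . $l_original_filesize . " Bytes " . $lang_akt["admin_upload_ok"] . "<br>";
        if ($l_original_filename !== $l_dest_filename) {
            yappa_upload_log($config, 1, "Administration", "AlbumAdmin Upload: CHANGED filename from '" . $l_original_filename . "' to '" . $l_dest_filename . "' !", $_SERVER['REMOTE_ADDR'], __LINE__);
        }
        yappa_upload_log($config, 1, "Administration", "AlbumAdmin Upload: UPLOAD of file '" . $l_dest_filename . "' into album '" . $l_album . "' successful.", $_SERVER['REMOTE_ADDR'], __LINE__);
        // world-readable so the web server can serve the picture; failure is only logged
        if (!@chmod($dest, 0644)) {
            yappa_upload_log($config, 8, "Warning", "AlbumAdmin Upload: Failed to CHMOD successfully uploaded file '" . $l_dest_filename . "' into album '" . $l_album . "'", "-", __LINE__);
        }
    }
}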
?>
<form action="<?php /* NOTE(review): self_url is printed raw into an attribute - confirm it is escaped where it is built */ print $global_var['self_url']; ?>" enctype="multipart/form-data" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="<?php /* client-side hint only; the upload loop above must enforce the limit itself */ print $config["upload_limit"]; ?>">
<table cellspacing="0" cellpadding="5" border="0" width="100%">
<tr valign="top">
<td class="thumbnailCell">
<table width="100%" border="0" cellspacing="0" cellpadding="3">
<tr><td colspan=2 align="center" class="adminHeading"><?php print $lang_akt["admin_upload_hmain"]; ?></td></tr>
<tr><td colspan=4 align="center" class="adminDescription"><?php print $lang_akt["admin_upload_album"]; ?></td></tr>
<tr><td colspan=4 align="center" class="adminAlbum"> " <?php /* NOTE(review): album title/name are printed without htmlspecialchars - confirm they are escaped upstream */ print $page["album_title"] ? $page["album_title"] : $page["album_name"]; ?> " </td></tr>
<tr><td colspan=4 align="center" class="adminComments"><?php print $lang_akt["admin_upload_expl1"]; ?></td></tr>
<tr><td colspan=4 align="center" class="adminComments"><?php /* $l_permitted is the "|"-joined permitted_filetypes list built at the top of this module */ $l_help = str_replace("|",", ",$l_permitted); print $l_help; ?></td></tr>
<tr><td colspan=4 align="center" class="adminComments"><?php print $lang_akt["admin_upload_expl2a"] . $config["upload_limit"] . $lang_akt["admin_upload_expl2b"]; ?></td></tr>
<tr><td colspan="2" class="passwdAdminCancel" align="center" >
[ <b><a href="<?php echo $uri_base ?>"><?php echo $lang_akt["passwd_admin_cancel"]; ?></b></a> ]</td></tr>
<tr><td width="10%"> </td><td> </td></tr>
<tr><td colspan="2" align="center" class="adminStatus">
<?php /* per-slot status lines ($msg) are filled in by the upload loop at the top of this module */ if(isset($_POST['BeenSubmitted'])) {
for ($i=0; $i<$num_files; $i++ ) {
if(isset($msg[$i])) {
print $msg[$i];
}
}
} ?>
</td></tr>
<?php /* one file input per configured upload slot; the index becomes the key in $_FILES['fupload'] */ for ($i=0; $i<$num_files; $i++) { ?>
<tr><td width="10%" nowrap><?php print $lang_akt["admin_upload_file"] . ($i+1). ": " ; ?></td>
<td><input type=file size=30 name="fupload[<?php print $i; ?>]"></td></tr>
<?php }
/* <td><input type=file size=30 name="fupload_<?=$i?>"></td></tr> */
?>
<tr><td colspan="2"> </td></tr>
<tr><td colspan="2" align="center">
<input type="hidden" name="BeenSubmitted" value="true">
<input type="submit" name="submit" value="<?php print $lang_akt['submit']; ?>">
</td>
</tr>
</table>
</td>
</tr>
</table>
</form>