From 3306daecf4450555961490c11e70e7cf7fe7b86e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 11 Apr 2013 19:12:00 +0400
Subject: [PATCH] implement upload-related support for open_basedir

---
 cache/upload/.empty                 |  0
 classes/opml.php                    | 30 ++++++++++++++++++++++++++---
 classes/pref/feeds.php              | 25 ++++++++++++++++++++----
 include/rssfuncs.php                |  2 +-
 include/sanity_check.php            |  8 ++++----
 install/index.php                   |  4 ----
 plugins/googlereaderimport/init.php | 28 +++++++++++++++++++++++++--
 7 files changed, 79 insertions(+), 18 deletions(-)
 create mode 100644 cache/upload/.empty

diff --git a/cache/upload/.empty b/cache/upload/.empty
new file mode 100644
index 00000000..e69de29b
diff --git a/classes/opml.php b/classes/opml.php
index 7a49f757..2ecae423 100644
--- a/classes/opml.php
+++ b/classes/opml.php
@@ -461,11 +461,35 @@ class Opml extends Handler_Protected {
 #		if ($debug) $doc = DOMDocument::load("/tmp/test.opml");
-		if (is_file($_FILES['opml_file']['tmp_name'])) {
+		if ($_FILES['opml_file']['error'] != 0) {
+			print_error(T_sprintf("Upload failed with error code %d",
+				$_FILES['opml_file']['error']));
+			return;
+		}
+
+		$tmp_file = false;
+
+		if (is_uploaded_file($_FILES['opml_file']['tmp_name'])) {
+			$tmp_file = tempnam(CACHE_DIR . '/upload', 'opml');
+
+			$result = move_uploaded_file($_FILES['opml_file']['tmp_name'],
+				$tmp_file);
+
+			if (!$result) {
+				print_error(__("Unable to move uploaded file."));
+				return;
+			}
+		} else {
+			print_error(__('Error: please upload OPML file.'));
+			return;
+		}
+
+		if (is_file($tmp_file)) {
 			$doc = new DOMDocument();
-			$doc->load($_FILES['opml_file']['tmp_name']);
+			$doc->load($tmp_file);
+			unlink($tmp_file);
 		} else if (!$doc) {
-			print_error(__('Error: please upload OPML file.'));
+			print_error(__('Error: unable to find moved OPML file.'));
 			return;
 		}
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 469ca111..f57cc37d 100644
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
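Review bot: The `if (!$result)` branch returns without removing the file tempnam() already created in CACHE_DIR/upload, so every failed move_uploaded_file() leaves an empty `opml*` file behind until expire_cached_files() reaps it; add `@unlink($tmp_file);` before that `return;`. tempnam() itself can return false, and when the upload directory is not writable it falls back to the system temp dir (exactly the open_basedir case this commit targets), so a guard `if ($tmp_file === false) { print_error(__("Unable to move uploaded file.")); return; }` belongs between tempnam() and the move. `$doc->load($tmp_file)` now parses a file the user fully controls; its return value is still unchecked, and unless external entity loading is disabled elsewhere (not visible here) a crafted OPML with external entities is a concern on the PHP/libxml versions of this era. The enclosing import method starts before and continues after this hunk.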
@@ -463,7 +463,7 @@ class Pref_Feeds extends Handler_Protected {
 				WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
 			if (db_num_rows($result) != 0) {
-				unlink(ICONS_DIR . "/$feed_id.ico");
+				@unlink(ICONS_DIR . "/$feed_id.ico");
 			}
 			return;
@@ -472,7 +472,22 @@ class Pref_Feeds extends Handler_Protected {
 		function uploadicon() {
 			header("Content-type: text/html");
-			$icon_file = $_FILES['icon_file']['tmp_name'];
+			$tmp_file = false;
+
+			if (is_uploaded_file($_FILES['icon_file']['tmp_name'])) {
+				$tmp_file = tempnam(CACHE_DIR . '/upload', 'icon');
+
+				$result = move_uploaded_file($_FILES['icon_file']['tmp_name'],
+					$tmp_file);
+
+				if (!$result) {
+					return;
+				}
+			} else {
+				return;
+			}
+
+			$icon_file = $tmp_file;
 			$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 			if (is_file($icon_file) && $feed_id) {
@@ -482,8 +497,8 @@ class Pref_Feeds extends Handler_Protected {
 					WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
 				if (db_num_rows($result) != 0) {
-					unlink(ICONS_DIR . "/$feed_id.ico");
-					move_uploaded_file($icon_file, ICONS_DIR . "/$feed_id.ico");
+					@unlink(ICONS_DIR . "/$feed_id.ico");
+					rename($icon_file, ICONS_DIR . "/$feed_id.ico");
 					$rc = 0;
 				} else {
 					$rc = 2;
@@ -495,6 +510,8 @@ class Pref_Feeds extends Handler_Protected {
 				$rc = 2;
 			}
+			@unlink($icon_file);
+
 			print "";
diff --git a/include/rssfuncs.php b/include/rssfuncs.php
index 727e4289..7c2e1655 100644
--- a/include/rssfuncs.php
+++ b/include/rssfuncs.php
@@ -1191,7 +1191,7 @@
 	}
 	function expire_cached_files($debug) {
-		foreach (array("simplepie", "images", "export") as $dir) {
+		foreach (array("simplepie", "images", "export", "upload") as $dir) {
 			$cache_dir = CACHE_DIR . "/$dir";
 			if ($debug) _debug("Expiring $cache_dir");
diff --git a/include/sanity_check.php b/include/sanity_check.php
index 99d3051f..69309290 100644
--- a/include/sanity_check.php
+++ b/include/sanity_check.php
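Review bot: Both new failure paths in uploadicon() — the `else { return; }` when nothing was uploaded and the `if (!$result) { return; }` after a failed move — exit before the trailing `print`, whereas the old code let a missing file fall through to `$rc = 2`; the upload dialog therefore gets an empty response instead of a result code (the print's payload is stripped in this rendering, so I am inferring the response from `$rc`). Dropping the `else { return; }` and changing the failed-move branch to `@unlink($tmp_file); $tmp_file = false;` lets `is_file($icon_file)` fail naturally into the existing `$rc = 2` path and also removes the empty file tempnam() created. tempnam() returning false is not handled here either. The method continues past this hunk.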
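Review bot: The return value of the new `rename($icon_file, ICONS_DIR . "/$feed_id.ico")` is ignored, so when it fails (e.g. ICONS_DIR on a different filesystem from CACHE_DIR) `$rc = 0` still reports success and the `@unlink($icon_file)` added later in the function discards the upload. Make the result code depend on it: `$rc = rename($icon_file, ICONS_DIR . "/$feed_id.ico") ? 0 : 2;` — or whichever code the client treats as failure. As before, nothing checks that the moved file is actually an image before it is published under ICONS_DIR; a `getimagesize()` check is cheap to add while this path is being rewritten. The method continues outside this hunk.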
@@ -55,6 +55,10 @@
 			array_push($errors, "Image cache is not writable (chmod -R 777 ".CACHE_DIR."/images)");
 		}
+		if (!is_writable(CACHE_DIR . "/upload")) {
+			array_push($errors, "Upload cache is not writable (chmod -R 777 ".CACHE_DIR."/upload)");
+		}
+
 		if (!is_writable(CACHE_DIR . "/export")) {
 			array_push($errors, "Data export cache is not writable (chmod -R 777 ".CACHE_DIR."/export)");
 		}
@@ -102,10 +106,6 @@
 			array_push($errors, "LOCK_DIRECTORY defined in config.php is not writable (chmod -R 777 ".LOCK_DIRECTORY.").\n");
 		}
-		if (ini_get("open_basedir")) {
-			array_push($errors, "PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).");
-		}
-
 		if (!function_exists("curl_init") && !ini_get("allow_url_fopen")) {
 			array_push($errors, "PHP configuration option allow_url_fopen is disabled, and CURL functions are not present. Either enable allow_url_fopen or install PHP extension for CURL.");
 		}
diff --git a/install/index.php b/install/index.php
index 026e00d0..3b6a1f54 100644
--- a/install/index.php
+++ b/install/index.php
@@ -17,10 +17,6 @@
 		array_push($errors, "PHP version 5.3.0 or newer required.");
 	}
-	if (ini_get("open_basedir")) {
-		array_push($errors, "PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).");
-	}
-
 	if (!function_exists("curl_init") && !ini_get("allow_url_fopen")) {
 		array_push($errors, "PHP configuration option allow_url_fopen is disabled, and CURL functions are not present. Either enable allow_url_fopen or install PHP extension for CURL.");
 	}
diff --git a/plugins/googlereaderimport/init.php b/plugins/googlereaderimport/init.php
index ac7a872f..f7d876b9 100644
--- a/plugins/googlereaderimport/init.php
+++ b/plugins/googlereaderimport/init.php
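Review bot: The new message tells the administrator to `chmod -R 777` the directory that now holds user uploads between move_uploaded_file() and parsing; a world-writable directory lets any local account replace or read those files in that window, and copying the wording of the neighbouring messages perpetuates the advice rather than fixing it. Suggest `"Upload cache is not writable (make ".CACHE_DIR."/upload writable by the web server user)"` or similar. Whether cache/upload is reachable over HTTP is not visible in this patch; if it is, files carrying the `opml`/`icon`/`starred` prefix are fetchable by URL for as long as they exist if their names can be listed or guessed, so a deny rule next to the added `.empty` is worth confirming. The surrounding sanity-check code starts outside this hunk.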
@@ -66,8 +66,32 @@ class GoogleReaderImport extends Plugin {
 		$owner_uid = $_SESSION["uid"];
-		if (is_file($_FILES['starred_file']['tmp_name'])) {
-			$doc = json_decode(file_get_contents($_FILES['starred_file']['tmp_name']), true);
+		if ($_FILES['starred_file']['error'] != 0) {
+			print_error(T_sprintf("Upload failed with error code %d",
+				$_FILES['starred_file']['error']));
+			return;
+		}
+
+		$tmp_file = false;
+
+		if (is_uploaded_file($_FILES['starred_file']['tmp_name'])) {
+			$tmp_file = tempnam(CACHE_DIR . '/upload', 'starred');
+
+			$result = move_uploaded_file($_FILES['starred_file']['tmp_name'],
+				$tmp_file);
+
+			if (!$result) {
+				print_error(__("Unable to move uploaded file."));
+				return;
+			}
+		} else {
+			print_error(__('Error: please upload OPML file.'));
+			return;
+		}
+
+		if (is_file($tmp_file)) {
+			$doc = json_decode(file_get_contents($tmp_file), true);
+			unlink($tmp_file);
 		} else {
 			print_error(__('No file uploaded.'));
 			return;
-- 
2.39.5
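Review bot: The `else` branch reports `'Error: please upload OPML file.'` although this handler takes a starred-items JSON export, not OPML — the string was carried over from classes/opml.php; use `print_error(__('Error: please upload starred items file.'));` or whatever wording the import form uses. As in the OPML importer, the `if (!$result)` branch returns without removing the empty file tempnam() created, so add `@unlink($tmp_file);` before that `return;`, and guard against tempnam() returning false before calling move_uploaded_file(). `file_get_contents()` and `json_decode()` results are still unchecked, so `$doc` may be false or null after this hunk; whether that is handled is outside the visible lines. The enclosing import method starts before and continues after this hunk.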