diff modules/blogapi/blogapi.module @ 9:acef7ccb09b5 6.4
Drupal 6.4
author | Franck Deroche <webmaster@defr.org> |
---|---|
date | Tue, 23 Dec 2008 14:32:08 +0100 |
parents | c1f4ac30525a |
children | 589fb7c02327 |
--- a/modules/blogapi/blogapi.module Tue Dec 23 14:30:28 2008 +0100
+++ b/modules/blogapi/blogapi.module Tue Dec 23 14:32:08 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: blogapi.module,v 1.115.2.1 2008/02/07 20:11:02 goba Exp $
+// $Id: blogapi.module,v 1.115.2.3 2008/08/13 23:59:13 drumm Exp $
 /**
 * @file
@@ -129,7 +129,7 @@
 t('Retrieve information about the text formatting plugins supported by the server.')),
 array(
 'mt.publishPost',
- 'blogap_mti_publish_post',
+ 'blogapi_mt_publish_post',
 array('boolean', 'string', 'string', 'string'),
 t('Publish (rebuild) all of the static files related to an entry from your blog. Equivalent to saving an entry in the system (but without the ping).')));
 }
@@ -371,17 +371,64 @@
 return blogapi_error($user);
 }
+ $usersize = 0;
+ $uploadsize = 0;
+
+ $roles = array_intersect(user_roles(FALSE, 'administer content with blog api'), $user->roles);
+
+ foreach ($roles as $rid => $name) {
+ $extensions .= ' '. strtolower(variable_get("blogapi_extensions_$rid", variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp')));
+ $usersize= max($usersize, variable_get("blogapi_usersize_$rid", variable_get('blogapi_usersize_default', 1)) * 1024 * 1024);
+ $uploadsize = max($uploadsize, variable_get("blogapi_uploadsize_$rid", variable_get('blogapi_uploadsize_default', 1)) * 1024 * 1024);
+ }
+
+ $filesize = strlen($file['bits']);
+
+ if ($filesize > $uploadsize) {
+ return blogapi_error(t('It is not possible to upload the file, because it exceeded the maximum filesize of @maxsize.', array('@maxsize' => format_size($uploadsize))));
+ }
+
+ if (_blogapi_space_used($user->uid) + $filesize > $usersize) {
+ return blogapi_error(t('The file can not be attached to this post, because the disk quota of @quota has been reached.', array('@quota' => format_size($usersize))));
+ }
+
+ // Only allow files with whitelisted extensions and convert remaining dots to
+ // underscores to prevent attacks via non-terminal executable extensions with
+ // files such as exploit.php.jpg.
+
+ $whitelist = array_unique(explode(' ', trim($extensions)));
+ $name = basename($file['name']);
+
+ if ($extension_position = strrpos($name, '.')) {
+ $filename = drupal_substr($name, 0, $extension_position);
+ $final_extension = drupal_substr($name, $extension_position + 1);
+
+ if (!in_array(strtolower($final_extension), $whitelist)) {
+ return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist))));
+ }
+
+ $filename = str_replace('.', '_', $filename);
+ $filename .= '.'. 
$final_extension;
+ }
+
 $data = $file['bits'];
 if (!$data) {
 return blogapi_error(t('No file sent.'));
 }
- if (!$file = file_save_data($data, $name)) {
+ if (!$file = file_save_data($data, $filename)) {
 return blogapi_error(t('Error storing file.'));
 }
+ $row = new stdClass();
+ $row->uid = $user->uid;
+ $row->filepath = $file;
+ $row->filesize = $filesize;
+
+ drupal_write_record('blogapi_files', $row);
+
 // Return the successful result.
 return array('url' => file_create_url($file), 'struct');
 }
@@ -487,7 +534,7 @@
 /**
 * Blogging API callback. Publishes the given node
 */
-function blogap_mti_publish_post($postid, $username, $password) {
+function blogapi_mt_publish_post($postid, $username, $password) {
 $user = blogapi_validate_user($username, $password);
 if (!$user->uid) {
 return blogapi_error($user);
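Review bot: A file name with no dot, or with only a leading dot such as `.htaccess`, skips the whitelist entirely: `strrpos` returns FALSE or 0, the `if ($extension_position = strrpos($name, '.'))` block is not entered, and `file_save_data($data, $filename)` then runs with `$filename` never assigned. What Drupal's file API does with an empty destination is outside this hunk, so the outcome cannot be confirmed here, but a whitelist that is bypassed by omitting the extension is not the fail-closed behaviour the "Only allow files with whitelisted extensions" comment promises. An `else` branch returning the same error closes the gap: `else { return blogapi_error(t('It is not possible to upload the file, because it is only possible to upload files with the following extensions: @extensions', array('@extensions' => implode(' ', $whitelist)))); }`. `$extensions` is also appended to with `.=` without being initialised next to `$usersize`/`$uploadsize`; adding `$extensions = '';` avoids the notice and makes the no-matching-role case (empty whitelist, zero-byte limits) explicit rather than accidental. The enclosing function starts before this hunk.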
@@ -568,6 +615,81 @@
 '#description' => t('Select the content types available to external blogging clients via Blog API. If supported, each enabled content type will be displayed as a separate "blog" by the external client.')
 );
+ $blogapi_extensions_default = variable_get('blogapi_extensions_default', 'jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp');
+ $blogapi_uploadsize_default = variable_get('blogapi_uploadsize_default', 1);
+ $blogapi_usersize_default = variable_get('blogapi_usersize_default', 1);
+
+ $form['settings_general'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('File settings'),
+ '#collapsible' => TRUE,
+ );
+
+ $form['settings_general']['blogapi_extensions_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default permitted file extensions'),
+ '#default_value' => $blogapi_extensions_default,
+ '#maxlength' => 255,
+ '#description' => t('Default extensions that users can upload. Separate extensions with a space and do not include the leading dot.'),
+ );
+
+ $form['settings_general']['blogapi_uploadsize_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default maximum file size per upload'),
+ '#default_value' => $blogapi_uploadsize_default,
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The default maximum file size a user can upload.'),
+ '#field_suffix' => t('MB')
+ );
+
+ $form['settings_general']['blogapi_usersize_default'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Default total file size per user'),
+ '#default_value' => $blogapi_usersize_default,
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The default maximum size of all files a user can have on the site.'),
+ '#field_suffix' => t('MB')
+ );
+
+ $form['settings_general']['upload_max_size'] = array('#value' => '<p>'. 
t('Your PHP settings limit the maximum file size per upload to %size.', array('%size' => format_size(file_upload_max_size()))).'</p>');
+
+ $roles = user_roles(0, 'administer content with blog api');
+ $form['roles'] = array('#type' => 'value', '#value' => $roles);
+
+ foreach ($roles as $rid => $role) {
+ $form['settings_role_'. $rid] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Settings for @role', array('@role' => $role)),
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE,
+ );
+ $form['settings_role_'. $rid]['blogapi_extensions_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Permitted file extensions'),
+ '#default_value' => variable_get('blogapi_extensions_'. $rid, $blogapi_extensions_default),
+ '#maxlength' => 255,
+ '#description' => t('Extensions that users in this role can upload. Separate extensions with a space and do not include the leading dot.'),
+ );
+ $form['settings_role_'. $rid]['blogapi_uploadsize_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Maximum file size per upload'),
+ '#default_value' => variable_get('blogapi_uploadsize_'. $rid, $blogapi_uploadsize_default),
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The maximum size of a file a user can upload (in megabytes).'),
+ );
+ $form['settings_role_'. $rid]['blogapi_usersize_'. $rid] = array(
+ '#type' => 'textfield',
+ '#title' => t('Total file size per user'),
+ '#default_value' => variable_get('blogapi_usersize_'. $rid, $blogapi_usersize_default),
+ '#size' => 5,
+ '#maxlength' => 5,
+ '#description' => t('The maximum size of all files a user can have on the site (in megabytes).'),
+ );
+ }
+
 return system_settings_form($form);
 }
@@ -726,3 +848,7 @@
 return $types;
 }
+
+function _blogapi_space_used($uid) {
+ return db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));
+}
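Review bot: The four size fields added to the settings form (`blogapi_uploadsize_default`, `blogapi_usersize_default` and the per-role `blogapi_uploadsize_$rid` / `blogapi_usersize_$rid`) are plain textfields with no `#element_validate`, so whatever an administrator types is stored and later multiplied by `1024 * 1024` in the upload path. A non-numeric or negative value presumably becomes a limit of zero or less and rejects every upload, which is fail-closed but confusing to diagnose, and nothing prevents it from being saved. A small validator attached to each of the four fields keeps the stored values sane; only one field is shown below, the other three take the same `'#element_validate'` entry. The enclosing function starts before this hunk, so its signature is not visible here.
```php
// … unchanged: default-value lookups and 'settings_general' fieldset …
$form['settings_general']['blogapi_uploadsize_default'] = array(
  '#type' => 'textfield',
  '#element_validate' => array('_blogapi_validate_size'),
  // … unchanged: '#title', '#default_value', '#size', '#maxlength', '#description', '#field_suffix' …
);
// … unchanged: remaining fields, role loop, system_settings_form() …

/**
 * Form element validator: size limits must be non-negative numbers (in MB).
 */
function _blogapi_validate_size($element, &$form_state) {
  if (!is_numeric($element['#value']) || $element['#value'] < 0) {
    form_error($element, t('%name must be a non-negative number.', array('%name' => $element['#title'])));
  }
}
```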
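Review bot: `_blogapi_space_used` has no doc comment, and `SUM(filesize)` yields NULL when the user has no rows in `{blogapi_files}`, which `db_result` passes straight through, so the function returns NULL rather than 0 for a user who has never uploaded. Casting the result, `return (int) db_result(db_query('SELECT SUM(filesize) FROM {blogapi_files} f WHERE f.uid = %d', $uid));`, and adding a header such as `/** Returns the total size in bytes of files uploaded via Blog API by the given user. */` makes the contract explicit; the quota check in this commit only adds to the result, so NULL happens to behave like 0 there. The `%d` placeholder keeps the query parameterised, which is the right shape for a uid coming from the authenticated account.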