// Media upload handler: restricted to managers, processes up to five upload slots
// (mediafile1..5 with optional thumbnail1..5), creates the target folders on demand,
// moves the files into the media store and then prints the upload form.
// NOTE(review): the first statement is cut at the top of this excerpt; the object on which
// ->restrictAccess() is called is defined above, out of view ($controller is used later).
// WT_DATA_DIR, $MEDIA_DIRECTORY and WT_USER_GEDCOM_ADMIN are defined elsewhere, not here.
restrictAccess(Auth::isManager()) ->setPageTitle(WT_I18N::translate('Upload media files'));
$action = WT_Filter::post('action');
if ($action == "upload") {
	// Each "break" below leaves this for loop, so a problem with slot $i also stops the
	// processing of every later slot (they are silently skipped).
	for ($i=1; $i<6; $i++) {
		if (!empty($_FILES['mediafile'.$i]["name"]) || !empty($_FILES['thumbnail'.$i]["name"])) {
			// Target folder, relative to the media directory, as submitted with the form.
			$folder = WT_Filter::post('folder' . $i);
			// Validate the media folder: normalise backslashes, strip leading/trailing
			// slashes, and treat "." as the media root.
			$folderName = str_replace('\\', '/', $folder);
			$folderName = trim($folderName, '/');
			if ($folderName == '.') {
				$folderName = '';
			}
			if ($folderName) {
				$folderName .= '/';
				// Not allowed to use “../”
				// With the leading and trailing slash added, any ".." path segment
				// (including a bare "..") shows up as "/../", so this rejects all of them.
				if (strpos('/' . $folderName, '/../')!==false) {
					WT_FlashMessages::addMessage('Folder names are not allowed to include “../”');
					break;
				}
			}
			// Make sure the media folder exists
			if (!is_dir(WT_DATA_DIR . $MEDIA_DIRECTORY)) {
				if (WT_File::mkdir(WT_DATA_DIR . $MEDIA_DIRECTORY)) {
					WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s was created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . ''));
				} else {
					WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s does not exist, and it could not be created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . ''));
					break;
				}
			}
			// Managers can create new media paths (subfolders). Users must use existing folders.
			if ($folderName && !is_dir(WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName)) {
				if (WT_USER_GEDCOM_ADMIN) {
					if (WT_File::mkdir(WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName)) {
						WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s was created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName . ''));
					} else {
						WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s does not exist, and it could not be created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName . ''));
						break;
					}
				} else {
					// Regular users should not have seen this option - so no need for an error message.
					break;
				}
			}
			// The media folder exists. Now create a thumbnail folder to match it.
			if (!is_dir(WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName)) {
				if (!WT_File::mkdir(WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName)) {
					WT_FlashMessages::addMessage(WT_I18N::translate('The folder %s does not exist, and it could not be created.', '' . WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName . ''));
					break;
				}
			}
			// A thumbnail file with no main image?
			// NOTE(review): after this swap the file is only subject to the filename and
			// extension checks below; the "must be an image" check further down looks at
			// the 'thumbnail' slot only, which is unset here.
			if (!empty($_FILES['thumbnail' . $i]['name']) && empty($_FILES['mediafile' . $i]['name'])) {
				// Assume the user used the wrong field, and treat this as a main image
				$_FILES['mediafile' . $i] = $_FILES['thumbnail' . $i];
				unset($_FILES['thumbnail' . $i]);
			}
			// Thumbnails must be images.
			// NOTE(review): this relies on $_FILES[...]['type'], which is supplied by the
			// client's browser and is not verified by PHP; inspecting the uploaded file itself
			// (e.g. getimagesize() on tmp_name) would be a stronger check.
			if (!empty($_FILES['thumbnail' . $i]['name']) && !preg_match('/^image\/(png|gif|jpeg)/', $_FILES['thumbnail' . $i]['type'])) {
				WT_FlashMessages::addMessage(WT_I18N::translate('Thumbnails must be images.'));
				break;
			}
			// User-specified filename?
			$filename = WT_Filter::post('filename' . $i);
			// Use the name of the uploaded file?  (The browser-supplied name; it is
			// validated below like any other user input.)
			if (!$filename && !empty($_FILES['mediafile' . $i]['name'])) {
				$filename = $_FILES['mediafile' . $i]['name'];
			}
			// Validate the media path and filename
			// The "$filename = ''" assignments before each break have no visible effect in
			// this excerpt: the break leaves the loop and nothing below reads $filename.
			if (preg_match('/([\/\\\\<>])/', $filename, $match)) {
				// Local media files cannot contain certain special characters
				// (path separators and angle brackets).
				WT_FlashMessages::addMessage(WT_I18N::translate('Filenames are not allowed to contain the character “%s”.', $match[1]));
				$filename = '';
				break;
			} elseif (preg_match('/(\.(php|pl|cgi|bash|sh|bat|exe|com|htm|html|shtml))$/i', $filename, $match)) {
				// Do not allow obvious script files.
				// NOTE(review): this is a denylist (case-insensitive via /i); any extension
				// not listed here is accepted. An allowlist of the media types the
				// application actually expects would be the safer shape for this check.
				WT_FlashMessages::addMessage(WT_I18N::translate('Filenames are not allowed to have the extension “%s”.', $match[1]));
				$filename = '';
				break;
			} elseif (!$filename) {
				WT_FlashMessages::addMessage(WT_I18N::translate('No media file was provided.'));
				break;
			} else {
				$fileName = $filename;
			}
			// Now copy the file to the correct location.
			if (!empty($_FILES['mediafile' . $i]['name'])) {
				$serverFileName = WT_DATA_DIR . $MEDIA_DIRECTORY . $folderName . $fileName;
				// Never overwrite an existing file.
				if (file_exists($serverFileName)) {
					WT_FlashMessages::addMessage(WT_I18N::translate('The file %s already exists. 
Use another filename.', $folderName . $fileName));
					$filename = '';
					break;
				}
				// move_uploaded_file() only accepts a genuine upload of the current request.
				if (move_uploaded_file($_FILES['mediafile' . $i]['tmp_name'], $serverFileName)) {
					WT_FlashMessages::addMessage(WT_I18N::translate('The file %s was uploaded.', '' . $serverFileName . ''));
					Log::addMediaLog('Media file ' . $serverFileName . ' uploaded');
				} else {
					WT_FlashMessages::addMessage( WT_I18N::translate('There was an error uploading your file.') . '
' . file_upload_error_text($_FILES['mediafile' . $i]['error']) );
					$filename = '';
					break;
				}
				// Now copy the (optional thumbnail)
				// The same browser-supplied MIME type as above decides the thumbnail's
				// extension (png, gif or jpeg).
				if (!empty($_FILES['thumbnail' . $i]['name']) && preg_match('/^image\/(png|gif|jpeg)/', $_FILES['thumbnail' . $i]['type'], $match)) {
					$extension = $match[1];
					// Replace a 3-5 character extension of the main file name with the
					// thumbnail's image type; if $fileName has no such extension the
					// pattern does not match and $thumbFile equals $fileName.
					$thumbFile = preg_replace('/\.[a-z0-9]{3,5}$/', '.' . $extension, $fileName);
					$serverFileName = WT_DATA_DIR . $MEDIA_DIRECTORY . 'thumbs/' . $folderName . $thumbFile;
					// A failure to store the thumbnail is ignored: no message, no break.
					if (move_uploaded_file($_FILES['thumbnail' . $i]['tmp_name'], $serverFileName)) {
						WT_FlashMessages::addMessage(WT_I18N::translate('The file %s was uploaded.', '' . $serverFileName . ''));
						Log::addMediaLog('Thumbnail file ' . $serverFileName . ' uploaded');
					}
				}
			}
		}
	}
}
$controller->pageHeader();
// Existing media folders, offered in the folder selector of each form row.
$mediaFolders = WT_Query_Media::folderListAll();
// Determine file size limit
// Display-only value shown on the form; falls back to "2M" when the ini value is unset.
// TODO: do we need to check post_max_size size too?
$filesize = ini_get('upload_max_filesize');
if (empty($filesize)) $filesize = "2M";
// Print the form
// NOTE(review): the markup inside the echo strings of this section appears to have been
// stripped from this copy of the file; the string literals are left exactly as found.
echo '
'; echo ''; echo '

', WT_I18N::translate('Upload media files'), ':  ', WT_I18N::translate('Maximum upload size: '), '', $filesize, '

';
// Print 5 forms for uploading images
// One row per upload slot: media file, thumbnail, server file name and server folder;
// the folder controls differ for gedcom admins (WT_USER_GEDCOM_ADMIN / Auth::isAdmin()).
for ($i=1; $i<6; $i++) { echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; if (WT_USER_GEDCOM_ADMIN) { echo ''; echo ''; } else { echo ''; } if (WT_USER_GEDCOM_ADMIN) { echo ''; echo ''; } else { echo ''; } echo '
', WT_I18N::translate('Media file'), ':  ', $i, '
'; echo WT_I18N::translate('Media file to upload'); echo ''; echo ''; echo '
'; echo WT_I18N::translate('Thumbnail to upload'), help_link('upload_thumbnail_file'); echo ''; echo ''; echo '
'; echo WT_I18N::translate('File name on server'), help_link('upload_server_file'); echo ''; echo ''; if ($i==1) echo "
", WT_I18N::translate('Do not change to keep original file name.'), ""; echo '
'; echo WT_I18N::translate('Folder name on server'), help_link('upload_server_folder'); echo ''; echo '"; if (Auth::isAdmin()) { echo '
'; } else { echo ''; } echo '
'; }
// Print the Submit button for uploading the media
echo ''; echo '
';