

Possible to upload non image files within ckeditor #1455
Fasse committed Jul 9, 2023
1 parent 3193c56 commit d66585d
Showing 4 changed files with 33 additions and 17 deletions.
38 changes: 26 additions & 12 deletions adm_program/system/ckeditor_upload_handler.php
Expand Up @@ -34,6 +34,10 @@
$message = $gL10n->get('SYS_SERVER_NO_UPLOAD');
}

if (!FileSystemUtils::allowedFileExtension($_FILES['upload']['name'])) {
$message = $gL10n->get('SYS_FILE_EXTENSION_INVALID');
}

// if necessary create the module folders in adm_my_files
switch ($getCKEditor) {
case 'ann_description':
Expand All @@ -59,29 +63,39 @@
break;
}

try {
$imagesPath = ADMIDIO_PATH . FOLDER_DATA . '/' . $folderName . '/images';
if ($message === '') {
try {
$imagesPath = ADMIDIO_PATH . FOLDER_DATA . '/' . $folderName . '/images';

FileSystemUtils::createDirectoryIfNotExists($imagesPath);

// create a filename with a timestamp and 16 chars secure-random string,
// so we have a scheme for the filenames and the risk of duplicates is negligible.
// Format: 20180131-123456_0123456789abcdef.jpg
$fileName = FileSystemUtils::getGeneratedFilename($_FILES['upload']['name']);
$fileNamePath = $imagesPath . '/' . $fileName;

FileSystemUtils::createDirectoryIfNotExists($imagesPath);
$htmlUrl = SecurityUtils::encodeUrl(ADMIDIO_URL . '/adm_program/system/show_image.php', array('module' => $folderName, 'file' => $fileName));

// create a filename with a timestamp and a 16 chars secure-random string,
// so we have a scheme for the filenames and the risk of duplicates is negligible.
// Format: 20180131-123456_0123456789abcdef.jpg
$filename = FileSystemUtils::getGeneratedFilename($_FILES['upload']['name']);
move_uploaded_file($_FILES['upload']['tmp_name'], $fileNamePath);

$htmlUrl = SecurityUtils::encodeUrl(ADMIDIO_URL . '/adm_program/system/show_image.php', array('module' => $folderName, 'file' => $filename));
// check if the file contains a valid image
if (!getimagesize($fileNamePath)) {
$message = $gL10n->get('PHO_PHOTO_FORMAT_INVALID');
FileSystemUtils::deleteFileIfExists($fileNamePath);
}

move_uploaded_file($_FILES['upload']['tmp_name'], $imagesPath . '/' . $filename);
} catch (\RuntimeException $exception) {
$message = $exception->getMessage();
} catch (RuntimeException|AdmException $exception) {
$message = $exception->getMessage();
}
}

// now call CKEditor function and send photo data
echo '<!DOCTYPE html>
<html>
<body>
<script type="text/javascript">
window.parent.CKEDITOR.tools.callFunction('.$getCKEditorFuncNum.', "'.$htmlUrl.'", "'.$message.'");
window.parent.CKEDITOR.tools.callFunction('.$getCKEditorFuncNum.', "'.$htmlUrl.'", "'.$message.'")
</script>
</body>
</html>';
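Review bot: On the new side `$htmlUrl` is built from the generated filename before the file is moved and before the `getimagesize` check, so when the check fails and `FileSystemUtils::deleteFileIfExists($fileNamePath)` removes the file, the URL of the deleted file is still handed to `CKEDITOR.tools.callFunction` alongside the error message; add `$htmlUrl = '';` inside that `if` block. The return value of `move_uploaded_file` is not checked either, so a failed move falls through to `getimagesize` on a path that does not exist and reports PHO_PHOTO_FORMAT_INVALID instead of the real cause — `if (!move_uploaded_file($_FILES['upload']['tmp_name'], $fileNamePath)) { throw new RuntimeException($gL10n->get('SYS_SERVER_NO_UPLOAD')); }` would surface it through the existing catch. `getimagesize` only parses the image header, so it accepts a file whose extension passed the allow-list even when the detected type does not match that extension; comparing the returned `mime` entry against the extension would tighten the gate, though whether the rest of the file already restricts how uploads are served cannot be seen from the hunk. The initialisation of `$message` and `$htmlUrl` lies outside both hunks.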
6 changes: 4 additions & 2 deletions adm_program/system/classes/FileSystemUtils.php
Expand Up @@ -86,11 +86,13 @@ final class FileSystemUtils
/**
* Check if the file extension of the current file format is allowed for upload and the
* documents and files module.
* @param string $fileExtension The file extension that should be checked.
* @param string $filename The name of the file that should be checked.
* @return bool Return true if the file extension is allowed to be used within Admidio.
*/
public static function allowedFileExtension($fileExtension)
public static function allowedFileExtension(string $filename): bool
{
$fileExtension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

if (array_key_exists($fileExtension, self::$iconFileExtension)) {
return true;
}
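Review bot: The new signature changes the argument from a bare extension to a full filename, so any caller outside this commit that still passes something like `'jpg'` will now get `''` back from `pathinfo` and be rejected; TableFile is updated here, but other call sites are not visible on the page and should be checked. The docblock should also record what the check actually does, since in the CKEditor handler it is the only gate before `move_uploaded_file`: only the final extension is examined, case-insensitively, so a name carrying several extensions is judged by the last one and a name without an extension yields an empty string. A one-line addition to the docblock would be `* Only the last extension is examined (case-insensitive); names without an extension yield an empty extension.` The method body continues past the end of the hunk.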
4 changes: 2 additions & 2 deletions adm_program/system/classes/TableFile.php
Expand Up @@ -42,9 +42,9 @@ public function __construct(Database $database, $filId = 0)
* documents and files module.
* @return bool Return true if the file extension is allowed to be used within Admidio.
*/
public function allowedFileExtension()
public function allowedFileExtension(): bool
{
return FileSystemUtils::allowedFileExtension($this->getFileExtension());
return FileSystemUtils::allowedFileExtension($this->getValue('fil_name', 'database'));
}

/**
2 changes: 1 addition & 1 deletion adm_program/system/classes/UploadHandlerPhoto.php
Expand Up @@ -70,7 +70,7 @@ protected function handle_file_upload($uploadedFile, $name, $size, $type, $error

$newPhotoFileNumber = $photoAlbum->getValue('pho_quantity') + 1;

// read image size
// check if the file contains a valid image and read image properties
$imageProperties = getimagesize($fileLocation);
if ($imageProperties === false) {
throw new AdmException('PHO_PHOTO_FORMAT_INVALID');
