Input validation for media manager
whoopdedo committed Jun 29, 2012
1 parent bfd0f59 commit 8108113
Showing 2 changed files with 57 additions and 44 deletions.
66 changes: 40 additions & 26 deletions inc/media.php
Expand Up @@ -226,8 +226,9 @@ function media_delete($id,$auth){
*/
function media_upload_xhr($ns,$auth){
if(!checkSecurityToken()) return false;
global $INPUT;

$id = $_GET['qqfile'];
$id = $INPUT->get->str('qqfile');
list($ext,$mime,$dl) = mimetype($id);
$input = fopen("php://input", "r");
if (!($tmp = io_mktmpdir())) return false;
Expand All @@ -247,7 +248,7 @@ function media_upload_xhr($ns,$auth){
'mime' => $mime,
'ext' => $ext),
$ns.':'.$id,
(($_REQUEST['ow'] == 'checked') ? true : false),
(($INPUT->get->str('ow') == 'checked') ? true : false),
$auth,
'copy'
);
Expand All @@ -270,9 +271,10 @@ function media_upload_xhr($ns,$auth){
function media_upload($ns,$auth,$file=false){
if(!checkSecurityToken()) return false;
global $lang;
global $INPUT;

// get file and id
$id = $_POST['mediaid'];
$id = $INPUT->post->str('mediaid');
if (!$file) $file = $_FILES['upload'];
if(empty($id)) $id = $file['name'];

Expand All @@ -294,7 +296,7 @@ function media_upload($ns,$auth,$file=false){
$res = media_save(array('name' => $file['tmp_name'],
'mime' => $imime,
'ext' => $iext), $ns.':'.$id,
$_REQUEST['ow'], $auth, 'move_uploaded_file');
$INPUT->post->bool('ow'), $auth, 'move_uploaded_file');
if (is_array($res)) {
msg($res[0], $res[1]);
return false;
Expand Down Expand Up @@ -641,16 +643,18 @@ function media_tabs_details($image, $selected_tab = ''){
* @author Kate Arzamastseva <pshns@ukr.net>
*/
function media_tab_files_options(){
global $lang, $NS;
global $lang;
global $NS;
global $INPUT;
$form = new Doku_Form(array('class' => 'options', 'method' => 'get',
'action' => wl($ID)));
$media_manager_params = media_managerURL(array(), '', false, true);
foreach($media_manager_params as $pKey => $pVal){
$form->addHidden($pKey, $pVal);
}
$form->addHidden('sectok', null);
if (isset($_REQUEST['q'])) {
$form->addHidden('q', $_REQUEST['q']);
if ($INPUT->has('q')) {
$form->addHidden('q', $INPUT->str('q'));
}
$form->addElement('<ul>'.NL);
foreach(array('list' => array('listType', array('thumbs', 'rows')),
Expand Down Expand Up @@ -694,9 +698,10 @@ function _media_get_list_type() {
}

function _media_get_display_param($param, $values) {
if (isset($_REQUEST[$param]) && in_array($_REQUEST[$param], $values)) {
global $INPUT;
if (in_array($INPUT->str($param), $values)) {
// FIXME: Set cookie
return $_REQUEST[$param];
return $INPUT->str($param);
} else {
$val = get_doku_pref($param, $values['default']);
if (!in_array($val, $values)) {
Expand Down Expand Up @@ -746,10 +751,10 @@ function media_tab_upload($ns,$auth=null,$jump='') {
*/
function media_tab_search($ns,$auth=null) {
global $lang;
global $INPUT;

$do = $_REQUEST['mediado'];
$query = $_REQUEST['q'];
if (!$query) $query = '';
$do = $INPUT->str('mediado');
$query = $INPUT->str('q');
echo '<div class="search">'.NL;

media_searchform($ns, $query, true);
Expand Down Expand Up @@ -801,14 +806,16 @@ function media_tab_edit($image, $ns, $auth=null) {
*/
function media_tab_history($image, $ns, $auth=null) {
global $lang;
global $INPUT;

if(is_null($auth)) $auth = auth_quickaclcheck("$ns:*");
$do = $_REQUEST['mediado'];
$do = $INPUT->str('mediado');

if ($auth >= AUTH_READ && $image) {
if ($do == 'diff'){
media_diff($image, $ns, $auth);
} else {
$first = isset($_REQUEST['first']) ? intval($_REQUEST['first']) : 0;
$first = $INPUT->int('first');
html_revisions($first, $image);
}
} else {
Expand Down Expand Up @@ -1002,21 +1009,22 @@ function media_details($image, $auth, $rev=false, $meta=false) {
function media_diff($image, $ns, $auth, $fromajax = false) {
global $lang;
global $conf;
global $INPUT;

if ($auth < AUTH_READ || !$image || !$conf['mediarevisions']) return '';

$rev1 = (int) $_REQUEST['rev'];
$rev1 = $INPUT->int('rev');

if(is_array($_REQUEST['rev2'])){
$rev1 = (int) $_REQUEST['rev2'][0];
$rev2 = (int) $_REQUEST['rev2'][1];
if(is_array($INPUT->ref('rev2'))){
$rev1 = (int) $INPUT->arr('rev2')[0];
$rev2 = (int) $INPUT->arr('rev2')[1];

if(!$rev1){
$rev1 = $rev2;
unset($rev2);
}
}else{
$rev2 = (int) $_REQUEST['rev2'];
$rev2 = $INPUT->int('rev2');
}

if ($rev1 && !file_exists(mediaFN($image, $rev1))) $rev1 = false;
Expand Down Expand Up @@ -1071,7 +1079,9 @@ function _media_file_diff($data) {
* @author Kate Arzamastseva <pshns@ukr.net>
*/
function media_file_diff($image, $l_rev, $r_rev, $ns, $auth, $fromajax){
global $lang, $config_cascade;
global $lang;
global $config_cascade;
global $INPUT;

$l_meta = new JpegMeta(mediaFN($image, $l_rev));
$r_meta = new JpegMeta(mediaFN($image, $r_rev));
Expand All @@ -1082,7 +1092,7 @@ function media_file_diff($image, $l_rev, $r_rev, $ns, $auth, $fromajax){
$r_size = media_image_preview_size($image, $r_rev, $r_meta);
$is_img = ($l_size && $r_size && ($l_size[0] >= 30 || $r_size[0] >= 30));

$difftype = $_REQUEST['difftype'];
$difftype = $INPUT->str('difftype');

if (!$fromajax) {
$form = new Doku_Form(array(
Expand Down Expand Up @@ -1527,11 +1537,12 @@ function media_printimgdetail($item, $fullscreen=false){
function media_managerURL($params=false, $amp='&amp;', $abs=false, $params_array=false) {
global $conf;
global $ID;
global $INPUT;

$gets = array('do' => 'media');
$media_manager_params = array('tab_files', 'tab_details', 'image', 'ns', 'list', 'sort');
foreach ($media_manager_params as $x) {
if (isset($_REQUEST[$x])) $gets[$x] = $_REQUEST[$x];
if ($INPUT->has($x)) $gets[$x] = $INPUT->str($x);
}

if ($params) {
Expand All @@ -1555,7 +1566,9 @@ function media_managerURL($params=false, $amp='&amp;', $abs=false, $params_array
* @author Kate Arzamastseva <pshns@ukr.net>
*/
function media_uploadform($ns, $auth, $fullscreen = false){
global $lang, $conf;
global $lang;
global $conf;
global $INPUT;

if($auth < AUTH_UPLOAD) {
echo '<div class="nothing">'.$lang['media_perm_upload'].'</div>'.NL;
Expand All @@ -1565,9 +1578,9 @@ function media_uploadform($ns, $auth, $fullscreen = false){

$update = false;
$id = '';
if ($auth >= $auth_ow && $fullscreen && $_REQUEST['mediado'] == 'update') {
if ($auth >= $auth_ow && $fullscreen && $INPUT->str('mediado') == 'update') {
$update = true;
$id = cleanID($_REQUEST['image']);
$id = cleanID($INPUT->str('image'));
}

// The default HTML upload form
Expand Down Expand Up @@ -1697,12 +1710,13 @@ function media_nstree($ns){
* @author Andreas Gohr <andi@splitbrain.org>
*/
function media_nstree_item($item){
global $INPUT;
$pos = strrpos($item['id'], ':');
$label = substr($item['id'], $pos > 0 ? $pos + 1 : 0);
if(!$item['label']) $item['label'] = $label;

$ret = '';
if (!($_REQUEST['do'] == 'media'))
if (!($INPUT->str('do') == 'media'))
$ret .= '<a href="'.DOKU_BASE.'lib/exe/mediamanager.php?ns='.idfilter($item['id']).'" class="idx_dir">';
else $ret .= '<a href="'.media_managerURL(array('ns' => idfilter($item['id'], false), 'tab_files' => 'files'))
.'" class="idx_dir">';
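Review bot: `$INPUT->arr('rev2')[0]` and `$INPUT->arr('rev2')[1]` in the media_diff hunk index a function call result directly, a syntax that only parses on PHP 5.4 and later; if the project's supported baseline is older, this hunk makes the whole file fail to parse rather than just this branch. Fetch the array once into a local and index that instead: `$revs = $INPUT->arr('rev2'); $rev1 = (int) $revs[0]; $rev2 = (int) $revs[1];`. That also stops the same parameter being read three times (the `is_array($INPUT->ref('rev2'))` test plus the two indexed reads), and the local can feed the is_array check as well if `arr()` returns the raw value. media_diff's body continues below the hunk, so the later use of `$rev2` after the `unset` is not visible here.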
35 changes: 17 additions & 18 deletions lib/exe/mediamanager.php
Expand Up @@ -11,24 +11,23 @@
session_write_close(); //close session

// handle passed message
if($_REQUEST['msg1']) msg(hsc($_REQUEST['msg1']),1);
if($_REQUEST['err']) msg(hsc($_REQUEST['err']),-1);
if($INPUT->str('msg1')) msg(hsc($INPUT->str('msg1')),1);
if($INPUT->str('err')) msg(hsc($INPUT->str('err')),-1);


// get namespace to display (either direct or from deletion order)
if($_REQUEST['delete']){
$DEL = cleanID($_REQUEST['delete']);
if($INPUT->str('delete')){
$DEL = cleanID($INPUT->str('delete'));
$IMG = $DEL;
$NS = getNS($DEL);
}elseif($_REQUEST['edit']){
$IMG = cleanID($_REQUEST['edit']);
}elseif($INPUT->str('edit')){
$IMG = cleanID($INPUT->str('edit'));
$NS = getNS($IMG);
}elseif($_REQUEST['img']){
$IMG = cleanID($_REQUEST['img']);
}elseif($INPUT->str('img')){
$IMG = cleanID($INPUT->str('img'));
$NS = getNS($IMG);
}else{
$NS = $_REQUEST['ns'];
$NS = cleanID($NS);
$NS = cleanID($INPUT->str('ns'));
}

// check auth
Expand Down Expand Up @@ -76,18 +75,18 @@
}

// handle meta saving
if($IMG && @array_key_exists('save', $_REQUEST['do'])){
$JUMPTO = media_metasave($IMG,$AUTH,$_REQUEST['meta']);
if($IMG && @array_key_exists('save', $INPUT->arr('do'))){
$JUMPTO = media_metasave($IMG,$AUTH,$INPUT->arr('meta'));
}

if($IMG && ($_REQUEST['mediado'] == 'save' || @array_key_exists('save', $_REQUEST['mediado']))) {
$JUMPTO = media_metasave($IMG,$AUTH,$_REQUEST['meta']);
if($IMG && ($INPUT->str('mediado') == 'save' || @array_key_exists('save', $INPUT->arr('mediado')))) {
$JUMPTO = media_metasave($IMG,$AUTH,$INPUT->arr('meta'));
}

if ($_REQUEST['rev'] && $conf['mediarevisions']) $REV = (int) $_REQUEST['rev'];
if ($INPUT->int('rev') && $conf['mediarevisions']) $REV = $INPUT->int('rev');

if($_REQUEST['mediado'] == 'restore' && $conf['mediarevisions']){
$JUMPTO = media_restore($_REQUEST['image'], $REV, $AUTH);
if($INPUT->str('mediado') == 'restore' && $conf['mediarevisions']){
$JUMPTO = media_restore($INPUT->str('image'), $REV, $AUTH);
}

// handle deletion
Expand All @@ -101,7 +100,7 @@
if ($res & DOKU_MEDIA_EMPTY_NS && !$fullscreen) {
// current namespace was removed. redirecting to root ns passing msg along
send_redirect(DOKU_URL.'lib/exe/mediamanager.php?msg1='.
rawurlencode($msg).'&edid='.$_REQUEST['edid']);
rawurlencode($msg).'&edid='.$INPUT->str('edid'));
}
msg($msg,1);
} elseif ($res & DOKU_MEDIA_INUSE) {
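Review bot: `$INPUT->str('edid')` on the send_redirect line is concatenated into the Location query string without encoding, while the neighbouring `msg1` value on the previous line goes through rawurlencode(); an `edid` value containing `&`, `#` or `%` would alter or truncate the redirect target. Encode it the same way: `rawurlencode($msg).'&edid='.rawurlencode($INPUT->str('edid')));`. The deletion-handling block this line sits in begins before the hunk, so only the visible part is covered by this note.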
