Merge remote-tracking branch 'origin/file-upload-plugins' into develop

USER-FILES/.htaccess

@@ -0,0 +1,11 @@
+# Stop Apache doing directory indexing.
+Options -Indexes 
+
+
+# Try and tell Apache not to serve out any files within this directory as PHP - 
+# this helps close a potential security flaw - given people can upload almost anything into an LO.
+
+#RemoveHandler .php
+<FilesMatch "\.((php[0-9]?)|p?html?|pl|sh|java|cpp|c|h|js|rc)$">
+    SetHandler None
+</FilesMatch>

cron/.htaccess

@@ -0,0 +1 @@
+deny from all

cron/transcoder.php

@@ -0,0 +1,86 @@
+<?php
+
+/**
+ * Older versions of XOT allowed LO authors to upload .flv videos for embedding with the Learning Object.
+ * Unfortunately, flv videos aren't compatible with HTML5 based templates and will not display on e.g. tablets as
+ * Adobe Flash is not available. 
+ * This cron job, when run will look for all videos which do not have an '.mp4' extension, and attempt to transcode (i.e. reformat) them.
+ * the original file is left as is - so if you start with :
+ *
+ * USER-FILES/2-Test-Nottingham/media/something.flv
+ * 
+ * you'll end up with :
+ *
+ * USER-FILES/2-Test-Nottingham/media/something.flv
+ * USER-FILES/2-Test-Nottingham/media/something.mp4
+ *  
+ * When the script runs it looks to see if a .mp4 variant of the file already exists, and if it does, it does nothing.
+ *
+ * Note, depending on your media files, running this may consume quite a lot of CPU / disk resource.
+ * No 'intelligence' is included to cope with duplicated source media files - to reduce resource usage.
+ *
+ *
+ * You'll need to have something like 'avconv' or 'ffmpeg' installed. See comments inline below.
+ * It'll probably work best with ffmpeg. Perhaps.
+ *
+ */
+require_once dirname(__FILE__) . '/../config.php';
+
+if(!is_file('/usr/bin/avconv') && !is_File('/usr/bin/ffmpeg')) {
+    die("Cannot run; /usr/bin/avconv or /usr/bin/ffmpeg does not appear to be present");
+}
+
+$finfo = new finfo(FILEINFO_MIME_TYPE);
+
+$files = glob($xerte_toolkits_site->users_file_area_full . '*/media/*');
+
+foreach ($files as $filename) {
+
+    $mimeType = $finfo->file($filename);
+    $extension = pathinfo($filename, PATHINFO_EXTENSION);
+
+    if ($extension !== 'mp4' && preg_match('!video!', $mimeType)) {
+        // have a video that may need transcoding
+
+        // has video already been transcoded?
+        $mp4Filename = preg_replace('!' . preg_quote($extension, "!") . '$!', 'mp4', $filename, 1); // replace the extension with "mp4"
+        if (file_exists($mp4Filename)) {
+            // have a mp4 version.
+            continue;
+        }
+
+        // need to transcode a mp4 version
+        add_transcode_job($filename, $mp4Filename);
+    }
+}
+
+
+function add_transcode_job($inputFilename, $outputFilename)
+{   
+    // Ubuntu 14.04 - libav-tools, libavcodec-extra-54
+
+    if(is_file('/usr/bin/ffmpeg')) {
+        $cmd = 'ffmpeg -i ' . escapeshellarg($inputFilename) . ' -sameq -ar 22050 -vcodec libx264  ' . escapeshellarg($outputFilename) . ' 2>&1' ;
+    }
+    else {
+        $cmd = 'avconv '
+            . '-i ' . escapeshellarg($inputFilename)    // input filename
+            . ' -c:v h264 '                             // video codec
+            . '-b:v 2000k '                             // video bitrate
+            . '-c:a aac '                               // audio codec
+            . '-b:a 196k '                              // audio bitrate
+            . '-f mp4 '                                 // file format
+            . '-strict experimental '                   // enable aac codec
+            . escapeshellarg($outputFilename)           // output filename
+            . ' 2>&1';
+    }
+
+    _debug("Running: $cmd");
+
+    $output = array();
+    $return = null;
+
+    exec($cmd, $output, $return);
+
+    _debug("Returned: $return, Output: " . print_r($output, true));
+}

drawing.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * 
  * Drawing page, brings up the xerte drawing tool in another window
@@ -8,20 +9,30 @@
  * @copyright Copyright (c) 2008,2009 University of Nottingham
  * @package
  */
-
 require_once(dirname(__FILE__) . '/config.php');
 
-
 echo file_get_contents("modules/xerte/drawing_xerte_top");
 
+$string_for_flash_xml = '';
+$string_for_flash_media = '';
+$string_for_flash_xwd = '';
+$template_id = '';
+
+// XOT never passes any parameters into this ... so it's a fairly pointless page.
+// The drawing itself gets updated when you publish/exit the flash editor, at which point it 
+// posts stuff back to /website_code/php/versioncontrol/update_file.php
+
+if (isset($_GET['template_id'])) {
+    $string_for_flash_xml = '';
+    $string_for_flash_media = '';
+    $string_for_flash_xwd = '';
+    $template_id = (int) $_GET['template_id'];
+}
+
 echo "so.addVariable(\"xmlvariable\", \"$string_for_flash_xml\");";
 echo "so.addVariable(\"rlovariable\", \"$string_for_flash_media\");";
 echo "so.addVariable(\"originalpathvariable\", \"$string_for_flash_xwd\");";
-echo "so.addVariable(\"template_id\", \"" . $row['template_id'] . "\");";
-
+echo "so.addVariable(\"template_id\", \"" . $template_id . "\");";
 echo "so.write(\"flashcontent\");";
 echo "</script>";
-
 echo "</body></html>";
-
-?>

library/Xerte/Validate/FileExtension.php

@@ -0,0 +1,53 @@
+<?php
+
+class Xerte_Validate_FileExtension
+{
+
+    protected $messages = array();
+
+    public static $BLACKLIST = 'php,php5,pl,cgi,exe,vbs,pif,application,gadget,msi,msp,com,scr,hta,htaccess,ini,cpl,msc,jar,bat,cmd,vb,vbe,jsp,jse,ws,wsf,wsc,wsh,ps1,ps1xml,ps2,ps2xml,psc1,psc2,msh,msh1,msh2,mshxml,msh1xml,msh2xml,scf,lnk,inf,reg,docm,dotm,xlsm,xltm,xlam,pptm,potm,ppam,ppsm,sldm';
+
+
+
+    public static function canRun()
+    {
+        return function_exists('pathinfo');
+    }
+
+
+    public function isValid($filename)
+    {
+        $this->messages = array();
+
+        $blacklist = explode(',', strtolower(self::$BLACKLIST));
+        $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
+        _debug($blacklist);
+        _debug($extension);
+
+        if (empty($extension)) {
+            _debug("File extension not found for '$filename'.");
+            $this->messages['NO_EXTENSION'] = "File extension not found.";
+            return false;
+        }
+
+        if (in_array($extension, $blacklist)) {
+            _debug("Invalid file type uploaded - '$extension' matches entry in blacklist");
+            $this->messages["INVALID_EXTENSION"] = "Invalid file format - $extension is blacklisted";
+            return false;
+        }
+        return  true;
+    }
+
+
+    public function getMessages()
+    {
+        return $this->messages;
+    }
+
+
+    public function getErrors()
+    {
+        return array_keys($this->messages);
+    }
+}
+

library/Xerte/Validate/FileMimeType.php

@@ -0,0 +1,50 @@
+<?php
+
+/**
+ * Use this to validate the mime type of a file.
+ */
+class Xerte_Validate_FileMimeType {
+
+    public static $allowableMimeTypeList = array();
+
+    protected $messages = array();
+
+    /**
+     * we need to know if the PHP env supports this validator.
+     */
+    public static function canRun() {
+        return function_exists('mime_content_type');
+    }
+
+    /**
+     * @return boolean true if ok.
+     * @param string file name. e.g. /etc/passwd, /usr/bin/blah, c:/blah, /tmp/php_upload/blah
+     */
+    public function isValid($file_name) {
+        $this->messages = array();
+        if(self::canRun()) {
+            if(file_exists($file_name)) {
+                $mime_type = mime_content_type($file_name);
+                if(in_array($mime_type, self::$allowableMimeTypeList)) {
+                    return true;
+                }
+                $this->messages['INVALID_MIME_TYPE'] = "$mime_type is not in list of allowable types";
+            }
+            $this->messages['FILE_NOT_FOUND'] = "File not found - $file_name";
+        }
+        else {
+            $this->messages['UNSUPPORTED'] = "Can't run - function: mime_content_type not found";
+        }
+        return false;
+    }
+
+    /**
+     * @return array of error messages (if any).
+     */
+    public function getMessages() {
+        return $this->messages;
+    }
+    public function getErrors() {
+        return array_keys($this->messages);
+    }
+}

library/Xerte/Validate/VirusScanClamAv.php

@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * @see modules/site/engine/upload.php
+ */
+
+class Xerte_Validate_VirusScanClamAv {
+
+    protected $messages = array();
+    // perhaps needs changing on other platforms.
+    public static $BINARY = '/usr/bin/clamscan';
+
+    public static function canRun() {
+        return file_exists(self::$BINARY);
+    }
+
+    public function isValid($filename) {
+        $this->messages = array();
+        if(file_exists($filename)) {
+            $command = self::$BINARY . " " . escapeshellarg($filename);
+            $retval = -1;
+            exec($command, $output, $retval);
+
+            if($retval == 0) {
+                return true;
+            }
+            else {
+                error_log("Virus found in file upload? $filename --- From " . __FILE__ . " - ClamAV output: {$retval} / {$output}");
+                _debug("Virus found? {$retval} / {$output} (When scanning : $filename)");
+                $this->messages[$retval] = "Virus found? $output";
+            }
+        }
+        else {
+            $this->messages['FILE_NOT_FOUND'] = "$filename doesn't exist. Cannot scan";
+        }
+        return false;
+    }
+
+    public function getMessages() {
+        return $this->messages;
+    }
+
+    public function getErrors() {
+        return array_keys($this->messages);
+    }
+}
+

library/Xerte/Validate/Xml.php

@@ -0,0 +1,65 @@
+<?php
+
+/**
+ * Use it to validate xml.
+ * <code>
+ * 
+ * $validator = new Xerte_Validate_Xml();
+ * if($validator->isValid($string)) { 
+ *     // $string is ok.
+ * }
+ * 
+ * </code>
+ * 
+ */
+class Xerte_Validate_Xml /* implements Zend_Validate_Interface */ { // silent dependency at the moment as we don't have all of ZF1
+
+    protected $messages = array();
+
+
+    /**
+     * @return boolean false if it's not valid.
+     * @param string $string - presumably some XML.
+     */
+    public function isValid($string) {
+        $return = false;
+        $this->messages = array();
+        if (extension_loaded('libxml') && extension_loaded('simplexml')) {
+            libxml_clear_errors();
+            $old_setting = libxml_use_internal_errors(true);
+            $xml = simplexml_load_string($string);
+            $errors = libxml_get_errors();
+            foreach ($errors as $error) {
+                $this->messages[$error->line] = $error->message;
+                _debug("XML Error on {$error->line} - {$error->level} - {$error->message}");
+                _debug($xml);
+            }
+
+            if($xml instanceof SimpleXMLElement) {
+                $return = true;
+            }
+
+            libxml_use_internal_errors($old_setting);
+            libxml_clear_errors();
+        } else {
+            _debug("Warning: simplexml extension not found");
+        }
+
+        return $return;
+    }
+
+    /**
+     * @return array
+     */
+    public function getMessages() {
+        return $this->messages;
+    }
+
+
+    /**
+     * @return array of line numbers where there was a problem, or an empty array.
+     */
+    public function getErrors() {
+        return array_keys($this->messages);
+    }
+}

modules/site/engine/file_exists.php

@@ -11,11 +11,8 @@
 
 require_once("../../../config.php");
 
-if(file_exists($xerte_toolkits_site->root_file_path . $_POST['file_name'])){
+if(!empty($_POST['file_name']) && file_exists($xerte_toolkits_site->root_file_path . $_POST['file_name'])){
     print("&return_value=true");
 }else{
     print("&return_value=false");
 }
-
-
-?>