
implement upload-related support for open_basedir

Andrew Dolgov 6 years ago
parent
commit
3306daecf4

+ 0 - 0
cache/upload/.empty


+ 27 - 3
classes/opml.php

@@ -461,11 +461,35 @@ class Opml extends Handler_Protected {
 
 #		if ($debug) $doc = DOMDocument::load("/tmp/test.opml");
 
-		if (is_file($_FILES['opml_file']['tmp_name'])) {
+		if ($_FILES['opml_file']['error'] != 0) {
+			print_error(T_sprintf("Upload failed with error code %d",
+				$_FILES['opml_file']['error']));
+			return;
+		}
+
+		$tmp_file = false;
+
+		if (is_uploaded_file($_FILES['opml_file']['tmp_name'])) {
+			$tmp_file = tempnam(CACHE_DIR . '/upload', 'opml');
+
+			$result = move_uploaded_file($_FILES['opml_file']['tmp_name'],
+				$tmp_file);
+
+			if (!$result) {
+				print_error(__("Unable to move uploaded file."));
+				return;
+			}
+		} else {
+			print_error(__('Error: please upload OPML file.'));
+			return;
+		}
+
+		if (is_file($tmp_file)) {
 			$doc = new DOMDocument();
-			$doc->load($_FILES['opml_file']['tmp_name']);
+			$doc->load($tmp_file);
+			unlink($tmp_file);
 		} else if (!$doc) {
-			print_error(__('Error: please upload OPML file.'));
+			print_error(__('Error: unable to find moved OPML file.'));
 			return;
 		}
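Review bot: `$doc->load($tmp_file)` parses XML supplied by the uploading user, and nothing in this hunk restricts what the parser may resolve while reading it. On PHP builds linked against libxml2 older than 2.9, external entities are loaded by default, so unless the entity loader is disabled somewhere outside this hunk, an uploaded OPML could cause local file reads or outbound requests during import. Because `DOMDocument::load()` by path stops working once the loader is disabled, I would read the file and parse the string: `libxml_disable_entity_loader(true);` followed by `$doc->loadXML(file_get_contents($tmp_file), LIBXML_NONET);`. The enclosing method starts and ends outside the hunk, so an existing guard may simply not be visible here.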
 

+ 21 - 4
classes/pref/feeds.php

@@ -463,7 +463,7 @@ class Pref_Feeds extends Handler_Protected {
 			WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
 
 		if (db_num_rows($result) != 0) {
-			unlink(ICONS_DIR . "/$feed_id.ico");
+			@unlink(ICONS_DIR . "/$feed_id.ico");
 		}
 
 		return;
@@ -472,7 +472,22 @@ class Pref_Feeds extends Handler_Protected {
 	function uploadicon() {
 		header("Content-type: text/html");
 
-		$icon_file = $_FILES['icon_file']['tmp_name'];
+		$tmp_file = false;
+
+		if (is_uploaded_file($_FILES['icon_file']['tmp_name'])) {
+			$tmp_file = tempnam(CACHE_DIR . '/upload', 'icon');
+
+			$result = move_uploaded_file($_FILES['icon_file']['tmp_name'],
+				$tmp_file);
+
+			if (!$result) {
+				return;
+			}
+		} else {
+			return;
+		}
+
+		$icon_file = $tmp_file;
 		$feed_id = db_escape_string($this->link, $_REQUEST["feed_id"]);
 
 		if (is_file($icon_file) && $feed_id) {
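Review bot: The result of `tempnam(CACHE_DIR . '/upload', 'icon')` is passed straight to `move_uploaded_file()` without a check. When the directory cannot be written, tempnam() returns false or falls back to the system temporary directory, which is the location an open_basedir setup is meant to avoid. The placeholder file it creates is also left behind when the move fails. I would add `if (!$tmp_file) return;` after the call, confirm the returned path is under the upload directory, and add `@unlink($tmp_file);` before the failure return; the same pattern appears in classes/opml.php and plugins/googlereaderimport/init.php. This hunk also omits the `$_FILES['icon_file']['error']` check that the other two uploads perform, and uploadicon() continues past the end of the hunk.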
@@ -482,8 +497,8 @@ class Pref_Feeds extends Handler_Protected {
 					WHERE id = '$feed_id' AND owner_uid = ". $_SESSION["uid"]);
 
 				if (db_num_rows($result) != 0) {
-					unlink(ICONS_DIR . "/$feed_id.ico");
-					move_uploaded_file($icon_file, ICONS_DIR . "/$feed_id.ico");
+					@unlink(ICONS_DIR . "/$feed_id.ico");
+					rename($icon_file, ICONS_DIR . "/$feed_id.ico");
 					$rc = 0;
 				} else {
 					$rc = 2;
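Review bot: `$rc = 0` is set whether or not `rename($icon_file, ICONS_DIR . "/$feed_id.ico")` succeeded, so a failed move is reported to the client as success after the previous icon has already been unlinked. Using the return value, for example `$rc = rename($icon_file, ICONS_DIR . "/$feed_id.ico") ? 0 : 2;`, keeps the reported status accurate. The enclosing branch opens before this hunk, so any size or type check applied to the uploaded icon is not visible here.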
@@ -495,6 +510,8 @@ class Pref_Feeds extends Handler_Protected {
 			$rc = 2;
 		}
 
+		@unlink($icon_file);
+
 		print "<script type=\"text/javascript\">";
 		print "parent.uploadIconHandler($rc);";
 		print "</script>";

+ 1 - 1
include/rssfuncs.php

@@ -1191,7 +1191,7 @@
 	}
 
 	function expire_cached_files($debug) {
-		foreach (array("simplepie", "images", "export") as $dir) {
+		foreach (array("simplepie", "images", "export", "upload") as $dir) {
 			$cache_dir = CACHE_DIR . "/$dir";
 
 			if ($debug) _debug("Expiring $cache_dir");

+ 4 - 4
include/sanity_check.php

@@ -55,6 +55,10 @@
 				array_push($errors, "Image cache is not writable (chmod -R 777 ".CACHE_DIR."/images)");
 			}
 
+			if (!is_writable(CACHE_DIR . "/upload")) {
+				array_push($errors, "Upload cache is not writable (chmod -R 777 ".CACHE_DIR."/upload)");
+			}
+
 			if (!is_writable(CACHE_DIR . "/export")) {
 				array_push($errors, "Data export cache is not writable (chmod -R 777 ".CACHE_DIR."/export)");
 			}
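Review bot: The new error text advises `chmod -R 777` on the directory that receives uploaded files, which makes it writable by every local account on the host. It mirrors the wording of the neighbouring cache checks, but for an upload target I would point the administrator at ownership by the web server user instead, e.g. `"Upload cache is not writable by the web server user (".CACHE_DIR."/upload)"`. The `is_writable()` check itself needs no change.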
@@ -102,10 +106,6 @@
 				array_push($errors, "LOCK_DIRECTORY defined in config.php is not writable (chmod -R 777 ".LOCK_DIRECTORY.").\n");
 			}
 
-			if (ini_get("open_basedir")) {
-				array_push($errors, "PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).");
-			}
-
 			if (!function_exists("curl_init") && !ini_get("allow_url_fopen")) {
 				array_push($errors, "PHP configuration option allow_url_fopen is disabled, and CURL functions are not present. Either enable allow_url_fopen or install PHP extension for CURL.");
 			}

+ 0 - 4
install/index.php

@@ -17,10 +17,6 @@
 			array_push($errors, "PHP version 5.3.0 or newer required.");
 		}
 
-		if (ini_get("open_basedir")) {
-			array_push($errors, "PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).");
-		}
-
 		if (!function_exists("curl_init") && !ini_get("allow_url_fopen")) {
 			array_push($errors, "PHP configuration option allow_url_fopen is disabled, and CURL functions are not present. Either enable allow_url_fopen or install PHP extension for CURL.");
 		}

+ 26 - 2
plugins/googlereaderimport/init.php

@@ -66,8 +66,32 @@ class GoogleReaderImport extends Plugin {
 
 			$owner_uid = $_SESSION["uid"];
 
-			if (is_file($_FILES['starred_file']['tmp_name'])) {
-				$doc = json_decode(file_get_contents($_FILES['starred_file']['tmp_name']), true);
+			if ($_FILES['starred_file']['error'] != 0) {
+				print_error(T_sprintf("Upload failed with error code %d",
+					$_FILES['starred_file']['error']));
+				return;
+			}
+
+			$tmp_file = false;
+
+			if (is_uploaded_file($_FILES['starred_file']['tmp_name'])) {
+				$tmp_file = tempnam(CACHE_DIR . '/upload', 'starred');
+
+				$result = move_uploaded_file($_FILES['starred_file']['tmp_name'],
+					$tmp_file);
+
+				if (!$result) {
+					print_error(__("Unable to move uploaded file."));
+					return;
+				}
+			} else {
+				print_error(__('Error: please upload OPML file.'));
+				return;
+			}
+
+			if (is_file($tmp_file)) {
+				$doc = json_decode(file_get_contents($tmp_file), true);
+				unlink($tmp_file);
 			} else {
 				print_error(__('No file uploaded.'));
 				return;
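Review bot: The `else` branch for a failed `is_uploaded_file()` prints `'Error: please upload OPML file.'`, apparently carried over from classes/opml.php, although this handler reads a starred-items JSON file via `json_decode()`. Reusing the message already in this method, `print_error(__('No file uploaded.'));`, would be accurate. The trailing `is_file($tmp_file)` else branch that prints that message is now reached only if the moved file vanishes between the move and the check. The enclosing method starts and ends outside the hunk.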