Commit 21d58706 authored by Jyhem's avatar Jyhem

[SEC] Article edition does not rely on tmpDir being world-accessible any more....

[SEC] Article edition does not rely on tmpDir being world-accessible any more. [ENH] Now preview works for image changes.
parent eca644b7
......@@ -9,6 +9,12 @@
// application to display an image from the database with
// option to resize the image dynamically creating a thumbnail on the fly.
// This handles three types of images, depending on the image_type parameter:
// "article": Images for articles
// "submission": Images for article submissions
// "preview": Images for article and article submissions previews
// Any other value is invalid
require_once ('tiki-setup.php');
if ($prefs['feature_articles'] != 'y') {
......@@ -33,18 +39,47 @@ if (!isset($_REQUEST["id"])) {
include_once ('lib/init/initlib.php');
include_once ('tiki-setup_base.php');
$topiccachefile = $prefs['tmpDir'];
switch ($_REQUEST["image_type"]) {
case "article":
$image_cache_prefix="article";
break;
case "submission":
$image_cache_prefix="article_submission";
break;
case "preview":
$image_cache_prefix="article_preview";
break;
default:
die;
}
if ($tikidomain) { $topiccachefile.= "/$tikidomain"; }
$topiccachefile.= "/article.".$_REQUEST["id"];
$cachefile = $prefs['tmpDir'];
if ($tikidomain) { $cachefile.= "/$tikidomain"; }
$cachefile.= "/$image_cache_prefix.".$_REQUEST["id"];
if (is_file($topiccachefile) and (!isset($_REQUEST["reload"]))) {
$size = getimagesize($topiccachefile);
header ("Content-type: ".$size['mime']); /* do not backport to 1.8 */
readfile($topiccachefile);
// If cached file exists, display cached file
if (is_file($cachefile) and (!isset($_REQUEST["reload"]))) {
$size = getimagesize($cachefile);
header ("Content-type: ".$size['mime']);
readfile($cachefile);
die();
} else {
$data = $tikilib->get_article_image($_REQUEST["id"]);
// Create cached file from database data for articles or submissions
switch ($_REQUEST["image_type"]) {
case "article":
$data = $tikilib->get_article_image($_REQUEST["id"]);
break;
case "submission":
$data = $tikilib->get_submission($_REQUEST["id"]);
break;
case "preview":
// We can't get the data from the database. No fallback solution.
// No image displayed
break;
default:
// Invalid value
die;
}
// if blank then die, otherwise we offer to download strangeness
// this also catches invalid id's
if (!$data) {
......@@ -53,15 +88,15 @@ if (is_file($topiccachefile) and (!isset($_REQUEST["reload"]))) {
$type = $data["image_type"];
$data = $data["image_data"];
if ($data["image_data"]) {
$fp = fopen($topiccachefile,"wb");
$fp = fopen($cachefile,"wb");
fputs($fp,$data);
fclose($fp);
}
}
header ("Content-type: $type");
if (is_file($topiccachefile)) {
readfile($topiccachefile);
if (is_file($cachefile)) {
readfile($cachefile);
} else {
echo $data;
}
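Review bot: The cached-file branch (`if (is_file($cachefile) and (!isset($_REQUEST["reload"])))`) sends `$size['mime']` without checking that `getimagesize()` succeeded, so a preview cache file that is not a real image is served with an empty Content-Type and the browser is left to sniff the bytes — an uploaded HTML file can then render as a page on this origin. Add `if ($size === false) { die; }` right after `$size = getimagesize($cachefile);` (unlinking the bogus file there is reasonable too). Separately, `$_REQUEST["id"]` is spliced into the cache path as-is while `delete_image_cache()` in this same commit insists on `ctype_digit`; the same guard belongs here before the path is built, e.g. `if (!ctype_digit("".$_REQUEST["id"]) || $_REQUEST["id"] <= 0) { die; }`. Whether an uploaded preview file was checked before reaching the cache is decided in tiki-edit_article.php, not here, so this script should not treat the file's existence as proof that it is an image.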
......
......@@ -214,7 +214,7 @@ class ArtLib extends TikiLib {
(int) $image_x, (int) $image_y, $heading, $body, (int) $publishDate, (int) $expireDate, (int) $this->now, $user, $type, (float) $rating,
$topline, $subtitle, $linkto, $image_caption, $lang, (int) $articleId ) );
// Clear article image cache because image may just have been changed
$this->delete_image_cache($articleId);
$this->delete_image_cache("article",$articleId);
} else {
// Fixed query. -rlpowell
// Insert the article
......@@ -593,18 +593,31 @@ $show_expdate, $show_reads, $show_size, $show_topline, $show_subtitle, $show_lin
$msgs[] = sprintf(tra('Error line: %d'), $line);
}
}
return true;
return true;
}
function delete_image_cache($articleId) {
function delete_image_cache($image_type,$imageId) {
global $prefs;
// Input validation: articleID must be a number, and not 0
if(!ctype_digit("$articleId") || !($articleId>0)) {
// Input validation: imageId must be a number, and not 0
if(!ctype_digit("$imageId") || !($imageId>0)) {
return false;
}
switch ($image_type) {
case "article":
$image_cache_prefix="article";
break;
case "submission":
$image_cache_prefix="article_submission";
break;
case "preview":
$image_cache_prefix="article_preview";
break;
default:
return false;
}
$article_image_cache = $prefs['tmpDir'];
if ($tikidomain) { $article_image_cache.= "/$tikidomain"; }
$article_image_cache.= "/article.".$articleId;
$article_image_cache.= "/$image_cache_prefix.".$imageId;
if ( @unlink($article_image_cache) ) {
return true;
}else{
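Review bot: `delete_image_cache()` reads `$tikidomain` at `if ($tikidomain) { $article_image_cache.= "/$tikidomain"; }` but only declares `global $prefs;`, so inside the function the variable is undefined (unless something outside the hunk sets it), the per-domain subdirectory is never appended, and on a multi-domain install the `@unlink()` silently targets a path that does not exist while the stale image stays cached. Change the declaration to `global $prefs, $tikidomain;`, matching how article_image.php builds the same path at top level. The function's tail (the `else` branch) continues past the end of the hunk.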
......
......@@ -42,6 +42,8 @@
<form enctype="multipart/form-data" method="post" action="tiki-edit_article.php" id='editpageform'>
<input type="hidden" name="articleId" value="{$articleId|escape}" />
<input type="hidden" name="previewId" value="{$previewId|escape}" />
<input type="hidden" name="imageIsChanged" value="{$imageIsChanged|escape}" />
<input type="hidden" name="image_data" value="{$image_data|escape}" />
<input type="hidden" name="useImage" value="{$useImage|escape}" />
<input type="hidden" name="image_type" value="{$image_type|escape}" />
......@@ -107,11 +109,14 @@
<input name="userfile1" type="file" onchange="document.getElementById('useImage').checked = true;"/></td></tr>
{if $hasImage eq 'y'}
<tr class="formcolor"><td>{tr}Own Image{/tr}</td><td>{$image_name} [{$image_type}] ({$image_size} bytes)</td></tr>
{if $tempimg ne 'n'}
<tr class="formcolor"><td>{tr}Own Image{/tr}</td><td>
<img alt="{tr}Article image{/tr}" border="0" src="{$tempimg}" {if $image_x > 0}width="{$image_x}"{/if}{if $image_y > 0 }height="{$image_y}"{/if}/>
</td></tr>
{/if}
<tr class="formcolor">
<td>{tr}Own Image{/tr}</td>
{if $imageIsChanged eq 'y'}
<td><img alt="{tr}Article image{/tr}" border="0" src="article_image.php?image_type=preview&amp;id={$previewId}" /></td>
{else}
<td><img alt="{tr}Article image{/tr}" border="0" src="article_image.php?image_type=article&amp;id={$articleId}" /></td>
{/if}
</tr>
{/if}
<tr id='show_image_2' {if $types.$type.show_image eq 'y'}style="display:;"{else}style="display:none;"{/if} class="formcolor"><td>{tr}Use own image{/tr}</td><td>
<input type="checkbox" name="useImage" id="useImage" {if $useImage eq 'y'}checked='checked'{/if}/>
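Review bot: In the new `{if $imageIsChanged eq 'y'}` row, `{$previewId}` and `{$articleId}` are interpolated into the `src` attribute without the `|escape` modifier that the hidden inputs a few lines up apply to the same values, and `$previewId` is taken verbatim from `$_REQUEST["previewId"]` in tiki-edit_article.php, so a crafted value can break out of the attribute. Use `src="article_image.php?image_type=preview&amp;id={$previewId|escape:'url'}"` and the same modifier on `{$articleId}` in the `{else}` branch.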
......
......@@ -28,6 +28,8 @@
<form enctype="multipart/form-data" method="post" action="tiki-edit_submission.php" id='editpageform'>
<input type="hidden" name="subId" value="{$subId|escape}" />
<input type="hidden" name="previewId" value="{$previewId|escape}" />
<input type="hidden" name="changeImage" value="{$changeImage|escape}" />
<input type="hidden" name="image_data" value="{$image_data|escape}" />
<input type="hidden" name="useImage" value="{$useImage|escape}" />
<input type="hidden" name="image_type" value="{$image_type|escape}" />
......@@ -91,7 +93,7 @@
</select>
</td></tr>
<tr id='show_image_1' {if $types.$type.show_image eq 'y'}style="display:;"{else}style="display:none;"{/if} class="formcolor"><td>{tr}Own Image{/tr} *</td><td><input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
<input name="userfile1" type="file" /></td></tr>
<input name="userfile1" type="file" onchange="document.getElementById('useImage').checked = true;"/></td></tr>
{if $hasImage eq 'y'}
<tr class="formcolor"><td>{tr}Own Image{/tr}</td><td>{$image_name} [{$image_type}] ({$image_size} bytes)</td></tr>
{if $tempimg ne 'n'}
......@@ -101,7 +103,7 @@
{/if}
{/if}
<tr id='show_image_2' {if $types.$type.show_image eq 'y'}style="display:;"{else}style="display:none;"{/if} class="formcolor"><td>{tr}Use own image{/tr} *</td><td>
<input type="checkbox" name="useImage" {if $useImage eq 'y'}checked='checked'{/if}/>
<input type="checkbox" name="useImage" id="useImage" {if $useImage eq 'y'}checked='checked'{/if}/>
</td></tr>
<tr id='show_image_3' {if $types.$type.show_image eq 'y'}style="display:;"{else}style="display:none;"{/if} class="formcolor"><td>{tr}Float text around image{/tr} *</td><td>
<input type="checkbox" name="isfloat" {if $isfloat eq 'y'}checked='checked'{/if}/>
......@@ -124,9 +126,7 @@
{include file=categorize.tpl}
<tr class="formcolor">
<td>
{tr}Heading{/tr}
<br />
<td>{tr}Heading{/tr}<br />
{if $prefs.quicktags_over_textarea neq 'y'}
{include file=tiki-edit_help_tool.tpl area_name='heading' qtnum='1'}
{/if}
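Review bot: The hidden field added to the submission form is named `changeImage` and filled from `{$changeImage}`, but tiki-edit_submission.php in this same commit assigns and reads `imageIsChanged`, so the flag is never populated here and is lost on the next preview/save round trip. Rename it to `<input type="hidden" name="imageIsChanged" value="{$imageIsChanged|escape}" />`. The image row further down still renders `{$tempimg}` rather than the `article_image.php?image_type=preview&amp;id=...` URL used in tiki-edit_article.tpl, so the freshly uploaded preview image is presumably not shown for submissions either — worth confirming.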
......
......@@ -24,10 +24,15 @@
<tr><td valign="top">
{if $useImage eq 'y'}
{if $hasImage eq 'y'}
{if $articleId gt 0}
<img alt="{tr}Article image{/tr}" border="0" src="article_image.php?id={$articleId}" />
{if $imageIsChanged eq 'y'}
<img alt="{tr}Article image{/tr}" border="0" src="article_image.php?image_type=preview&amp;id={$previewId}"
{if $image_x > 0}width="{$image_x}"{/if}{if $image_y > 0 }height="{$image_y}"{/if} />
{else}
<img alt="{tr}Article image{/tr}" border="0" src="{$tempimg}" />
{if $subId}
<img alt="{tr}Article image{/tr}" border="0" src="article_image.php?image_type=submission&amp;id={$subId}" />
{else}
<img alt="{tr}Article image{/tr}" border="0" src="article_image.php?image_type=article&amp;id={$articleId}" />
{/if}
{/if}
{else}
<img alt="{tr}Topic image{/tr}" border="0" src="topic_image.php?id={$topicId}" />
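Review bot: `{$previewId}`, `{$subId}` and `{$articleId}` are written into `src` attributes here without `|escape`; `$previewId` comes straight from `$_REQUEST["previewId"]` in the edit scripts, so it should be escaped, e.g. `id={$previewId|escape:'url'}`, and the other two ids the same way for consistency. The enclosing table row and `{if $useImage eq 'y'}` block run past the end of the hunk.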
......
......@@ -13,7 +13,8 @@
<tr><td valign="top">
{if $useImage eq 'y'}
{if $hasImage eq 'y'}
<img alt="{tr}Article image{/tr}" border="0" src="article_image.php?id={$articleId}" />
<img alt="{tr}Article image{/tr}" border="0" src="article_image.php?image_type=article&amp;id={$articleId}"
{if $image_x > 0}width="{$image_x}"{/if}{if $image_y > 0 }height="{$image_y}"{/if} />
{else}
<img alt="{tr}Topic image{/tr}" border="0" src="topic_image.php?id={$topicId}" />
{/if}
......
......@@ -40,7 +40,7 @@
<a href="#" title="{if $show_image_caption and $image_caption}{$image_caption}{else}{tr}Article image{/tr}{/if}">
<img {if $isfloat eq 'y'}style="margin-right:4px;float:left;"{else}class="articleimage"{/if}
alt="{if $show_image_caption and $image_caption}{$image_caption}{else}{tr}Article image{/tr}{/if}"
border="0" src="article_image.php?id={$articleId}"{if $image_x > 0} width="{$image_x}"{/if}{if $image_y > 0 } height="{$image_y}"{/if} /></a>
border="0" src="article_image.php?image_type=article&amp;id={$articleId}"{if $image_x > 0} width="{$image_x}"{/if}{if $image_y > 0 } height="{$image_y}"{/if} /></a>
{else}
<img {if $isfloat eq 'y'}style="margin-right:4px;float:left;"{else}class="articleimage"{/if}
alt="{tr}Topic image{/tr}" border="0" src="topic_image.php?id={$topicId}" />
......
......@@ -56,7 +56,7 @@
$listpages[ix].image_caption}{$listpages[ix].image_caption}{else}{$listpages[ix].topicName}{/if}"><img
{if $listpages[ix].isfloat eq 'y'}style="margin-right:4px;float:left;"{else}class="articleimage"{/if}
alt="{if $listpages[ix].show_image_caption and $listpages[ix].image_caption}{$listpages[ix].image_caption}{else}{$listpages[ix].topicName}{/if}"
border="0" src="article_image.php?id={$listpages[ix].articleId}"
border="0" src="article_image.php?image_type=article&amp;id={$listpages[ix].articleId}"
{if $listpages[ix].image_x > 0} width="{$listpages[ix].image_x}"{/if}{if $listpages[ix].image_y > 0 } height="{$listpages[ix].image_y}"{/if} /></a>
{else}
<a href="tiki-read_article.php?articleId={$listpages[ix].articleId}" title="{if $listpages[ix].show_image_caption and
......
......@@ -37,7 +37,16 @@ if (isset($_REQUEST["articleId"])) {
$articleId = 0;
}
// We need separate numbering of previews, since we access preview images by this number
if (isset($_REQUEST["previewId"])) {
$previewId = $_REQUEST["previewId"];
} else {
$previewId = rand();
}
$smarty->assign('articleId', $articleId);
$smarty->assign('previewId', $previewId);
$smarty->assign('imageIsChanged', ($_REQUEST["imageIsChanged"]=='y')?'y':'n');
if (isset($_REQUEST["templateId"]) && $_REQUEST["templateId"] > 0) {
$template_data = $tikilib->get_template($_REQUEST["templateId"]);
......@@ -134,7 +143,7 @@ if (isset($_REQUEST["articleId"]) and $_REQUEST["articleId"] > 0) {
$imgname = $article_data["image_name"];
if ($hasImage == 'y') {
$smarty->assign('tempimg', 'article_image.php?id='.$_REQUEST["articleId"]);
$smarty->assign('tempimg', 'article_image.php?image_type=article&amp;id='.$_REQUEST["articleId"]);
} else {
$smarty->assign('tempimg', 'n');
}
......@@ -246,9 +255,9 @@ if (isset($_REQUEST["preview"]) or !empty($errors)) {
// Parse the information of an uploaded file and use it for the preview
if (isset($_FILES['userfile1']) && is_uploaded_file($_FILES['userfile1']['tmp_name'])) {
$fp = fopen($_FILES['userfile1']['tmp_name'], "rb");
$data = fread($fp, filesize($_FILES['userfile1']['tmp_name']));
fclose ($fp);
$imgtype = $_FILES['userfile1']['type'];
$imgsize = $_FILES['userfile1']['size'];
$imgname = $_FILES['userfile1']['name'];
......@@ -258,20 +267,17 @@ if (isset($_REQUEST["preview"]) or !empty($errors)) {
$smarty->assign('image_size', $imgsize);
$hasImage = 'y';
$smarty->assign('hasImage', 'y');
}
if ($hasImage == 'y') {
$tmpfname = $prefs['tmpDir'] . "/articleimage" . "." . $_REQUEST["articleId"];
$fp = fopen($tmpfname, "wb");
if ($fp) {
fwrite($fp, $data);
fclose ($fp);
$smarty->assign('tempimg', $tmpfname);
} else {
$smarty->assign('tempimg', 'n');
// Create preview cache image, for display afterwards
$cachefile = $prefs['tmpDir'];
if ($tikidomain) { $cachefile.= "/$tikidomain"; }
$cachefile.= "/article_preview.".$previewId;
if (move_uploaded_file($_FILES['userfile1']['tmp_name'], $cachefile)) {
$smarty->assign('imageIsChanged', 'y');
}
}
$smarty->assign('heading', $_REQUEST["heading"]);
$smarty->assign('edit_data', 'y');
......@@ -363,7 +369,6 @@ if (isset($_REQUEST['save']) && empty($errors)) {
$imgtype = $_FILES['userfile1']['type'];
$imgsize = $_FILES['userfile1']['size'];
$imgname = $_FILES['userfile1']['name'];
@$artlib->delete_image_cache($_REQUEST["id"]);
}
// Parse $edit and eliminate image references to external URIs (make them internal)
......@@ -390,10 +395,32 @@ if (isset($_REQUEST['save']) && empty($errors)) {
}
}
$artid = $artlib->replace_article(strip_tags($_REQUEST["title"], '<a><pre><p><img><hr><b><i>'), $_REQUEST["authorName"],
$_REQUEST["topicId"], $useImage, $imgname, $imgsize, $imgtype, $imgdata, $heading, $body, $publishDate, $expireDate, $user,
$articleId, $_REQUEST["image_x"], $_REQUEST["image_y"], $_REQUEST["type"], $_REQUEST["topline"], $_REQUEST["subtitle"],
$_REQUEST["linkto"], $_REQUEST["image_caption"], $_REQUEST["lang"], $_REQUEST["rating"], $isfloat, $emails);
$artid = $artlib->replace_article(strip_tags($_REQUEST["title"], '<a><pre><p><img><hr><b><i>')
, $_REQUEST["authorName"]
, $_REQUEST["topicId"]
, $useImage
, $imgname
, $imgsize
, $imgtype
, $imgdata
, $heading
, $body
, $publishDate
, $expireDate
, $user
, $articleId
, $_REQUEST["image_x"]
, $_REQUEST["image_y"]
, $_REQUEST["type"]
, $_REQUEST["topline"]
, $_REQUEST["subtitle"]
, $_REQUEST["linkto"]
, $_REQUEST["image_caption"]
, $_REQUEST["lang"]
, $_REQUEST["rating"]
, $isfloat
, $emails
);
$cat_type = 'article';
$cat_objid = $artid;
......@@ -402,6 +429,11 @@ if (isset($_REQUEST['save']) && empty($errors)) {
$cat_href = "tiki-read_article.php?articleId=" . $cat_objid;
include_once("categorize.php");
include_once ("freetag_apply.php");
// Remove image cache because image may have changed, and we
// don't want to show the old image
@$artlib->delete_image_cache("article",$_REQUEST["id"]);
// Remove preview cache because it won't be used any more
@$artlib->delete_image_cache("preview",$previewId);
header ("location: tiki-read_article.php?articleId=$artid");
}
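Review bot: `$previewId` is taken unvalidated from `$_REQUEST["previewId"]` and then spliced into the filesystem path that `move_uploaded_file()` writes to (`$cachefile.= "/article_preview.".$previewId;`), even though `delete_image_cache("preview", $previewId)` later rejects anything that is not a positive integer — a non-numeric id therefore yields a cache file this code can never delete, and the `article_preview.` prefix is the only thing between the value and directory traversal. Validate on read: `$previewId = (isset($_REQUEST["previewId"]) && ctype_digit("".$_REQUEST["previewId"])) ? (int)$_REQUEST["previewId"] : rand();`. The upload is never checked to be an image before it lands in the cache that article_image.php serves from the site origin; a `getimagesize($_FILES['userfile1']['tmp_name']) !== false` guard before the move closes that. The save path also calls `delete_image_cache("article", $_REQUEST["id"])` although this script identifies the article by `$articleId`/`$artid`, so that call is presumably a no-op — `$artid` is the value that was just written.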
......
......@@ -9,7 +9,6 @@
// Initialization
$section = 'cms';
require_once ('tiki-setup.php');
include_once ('lib/articles/artlib.php');
if ($prefs['feature_freetags'] == 'y') {
......@@ -44,8 +43,18 @@ if (isset($_REQUEST["subId"])) {
$subId = 0;
}
// We need separate numbering of previews, since we access preview images by this number
if (isset($_REQUEST["previewId"])) {
$previewId = $_REQUEST["previewId"];
} else {
$previewId = rand();
}
$smarty->assign('subId', $subId);
$smarty->assign('articleId', $subId);
$smarty->assign('previewId', $previewId);
$smarty->assign('imageIsChanged', ($_REQUEST["imageIsChanged"]=='y')?'y':'n');
$smarty->assign('allowhtml', 'y');
$publishDate = $tikilib->now;
$expireDate = $tikilib->make_time(0,0,0,$tikilib->date_format("%m"), $tikilib->date_format("%d"), $tikilib->date_format("%Y")+1);
......@@ -122,15 +131,9 @@ if (isset($_REQUEST["subId"])) {
$imgname = $article_data["image_name"];
if ($hasImage == 'y') {
$tmpfname = $prefs['tmpDir'] . "/articleimage" . "." . $_REQUEST["subId"];
$fp = fopen($tmpfname, "wb");
if ($fp) {
fwrite($fp, $data);
fclose ($fp);
$smarty->assign('tempimg', $tmpfname);
} else {
$smarty->assign('tempimg', 'n');
}
$smarty->assign('tempimg', 'article_image.php?image_type=submission&amp;id='.$_REQUEST["articleId"]);
} else {
$smarty->assign('tempimg', 'n');
}
$body = $article_data["body"];
......@@ -228,21 +231,11 @@ if (isset($_REQUEST["preview"])) {
$file_name = $_FILES['userfile1']['name'];
// Simple check if it's an image file
if (preg_match('/\.(gif|png|jpe?g)$/i',$file_name)) {
$file_tmp_name = $_FILES['userfile1']['tmp_name'];
$tmp_dest = $prefs['tmpDir'] . "/" . $file_name.".tmp";
if (!move_uploaded_file($file_tmp_name, $tmp_dest)) {
$smarty->assign('msg', tra('Errors detected'));
$smarty->display("error.tpl");
die();
}
$fp = fopen($tmp_dest, "rb");
$data = fread($fp, filesize($tmp_dest));
if (preg_match('/\.(gif|png|jpe?g)$/i',$file_name)) {
$fp = fopen($_FILES['userfile1']['tmp_name'], "rb");
$data = fread($fp, filesize($_FILES['userfile1']['tmp_name']));
fclose ($fp);
unlink($tmp_dest);
$imgtype = $_FILES['userfile1']['type'];
$imgsize = $_FILES['userfile1']['size'];
$imgname = $_FILES['userfile1']['name'];
......@@ -252,21 +245,17 @@ if (isset($_REQUEST["preview"])) {
$smarty->assign('image_size', $imgsize);
$hasImage = 'y';
$smarty->assign('hasImage', 'y');
// Create preview cache image, for display afterwards
$cachefile = $prefs['tmpDir'];
if ($tikidomain) { $cachefile.= "/$tikidomain"; }
$cachefile.= "/article_preview.".$previewId;
if (move_uploaded_file($_FILES['userfile1']['tmp_name'], $cachefile)) {
$smarty->assign('imageIsChanged', 'y');
}
}
if ($hasImage == 'y') {
$tmpfname = $prefs['tmpDir'] . "/articleimage" . "." . $_REQUEST["subId"];
$fp = fopen($tmpfname, "wb");
if ($fp) {
fwrite($fp, $data);
fclose ($fp);
$smarty->assign('tempimg', $tmpfname);
} else {
$smarty->assign('tempimg', 'n');
}
}
$smarty->assign('heading', $_REQUEST["heading"]);
$smarty->assign('edit_data', 'y');
......@@ -397,17 +386,6 @@ if (isset($_REQUEST["save"]) || isset($_REQUEST["submit"])) {
, $isfloat
);
/*
$links = $tikilib->get_links($body);
$notcachedlinks = $tikilib->get_links_nocache($body);
$cachedlinks = array_diff($links, $notcachedlinks);
$tikilib->cache_links($cachedlinks);
$links = $tikilib->get_links($heading);
$notcachedlinks = $tikilib->get_links_nocache($heading);
$cachedlinks = array_diff($links, $notcachedlinks);
$tikilib->cache_links($cachedlinks);
*/
$cat_type = 'submission';
$cat_objid = $subid;
$cat_desc = substr($_REQUEST["heading"], 0, 200);
......@@ -415,6 +393,11 @@ if (isset($_REQUEST["save"]) || isset($_REQUEST["submit"])) {
$cat_href = "tiki-edit_submission.php?subId=" . $cat_objid;
include_once ("categorize.php");
include_once ("freetag_apply.php");
// Remove image cache because image may have changed, and we
// don't want to show the old image
@$artlib->delete_image_cache("submission",$subId);
// Remove preview cache because it won't be used any more
@$artlib->delete_image_cache("preview",$previewId);
if ( isset($_REQUEST["save"]) && $tiki_p_autoapprove_submission == 'y' ) {
$artlib->approve_submission($subid);
header ("location: tiki-view_articles.php");
......@@ -432,6 +415,7 @@ $_SESSION["thedate"] = $tikilib->now;
$topics = $artlib->list_topics();
$smarty->assign_by_ref('topics', $topics);
// get list of valid types
$types = $artlib->list_types_byname();
$smarty->assign_by_ref('types', $types);
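Review bot: In the `if ($hasImage == 'y')` branch the preview URL is built from `$_REQUEST["articleId"]`, but this script identifies the submission by `$_REQUEST["subId"]` (the surrounding `if (isset($_REQUEST["subId"]))` block) and only assigns `articleId` to Smarty, so the generated `tempimg` URL presumably carries an empty id and the stored image is not shown. Use `$smarty->assign('tempimg', 'article_image.php?image_type=submission&amp;id='.$subId);`. The same unvalidated `$previewId` from the request is used to build the `article_preview.` path handed to `move_uploaded_file()`, so the `ctype_digit` check that `delete_image_cache()` applies should be applied where `$previewId` is read. The removal of `include_once ('lib/articles/artlib.php')` is only safe if tiki-setup.php already provides `$artlib`, which `delete_image_cache()` and `list_topics()` below still require — worth confirming.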
......
......@@ -59,6 +59,8 @@ if (isset($_REQUEST["articleId"])) {
$smarty->assign('image_name', $article_data["image_name"]);
$smarty->assign('image_type', $article_data["image_type"]);
$smarty->assign('image_size', $article_data["image_size"]);
$smarty->assign('image_x', $article_data["image_x"]);
$smarty->assign('image_y', $article_data["image_y"]);
$smarty->assign('image_data', urlencode($article_data["image_data"]));
$smarty->assign('reads', $article_data["nbreads"]);
$smarty->assign('size', $article_data["size"]);
......