Fixed bug #16136: make it possible to really restrict to certain file extensions...
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_basicfilefunc.php
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 1999-2010 Kasper Skårhøj (kasperYYYY@typo3.com)
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the textfile GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
18 *
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
27 /**
28 * Contains class with basic file management functions
29 *
30 * $Id$
31 * Revised for TYPO3 3.6 July/2003 by Kasper Skårhøj
32 *
33 * @author Kasper Skårhøj <kasperYYYY@typo3.com>
34 */
35 /**
36 * [CLASS/FUNCTION INDEX of SCRIPT]
37 *
38 *
39 *
40 * 81: class t3lib_basicFileFunctions
41 *
42 * SECTION: Checking functions
43 * 133: function init($mounts, $f_ext)
44 * 152: function getTotalFileInfo($wholePath)
45 * 172: function is_allowed($iconkey,$type)
46 * 197: function checkIfFullAccess($theDest)
47 * 211: function is_webpath($path)
48 * 231: function checkIfAllowed($ext, $theDest, $filename='')
49 * 241: function checkFileNameLen($fileName)
50 * 251: function is_directory($theDir)
51 * 268: function isPathValid($theFile)
52 * 283: function getUniqueName($theFile, $theDest, $dontCheckForUnique=0)
53 * 326: function checkPathAgainstMounts($thePath)
54 * 342: function findFirstWebFolder()
55 * 362: function blindPath($thePath)
56 * 378: function findTempFolder()
57 *
58 * SECTION: Cleaning functions
59 * 412: function cleanDirectoryName($theDir)
60 * 422: function rmDoubleSlash($string)
61 * 432: function slashPath($path)
62 * 446: function cleanFileName($fileName,$charset='')
63 * 480: function formatSize($sizeInBytes)
64 *
65 * TOTAL FUNCTIONS: 19
66 * (This index is automatically created/updated by the extension "extdeveval")
67 *
68 */
69
70
71
72 /**
73 * Contains functions for management, validation etc of files in TYPO3, using the concepts of web- and ftp-space. Please see the comment for the init() function
74 *
75 * @author Kasper Skårhøj <kasperYYYY@typo3.com>
76 * @package TYPO3
77 * @subpackage t3lib
78 * @see t3lib_basicFileFunctions::init()
79 */
80 class t3lib_basicFileFunctions {
// Prefix which is prepended to the file name (and file body) by getUniqueName()
var $getUniqueNamePrefix = '';
// Highest number getUniqueName() appends to a filename before it falls back to a unique string
var $maxNumber = 99;
// Number of characters taken from an MD5 hash when getUniqueName() appends a unique string
var $uniquePrecision = 6;
// Maximum filename length accepted by checkFileNameLen(); init() overrides it with $TYPO3_CONF_VARS['SYS']['maxFileNameLength'] when that is set
var $maxInputNameLen = 60;
// Temp-foldername. findTempFolder() looks for a folder with this name directly inside each mount path
var $tempFN = '_temp_';

// internal
// Allowed/denied file extensions per space ('webspace' / 'ftpspace'), filled by init()
var $f_ext = array();
// File mounts, filled by init()
var $mounts = array();
// Set by init() to t3lib_div::getIndpEnv('TYPO3_DOCUMENT_ROOT')
var $webPath = '';
// Set to 1 by init()
var $isInit = 0;
// Charset conversion object, fetched lazily by cleanFileName(). Declared here so it is not created as a dynamic property.
var $csConvObj;
92
93
94
95 /**********************************
96 *
97 * Checking functions
98 *
99 **********************************/
100
/**
 * Initialises the object: stores the file mounts and the normalised file extension rules.
 * Call this before using the checking functions; it sets $this->isInit.
 *
 * Expected form of $mounts:
 *   $mounts[xx]['path'] = (..a mounted path, with a trailing '/'..)
 * Each entry may also have a ['name'] (used by blindPath() for display) and, according to the
 * original documentation, a ['type']. Neither is used for authentication here.
 * checkPathAgainstMounts($thePath) traverses $this->mounts and checks that $thePath starts with one of
 * the mount paths, so $thePath must have a trailing '/' as well.
 * This array is critical: it decides where the user is allowed to operate on files.
 *
 * Expected form of $f_ext:
 *   $f_ext['webspace']['allow'] = '';
 *   $f_ext['webspace']['deny'] = PHP_EXTENSIONS_DEFAULT;
 *   $f_ext['ftpspace']['allow'] = '*';
 *   $f_ext['ftpspace']['deny'] = '';
 * File extensions are controlled in two categories: "webspace" is used for paths below
 * TYPO3_DOCUMENT_ROOT, "ftpspace" for everything else (see is_webpath()).
 * Each value is a comma-separated list of extensions; '*' stands for every extension.
 * All four lists are lowercased here, so the lists are effectively case-insensitive.
 * How the allow and deny lists are evaluated is documented on is_allowed().
 * Typically $TYPO3_CONF_VARS['BE']['fileExtensions'] is passed as $f_ext.
 *
 * Example:
 *   $basicff->init($GLOBALS['FILEMOUNTS'], $TYPO3_CONF_VARS['BE']['fileExtensions']);
 *
 * @param array $mounts File mounts of the current BE user, normally $GLOBALS['FILEMOUNTS']
 * @param array $f_ext Allowed and denied file extensions, typically $TYPO3_CONF_VARS['BE']['fileExtensions']
 * @return void
 * @see typo3/init.php, t3lib_userAuthGroup::returnFilemounts()
 */
function init($mounts, $f_ext) {
	// Normalise webspace/allow, webspace/deny, ftpspace/allow, ftpspace/deny (in that order)
	foreach (array('webspace', 'ftpspace') as $space) {
		foreach (array('allow', 'deny') as $listName) {
			$this->f_ext[$space][$listName] = t3lib_div::uniqueList(strtolower($f_ext[$space][$listName]));
		}
	}

	$this->mounts = $mounts;
	$this->webPath = t3lib_div::getIndpEnv('TYPO3_DOCUMENT_ROOT');
	$this->isInit = 1;

	// A configured maximum filename length replaces the class default
	$configuredMaxLength = $GLOBALS['TYPO3_CONF_VARS']['SYS']['maxFileNameLength'];
	if ($configuredMaxLength) {
		$this->maxInputNameLen = $configuredMaxLength;
	}
}
144
/**
 * Returns an array with file information for $wholePath.
 *
 * The array starts out as the result of t3lib_div::split_fileref() (according to the original
 * documentation: path, file, filebody, fileext, realFileext) and is extended with:
 * - tstamp : timestamp of modification (filemtime)
 * - size : file size (filesize)
 * - type : file type as reported by filetype()
 * - owner : user ID of the owner of the file (fileowner)
 * - perms : numerical representation of the file permissions (fileperms)
 * - writable : NEGATED result of is_writable() (FALSE = writable, TRUE = not writable) *)
 * - readable : NEGATED result of is_readable() (FALSE = readable, TRUE = not readable) *)
 *
 * *) the original documentation states the logic is reversed because of handling in class.file_list.inc
 *
 * All filesystem calls are silenced with "@", so for a missing file the values are simply
 * whatever those functions return on failure.
 *
 * @param string $wholePath Filepath to an existing file. Should probably be absolute.
 * @return array Information about the file in the filepath
 */
function getTotalFileInfo($wholePath) {
	$info = t3lib_div::split_fileref($wholePath);
	$info['tstamp'] = @filemtime($wholePath);
	$info['size'] = @filesize($wholePath);
	$info['type'] = @filetype($wholePath);
	$info['owner'] = @fileowner($wholePath);
	$info['perms'] = @fileperms($wholePath);
	// Deliberately inverted, see the docblock
	$info['writable'] = !@is_writable($wholePath);
	$info['readable'] = !@is_readable($wholePath);
	return $info;
}
178
/**
 * Checks if a file extension is allowed according to $this->f_ext.
 *
 * The rules are evaluated in this order; the first one that applies decides:
 * 1. there are no rules for $type -> denied
 * 2. the deny list contains '*' -> denied
 * 3. the extension is empty and the allow list does not contain '*' -> denied
 * 4. the extension is on the deny list -> denied
 * 5. the allow list is not empty, does not contain '*' and does not contain the extension -> denied
 * 6. otherwise -> allowed
 *
 * @param string $fileExtension The extension to check, eg. "php" or "html" etc. It is lowercased before comparison.
 * @param string $type Either "webspace" or "ftpspace" - points to a key in $this->f_ext
 * @return boolean TRUE if file extension is allowed.
 */
function is_allowed($fileExtension, $type) {
	$fileExtension = strtolower($fileExtension);

	if (!isset($this->f_ext[$type])) {
		return FALSE;
	}

	$denyList = $this->f_ext[$type]['deny'];
	$allowList = $this->f_ext[$type]['allow'];

	// everything is denied
	if (t3lib_div::inList($denyList, '*')) {
		return FALSE;
	}

	$allowsEverything = t3lib_div::inList($allowList, '*');

	// File name without extension. Compared against '' explicitly, because a plain
	// truthiness test would also treat the valid extension "0" as "no extension".
	if ($fileExtension === '' && !$allowsEverything) {
		return FALSE;
	}

	// extension is found amongst the denied types
	if (t3lib_div::inList($denyList, $fileExtension)) {
		return FALSE;
	}

	// if allowed types are set, check against them
	if ($allowList !== '' && !$allowsEverything && !t3lib_div::inList($allowList, $fileExtension)) {
		return FALSE;
	}

	return TRUE;
}
215
/**
 * Tells whether ANY file may be operated on in the space $theDest belongs to ('webspace' / 'ftpspace').
 *
 * Full access is reported when the deny list of that space is empty or its allow list is exactly '*'.
 * In every other case the function ends without a return statement, so the result is NULL
 * (which evaluates to false).
 *
 * NOTE(review): this rule is looser than is_allowed(), which also honours a non-empty allow list
 * and checks the deny list before the allow list - confirm that this is intended.
 *
 * @param string $theDest Absolute path
 * @return boolean TRUE on full access, otherwise NULL
 */
function checkIfFullAccess($theDest) {
	$space = 'ftpspace';
	if ($this->is_webpath($theDest)) {
		$space = 'webspace';
	}

	if (!isset($this->f_ext[$space])) {
		return;
	}

	$rules = $this->f_ext[$space];
	if ((string)$rules['deny'] == '' || $rules['allow'] == '*') {
		return true;
	}
}
228
/**
 * Checks if $path starts with $this->webPath (set by init() from TYPO3_DOCUMENT_ROOT).
 * Both paths get a trailing slash via slashPath() before they are compared.
 *
 * Returns true as well when the object has not been initialised ($this->isInit not set) or when one
 * of the slashed paths is empty: the web path is the more restricted space, so it is the safer answer
 * if something went wrong.
 * NOTE(review): slashPath() appears to always return a string ending in '/', so the emptiness check
 * probably never triggers for string input - confirm.
 *
 * @param string $path Absolute path to check
 * @return boolean
 */
function is_webpath($path) {
	if (!$this->isInit) {
		return true;
	}

	$candidate = $this->slashPath($path);
	$documentRoot = $this->slashPath($this->webPath);
	if (!$documentRoot || !$candidate) {
		return true;
	}

	return t3lib_div::isFirstPartOfStr($candidate, $documentRoot);
}
246
/**
 * Combined check of a filename and its extension for the destination $theDest.
 *
 * First the filename is verified with t3lib_div::verifyFilenameAgainstDenyPattern()
 * (TYPO3_CONF_VARS[BE][fileDenyPattern] according to the original documentation). Only if that passes,
 * the extension $ext is checked with is_allowed() for the space $theDest is in
 * ('webspace' if is_webpath($theDest) is true, otherwise 'ftpspace').
 *
 * @param string $ext File extension, eg. "php" or "html"
 * @param string $theDest Absolute path for which to test
 * @param string $filename Filename to check against the deny pattern
 * @return boolean True if extension/filename is allowed
 */
function checkIfAllowed($ext, $theDest, $filename='') {
	if (!t3lib_div::verifyFilenameAgainstDenyPattern($filename)) {
		return false;
	}

	if ($this->is_webpath($theDest)) {
		$space = 'webspace';
	} else {
		$space = 'ftpspace';
	}

	return (bool)$this->is_allowed($ext, $space);
}
259
/**
 * Returns true if the input filename string is not longer than $this->maxInputNameLen.
 * The length is measured with strlen(); a name of exactly $this->maxInputNameLen passes.
 *
 * @param string $fileName Filename, eg "somefile.html"
 * @return boolean
 */
function checkFileNameLen($fileName) {
	$nameLength = strlen($fileName);
	return $nameLength <= $this->maxInputNameLen;
}
269
/**
 * Validates $theDir with isPathValid(), cleans it with cleanDirectoryName() and returns the cleaned
 * path if it is an existing directory on the server.
 *
 * @param string $theDir Directory path to check
 * @return string Returns the cleaned up directory name if OK, otherwise false.
 */
function is_directory($theDir) {
	if (!$this->isPathValid($theDir)) {
		return false;
	}

	$cleanedDir = $this->cleanDirectoryName($theDir);
	// "@" keeps is_dir() quiet
	return @is_dir($cleanedDir) ? $cleanedDir : false;
}
285
/**
 * Thin wrapper around t3lib_div::validPathStr(); the result of that call is returned unchanged.
 *
 * @param string $theFile Filepath to evaluate
 * @return boolean According to the original documentation: true, if no '//', '..' or '\' is in $theFile
 * @see t3lib_div::validPathStr()
 */
function isPathValid($theFile) {
	$isValid = t3lib_div::validPathStr($theFile);
	return $isValid;
}
296
/**
 * Returns the destination path/filename of a unique filename/foldername in the directory $theDest.
 *
 * If $theFile (with $this->getUniqueNamePrefix prepended, if set) does not exist in $theDest, that
 * path is returned directly. Otherwise a trailing "_NN" (two digits) is stripped from the file body and
 * the names body_01, body_02, ... up to $this->maxNumber are tried. After that a single attempt is made
 * with a string taken from an MD5 hash ($this->uniquePrecision characters) instead of the number.
 * Used by fx. TCEmain when files are attached to records and need to be uniquely named in the uploads/* folders.
 *
 * Nothing (NULL) is returned if $theDest is not accepted by is_directory() or if none of the tried
 * names was available.
 *
 * @param string $theFile The input filename to check
 * @param string $theDest The directory for which to return a unique filename for $theFile. $theDest MUST be a valid directory. Should be absolute.
 * @param boolean $dontCheckForUnique If set the filename is returned with the path prepended without checking whether it already existed!
 * @return string The destination absolute filepath (not just the name!) of a unique filename/foldername in that path.
 * @see t3lib_TCEmain::checkValue()
 */
function getUniqueName($theFile, $theDest, $dontCheckForUnique=0) {
	// The destination comes back cleaned up, or false if it is not usable
	$targetDir = $this->is_directory($theDest);
	// Split $theFile into its parts ('file', 'filebody' and 'realFileext' are used below)
	$nameParts = t3lib_div::split_fileref($theFile);

	if (!$targetDir) {
		return;
	}

	// Adds prefix
	$prefix = $this->getUniqueNamePrefix;
	if ($prefix) {
		$nameParts['file'] = $prefix . $nameParts['file'];
		$nameParts['filebody'] = $prefix . $nameParts['filebody'];
	}

	// The plain name is returned if it is free, or if the caller does not want the check
	$candidate = $targetDir . '/' . $nameParts['file'];
	if (!file_exists($candidate) || $dontCheckForUnique) {
		return $candidate;
	}

	// The plain name is taken: try numbered names, then one unique string
	$baseBody = preg_replace('/_[0-9][0-9]$/', '', $nameParts['filebody']);
	$extension = '';
	if ($nameParts['realFileext']) {
		$extension = '.' . $nameParts['realFileext'];
	}

	$attempt = 1;
	while ($attempt <= ($this->maxNumber + 1)) {
		if ($attempt <= $this->maxNumber) {
			$suffix = '_' . sprintf('%02d', $attempt);
		} else {
			// last attempt: unique string instead of a number
			$suffix = '_' . substr(md5(uniqid('')), 0, $this->uniquePrecision);
		}

		$candidate = $targetDir . '/' . $baseBody . $suffix . $extension;
		if (!file_exists($candidate)) {
			return $candidate;
		}
		$attempt++;
	}
}
342
/**
 * Checks if $thePath lies under one of the paths in $this->mounts.
 * $thePath must be non-empty and accepted by isPathValid(); the mounts are then tested in array order
 * with t3lib_div::isFirstPartOfStr() against each mount's 'path'.
 *
 * @param string $thePath MUST HAVE a trailing '/' in order to match correctly with the mounts
 * @return string The key to the first mount found, otherwise nothing is returned.
 * @see init()
 */
function checkPathAgainstMounts($thePath) {
	if (!$thePath || !$this->isPathValid($thePath) || !is_array($this->mounts)) {
		return;
	}

	foreach ($this->mounts as $mountKey => $mount) {
		if (t3lib_div::isFirstPartOfStr($thePath, $mount['path'])) {
			return $mountKey;
		}
	}
}
360
/**
 * Finds the first file mount whose path starts with PATH_site . $TYPO3_CONF_VARS['BE']['fileadminDir'].
 *
 * @return string The key of the first such mount in $this->mounts, otherwise nothing is returned.
 */
function findFirstWebFolder() {
	global $TYPO3_CONF_VARS;

	if (!is_array($this->mounts)) {
		return;
	}

	foreach ($this->mounts as $mountKey => $mount) {
		$isBelowFileadmin = t3lib_div::isFirstPartOfStr($mount['path'], PATH_site.$TYPO3_CONF_VARS['BE']['fileadminDir']);
		if ($isBelowFileadmin) {
			return $mountKey;
		}
	}
}
377
/**
 * Removes the filemount part of a path, thus blinding the position.
 * The leading part of $thePath which equals the path of the matching filemount is replaced by the
 * name of that mount in the form "[name]: ".
 *
 * @param string $thePath is a path which MUST be found within one of the internally set filemounts, $this->mounts
 * @return string The processed input path. Nothing is returned if $thePath is not within any filemount.
 */
function blindPath($thePath) {
	$k = $this->checkPathAgainstMounts($thePath);

	// "Not found" is any empty value except 0 / '0': those are legitimate array keys
	// (mount keys may be numerical from zero) and must not be mistaken for a miss.
	if (!$k && $k !== 0 && $k !== '0') {
		return;
	}

	$name = '[' . $this->mounts[$k]['name'] . ']: ';
	$name .= substr($thePath, strlen($this->mounts[$k]['path']));
	return $name;
}
394
/**
 * Find temporary folder
 * Goes through the filemounts in $this->mounts and returns the first existing directory named
 * $this->tempFN ('_temp_' by default) directly below a mount path.
 *
 * @return string Returns the path if found, otherwise nothing.
 */
function findTempFolder() {
	if (!$this->tempFN || !is_array($this->mounts)) {
		return;
	}

	foreach ($this->mounts as $mount) {
		$tempDir = $mount['path'] . $this->tempFN;
		if (@is_dir($tempDir)) {
			return $tempDir;
		}
	}
}
411
412
413
414
415
416
417
418
419
420
421
422 /*********************
423 *
424 * Cleaning functions
425 *
426 *********************/
427
/**
 * Passes $theDir through rmDoubleSlash() and then removes all dots, slashes and spaces
 * from the end of the result.
 *
 * @param string $theDir Input string
 * @return string Output string
 */
function cleanDirectoryName($theDir) {
	$withoutDoubleSlashes = $this->rmDoubleSlash($theDir);
	return preg_replace('/[\/\. ]*$/', '', $withoutDoubleSlashes);
}
437
/**
 * Converts any double slashes (//) to a single slash (/).
 * This is a single str_replace() pass, so three slashes in a row end up as two.
 *
 * @param string $string Input value
 * @return string Returns the converted string
 */
function rmDoubleSlash($string) {
	$search = '//';
	$replacement = '/';
	return str_replace($search, $replacement, $string);
}
447
/**
 * Makes sure a path ends with a slash: '/' is appended unless the last character already is '/'.
 *
 * @param string $path Input string
 * @return string Output string with a slash in the end (if not already there)
 */
function slashPath($path) {
	$endsWithSlash = (substr($path, -1) == '/');
	return $endsWithSlash ? $path : $path.'/';
}
460
/**
 * Returns a cleaned filename in which unwanted characters are substituted by '_' and trailing dots are removed.
 *
 * Two modes exist:
 * - If $TYPO3_CONF_VARS['BE']['forceCharset'] is 'utf-8' and $TYPO3_CONF_VARS['SYS']['UTF8filesystem'] is set,
 *   ".", "-", 0-9, a-z, A-Z and everything from U+C0 upwards is kept; other characters become '_'.
 * - Otherwise the name is first converted with specCharsToASCII() of a charset conversion object
 *   (if a charset is known) and then every character not matching [.[:alnum:]_-] becomes '_'.
 * In both modes the name is trim()'ed before the replacement.
 *
 * @param string $fileName Input string, typically the body of a filename
 * @param string $charset Charset of the filename (defaults to the current charset; depending on context)
 * @return string Output string with unwanted characters substituted by '_' and trailing dots removed
 */
function cleanFileName($fileName, $charset = '') {
	$keepUtf8Characters = ($GLOBALS['TYPO3_CONF_VARS']['BE']['forceCharset'] == 'utf-8' && $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem']);

	// Handle UTF-8 characters
	if ($keepUtf8Characters) {
		// allow ".", "-", 0-9, a-z, A-Z and everything beyond U+C0 (latin capital letter a with grave)
		$sanitized = preg_replace('/[\x00-\x2C\/\x3A-\x3F\x5B-\x60\x7B-\xBF]/u', '_', trim($fileName));
		// Strip trailing dots and return
		return preg_replace('/\.*$/', '', $sanitized);
	}

	// Handle other character sets
	// Get conversion object or initialize if needed
	if (!is_object($this->csConvObj)) {
		if (TYPO3_MODE == 'FE') {
			$converter = $GLOBALS['TSFE']->csConvObj;
		} elseif (is_object($GLOBALS['LANG'])) {
			// BE assumed
			$converter = $GLOBALS['LANG']->csConvObj;
		} else {
			// The object may not exist yet, so we need to create it now. Happens in the Install Tool for example.
			$converter = t3lib_div::makeInstance('t3lib_cs');
		}
		$this->csConvObj = $converter;
	}

	// Define character set
	if (!$charset) {
		if (TYPO3_MODE == 'FE') {
			$charset = $GLOBALS['TSFE']->renderCharset;
		} elseif (is_object($GLOBALS['LANG'])) {
			// BE assumed
			$charset = $GLOBALS['LANG']->charSet;
		} else {
			// best guess
			$charset = $GLOBALS['TYPO3_CONF_VARS']['BE']['forceCharset'];
		}
	}

	// If a charset was found, convert filename
	if ($charset) {
		$fileName = $this->csConvObj->specCharsToASCII($charset, $fileName);
	}

	// Replace unwanted characters by underscores
	$sanitized = preg_replace('/[^.[:alnum:]_-]/', '_', trim($fileName));

	// Strip trailing dots and return
	return preg_replace('/\.*$/', '', $sanitized);
}
510
/**
 * Formats a number of bytes, $sizeInBytes, as megabytes, kilobytes or plain bytes.
 *
 * - up to and including 900: the value itself followed by '&nbsp;&nbsp;'
 * - above 900 up to and including 900000: the value divided by 1024, followed by ' K'
 * - above 900000: the value divided by 1024*1024, followed by ' M'
 * K and M values are printed with one decimal if they are below 20, otherwise without decimals.
 * Every call is logged through t3lib_div::logDeprecatedFunction().
 *
 * @param integer $sizeInBytes Bytes to be formatted
 * @return string Formatted with M, K or &nbsp;&nbsp; appended.
 * @deprecated since at least TYPO3 4.2, will be removed in TYPO3 4.6 - Use t3lib_div::formatSize() instead
 */
function formatSize($sizeInBytes) {
	t3lib_div::logDeprecatedFunction();

	// Bytes
	if (!($sizeInBytes > 900)) {
		return $sizeInBytes.'&nbsp;&nbsp;';
	}

	if ($sizeInBytes > 900000) {
		// MB
		$divisor = 1024*1024;
		$unit = ' M';
	} else {
		// KB
		$divisor = 1024;
		$unit = ' K';
	}

	$val = $sizeInBytes/$divisor;
	$decimals = ($val < 20) ? 1 : 0;
	return number_format($val, $decimals, '.', '').$unit;
}
533 }
534
535
536
// XCLASS hook: if an extending class file is registered for this script under the current TYPO3_MODE, include it once.
if (defined('TYPO3_MODE')) {
	if ($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_basicfilefunc.php']) {
		include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_basicfilefunc.php']);
	}
}
540
541 ?>