Remove file path in error images to avoid path disclosure [security].
[Packages/TYPO3.CMS.git] / t3lib / thumbs.php
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 1999-2004 Kasper Skaarhoj (kasperYYYY@typo3.com)
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the textfile GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
18 *
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
27 /**
28 * Generates a thumbnail and returns an image stream, either GIF/PNG or JPG
29 *
30 * $Id$
31 * Revised for TYPO3 3.6 July/2003 by Kasper Skaarhoj
32 *
33 * @author Kasper Skaarhoj <kasperYYYY@typo3.com>
34 */
35 /**
36 * [CLASS/FUNCTION INDEX of SCRIPT]
37 *
38 *
39 *
40 * 114: class SC_t3lib_thumbs
41 * 135: function init()
42 * 165: function main()
43 *
44 * SECTION: OTHER FUNCTIONS:
45 * 268: function errorGif($l1,$l2,$l3)
46 * 320: function fontGif($font)
47 * 367: function wrapFileName($inputName)
48 *
49 * TOTAL FUNCTIONS: 5
50 * (This index is automatically created/updated by the extension "extdeveval")
51 *
52 */
53
54
55 // *******************************
56 // Set error reporting
57 // *******************************
58 error_reporting (E_ALL ^ E_NOTICE);
59
60
61
62 // ******************
63 // Constants defined
64 // ******************
65 define('TYPO3_OS', stristr(PHP_OS,'win')&&!stristr(PHP_OS,'darwin')?'WIN':'');
66 define('TYPO3_MODE','BE');
67 define('PATH_thisScript',str_replace('//','/', str_replace('\\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME']))));
68
69 define('PATH_site', ereg_replace('[^/]*.[^/]*$','',PATH_thisScript)); // the path to the website folder (see init.php)
70 define('PATH_typo3conf', PATH_site.'typo3conf/');
71 define('PATH_t3lib', PATH_site.'t3lib/');
72 define('TYPO3_mainDir', 'typo3/'); // This is the directory of the backend administration for the sites of this TYPO3 installation.
73
74 // ******************
75 // Including config
76 // ******************
77 require(PATH_t3lib.'class.t3lib_div.php');
78 require(PATH_t3lib.'class.t3lib_extmgm.php');
79
80 require(PATH_t3lib.'config_default.php');
81 if (!defined ('TYPO3_db')) die ('The configuration file was not included.');
82 if (!$TYPO3_CONF_VARS['GFX']['image_processing']) die ('ImageProcessing was disabled!');
83
84 require(PATH_t3lib.'class.t3lib_db.php'); // The database library
85 $TYPO3_DB = t3lib_div::makeInstance('t3lib_DB');
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102 /**
103 * Class for generating a thumbnail from the input parameters given to the script
104 *
105 * Input GET var, &file: relative or absolute reference to an imagefile. WILL be validated against PATH_site / lockRootPath
106 * Input GET var, &size: integer-values defining size of thumbnail, format '[int]' or '[int]x[int]'
107 *
108 * Relative paths MUST BE the first two characters ONLY: eg: '../dir/file.gif', otherwise it is expect to be absolute
109 *
110 * @author Kasper Skaarhoj <kasperYYYY@typo3.com>
111 * @package TYPO3
112 * @subpackage t3lib
113 */
114 class SC_t3lib_thumbs {
115 var $include_once=array();
116
117 var $outdir = 'typo3temp/'; // The output directory of temporary files in PATH_site
118 var $output = '';
119 var $sizeDefault='56x56';
120
121 var $imageList; // Coming from $TYPO3_CONF_VARS['GFX']['imagefile_ext']
122 var $input; // Contains the absolute path to the file for which to make a thumbnail (after init())
123
124 // Internal, static: GPvar:
125 var $file; // Holds the input filename (GET: file)
126 var $size; // Holds the input size (GET: size)
127
128
129 /**
130 * Initialize; reading parameters with GPvar and checking file path
131 * Results in internal var, $this->input, being set to the absolute path of the file for which to make the thumbnail.
132 *
133 * @return void
134 */
135 function init() {
136 global $TYPO3_CONF_VARS;
137
138 // Setting GPvars:
139 $this->file = t3lib_div::_GP('file');
140 $this->size = t3lib_div::_GP('size');
141
142 // Image extension list is set:
143 $this->imageList = $TYPO3_CONF_VARS['GFX']['imagefile_ext']; // valid extensions. OBS: No spaces in the list, all lowercase...
144
145 // if the filereference $this->file is relative, we correct the path
146 if (substr($this->file,0,3)=='../') {
147 $this->input = PATH_site.substr($this->file,3);
148 } else {
149 $this->input = $this->file;
150 }
151
152 // Now the path is absolute.
153 // Checking for backpath and double slashes + the thumbnail can be made from files which are in the PATH_site OR the lockRootPath only!
154 if (!t3lib_div::isAllowedAbsPath($this->input)) {
155 $this->input='';
156 }
157 }
158
159 /**
160 * Create the thumbnail
161 * Will exit before return if all is well.
162 *
163 * @return void
164 */
165 function main() {
166 global $TYPO3_CONF_VARS;
167
168 // If file exists, we make a thumbsnail of the file.
169 if ($this->input && @file_exists($this->input)) {
170
171 // Check file extension:
172 if (ereg('(.*)\.([^\.]*$)',$this->input,$reg)) {
173 $ext=strtolower($reg[2]);
174 $ext=($ext=='jpeg')?'jpg':$ext;
175 if ($ext=='ttf') {
176 $this->fontGif($this->input); // Make font preview... (will not return)
177 } elseif (!t3lib_div::inList($this->imageList, $ext)) {
178 $this->errorGif('Not imagefile!',$ext,basename($this->input));
179 }
180 } else {
181 $this->errorGif('Not imagefile!','No ext!',basename($this->input));
182 }
183
184 // ... so we passed the extension test meaning that we are going to make a thumbnail here:
185 $this->size = $this->size ? $this->size : $this->sizeDefault; // default
186
187 //I added extra check, so that the size input option could not be fooled to pass other values. That means the value is exploded, evaluated to an integer and the imploded to [value]x[value]. Furthermore you can specify: size=340 and it'll be translated to 340x340.
188 $sizeParts = explode('x', $this->size.'x'.$this->size); // explodes the input size (and if no "x" is found this will add size again so it is the same for both dimensions)
189 $sizeParts = array(t3lib_div::intInRange($sizeParts[0],1,1000),t3lib_div::intInRange($sizeParts[1],1,1000)); // Cleaning it up, only two parameters now.
190 $this->size = implode('x',$sizeParts); // Imploding the cleaned size-value back to the internal variable
191 $sizeMax = max($sizeParts); // Getting max value
192
193 // Init
194 $mtime = filemtime($this->input);
195 $outpath = PATH_site.$this->outdir;
196
197 // Should be - ? 'png' : 'gif' - , but doesn't work (ImageMagick prob.?)
198 // René: png work for me
199 $thmMode = t3lib_div::intInRange($TYPO3_CONF_VARS['GFX']['thumbnails_png'],0);
200 $outext = ($ext!='jpg' || ($thmMode & 2)) ? ($thmMode & 1 ? 'png' : 'gif') : 'jpg';
201
202 $outfile = 'tmb_'.substr(md5($this->input.$mtime.$this->size),0,10).'.'.$outext;
203 $this->output = $outpath.$outfile;
204
205 if ($TYPO3_CONF_VARS['GFX']['im']) {
206 // If thumbnail does not exist, we generate it
207 if (!@file_exists($this->output)) {
208 /* if (strstr($this->input,' ') || strstr($this->output,' ')) {
209 $this->errorGif('Spaces in','filepath',basename($this->input));
210 }
211 */ // 16 colors for small (56) thumbs, 64 for bigger and all for jpegs
212 if ($outext=='jpg') {
213 $colors = '';
214 } else {
215 $colors = ($sizeMax>56)?'-colors 64':'-colors 16';
216 }
217 $cmd = ($TYPO3_CONF_VARS['GFX']['im_path_lzw'] ? $TYPO3_CONF_VARS['GFX']['im_path_lzw'] : $TYPO3_CONF_VARS['GFX']['im_path']).
218 'convert -sample '.$this->size.' '.$colors.' '.$this->wrapFileName($this->input.'[0]').' '.$this->wrapFileName($this->output);
219
220 // echo $cmd;
221 exec($cmd);
222 if (!@file_exists($this->output)) {
223 $this->errorGif('No thumb','generated!',basename($this->input));
224 }
225 }
226 // The thumbnail is read and output to the browser
227 if($fd = @fopen($this->output,'rb')) {
228 Header('Content-type: image/'.$outext);
229 while (!feof($fd)) {
230 echo fread( $fd, 10000 );
231 }
232 fclose( $fd );
233 } else {
234 $this->errorGif('Read problem!','',$this->output);
235 }
236 } else exit;
237 } else {
238 $this->errorGif('No valid','inputfile!',basename($this->input));
239 }
240 }
241
242
243
244
245
246
247
248
249
250
251
252 /***************************
253 *
254 * OTHER FUNCTIONS:
255 *
256 ***************************/
257
258 /**
259 * Creates error image based on gfx/notfound_thumb.png
260 * Requires GD lib enabled, otherwise it will exit with the three textstrings outputted as text.
261 * Outputs the image stream to browser and exits!
262 *
263 * @param string Text line 1
264 * @param string Text line 2
265 * @param string Text line 3
266 * @return void
267 */
268 function errorGif($l1,$l2,$l3) {
269 global $TYPO3_CONF_VARS;
270
271 if (!$TYPO3_CONF_VARS['GFX']['gdlib']) die($l1.' '.$l2.' '.$l3);
272
273 // Creates the basis for the error image
274 if ($TYPO3_CONF_VARS['GFX']['gdlib_png']) {
275 Header('Content-type: image/png');
276 $im = imagecreatefrompng(PATH_t3lib.'gfx/notfound_thumb.png');
277 } else {
278 Header('Content-type: image/gif');
279 $im = imagecreatefromgif(PATH_t3lib.'gfx/notfound_thumb.gif');
280 }
281 // Sets background color and print color.
282 $white = ImageColorAllocate($im, 0,0,0);
283 $black = ImageColorAllocate($im, 255,255,0);
284
285 // Prints the text strings with the build-in font functions of GD
286 $x=0;
287 $font=0;
288 if ($l1) {
289 imagefilledrectangle($im, $x, 9, 56, 16, $black);
290 ImageString($im,$font,$x,9,$l1,$white);
291 }
292 if ($l2) {
293 imagefilledrectangle($im, $x, 19, 56, 26, $black);
294 ImageString($im,$font,$x,19,$l2,$white);
295 }
296 if ($l3) {
297 imagefilledrectangle($im, $x, 29, 56, 36, $black);
298 ImageString($im,$font,$x,29,substr($l3,-14),$white);
299 }
300
301 // Outputting the image stream and exit
302 if ($TYPO3_CONF_VARS['GFX']['gdlib_png']) {
303 imagePng($im);
304 } else {
305 imageGif($im);
306 }
307 imagedestroy($im);
308 exit;
309 }
310
311 /**
312 * Creates a font-preview thumbnail.
313 * This means a PNG/GIF file with the text "AaBbCc...." set with the font-file given as input and in various sizes to show how the font looks
314 * Requires GD lib enabled.
315 * Outputs the image stream to browser and exits!
316 *
317 * @param string The filepath to the font file (absolute, probably)
318 * @return void
319 */
320 function fontGif($font) {
321 global $TYPO3_CONF_VARS;
322
323 if (!$TYPO3_CONF_VARS['GFX']['gdlib']) die('');
324
325 // Create image and set background color to white.
326 $im = ImageCreate(250,76);
327 $white = ImageColorAllocate($im, 255,255,255);
328 $col = ImageColorAllocate($im, 0,0,0);
329
330 // The test string and offset in x-axis.
331 $string = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZzÆæØøÅåÄäÖöÜüß';
332 $x=13;
333
334 // Print (with non-ttf font) the size displayed
335 imagestring ($im, 1, 0, 2, '10', $col);
336 imagestring ($im, 1, 0, 15, '12', $col);
337 imagestring ($im, 1, 0, 30, '14', $col);
338 imagestring ($im, 1, 0, 47, '18', $col);
339 imagestring ($im, 1, 0, 68, '24', $col);
340
341 // Print with ttf-font the test string
342 imagettftext ($im, t3lib_div::freetypeDpiComp(10), 0, $x, 8, $col, $font, $string);
343 imagettftext ($im, t3lib_div::freetypeDpiComp(12), 0, $x, 21, $col, $font, $string);
344 imagettftext ($im, t3lib_div::freetypeDpiComp(14), 0, $x, 36, $col, $font, $string);
345 imagettftext ($im, t3lib_div::freetypeDpiComp(18), 0, $x, 53, $col, $font, $string);
346 imagettftext ($im, t3lib_div::freetypeDpiComp(24), 0, $x, 74, $col, $font, $string);
347
348 // Output PNG or GIF based on $TYPO3_CONF_VARS['GFX']['gdlib_png']
349 if ($TYPO3_CONF_VARS['GFX']['gdlib_png']) {
350 Header('Content-type: image/png');
351 imagePng($im);
352 } else {
353 Header('Content-type: image/gif');
354 imageGif($im);
355 }
356 imagedestroy($im);
357 exit;
358 }
359
360 /**
361 * Wrapping the input filename in double-quotes
362 *
363 * @param string Input filename
364 * @return string The output wrapped in "" (if there are spaces in the filepath)
365 * @access private
366 */
367 function wrapFileName($inputName) {
368 if (strstr($inputName,' ')) {
369 $inputName='"'.$inputName.'"';
370 }
371 return $inputName;
372 }
373 }
374
375 // Include extension class?
376 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/thumbs.php']) {
377 include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/thumbs.php']);
378 }
379
380
381
382
383 // Make instance:
384 $SOBE = t3lib_div::makeInstance('SC_t3lib_thumbs');
385 $SOBE->init();
386 $SOBE->main();
387 ?>