Fixed lots of issues related to safe_mode and open_basedir. Should all work now!
authorKasper Skårhøj <kasper@typo3.org>
Wed, 28 Jan 2004 23:06:02 +0000 (23:06 +0000)
committerKasper Skårhøj <kasper@typo3.org>
Wed, 28 Jan 2004 23:06:02 +0000 (23:06 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@120 709f56b5-9817-0410-a4d7-c38de5d9e867

t3lib/class.t3lib_diff.php
t3lib/class.t3lib_div.php
t3lib/class.t3lib_extfilefunc.php
t3lib/class.t3lib_install.php
t3lib/class.t3lib_svbase.php
t3lib/class.t3lib_tcemain.php
t3lib/config_default.php
typo3/mod/tools/em/index.php
typo3/sysext/cms/tslib/class.tslib_fe.php

index 6b76b07..dd4d980 100755 (executable)
@@ -159,15 +159,15 @@ class t3lib_diff {
        function getDiff($str1,$str2)   {
                if (TYPO3_OS!='WIN')    {
                                // Create file 1 and write string
-                       $file1 = tempnam('','');
+                       $file1 = t3lib_div::tempnam('diff1_');
                        t3lib_div::writeFile($file1,$str1);
                                // Create file 2 and write string
-                       $file2 = tempnam('','');
+                       $file2 = t3lib_div::tempnam('diff2_');
                        t3lib_div::writeFile($file2,$str2);
                                // Perform diff.
                        $cmd = $GLOBALS['TYPO3_CONF_VARS']['BE']['diff_path'].' '.$file1.' '.$file2;
                        exec($cmd,$res);
-       
+
                        unlink($file1);
                        unlink($file2);
                        
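Review bot: `$file1` and `$file2` are appended to `$cmd` unquoted before `exec()`, and they now live under PATH_site.'typo3temp/', so a site path containing a space or a shell metacharacter would break or change the command. Quote both arguments: `$cmd = $GLOBALS['TYPO3_CONF_VARS']['BE']['diff_path'].' '.escapeshellarg($file1).' '.escapeshellarg($file2);`. The result of t3lib_div::tempnam() is also used without a check, so a failed call passes FALSE on to writeFile() and unlink(). getDiff() continues past the end of this hunk.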
index e619e1d..d2194bf 100755 (executable)
  * 2551:     function isAbsPath($path) 
  * 2563:     function isAllowedAbsPath($path)  
  * 2581:     function verifyFilenameAgainstDenyPattern($filename)      
  * 2598:     function stdAuthCode($uid_or_record,$fields='')   
  * 2632:     function loadTCA($table)  
  * 2651:     function resolveSheetDefInDS($dataStructArray,$sheet='sDEF')      
@@ -2051,15 +2052,21 @@ class t3lib_div {
         */
        function upload_copy_move($source,$destination) {
                if (is_uploaded_file($source))  {
+                       $uploaded = TRUE;
                        // Return the value of move_uploaded_file, and if false the temporary $source is still around so the user can use unlink to delete it:
-                       return move_uploaded_file($source, $destination);
-               } else @copy($source,$destination);
+                       $uploadedResult = move_uploaded_file($source, $destination);
+               } else {
+                       $uploaded = FALSE;
+                       @copy($source,$destination);
+               }
                
                        // Setting file system mode of file:
-               if (@is_file($destination) && TYPO3_OS!='WIN')  { @chmod ($destination, octdec($GLOBALS['TYPO3_CONF_VARS']['BE']['fileCreateMask'])); }
+               if (@is_file($destination) && TYPO3_OS!='WIN')  { 
+                       @chmod ($destination, octdec($GLOBALS['TYPO3_CONF_VARS']['BE']['fileCreateMask'])); 
+               }
 
                        // If here the file is copied and the temporary $source is still around, so when returning false the user can try unlink to delete the $source
-               return false;
+               return $uploaded ? $uploadedResult : FALSE;
        }
        
        /**
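Review bot: The return value of upload_copy_move() is ambiguous in the copy branch: the result of `@copy()` is discarded and the function returns FALSE whether the copy worked or not. Callers can only detect a failed copy by testing the destination themselves, which the docblock (it starts outside this hunk) should say, for example `@return boolean TRUE only when an uploaded file was moved; FALSE after a plain copy, successful or not - check the destination with is_file()`. The two flags could also collapse into one variable initialised with `$uploadedResult = FALSE;` before the `if`.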
@@ -2666,6 +2673,17 @@ class t3lib_div {
                $authCode = substr(md5($authCode),0,8);
                return $authCode;
        }       
+       
+       /**
+        * Create temporary filename (Create file with unique file name)
+        * This function should be used for getting temporary filenames - will make your applications safe for open_basedir = on
+        *
+        * @param       string  Prefix to temp file (which will have no extension btw)
+        * @return      string  result from PHP function tempnam() with PATH_site.'typo3temp/' set for temp path.
+        */
+       function tempnam($filePrefix)   {
+               return tempnam(PATH_site.'typo3temp/',$filePrefix);     
+       }
 
        /**
         * Loads the $TCA (Table Configuration Array) for the $table
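Review bot: The wrapper never checks that PATH_site.'typo3temp/' exists and is writable, and PHP's tempnam() silently falls back to the system temporary directory when it is not, which brings back the open_basedir failure this helper is meant to remove. A guard such as `if (!@is_dir(PATH_site.'typo3temp/') || !@is_writable(PATH_site.'typo3temp/')) return FALSE;` before the call would make that failure visible to callers. The docblock should also state that FALSE can be returned and that the files are created inside the site root, so callers must delete them promptly and should not leave sensitive content there.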
index ef170bc..8eadb04 100755 (executable)
@@ -356,10 +356,11 @@ top.goToModule("file_list");
                $id = $cmds['data'];
                if ($GLOBALS['HTTP_POST_FILES']['upload_'.$id]['name']) {
                        $theFile = $GLOBALS['HTTP_POST_FILES']['upload_'.$id]['tmp_name'];                              // filename of the uploaded file
+                       $theFileSize = $GLOBALS['HTTP_POST_FILES']['upload_'.$id]['size'];                              // filesize of the uploaded file
                        $theName = $this->cleanFileName(stripslashes($GLOBALS['HTTP_POST_FILES']['upload_'.$id]['name']));      // The original filename
-                       if (@is_file($theFile) && $theName)     {       // Check the file
+                       if (is_uploaded_file($theFile) && $theName)     {       // Check the file
                                if ($this->actionPerms['uploadFile'])   {
-                                       if (filesize($theFile)<($this->maxUploadFileSize*1024)) {
+                                       if ($theFileSize<($this->maxUploadFileSize*1024))       {
                                                $fI = t3lib_div::split_fileref($theName);
                                                $theTarget = $this->is_directory($cmds['target']);      // Check the target dir
                                                if ($theTarget && $this->checkPathAgainstMounts($theTarget.'/'))        {
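Review bot: The size limit in this hunk is exclusive (`$theFileSize<(...)`) while the matching check in t3lib_TCEmain (hunk at -1503) is inclusive (`$fileSize<=($maxSize*1024)`), so a file of exactly the limit is refused here and accepted there. Pick one, for example `if ($theFileSize<=($this->maxUploadFileSize*1024)) {`. The trailing comment `// Check the file` could also record why is_uploaded_file() replaced is_file(): `// Accept only genuine HTTP uploads; is_file()/filesize() on the upload tmp dir fail under safe_mode/open_basedir`. The enclosing function starts and ends outside this hunk.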
index bda8040..9848176 100755 (executable)
@@ -1650,7 +1650,8 @@ Number of files at a time:
                while(list($k,$v)=each($paths)) {
                        reset($programs);
                        while(list(,$filename)=each($programs)) {
-                               if (@file_exists($v) && @is_file($v.$filename.$isExt))    {       // file_exists was necessary on windows, because is_file issued a warning if the path was not correct.
+#                              if (@file_exists($v) && @is_file($v.$filename.$isExt))    {       // file_exists was necessary on windows, because is_file issued a warning if the path was not correct.
+                               if($this->_checkImageMagick_getVersion($v.$filename.$isExt) > 0 ) {
                                        $index[$v][$filename]=$this->_checkImageMagick_getVersion($v.$filename.$isExt);
                                }
                        }
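Review bot: `_checkImageMagick_getVersion()` is now called twice for every candidate path, once in the condition and once in the assignment, and the superseded test is left behind as a `#` comment. Storing the result avoids the second call: `$ver = $this->_checkImageMagick_getVersion($v.$filename.$isExt);` followed by `if ($ver > 0) { $index[$v][$filename] = $ver; }`. If that method runs the binary (its body is not in this hunk), dropping the file_exists() test also means a command is attempted for every configured path, so the commented-out line is better replaced by a short comment explaining why the filesystem check was removed.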
index e4bfec4..4cb7e41 100755 (executable)
@@ -427,7 +427,7 @@ function available()        {
                $ret = TRUE;
 
                if (!$absFile) {
-                       $absFile = tempnam ('', $this->prefixId);
+                       $absFile = t3lib_div::tempnam($this->prefixId);
                        if(!$absFile) {
                                $this->errorPush(T3_ERR_SV_FILE_WRITE, 'Can not create temp file.');
                                $ret = FALSE;
index accb653..12ebaa0 100755 (executable)
@@ -1503,8 +1503,16 @@ class t3lib_TCEmain      {
                                        $theDestFile='';                // Must be cleared. Else a faulty fileref may be inserted if the below code returns an error!! (Change: 22/12/2000)
 
                                                // Check various things before copying file:
-                                       if (@is_dir($dest) && @is_file($theFile))       {               // File and destination must exist
-                                               if (!$maxSize || filesize($theFile)<=($maxSize*1024))   {       // Check file size:
+                                       if (@is_dir($dest) && (@is_file($theFile) || @is_uploaded_file($theFile)))      {               // File and destination must exist
+                                       
+                                                       // Finding size. For safe_mode we have to rely on the size in the upload array if the file is uploaded.
+                                               if (is_uploaded_file($theFile) && $theFile==$uploadedFileArray['tmp_name'])     {
+                                                       $fileSize = $uploadedFileArray['size'];
+                                               } else {
+                                                       $fileSize = filesize($theFile);
+                                               }
+                                               
+                                               if (!$maxSize || $fileSize<=($maxSize*1024))    {       // Check file size:
                                                                // Prepare filename:
                                                        $theEndFileName = isset($this->alternativeFileName[$theFile]) ? $this->alternativeFileName[$theFile] : $theFile;
                                                        $fI = t3lib_div::split_fileref($theEndFileName);
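Review bot: `filesize($theFile)` in the else branch returns FALSE when it cannot stat the file, and `FALSE<=($maxSize*1024)` is true, so the size limit is not enforced in that case. That branch is reached for an uploaded file whose path does not equal `$uploadedFileArray['tmp_name']` (set outside this hunk), which is exactly where safe_mode makes filesize() fail. Treat a failed lookup as a rejection, for example `if ($fileSize!==FALSE && (!$maxSize || $fileSize<=($maxSize*1024))) {`, and call `@filesize()` so the warning text does not expose the path.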
@@ -1521,7 +1529,7 @@ class t3lib_TCEmain       {
                                                                        if (!@is_file($theDestFile))    $this->log($table,$id,5,0,1,"Copying file '%s' failed!: The destination path (%s) may be write protected. Please make it write enabled!. (%s)",16,array($theFile, dirname($theDestFile), $recFID),$propArr['event_pid']);
                                                                } else $this->log($table,$id,5,0,1,"Copying file '%s' failed!: No destination file (%s) possible!. (%s)",11,array($theFile, $theDestFile, $recFID),$propArr['event_pid']);
                                                        } else $this->log($table,$id,5,0,1,"Fileextension '%s' not allowed. (%s)",12,array($fI['fileext'], $recFID),$propArr['event_pid']);
-                                               } else $this->log($table,$id,5,0,1,"Filesize (%s) of file '%s' exceeds limit (%s). (%s)",13,array(t3lib_div::formatSize(@filesize($theFile)),$theFile,t3lib_div::formatSize($maxSize*1024),$recFID),$propArr['event_pid']);
+                                               } else $this->log($table,$id,5,0,1,"Filesize (%s) of file '%s' exceeds limit (%s). (%s)",13,array(t3lib_div::formatSize($fileSize),$theFile,t3lib_div::formatSize($maxSize*1024),$recFID),$propArr['event_pid']);
                                        } else $this->log($table,$id,5,0,1,"The destination (%s) or the source file (%s) does not exist. (%s)",14,array($dest, $theFile, $recFID),$propArr['event_pid']);
 
                                                // If the destination file was created, we will set the new filename in the value array, otherwise unset the entry in the value array!
index d5641e2..a159c62 100755 (executable)
@@ -147,6 +147,7 @@ $TYPO3_CONF_VARS = Array(
                'tidy_option' => 'cached',                              // options [all, cached, output]. 'all' = the content is always passed through 'tidy' before it may be stored in cache. 'cached' = only if the page is put into the cache, 'output' = only the output code just before it's echoed out.
                'tidy_path' => 'tidy -i --quiet true --tidy-mark true -wrap 0',         // Path with options for tidy. For XHTML output, add " --output-xhtml true"
                'logfile_dir' => '',                                    // Path where TYPO3 should write webserver-style logfiles to. This path must be write-enabled for the webserver. Doesn't work for Windows! Remember slash AFTER! Eg: 'fileadmin/' or '/var/typo3logs/'. Please see the TypoScript reference!
+               'logfile_write' => '',                                  // Keywords for write-mode of logfiles. Default is unix "echo". Keyword "fputs" will make PHP use "fputs" instead (compliant with safe_mode)
                'publish_dir' => '',                                    // Path where TYPO3 should write staticly published documents. This path must be write-enabled for the webserver. Remember slash AFTER! Eg: 'publish/' or '/www/htdocs/publish/'. See admPanel option 'publish'
                'addAllowedPaths' => '',                                // Additional relative paths (comma-list) to allow TypoScript resources be in. Should be prepended with '/'. If not, then any path where the first part is like this path will match. That is: 'myfolder/ , myarchive' will match eg. 'myfolder/', 'myarchive/', 'myarchive_one/', 'myarchive_2/' ... No check is done to see if this directory actually exists in the root of the site. Paths are matched by simply checking if these strings equals the first part of any TypoScript resource filepath. (See class template, function init() in t3lib/class.t3lib_tsparser.php)
                'allowedTempPaths' => '',                               // Additional paths allowed for temporary images. Used with imgResource. Eg. 'alttypo3temp/,another_temp_dir/';
index ece97eb..52957f0 100755 (executable)
@@ -1966,11 +1966,11 @@ EXTENSION KEYS:
                                reset($allDirs);
                                $root="";
                                while(list(,$dirParts)=each($allDirs))  {
-                                       $root.=$dirParts."/";
+                                       $root.=$dirParts;
                                        if (!is_dir($extDirPath.$root)) {
                                                @mkdir($extDirPath.$root, 0777);
                                                if (!@is_dir($extDirPath.$root))        {
-                                                       return "Error: The directory '".$extDirPath.$root."' could not be created...";
+                                                       return "Error: The directory '".$extDirPath.$root."/' could not be created...";
                                                }
                                        }
                                }
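Review bot: `$root.=$dirParts;` drops the separator between path segments, so if `$allDirs` holds the parts of one path (it is built outside this hunk) the second iteration tests and creates 'ab' instead of 'a/b'. The hunk at -2837 shows the same pattern with the input visible: `$dirs_in_path` comes from `explode("/",...)` and `$crDirStart.=$dirP;` joins the pieces without '/'. Keeping the separator and stripping it only for the mkdir() call, as this commit does in other places, avoids that: `$root.=$dirParts.'/';` with `@mkdir(ereg_replace('\/$','',$extDirPath.$root), 0777);`.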
@@ -2080,7 +2080,7 @@ EXTENSION KEYS:
                                $path=PATH_site.$this->typePaths[$type];
                                $suffix="";
                                if ((string)$type=="L" && !@is_dir($path))      {
-                                       @mkdir($path, 0777);
+                                       @mkdir(ereg_replace('\/$','',$path), 0777);
                                }
                        break;
                        default:
@@ -2094,17 +2094,17 @@ EXTENSION KEYS:
                        break;
                }
                if ($path && @is_dir($path))    {
-                       $extDirPath = $path.$importedData["extKey"].$suffix."/";
+                       $extDirPath = $path.$importedData["extKey"].$suffix;
                        if (@is_dir($extDirPath))       {
                                // Install dir was found
-                               $res = $this->removeExtDirectory($extDirPath);
-                               if ($res) return "ERROR: Could not remove extension directory '".$extDirPath."'";
+                               $res = $this->removeExtDirectory($extDirPath.'/');
+                               if ($res) return "ERROR: Could not remove extension directory '".$extDirPath."/'";
                        }
 #die("stop here...");
                        // we go create...
                        @mkdir($extDirPath, 0777);
-                       if (!is_dir($extDirPath))       return "ERROR: Could not create extension directory '".$extDirPath."'";
-                       return array($extDirPath);
+                       if (!is_dir($extDirPath))       return "ERROR: Could not create extension directory '".$extDirPath."/'";
+                       return array($extDirPath.'/');
                } else return "ERROR: The extension install path '".$path."' was not a directory.";
        }
 
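Review bot: `$importedData["extKey"]` is joined straight into `$extDirPath`, which is then handed to removeExtDirectory() and mkdir(), and nothing in this hunk checks that the key is a single path segment. If it is not validated earlier in the function (which starts outside this hunk), reject keys containing a slash, a backslash or '..' before building the path, e.g. `if (ereg('[/\\]|\.\.', $importedData["extKey"])) return "ERROR: Invalid extension key";`. The directory is also created with mode 0777, so a narrower mode would keep other local users from changing extension code.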
@@ -2810,7 +2810,7 @@ EXTENSION KEYS:
                $uploadFolder = PATH_site.$this->ulFolder($eKey);
                if ($info["EM_CONF"]["uploadfolder"] && !@is_dir($uploadFolder))        {
                        if (t3lib_div::GPvar("_uploadfolder"))  {
-                               mkdir($uploadFolder, 0777);
+                               mkdir(ereg_replace('\/$','',$uploadFolder), 0777);
                                $indexContent = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
@@ -2837,11 +2837,11 @@ EXTENSION KEYS:
                                                $dirs_in_path=explode("/",ereg_replace("/$","",$crDir));
                                                while(list(,$dirP)=each($dirs_in_path)) {
                                                        if (strcmp($dirP,""))   {
-                                                               $crDirStart.=$dirP."/";
+                                                               $crDirStart.=$dirP;
                                                                if (!@is_dir(PATH_site.$crDirStart))    {
                                                                        mkdir(PATH_site.$crDirStart, 0777);
 #debug(array(PATH_site.$crDirStart));
-                                                                       $finalDir=PATH_site.$crDirStart;
+                                                                       $finalDir=PATH_site.$crDirStart.'/';
                                                                }
                                                        } else die("ERROR: The path '".PATH_site.$crDir."' could not be created.");
                                                }
index 906e6bb..25789ed 100755 (executable)
         * @link http://typo3.org/doc.0.html?&tx_extrepmgm_pi1[extUid]=270&cHash=4ad9d7acb4
         */
        function checkAlternativeIdMethods()    {
+               global $TYPO3_CONF_VARS;
+               
 #              IF (TYPO3_OS=='WIN')    return;         # Commenting out this line will make it work for windows Apache mod_rewrite as well.
 
                        // Redirect by mod_rewrite:
                                if ($parts[$pCount-1]='html')   {
                                        if ($pCount>2)  {
                                                $this->type = intval($parts[$pCount-2]);
-                                               $this->id= $parts[$pCount-3];
+                                               $this->id = $parts[$pCount-3];
                                        } else {
                                                $this->type = 0;
-                                               $this->id= $parts[0];
+                                               $this->id = $parts[0];
                                        }
                                }
                        }
                }
                        // If PATH_INFO
                if (t3lib_div::getIndpEnv('PATH_INFO')) {               // If pathinfo contains stuff...
-                       # line below is NOT needed (anymore), because getIndpEnv already filters this out if needed. Only true PATH_INFO gets through.
-#                      if (t3lib_div::getIndpEnv('PATH_INFO')!=t3lib_div::getIndpEnv('SCRIPT_NAME') && count(explode('/',t3lib_div::getIndpEnv('PATH_INFO')))>1)       {       // There must be at least one '/' in the path - else the PATH_INFO value does not make sense., ALSO t3lib_div::getIndpEnv('PATH_INFO')!=t3lib_div::getIndpEnv('SCRIPT_NAME') is necessary because some servers are seen to set pathinfo equal to script_name
-                               $parts=t3lib_div::trimExplode('/',t3lib_div::getIndpEnv('PATH_INFO'),1);
-                               $parts[]='html';
-                               $pCount = count($parts);
-                               if ($pCount>2)  {
-                                       $this->type = intval($parts[$pCount-2]);
-                                       $this->id= $parts[$pCount-3];
-                               } else {
-                                       $this->type = 0;
-                                       $this->id= $parts[0];
-                               }
-                               $this->absRefPrefix_force=1;
-#                      }
+                       $parts=t3lib_div::trimExplode('/',t3lib_div::getIndpEnv('PATH_INFO'),1);
+                       $parts[]='html';
+                       $pCount = count($parts);
+                       if ($pCount>2)  {
+                               $this->type = intval($parts[$pCount-2]);
+                               $this->id = $parts[$pCount-3];
+                       } else {
+                               $this->type = 0;
+                               $this->id = $parts[0];
+                       }
+                       $this->absRefPrefix_force=1;
                }
                
                        // Call post processing function for custom URL methods.
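Review bot: The context line `if ($parts[$pCount-1]='html') {` assigns instead of comparing, so the branch is always taken and the last path part is overwritten with 'html'. If a comparison was intended it should read `if ($parts[$pCount-1]=='html') {`. `$this->id` is taken from the request path in both branches without any cast, unlike `$this->type`, which goes through intval(); a comment stating where the id is validated would help, since that is not visible in this hunk.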
         * @return      void            
         */
        function determineId()  {
+               global $TYPO3_CONF_VARS;
+               
                        // Getting ARG-v values if some
                $this->setIDfromArgV(); 
                        
                                parse_str($addParams,$GET_VARS);
                        break;
                        case 'M5':
-                               $query='SELECT params FROM cache_md5params WHERE md5hash="'.addslashes(substr($str,2)).'"';
-                               $res=mysql(TYPO3_db,$query);
-                               $row=mysql_fetch_assoc($res);
+                               $query = 'SELECT params FROM cache_md5params WHERE md5hash="'.addslashes(substr($str,2)).'"';
+                               $res = mysql(TYPO3_db,$query);
+                               $row = mysql_fetch_assoc($res);
                                $this->updateMD5paramsRecord(substr($str,2));
                                parse_str($row['params'],$GET_VARS);
                        break;
                }
+               
+               $this->mergingWithGetVars($GET_VARS);
+       }
+       
+       function mergingWithGetVars($GET_VARS)  {
                if (is_array($GET_VARS))        {
-                       if (!is_array($GLOBALS['HTTP_GET_VARS']))       $GLOBALS['HTTP_GET_VARS']=array();
-                       $GLOBALS['HTTP_GET_VARS']=t3lib_div::array_merge_recursive_overrule($GLOBALS['HTTP_GET_VARS'],$GET_VARS);
+                       t3lib_div::addSlashesOnArray($GET_VARS);                // Since TYPO3 expects input in GETVARS to be escaped we will have to do so with the merging parameters.
+                       if (!is_array($GLOBALS['HTTP_GET_VARS']))       $GLOBALS['HTTP_GET_VARS'] = array();
+                       $GLOBALS['HTTP_GET_VARS'] = $_GET = t3lib_div::array_merge_recursive_overrule($GLOBALS['HTTP_GET_VARS'],$GET_VARS);
+
                                // Setting these specifically (like in the init-function):
-                       if (isset($GET_VARS['cHash']))          $this->cHash=$GET_VARS['cHash'];
-                       if (isset($GET_VARS['no_cache']))       $this->no_cache=$GET_VARS['no_cache'] ? 1 : 0;
-                       if (isset($GET_VARS['jumpurl']))        $this->jumpurl=$GET_VARS['jumpurl'];
-                       if (isset($GET_VARS['MP']))                     $this->MP=$this->TYPO3_CONF_VARS['FE']['enable_mount_pids'] ? $GET_VARS['MP'] : '';
+                       if (isset($GET_VARS['type']))           $this->type = $GET_VARS['type'];
+                       if (isset($GET_VARS['cHash']))          $this->cHash = $GET_VARS['cHash'];
+                       if (isset($GET_VARS['no_cache']))       $this->no_cache = $GET_VARS['no_cache'] ? 1 : 0;
+                       if (isset($GET_VARS['jumpurl']))        $this->jumpurl = $GET_VARS['jumpurl'];
+                       if (isset($GET_VARS['MP']))                     $this->MP = $this->TYPO3_CONF_VARS['FE']['enable_mount_pids'] ? $GET_VARS['MP'] : '';
                }
-       }
-       
-       
+       }       
        
        
        
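Review bot: mergingWithGetVars() copies `$GET_VARS['type']` into `$this->type` as a raw string, while checkAlternativeIdMethods() in this same file always sets it through `intval()`. The values come from the parsed parameter string or from the cache_md5params row, so cast here as well: `if (isset($GET_VARS['type'])) $this->type = intval($GET_VARS['type']);`. The new method also has no docblock; it should say that `$GET_VARS` is expected unescaped, that it is slash-escaped before merging, and that `$_GET` and `$GLOBALS['HTTP_GET_VARS']` are both overwritten with the merged result.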
@@ -2187,10 +2194,23 @@ if (version == "n3") {
                                                if (!$this->config['config']['stat_apache_notExtended'])        {
                                                        $LogLine.= ' "'.t3lib_div::getIndpEnv('HTTP_REFERER').'" "'.t3lib_div::getIndpEnv('HTTP_USER_AGENT').'"';
                                                }
-                                               $execCmd = 'echo "'.addslashes($LogLine).'" >> '.$this->config['stat_vars']['logFile'];
-                                               $GLOBALS['TT']->push('Write to log file');
-                                                       exec($execCmd);
-                                               $GLOBALS['TT']->pull();
+
+                                               switch($GLOBALS['TYPO3_CONF_VARS']['FE']['logfile_write'])      {
+                                                       case 'fputs':
+                                                               $GLOBALS['TT']->push('Write to log file (fputs)');
+                                                                       $logfilehandle = fopen(PATH_site.$this->config['stat_vars']['logFile'], 'a');
+                                                                       fputs($logfilehandle, $LogLine."\n");
+                                                                       @fclose($logfilehandle);
+                                                               $GLOBALS['TT']->pull();
+                                                       break;
+                                                       default:
+                                                               $GLOBALS['TT']->push('Write to log file (echo)');
+                                                                       $execCmd = 'echo "'.addslashes($LogLine).'" >> '.PATH_site.$this->config['stat_vars']['logFile'];
+                                                                       exec($execCmd);
+                                                               $GLOBALS['TT']->pull();
+                                                       break;
+                                               }
+
                                                $GLOBALS['TT']->setTSlogMessage('Writing to logfile: OK',0);
                                        } else {
                                                $GLOBALS['TT']->setTSlogMessage('Writing to logfile: Error - logFile did not exist or OS is Windows!',3);
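Review bot: The default branch still passes `$LogLine`, which contains the request's Referer and User-Agent headers, to a shell inside double quotes with only `addslashes()` applied; that function does not neutralise shell expansion characters, so request data can reach the shell as syntax. Quote both the text and the target path with escapeshellarg(), or make 'fputs' the default so that no shell is involved. In the fputs branch the result of fopen() is not checked, so a failed open produces warnings from fputs() while 'Writing to logfile: OK' is still reported. The enclosing method starts and ends outside this hunk.

```php
case 'fputs':
	// … unchanged: TT push …
	$logfilehandle = @fopen(PATH_site.$this->config['stat_vars']['logFile'], 'a');
	if ($logfilehandle)	{
		fputs($logfilehandle, $LogLine."\n");
		fclose($logfilehandle);
	}
	// … unchanged: TT pull, break …
default:
	// … unchanged: TT push …
	$execCmd = 'echo '.escapeshellarg($LogLine).' >> '.escapeshellarg(PATH_site.$this->config['stat_vars']['logFile']);
	// … unchanged: exec, TT pull, break …
```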
@@ -2451,7 +2471,7 @@ if (version == "n3") {
        function tidyHTML($content)             {
                if ($this->TYPO3_CONF_VARS['FE']['tidy'] && $this->TYPO3_CONF_VARS['FE']['tidy_path'])  {
                        $oldContent = $content;
-                       $fname = tempnam('','Typo3_Tidydoc_');          // Create temporary name
+                       $fname = t3lib_div::tempnam('Typo3_Tidydoc_');          // Create temporary name
                        @unlink ($fname);       // Delete if exists, just to be safe.
                        $fp = fopen ($fname,'wb');      // Open for writing
                        fputs ($fp, $content);  // Put $content
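Review bot: `@unlink ($fname);` deletes the file that tempnam() has just created exclusively, and `fopen ($fname,'wb')` then recreates it by name, which reopens the window tempnam() is meant to close and lets the file take default permissions inside typo3temp/. Drop the unlink and open the existing file directly, checking both results: `if ($fname && ($fp = @fopen($fname,'wb'))) {`. The comment 'Delete if exists, just to be safe' should go with it. tidyHTML() continues past the end of this hunk.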