From 94f1641b5c750bc7bdf3878a8fdc496a5c7de760 Mon Sep 17 00:00:00 2001 From: Roman Kelesidis Date: Sat, 23 Dec 2023 01:19:26 +0700 Subject: [PATCH] Some cleanup for attach mod (#1250) * Some cleanup for attach mod * Update displaying.php * Update CHANGELOG.md --- CHANGELOG.md | 1 + admin/admin_attach_cp.php | 2 +- admin/admin_attachments.php | 18 +-- admin/admin_extensions.php | 4 +- dl.php | 2 +- library/attach_mod/displaying.php | 21 ++- .../attach_mod/includes/functions_admin.php | 6 +- .../attach_mod/includes/functions_attach.php | 147 +----------------- .../attach_mod/includes/functions_thumbs.php | 2 +- src/Legacy/Attach.php | 21 ++- 10 files changed, 45 insertions(+), 179 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24a9a21ba..2ba4716b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ - Improved handling errors while uploading [\#1246](https://github.com/torrentpier/torrentpier/pull/1246) - Use hardcoded dictionary names for better counting result in file listing [\#1247](https://github.com/torrentpier/torrentpier/pull/1247) ([kovalensky](https://github.com/kovalensky)) - Refactored thumbnail creation 🌄 [\#1249](https://github.com/torrentpier/torrentpier/pull/1249) ([belomaxorka](https://github.com/belomaxorka)) +- Some cleanup for attach mod [\#1250](https://github.com/torrentpier/torrentpier/pull/1250) ([belomaxorka](https://github.com/belomaxorka)) - New Crowdin updates [\#1203](https://github.com/torrentpier/torrentpier/pull/1203), [\#1222](https://github.com/torrentpier/torrentpier/pull/1222) ([Exileum](https://github.com/Exileum)) ## [v2.4.0-rc2](https://github.com/torrentpier/torrentpier/tree/v2.4.0-rc2) (2023-12-12) diff --git a/admin/admin_attach_cp.php b/admin/admin_attach_cp.php index 9a3a2bdc3..9527fee3a 100644 --- a/admin/admin_attach_cp.php +++ b/admin/admin_attach_cp.php 
@@ -201,7 +201,7 @@ if ($submit_change && $view === 'attachments') { if (isset($attachments['_' . $attachrow['attach_id']])) { if ($attachrow['comment'] != $attachments['_' . $attachrow['attach_id']]['comment'] || $attachrow['download_count'] != $attachments['_' . $attachrow['attach_id']]['download_count']) { $sql = 'UPDATE ' . BB_ATTACHMENTS_DESC . " - SET comment = '" . attach_mod_sql_escape($attachments['_' . $attachrow['attach_id']]['comment']) . "', download_count = " . (int)$attachments['_' . $attachrow['attach_id']]['download_count'] . ' + SET comment = '" . DB()->escape($attachments['_' . $attachrow['attach_id']]['comment']) . "', download_count = " . (int)$attachments['_' . $attachrow['attach_id']]['download_count'] . ' WHERE attach_id = ' . (int)$attachrow['attach_id']; if (!DB()->sql_query($sql)) { diff --git a/admin/admin_attachments.php b/admin/admin_attachments.php index f850d2214..3a8b05cc2 100644 --- a/admin/admin_attachments.php +++ b/admin/admin_attachments.php @@ -103,12 +103,12 @@ while ($row = DB()->sql_fetchrow($result)) { } $sql = 'UPDATE ' . BB_ATTACH_CONFIG . " - SET config_value = '" . attach_mod_sql_escape($new_attach[$config_name]) . "' - WHERE config_name = '" . attach_mod_sql_escape($config_name) . "'"; + SET config_value = '" . DB()->escape($new_attach[$config_name]) . "' + WHERE config_name = '" . DB()->escape($config_name) . "'"; } else { $sql = 'UPDATE ' . BB_ATTACH_CONFIG . " - SET config_value = '" . attach_mod_sql_escape($new_attach[$config_name]) . "' - WHERE config_name = '" . attach_mod_sql_escape($config_name) . "'"; + SET config_value = '" . DB()->escape($new_attach[$config_name]) . "' + WHERE config_name = '" . DB()->escape($config_name) . "'"; } if (!DB()->sql_query($sql)) { 
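Review bot: The new `DB()->escape(...)` call on the `SET comment = '...'` line is wrapped in single quotes by the caller, so it is only equivalent to the removed `attach_mod_sql_escape()` if `escape()` called with one argument returns the escaped string without adding quotes of its own; the removed helper delegated to `DB()->escape_string()`, so this should be confirmed once against the `escape()` signature. The same substitution is made in the admin_attachments.php, admin_extensions.php, functions_admin.php, functions_attach.php and src/Legacy/Attach.php hunks, and the helper itself is deleted in functions_attach.php, so any caller outside this patch (templates, plugins) would now fail with an undefined function; a repository-wide search for `attach_mod_sql_escape` before merging settles that. The statement remains string-built SQL with `comment` as the one user-controlled value and the escape as the only barrier, which is acceptable for this cleanup but worth a prepared statement when the block is next reworked. The enclosing `if ($submit_change && $view === 'attachments')` block starts and ends outside the hunk.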
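Review bot: After this change the `if` and `else` branches in the admin_attachments.php `@@ -103` hunk build byte-identical `UPDATE ... SET config_value = ... WHERE config_name = ...` statements, so the conditional (whose condition sits above the hunk) no longer selects anything and can be collapsed to a single `$sql = ...` assignment. If the two branches were ever meant to differ, that distinction was lost before this patch, but the duplicate is worth removing while the lines are being touched. The enclosing `while` loop starts and ends outside the hunk.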
@@ -157,7 +157,7 @@ if ($check_upload) { $error = false; // Does the target directory exist, is it a directory and writeable - if (!@file_exists(amod_realpath($upload_dir))) { + if (!@file_exists(realpath($upload_dir))) { $error = true; $error_msg = sprintf($lang['DIRECTORY_DOES_NOT_EXIST'], $attach_config['upload_dir']) . '
'; } @@ -301,12 +301,12 @@ if ($check_image_cat) { $error = false; // Does the target directory exist, is it a directory and writeable - if (!@file_exists(amod_realpath($upload_dir))) { + if (!@file_exists(realpath($upload_dir))) { if (!bb_mkdir($upload_dir) && !is_dir($upload_dir)) { throw new \RuntimeException(sprintf('Directory "%s" was not created', $upload_dir)); } - if (!@file_exists(amod_realpath($upload_dir))) { + if (!@file_exists(realpath($upload_dir))) { $error = true; $error_msg = sprintf($lang['DIRECTORY_DOES_NOT_EXIST'], $upload_dir) . '
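Review bot: The comment above the changed line promises a directory that exists, is a directory and is writable, but `file_exists(realpath($upload_dir))` only proves that something exists at the path; `is_dir($upload_dir)` (plus `is_writable($upload_dir)` if no later check covers it) would match the comment and also drop the `@` and the `realpath()` round-trip, since `realpath()` returning `false` for a missing path is merely turned into `file_exists('')`. The same `file_exists(realpath(...))` form appears twice in the `@@ -301` hunk that follows, where the directory has just been created with `bb_mkdir()` and `is_dir()` is already used in the neighbouring condition. Whether a separate writability check follows outside the hunk cannot be seen from here.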
'; } @@ -346,7 +346,7 @@ if ($submit && $mode == 'quota') { $filesize_list[$i] = ($size_select_list[$i] == 'kb') ? round($filesize_list[$i] * 1024) : (($size_select_list[$i] == 'mb') ? round($filesize_list[$i] * 1048576) : $filesize_list[$i]); $sql = 'UPDATE ' . BB_QUOTA_LIMITS . " - SET quota_desc = '" . attach_mod_sql_escape($quota_desc_list[$i]) . "', quota_limit = " . (int)$filesize_list[$i] . ' + SET quota_desc = '" . DB()->escape($quota_desc_list[$i]) . "', quota_limit = " . (int)$filesize_list[$i] . ' WHERE quota_limit_id = ' . (int)$quota_change_list[$i]; if (!DB()->sql_query($sql)) { @@ -408,7 +408,7 @@ if ($submit && $mode == 'quota') { $filesize = ($size_select == 'kb') ? round($filesize * 1024) : (($size_select == 'mb') ? round($filesize * 1048576) : $filesize); $sql = 'INSERT INTO ' . BB_QUOTA_LIMITS . " (quota_desc, quota_limit) - VALUES ('" . attach_mod_sql_escape($quota_desc) . "', " . (int)$filesize . ')'; + VALUES ('" . DB()->escape($quota_desc) . "', " . (int)$filesize . ')'; if (!DB()->sql_query($sql)) { bb_die('Could not add quota limit'); diff --git a/admin/admin_extensions.php b/admin/admin_extensions.php index ad796c98c..000293dff 100644 --- a/admin/admin_extensions.php +++ b/admin/admin_extensions.php @@ -499,7 +499,7 @@ if ($add_forum && $e_mode == 'perm' && $group) { $auth_bitstream = auth_pack($auth_p); - $sql = 'UPDATE ' . BB_EXTENSION_GROUPS . " SET forum_permissions = '" . attach_mod_sql_escape($auth_bitstream) . "' WHERE group_id = " . (int)$group; + $sql = 'UPDATE ' . BB_EXTENSION_GROUPS . " SET forum_permissions = '" . DB()->escape($auth_bitstream) . "' WHERE group_id = " . (int)$group; if (!($result = DB()->sql_query($sql))) { bb_die('Could not update permissions #2'); 
@@ -536,7 +536,7 @@ if ($delete_forum && $e_mode == 'perm' && $group) { $auth_bitstream = (count($auth_p) > 0) ? auth_pack($auth_p) : ''; - $sql = 'UPDATE ' . BB_EXTENSION_GROUPS . " SET forum_permissions = '" . attach_mod_sql_escape($auth_bitstream) . "' WHERE group_id = " . (int)$group; + $sql = 'UPDATE ' . BB_EXTENSION_GROUPS . " SET forum_permissions = '" . DB()->escape($auth_bitstream) . "' WHERE group_id = " . (int)$group; if (!($result = DB()->sql_query($sql))) { bb_die('Could not update permissions #3'); diff --git a/dl.php b/dl.php index 4fc17cb78..dd3e5138a 100644 --- a/dl.php +++ b/dl.php @@ -30,7 +30,7 @@ function send_file_to_browser($attachment, $upload_dir) $gotit = false; - if (@!file_exists(@amod_realpath($filename))) { + if (@!file_exists(realpath($filename))) { bb_die($lang['ERROR_NO_ATTACHMENT'] . '

' . htmlCHR($filename)); } else { $gotit = true; diff --git a/library/attach_mod/displaying.php b/library/attach_mod/displaying.php index c12fd9cb7..210294fe2 100644 --- a/library/attach_mod/displaying.php +++ b/library/attach_mod/displaying.php @@ -179,9 +179,7 @@ function display_attachments($post_id) $template->assign_block_vars('postrow.attach', []); for ($i = 0; $i < $num_attachments; $i++) { - // Some basic things... $filename = $upload_dir . '/' . basename($attachments['_' . $post_id][$i]['physical_filename']); - $thumbnail_filename = $upload_dir . '/' . THUMB_DIR . '/t_' . basename($attachments['_' . $post_id][$i]['physical_filename']); // Checks the file existence if (!is_file($filename)) { @@ -189,7 +187,6 @@ function display_attachments($post_id) } $upload_image = ''; - if ($attach_config['upload_img'] && empty($upload_icons[$attachments['_' . $post_id][$i]['extension']])) { $upload_image = ''; } elseif (trim($upload_icons[$attachments['_' . $post_id][$i]['extension']]) != '') { @@ -217,15 +214,13 @@ function display_attachments($post_id) $thumbnail = false; $link = false; + // Shows the images in topic if (@(int)$display_categories[$attachments['_' . $post_id][$i]['extension']] == IMAGE_CAT && (int)$attach_config['img_display_inlined']) { if ((int)$attach_config['img_link_width'] != 0 || (int)$attach_config['img_link_height'] != 0) { - // Checks the thumbnail existence - if (!is_file($thumbnail_filename)) { - continue; - } - + // Get image sizes [$width, $height] = getimagesize($filename); + // Check if image sizes is allowed if ($width == 0 && $height == 0) { $image = true; } else { 
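Review bot: `@!file_exists(realpath($filename))` in the dl.php hunk still relies on `realpath()` collapsing a missing file to `false` and on `@` hiding the resulting notices; `if (!is_file($filename)) {` expresses the same check without either and additionally rejects a directory at that path. Independently of this change, the error branch sends the server-side path back to the requester via `htmlCHR($filename)`; the path belongs in a server-side log, and the response only needs the language string and at most the attachment id. The rest of `send_file_to_browser()` lies outside the hunk.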
@@ -238,11 +233,13 @@ function display_attachments($post_id) } } + // Checks if image is thumbnail if (@(int)$display_categories[$attachments['_' . $post_id][$i]['extension']] == IMAGE_CAT && $attachments['_' . $post_id][$i]['thumbnail'] == 1) { $thumbnail = true; $image = false; } + // Checks whether the image should be displayed as a link if (!$image && !$thumbnail) { $link = true; } @@ -278,6 +275,14 @@ function display_attachments($post_id) } if ($thumbnail) { + // Get the thumbnail image + $thumbnail_filename = $upload_dir . '/' . THUMB_DIR . '/t_' . basename($attachments['_' . $post_id][$i]['physical_filename']); + + // Checks the thumbnail existence + if (!is_file($thumbnail_filename)) { + continue; + } + // Images, but display Thumbnail if ($attach_config['upload_dir'][0] == '/' || ($attach_config['upload_dir'][0] != '/' && $attach_config['upload_dir'][1] == ':')) { $thumb_source = BB_ROOT . DL_URL . $attachments['_' . $post_id][$i]['attach_id'] . '&thumb=1'; diff --git a/library/attach_mod/includes/functions_admin.php b/library/attach_mod/includes/functions_admin.php index d38190e0b..41e646864 100644 --- a/library/attach_mod/includes/functions_admin.php +++ b/library/attach_mod/includes/functions_admin.php @@ -146,7 +146,7 @@ function search_attachments($order_by, &$total_rows) $search_author = stripslashes(clean_username($search_author)); // Prepare for directly going into sql query - $search_author = str_replace('*', '%', attach_mod_sql_escape($search_author)); + $search_author = str_replace('*', '%', DB()->escape($search_author)); // We need the post_id's, because we want to query the Attachment Table $sql = 'SELECT user_id FROM ' . BB_USERS . " WHERE username LIKE '$search_author'"; 
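Review bot: With the thumbnail-existence guard removed from the `@@ -217` branch of displaying.php, `[$width, $height] = getimagesize($filename);` is now the only check before an image is shown inline, and its `false` return for a corrupt or non-image file is not handled: destructuring `false` yields two nulls, `null == 0` is true, and the file is flagged `$image = true` and rendered as an image. Testing the return explicitly, `if (($size = getimagesize($filename)) === false) { continue; }` followed by `[$width, $height] = $size;`, keeps a file that merely carries an image extension from reaching the inline path. The `@` on the `$display_categories[...]` lookup in the same condition hides an undefined-index notice that a `?? 0` default would express directly. `display_attachments()` starts and ends outside the hunk.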
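Review bot: In the functions_admin.php `@@ -146` hunk, `DB()->escape()` neutralises quote and backslash characters but not the LIKE metacharacters `%` and `_`, so an underscore or percent sign in the submitted author name still acts as a wildcard on the new line, while `*` is the only wildcard the search intends to expose. Escaping those characters before the SQL escape and the `*` → `%` translation, `$search_author = str_replace('*', '%', DB()->escape(addcslashes($search_author, '%_')));`, keeps the layers in the right order: the backslash added by `addcslashes()` is doubled for the string literal and, assuming MySQL's default LIKE escape character, read back as a literal-match escape. The same applies to the two `LIKE` clauses built from `$search_keyword_fname` and `$search_keyword_comment` in the `@@ -172` hunk. `search_attachments()` continues outside the hunk.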
@@ -172,13 +172,13 @@ function search_attachments($order_by, &$total_rows) $search_keyword_fname = get_var('search_keyword_fname', ''); if ($search_keyword_fname) { $match_word = str_replace('*', '%', $search_keyword_fname); - $where_sql[] = " (a.real_filename LIKE '" . attach_mod_sql_escape($match_word) . "') "; + $where_sql[] = " (a.real_filename LIKE '" . DB()->escape($match_word) . "') "; } $search_keyword_comment = get_var('search_keyword_comment', ''); if ($search_keyword_comment) { $match_word = str_replace('*', '%', $search_keyword_comment); - $where_sql[] = " (a.comment LIKE '" . attach_mod_sql_escape($match_word) . "') "; + $where_sql[] = " (a.comment LIKE '" . DB()->escape($match_word) . "') "; } // Search Download Count diff --git a/library/attach_mod/includes/functions_attach.php b/library/attach_mod/includes/functions_attach.php index cdae27621..8faf18830 100644 --- a/library/attach_mod/includes/functions_attach.php +++ b/library/attach_mod/includes/functions_attach.php @@ -177,38 +177,6 @@ function unlink_attach($filename, $mode = false) return @unlink($filename); } -/** - * Check if Attachment exist - */ -function attachment_exists($filename) -{ - global $upload_dir, $attach_config; - - $filename = basename($filename); - - if (!@file_exists(@amod_realpath($upload_dir . '/' . $filename))) { - return false; - } - - return true; -} - -/** - * Check if Thumbnail exist - */ -function thumbnail_exists($filename) -{ - global $upload_dir, $attach_config; - - $filename = basename($filename); - - if (!@file_exists(@amod_realpath($upload_dir . '/' . THUMB_DIR . '/t_' . $filename))) { - return false; - } - - return true; -} - /** * Physical Filename stored already ? */ 
@@ -222,7 +190,7 @@ function physical_filename_already_stored($filename) $sql = 'SELECT attach_id FROM ' . BB_ATTACHMENTS_DESC . " - WHERE physical_filename = '" . attach_mod_sql_escape($filename) . "' + WHERE physical_filename = '" . DB()->escape($filename) . "' LIMIT 1"; if (!($result = DB()->sql_query($sql))) { @@ -283,37 +251,6 @@ function get_attachments_from_post($post_id_array) return $attachments; } -/** - * Count Filesize of Attachments in Database based on the attachment id - */ -function get_total_attach_filesize($attach_ids) -{ - if (!is_array($attach_ids) || !count($attach_ids)) { - return 0; - } - - $attach_ids = implode(', ', array_map('\intval', $attach_ids)); - - if (!$attach_ids) { - return 0; - } - - $sql = 'SELECT filesize FROM ' . BB_ATTACHMENTS_DESC . " WHERE attach_id IN ($attach_ids)"; - - if (!($result = DB()->sql_query($sql))) { - bb_die('Could not query total filesize'); - } - - $total_filesize = 0; - - while ($row = DB()->sql_fetchrow($result)) { - $total_filesize += (int)$row['filesize']; - } - DB()->sql_freeresult($result); - - return $total_filesize; -} - /** * Get allowed Extensions and their respective Values */ 
@@ -377,70 +314,6 @@ function attachment_sync_topic($topics) } } -/** - * Get Extension - */ -function get_extension($filename) -{ - if (!str_contains($filename, '.')) { - return ''; - } - $extension = strrchr(strtolower($filename), '.'); - $extension[0] = ' '; - $extension = strtolower(trim($extension)); - if (is_array($extension)) { - return ''; - } - - return $extension; -} - -/** - * Delete Extension - */ -function delete_extension($filename) -{ - return substr($filename, 0, strripos(trim($filename), '.')); -} - -/** - * Check if a user is within Group - */ -function user_in_group($user_id, $group_id) -{ - $user_id = (int)$user_id; - $group_id = (int)$group_id; - - if (!$user_id || !$group_id) { - return false; - } - - $sql = 'SELECT u.group_id - FROM ' . BB_USER_GROUP . ' u, ' . BB_GROUPS . " g - WHERE g.group_single_user = 0 - AND u.group_id = g.group_id - AND u.user_id = $user_id - AND g.group_id = $group_id - LIMIT 1"; - - if (!($result = DB()->sql_query($sql))) { - bb_die('Could not get user group'); - } - - $num_rows = DB()->num_rows($result); - DB()->sql_freeresult($result); - - return !($num_rows == 0); -} - -/** - * Realpath replacement for attachment mod - */ -function amod_realpath($path) -{ - return (function_exists('realpath')) ? realpath($path) : $path; -} - /** * _set_var * @@ -515,18 +388,6 @@ function get_var($var_name, $default, $multibyte = false) return $var; } -/** - * Escaping SQL - */ -function attach_mod_sql_escape($text) -{ - if (function_exists('mysqli_real_escape_string')) { - return DB()->escape_string($text); - } - - return str_replace(['\\', "'"], ['\\\\', "''"], $text); -} - /** * Build sql statement from array for insert/update/select statements * 
@@ -548,7 +409,7 @@ function attach_mod_sql_build_array($query, $assoc_ary = false) if (null === $var) { $values[] = 'NULL'; } elseif (is_string($var)) { - $values[] = "'" . attach_mod_sql_escape($var) . "'"; + $values[] = "'" . DB()->escape($var) . "'"; } elseif (is_array($var) && is_string($var[0])) { $values[] = $var[0]; } else { @@ -565,7 +426,7 @@ function attach_mod_sql_build_array($query, $assoc_ary = false) if (null === $var) { $values[] = 'NULL'; } elseif (is_string($var)) { - $values[] = "'" . attach_mod_sql_escape($var) . "'"; + $values[] = "'" . DB()->escape($var) . "'"; } else { $values[] = (is_bool($var)) ? (int)$var : $var; } @@ -580,7 +441,7 @@ function attach_mod_sql_build_array($query, $assoc_ary = false) if (null === $var) { $values[] = "$key = NULL"; } elseif (is_string($var)) { - $values[] = "$key = '" . attach_mod_sql_escape($var) . "'"; + $values[] = "$key = '" . DB()->escape($var) . "'"; } else { $values[] = (is_bool($var)) ? "$key = " . (int)$var : "$key = $var"; } diff --git a/library/attach_mod/includes/functions_thumbs.php b/library/attach_mod/includes/functions_thumbs.php index b6480ee80..d22a6fb31 100644 --- a/library/attach_mod/includes/functions_thumbs.php +++ b/library/attach_mod/includes/functions_thumbs.php @@ -25,7 +25,7 @@ function createThumbnail(string $source, string $newFile, string $mimeType): boo global $attach_config; // Get the file information - $source = amod_realpath($source); + $source = realpath($source); $min_filesize = (int)$attach_config['img_min_thumb_filesize']; $img_filesize = file_exists($source) ? filesize($source) : false; diff --git a/src/Legacy/Attach.php b/src/Legacy/Attach.php index 70ac12c3b..65cee65c6 100644 --- a/src/Legacy/Attach.php +++ b/src/Legacy/Attach.php 
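Review bot: In the functions_thumbs.php hunk, `$source = realpath($source);` assigns `false` to a parameter declared `string` when the path does not exist, and the following `file_exists($source)` then only works because `false` coerces to `''` (or raises a `TypeError` if the file declares `strict_types`); a guard, `if (($source = realpath($source)) === false) { return false; }`, makes the failure explicit and keeps `$source` a string for the rest of the function. The `@@ -1082` hunk in src/Legacy/Attach.php has the sharper form of the same issue: `$dest_file = realpath($upload_dir);` followed by `$dest_file .= '/' . THUMB_DIR . ...` turns a `false` into a path anchored at the filesystem root, so the thumbnail would be written outside the upload directory rather than failing, and that call needs the same `=== false` check before the concatenation. Both behaviours predate the patch (`amod_realpath()` returned the same `false`), but the rename is the moment to add the check. `createThumbnail()` continues outside the hunk.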
@@ -550,7 +550,7 @@ class Attach // update entry in db if attachment already stored in db and filespace $sql = 'UPDATE ' . BB_ATTACHMENTS_DESC . " - SET comment = '" . @attach_mod_sql_escape($this->attachment_comment_list[$i]) . "' + SET comment = '" . DB()->escape($this->attachment_comment_list[$i]) . "' WHERE attach_id = " . $this->attachment_id_list[$i]; if (!(DB()->sql_query($sql))) { @@ -757,22 +757,22 @@ class Attach } $this->type = strtolower($this->type); - $this->extension = strtolower(get_extension($this->filename)); - - $this->filesize = @filesize($file); - $this->filesize = (int)$this->filesize; + $this->extension = strtolower(pathinfo($this->filename, PATHINFO_EXTENSION)); + $this->filesize = (int)filesize($file); $sql = 'SELECT g.allow_group, g.max_filesize, g.cat_id, g.forum_permissions FROM ' . BB_EXTENSION_GROUPS . ' g, ' . BB_EXTENSIONS . " e WHERE g.group_id = e.group_id - AND e.extension = '" . attach_mod_sql_escape($this->extension) . "' + AND e.extension = '" . DB()->escape($this->extension) . "' LIMIT 1"; if (!($result = DB()->sql_query($sql))) { bb_die('Could not query extensions'); } - $row = DB()->sql_fetchrow($result); + if (!($row = DB()->sql_fetchrow($result))) { + /** TODO **/ + } DB()->sql_freeresult($result); $allowed_filesize = $row['max_filesize'] ?: $attach_config['max_filesize']; 
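Review bot: The new `if (!($row = DB()->sql_fetchrow($result))) { /** TODO **/ }` in the `@@ -757` hunk leaves an unregistered extension unhandled: `$row` is then `false`, and `$row['max_filesize']` on the next line (and presumably the `allow_group`/`cat_id`/`forum_permissions` reads further down, outside the hunk) produces `null` from a boolean with a warning instead of refusing the upload. Since this lookup is the extension allow-list, the empty branch should reject the file — set the upload error and return, in the same spirit as the `bb_die('Could not query extensions')` branch above — rather than fall through; the TODO as written records the gap without closing it. Separately, `(int)filesize($file)` maps a `false` (unreadable file) to `0` now that the `@` is gone, which later size checks will treat as an empty upload. The enclosing method starts and ends outside the hunk.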
@@ -848,15 +848,14 @@ class Attach $this->filename = $r_file; // physical filename - //$this->attach_filename = strtolower($this->filename); $this->attach_filename = $this->filename; //bt if (FILENAME_CRYPTIC) { $this->attach_filename = make_rand_str(FILENAME_CRYPTIC_LENGTH); - } else { // original + } else { $this->attach_filename = html_entity_decode(trim(stripslashes($this->attach_filename))); - $this->attach_filename = delete_extension($this->attach_filename); + $this->attach_filename = pathinfo($this->attach_filename, PATHINFO_FILENAME); $this->attach_filename = str_replace([' ', '-'], '_', $this->attach_filename); $this->attach_filename = str_replace('__', '_', $this->attach_filename); $this->attach_filename = str_replace([',', '.', '!', '?', 'ь', 'Ь', 'ц', 'Ц', 'д', 'Д', ';', ':', '@', "'", '"', '&'], ['', '', '', '', 'ue', 'ue', 'oe', 'oe', 'ae', 'ae', '', '', '', '', '', 'and'], $this->attach_filename); @@ -1082,7 +1081,7 @@ class Attach if (!$error && $this->thumbnail === 1) { $source = $upload_dir . '/' . basename($this->attach_filename); - $dest_file = amod_realpath($upload_dir); + $dest_file = realpath($upload_dir); $dest_file .= '/' . THUMB_DIR . '/t_' . basename($this->attach_filename); if (!createThumbnail($source, $dest_file, $this->type)) {
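Review bot: `pathinfo($this->attach_filename, PATHINFO_FILENAME)` is locale-aware in the same way as `basename()`: under a non-UTF-8 process locale it can drop leading multibyte characters of the name, whereas the removed `delete_extension()` worked on bytes, so for uploads with Cyrillic names this deserves a check against the locale the application sets. The two helpers also differ on a name without a dot — the old `substr(..., 0, strripos(...))` returned `''` and the new call returns the whole name — which is the better behaviour but is a behaviour change rather than a pure cleanup and could be mentioned in the changelog entry. The surrounding method continues outside the hunk.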