
Method canUpload

public static bool
canUpload
(mixed $file, mixed &$errUploadMsg, mixed $frontEnd = 0, mixed $chunkEnabled = 0, mixed $realSize = 0)
Checks whether an uploaded file may be accepted into the gallery; sets the error message by reference and returns false on the first failed check.
Parameters
  • array $file - one entry of $_FILES (name, tmp_name, size)
  • string $errUploadMsg - set by reference to the language key of the failed check
  • int $frontEnd - where the call originates: 0 backend, 1 frontend category view, 2 frontend user control panel (the per-user size limit applies only for 2)
  • int $chunkEnabled - 1 when the chunk method (multiple upload) is used; the file then holds only one part and special rules apply
  • string $realSize - when the chunk method is used, the real size of the whole file (not only of the part)
Returns
  • bool True on success
Since
  • 1.5

Method canUpload - Source code

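/**
 * Validate an uploaded file before the gallery stores it.
 *
 * The checks run in order and stop at the first failure: the file name must
 * survive File::makesafe() unchanged, the extension must be in the hard-coded
 * image list, the resolution and file size must stay within the component
 * limits, a complete (non-chunked) file must parse with getimagesize(), and the
 * first 256 bytes must not contain an HTML tag (an "image" that a browser could
 * content-sniff as HTML).
 *
 * @param array      $file         One entry of $_FILES ('name', 'tmp_name', 'size')
 * @param string     $errUploadMsg Set by reference to a language key naming the
 *                                 failed check; left untouched on success
 * @param int        $frontEnd     0 backend, 1 category view, 2 user control panel
 *                                 (only 2 applies the per-user total size limit)
 * @param int        $chunkEnabled 1 when the file arrives in chunks: $file then holds
 *                                 one part only, so size checks use $realSize and the
 *                                 getimagesize() check is skipped
 * @param int|string $realSize     Size of the whole file when chunking is used
 * @return bool True when every check passes
 * @since 1.5
 */
public static function canUpload($file, &$errUploadMsg, $frontEnd = 0, $chunkEnabled = 0, $realSize = 0)
{
    $params = ComponentHelper::getParams('com_phocagallery');

    // Hard-coded lists. upload_extensions and image_extensions are identical, so
    // the non-image MIME branch further down is only reached if they ever diverge.
    $paramsL = [];
    $paramsL['upload_extensions']   = 'gif,jpg,png,jpeg,webp';
    $paramsL['image_extensions']    = 'gif,jpg,png,jpeg,webp';
    $paramsL['upload_mime']         = 'image/jpeg,image/gif,image/png,image/webp';
    $paramsL['upload_mime_illegal'] = 'application/x-shockwave-flash,application/msword,application/excel,application/pdf,application/powerpoint,text/plain,application/x-zip,text/html';

    // The file doesn't exist
    if (empty($file['name'])) {
        $errUploadMsg = 'COM_PHOCAGALLERY_ERROR_UNABLE_TO_UPLOAD_FILE';
        return false;
    }

    // Not safe file: refuse any name that File::makesafe() would have to alter
    jimport('joomla.filesystem.file');
    if ($file['name'] !== File::makesafe($file['name'])) {
        $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_FILENAME';
        return false;
    }

    // Allowable extension (lower-cased, strict comparison)
    $format    = strtolower(File::getExt($file['name']));
    $allowable = explode(',', $paramsL['upload_extensions']);
    if ($format === '' || !in_array($format, $allowable, true)) {
        $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_FILETYPE';
        return false;
    }

    // Maximum resolution ('COM_PHOCAGALLERY_MAX_RESOLUTION'); a limit of 0 disables the check.
    // getImageSize() is assumed to return a getimagesize()-like array — the ?? keeps a
    // non-array result (unreadable file) from raising an offset warning.
    $imgSize      = PhocaGalleryImage::getImageSize($file['tmp_name']);
    $imgWidth     = (int) ($imgSize[0] ?? 0);
    $imgHeight    = (int) ($imgSize[1] ?? 0);
    $maxResWidth  = (int) $params->get('upload_maxres_width', 3072);
    $maxResHeight = (int) $params->get('upload_maxres_height', 2304);
    if ($maxResWidth > 0 && $maxResHeight > 0 && ($imgWidth > $maxResWidth || $imgHeight > $maxResHeight)) {
        $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_FILE_TOOLARGE_RESOLUTION';
        return false;
    }

    // With chunking, $file['size'] is only the size of the current part
    $fileSize = ($chunkEnabled == 1) ? $realSize : $file['size'];

    // User (only in ucp) - check the total size of all images of this user
    if ($frontEnd == 2) {
        $user             = Factory::getUser();
        $maxUserImageSize = (int) $params->get('user_images_max_size', 20971520);
        $allFileSize      = PhocaGalleryFileUploadFront::getSizeAllOriginalImages($fileSize, $user->id);
        if ($maxUserImageSize > 0 && (int) $allFileSize > $maxUserImageSize) {
            // NOTE(review): this is the only message returned already translated;
            // every other branch returns the raw language key — confirm callers
            // do not translate it a second time.
            $errUploadMsg = Text::_('COM_PHOCAGALLERY_WARNING_USERIMAGES_TOOLARGE');
            return false;
        }
    }

    // Max size of image; 0 disables the check
    $maxSize = (int) $params->get('upload_maxsize', 3145728);
    if ($maxSize > 0 && (int) $fileSize > $maxSize) {
        $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_FILE_TOOLARGE';
        return false;
    }

    // Image check
    $images = explode(',', $paramsL['image_extensions']);
    if (in_array($format, $images, true)) {
        // A whole file must parse as an image; a chunk is only a fragment, so
        // getimagesize() cannot be applied to it
        if ($chunkEnabled != 1 && getimagesize($file['tmp_name']) === false) {
            $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_INVALIDIMG';
            return false;
        }
    } else {
        // Non-image extension: reject known-dangerous MIME types. This is a
        // denylist — a type in neither list passes.
        $allowedMime = explode(',', $paramsL['upload_mime']);
        $illegalMime = explode(',', $paramsL['upload_mime_illegal']);
        $type        = '';
        if (function_exists('finfo_open')) {
            // FILEINFO_MIME_TYPE yields e.g. "text/html"; FILEINFO_MIME appends
            // "; charset=..." and would never match the lists above
            $finfo = finfo_open(FILEINFO_MIME_TYPE);
            if ($finfo !== false) {
                $type = (string) finfo_file($finfo, $file['tmp_name']);
                // Close before any early return so the handle is never leaked
                finfo_close($finfo);
            }
        } elseif (function_exists('mime_content_type')) {
            $type = (string) mime_content_type($file['tmp_name']);
        }
        if ($type !== '' && !in_array($type, $allowedMime, true) && in_array($type, $illegalMime, true)) {
            $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_INVALIDMIME';
            return false;
        }
    }

    // XSS check on the first 256 bytes. The offset must be 0: since PHP 7.1 a
    // negative offset counts from the end of the file, so the former -1 read only
    // the last byte and this check could never match.
    $xssCheck = file_get_contents($file['tmp_name'], false, null, 0, 256);
    if ($xssCheck === false) {
        // An unreadable temporary file cannot be checked, so it cannot be accepted
        $errUploadMsg = 'COM_PHOCAGALLERY_ERROR_UNABLE_TO_UPLOAD_FILE';
        return false;
    }
    $htmlTags = [
        'abbr', 'acronym', 'address', 'applet', 'area', 'audioscope', 'base', 'basefont', 'bdo', 'bgsound',
        'big', 'blackface', 'blink', 'blockquote', 'body', 'bq', 'br', 'button', 'caption', 'center', 'cite',
        'code', 'col', 'colgroup', 'comment', 'custom', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', 'dt', 'em',
        'embed', 'fieldset', 'fn', 'font', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
        'head', 'hr', 'html', 'iframe', 'ilayer', 'img', 'input', 'ins', 'isindex', 'keygen', 'kbd', 'label',
        'layer', 'legend', 'li', 'limittext', 'link', 'listing', 'map', 'marquee', 'menu', 'meta', 'multicol',
        'nobr', 'noembed', 'noframes', 'noscript', 'nosmartquotes', 'object', 'ol', 'optgroup', 'option',
        'param', 'plaintext', 'pre', 'rt', 'ruby', 's', 'samp', 'script', 'select', 'server', 'shadow',
        'sidebar', 'small', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'sup', 'table', 'tbody',
        'td', 'textarea', 'tfoot', 'th', 'thead', 'title', 'tr', 'tt', 'ul', 'var', 'wbr', 'xml', 'xmp',
        '!DOCTYPE', '!--',
    ];
    foreach ($htmlTags as $tag) {
        // A tag is '<tagname ' or '<tagname>'; the match is case-insensitive
        if (stripos($xssCheck, '<' . $tag . ' ') !== false || stripos($xssCheck, '<' . $tag . '>') !== false) {
            $errUploadMsg = 'COM_PHOCAGALLERY_WARNING_IEXSS';
            return false;
        }
    }

    return true;
}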