From 6f8e186cef22c5c32cd8ec7a34bc4376f8e38970 Mon Sep 17 00:00:00 2001
From: Ruxton
Date: Wed, 26 Jul 2017 13:46:39 +0800
Subject: [PATCH 1/2] Ensure original filename+extension is sent

---
 controllers/micropub.php | 2 +-
 lib/helpers.php | 24 ++++++++++++++----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/controllers/micropub.php b/controllers/micropub.php
index 871c9cf..a1c3a26 100644
--- a/controllers/micropub.php
+++ b/controllers/micropub.php
@@ -52,7 +52,7 @@ $app->post('/micropub/multipart', function() use($app) {
 if(!$error) {
 $file_path = $file['tmp_name'];
 correct_photo_rotation($file_path);
- $r = micropub_post_for_user($user, $_POST, $file_path);
+ $r = micropub_post_for_user($user, $_POST, $file);
 } else {
 $r = array('error' => $error);
 }
diff --git a/lib/helpers.php b/lib/helpers.php
index f48c986..c8d4e0e 100644
--- a/lib/helpers.php
+++ b/lib/helpers.php
@@ -5,7 +5,7 @@ if(isset(Config::$dbType) && Config::$dbType == 'sqlite') {
 } else {
 ORM::configure('mysql:host=' . Config::$dbHost . ';dbname=' . Config::$dbName);
 ORM::configure('username', Config::$dbUsername);
- ORM::configure('password', Config::$dbPassword);
+ ORM::configure('password', Config::$dbPassword);
 }
 
 function render($page, $data) {
@@ -83,15 +83,15 @@ if(!function_exists('http_build_url')) {
 }
 }
 
-function micropub_post_for_user(&$user, $params, $file_path = NULL, $json = false) {
+function micropub_post_for_user(&$user, $params, $file = NULL, $json = false) {
 // Now send to the micropub endpoint
- $r = micropub_post($user->micropub_endpoint, $params, $user->micropub_access_token, $file_path, $json);
+ $r = micropub_post($user->micropub_endpoint, $params, $user->micropub_access_token, $file, $json);
 
 $user->last_micropub_response = substr(json_encode($r), 0, 1024);
 $user->last_micropub_response_date = date('Y-m-d H:i:s');
 
 // Check the response and look for a "Location" header containing the URL
- if($r['response'] && ($r['code'] == 201 || $r['code'] == 202)
+ if($r['response'] && ($r['code'] == 201 || $r['code'] == 202)
 && isset($r['headers']['Location'])) {
 $r['location'] = $r['headers']['Location'][0];
 $user->micropub_success = 1;
@@ -104,9 +104,9 @@ function micropub_post_for_user(&$user, $params, $file_path = NULL, $json = fals
 return $r;
 }
 
-function micropub_media_post_for_user(&$user, $file_path) {
+function micropub_media_post_for_user(&$user, $file) {
 // Send to the media endpoint
- $r = micropub_post($user->micropub_media_endpoint, [], $user->micropub_access_token, $file_path, true, 'file');
+ $r = micropub_post($user->micropub_media_endpoint, [], $user->micropub_access_token, $file, true, 'file');
 
 // Check the response and look for a "Location" header containing the URL
 if($r['response'] && preg_match('/Location: (.+)/', $r['response'], $match)) {
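Review bot: The `$file` parameter of micropub_post_for_user now has to be a `$_FILES`-style array (the later hunk reads `tmp_name` and `name` from it), but the signature keeps the old `= NULL` default and carries no docblock saying so, so a caller still passing a temp path string gets no warning. Add above the signature `/** @param array|null $file one entry of $_FILES (keys tmp_name, name), or NULL for a post without an upload */`. The same applies to micropub_media_post_for_user in the next hunk, whose callers are not touched by this patch; any caller that still hands it a path is outside what the commit shows and needs checking. The `- if(` / `+ if(` pair in this hunk is whitespace-only.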
@@ -118,11 +118,15 @@ function micropub_media_post_for_user(&$user, $file_path) {
 return $r;
 }
 
-function micropub_post($endpoint, $params, $access_token, $file_path = NULL, $json = false, $file_prop = 'photo') {
+function micropub_post($endpoint, $params, $access_token, $file = NULL, $json = false, $file_prop = 'photo') {
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $endpoint);
 curl_setopt($ch, CURLOPT_POST, true);
 
+ $file_path = $file['tmp_name'];
+ $file_content = file_get_contents($file_path) . self::EOL;
+ $filename = $file['name'];
+
 // Send the access token in both the header and post body to support more clients
 // https://github.com/aaronpk/Quill/issues/4
 // http://indiewebcamp.com/irc/2015-02-14#t1423955287064
@@ -149,7 +153,7 @@ function micropub_post($endpoint, $params, $access_token, $file_path = NULL, $js
 $mimetype = finfo_file($finfo, $file_path);
 $multipart = new p3k\Multipart();
 $multipart->addArray($params);
- $multipart->addFile($file_prop, $file_path, $mimetype);
+ $multipart->addFile($file_prop, $filename, $mimetype, $file_content);
 $post = $multipart->data();
 $httpheaders[] = 'Content-Type: ' . $multipart->contentType();
 }
@@ -323,7 +327,7 @@ function validate_photo(&$file) {
 if ($_SERVER['REQUEST_METHOD'] == 'POST' && count($_POST) < 1 ) {
 throw new RuntimeException('File upload size exceeded.');
 }
-
+
 // Undefined | Multiple Files | $_FILES Corruption Attack
 // If this request falls under any of them, treat it invalid.
 if (
@@ -436,7 +440,7 @@ function sanitize_editor_html($html) {
 $def->addElement('figure', 'Block', 'Optional: (figcaption, Flow) | (Flow, figcaption) | Flow', 'Common');
 $def->addElement('figcaption', 'Inline', 'Flow', 'Common');
 
- // Allow data: URIs
+ // Allow data: URIs
 $config->set('URI.AllowedSchemes', array('data' => true, 'http' => true, 'https' => true));
 
 // Strip all classes from elements

From 0cba1cb9cdd2f7b8b7fb5f439984d40ea34dc6c2 Mon Sep 17 00:00:00 2001
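Review bot: `self::EOL` on the added `$file_content` line is evaluated inside a top-level function (the `function micropub_post(` signature sits at column 0 with no class in view), so PHP raises an Error the first time micropub_post runs; in addition the three new assignments execute unconditionally, so a JSON post with the default `$file = NULL` dereferences `$file['tmp_name']` where the old code only touched the path when an upload was present. The file_get_contents result is not checked for `false`, and appending a line ending to the raw bytes changes the uploaded file unless p3k\Multipart strips it again, which is not visible here. Guard the block on `$file` being set, drop the appended EOL, and fail loudly on an unreadable temp file; `$file_path` stays null without an upload, so a later check on it (the mimetype branch starts outside this hunk) presumably keeps its old meaning.
```php
  curl_setopt($ch, CURLOPT_POST, true);

  $file_path = null;
  $file_content = null;
  $filename = null;
  if($file !== NULL) {
    $file_path = $file['tmp_name'];
    $filename = $file['name'];
    // Read once here so a missing or unreadable temp file fails before the request is built
    $file_content = file_get_contents($file_path);
    if($file_content === false) {
      throw new RuntimeException('Unable to read uploaded file: ' . $file_path);
    }
  }

  // … unchanged: access-token header and request setup …
```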
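Review bot: `$filename` on the changed addFile line is the client-supplied original name from `$_FILES[...]['name']`, forwarded unchanged into the multipart body sent to the user's Micropub endpoint; unless p3k\Multipart escapes it, a name containing `"`, CR, LF or a directory prefix lands verbatim in the `Content-Disposition` part header of the outgoing request. Reduce it to a base name and strip those characters before the call: `$multipart->addFile($file_prop, basename(str_replace(["\r", "\n", '"'], '', $filename)), $mimetype, $file_content);`. The conditional that computes `$mimetype` starts outside this hunk.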
From: Ruxton
Date: Fri, 28 Jul 2017 10:21:52 +0800
Subject: [PATCH 2/2] Update p3k/multipart to use at least v0.2.0

---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index 03d460a..e28372d 100644
--- a/composer.json
+++ b/composer.json
@@ -11,7 +11,7 @@
 "abraham/twitteroauth": "*",
 "andreyco/instagram": "3.*",
 "ezyang/htmlpurifier": "4.*",
- "p3k/multipart": "*",
+ "p3k/multipart": ">=0.2.0",
 "tantek/cassis": "*",
 "p3k/timezone": "*",
 "gajus/dindent": "^2.0"
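Review bot: `">=0.2.0"` on the changed line has no upper bound, so any future major release of p3k/multipart with a different addFile signature still satisfies it on the next `composer update`, while the code in the companion patch depends on the four-argument addFile introduced with 0.2.0. Pin the compatible range instead: `"p3k/multipart": "^0.2.0",`. The previous `"*"` had the same problem, so this is a tightening of the new constraint rather than a regression.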