diff --git a/Controller.php b/Controller.php
index d28cddf..ac7d178 100644
--- a/Controller.php
+++ b/Controller.php
@@ -207,7 +207,7 @@ class Controller extends ModuleAbstract implements WebInterface
 * @since 1.0.0
 * @author Dennis Eichhorn
 */
- public function uploadFiles(array $files, int $account, string $basePath = '/Modules/Media/Files') : array
+ public function uploadFiles(array $files, int $account, string $basePath = 'Modules/Media/Files') : array
 {
 $mediaCreated = [];
@@ -224,10 +224,10 @@ class Controller extends ModuleAbstract implements WebInterface
 return $mediaCreated;
 }
- public static function createMediaPath(string $basePath = '/Modules/Media/Files') : string
+ public static function createMediaPath(string $basePath = 'Modules/Media/Files') : string
 {
 $rndPath = str_pad(dechex(rand(0, 65535)), 4, '0', STR_PAD_LEFT);
- return '/' . trim($basePath, '/\\.') . '/' . $rndPath[0] . $rndPath[1] . '/' . $rndPath[2] . $rndPath[3];
+ return $basePath . '/' . $rndPath[0] . $rndPath[1] . '/' . $rndPath[2] . $rndPath[3];
 }
 /**
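Review bot: The new return line in createMediaPath concatenates `$basePath` verbatim, so the `trim($basePath, '/\\.')` that the removed line applied is gone: a base path with a trailing separator now produces a double slash, and leading `.`/`..` segments are no longer stripped, which matters if any caller ever passes a non-constant base path. If the intent is only to switch to a relative default (as the uploadFiles hunk above does), keep a `rtrim($basePath, '/\\')` on the new line so the concatenation stays well-formed, and state in the method docblock that `$basePath` is expected to be a normalized, trusted path. The sharding digits come from `rand(0, 65535)`; `random_int(0, 65535)` is a drop-in replacement that does not depend on the seeded generator. The createMediaPath body is fully inside the hunk, while uploadFiles continues outside it.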
@@ -244,20 +244,29 @@ class Controller extends ModuleAbstract implements WebInterface
 $mediaCreated = [];
 foreach ($status as $uFile) {
- if ($uFile['status'] === UploadStatus::OK) {
- $media = new Media();
- $media->setPath(trim($uFile['path'], '/') . '/' . $uFile['filename']);
- $media->setName($uFile['filename']);
- $media->setSize($uFile['size']);
- $media->setCreatedBy($account);
- $media->setCreatedAt(new \DateTime('NOW'));
- $media->setExtension($uFile['extension']);
-
- $mediaCreated[] = MediaMapper::create($media);
- }
+ $mediaCreated[] = self::createDbEntry($uFile, $account);
 }
 return $mediaCreated;
 }
+ public static function createDbEntry(array $status, int $account)
+ {
+ $media = null;
+
+ if ($status['status'] === UploadStatus::OK) {
+ $media = new Media();
+ $media->setPath(trim($status['path'], '/') . '/' . $status['filename']);
+ $media->setName($status['name']);
+ $media->setSize($status['size']);
+ $media->setCreatedBy($account);
+ $media->setCreatedAt(new \DateTime('NOW'));
+ $media->setExtension($status['extension']);
+
+ MediaMapper::create($media);
+ }
+
+ return $media;
+ }
+
 }
diff --git a/Models/Media.php b/Models/Media.php
index 9eb419c..1666da0 100644
--- a/Models/Media.php
+++ b/Models/Media.php
@@ -330,4 +330,9 @@ class Media
 {
 $this->versioned = $versioned;
 }
+
+ public function toArray()
+ {
+ return [];
+ }
 }
diff --git a/Models/UploadFile.php b/Models/UploadFile.php
index fa9c6e1..0585cd4 100644
--- a/Models/UploadFile.php
+++ b/Models/UploadFile.php
@@ -31,6 +31,7 @@ use phpOMS\System\File\Local\Directory;
 */
 class UploadFile
 {
+ const PATH_GENERATION_LIMIT = 1000;
 /**
 * Upload max size.
@@ -54,7 +55,7 @@ class UploadFile
 * @var string
 * @since 1.0.0
 */
- private $outputDir = '/Modules/Media/Files';
+ private $outputDir = 'Modules/Media/Files';
 /**
 * Output file name.
@@ -79,6 +80,8 @@ class UploadFile
 *
 * @return array
 *
+ * @throws \Exception
+ *
 * @since 1.0.0
 * @author Dennis Eichhorn
 */
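Review bot: The new loop body pushes the result of `self::createDbEntry($uFile, $account)` into `$mediaCreated` unconditionally, but createDbEntry returns `null` for any entry whose status is not `UploadStatus::OK`, so the array now holds nulls where the removed code appended only successful entries; it also drops the value `MediaMapper::create($media)` used to return, which callers previously received. Guard the append, e.g. `$media = self::createDbEntry($uFile, $account); if ($media !== null) { $mediaCreated[] = $media; }`. In createDbEntry, `setName($status['name'])` reads a key the removed code never used (it passed `$uFile['filename']`); unless the status array really carries a `name` key this is an undefined index, so either revert to `filename` or confirm the producer sets `name`. The method also lacks a return type and docblock; `public static function createDbEntry(array $status, int $account) : ?Media` (PHP 7.1+, otherwise a `@return Media|null` docblock) with the file's usual `@since`/`@author` block describing the null case would match the rest of the class. The method containing the foreach begins before this hunk.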
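Review bot: The new `toArray()` stub returns an empty array with no return type and no docblock, so any consumer that serializes a Media through it silently gets no data. Declare it `public function toArray() : array` and add a docblock in the file's `@since`/`@author` style that states it is a placeholder still to be filled in.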
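Review bot: `const PATH_GENERATION_LIMIT = 1000;` is added without a visibility modifier or a docblock, while the properties that follow it carry `@var`/`@since` documentation; it is consumed by the filename-collision retry loop later in this file. Prefer `private const PATH_GENERATION_LIMIT = 1000;` if the project targets PHP 7.1+ (otherwise keep `const` and mark it `@internal`), with a one-line docblock such as `/** Maximum filename collision retries before the upload is rejected. */`. Class UploadFile continues past this hunk.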
@@ -138,7 +141,7 @@ class UploadFile
 if (!$this->fileName || empty($this->fileName) || file_exists($path . '/' . $this->fileName)) {
 $rnd = '';
- // todo: implement limit since this could get exploited
+ $limit = 0;
 do {
 $sha = sha1_file($f['tmp_name'] . $rnd);
@@ -152,11 +155,16 @@ class UploadFile
 $this->fileName = $sha;
 $rnd = mt_rand();
- } while (file_exists($path . '/' . $this->fileName));
+ $limit++;
+ } while (file_exists($path . '/' . $this->fileName) && $limit < self::PATH_GENERATION_LIMIT);
+
+ if($limit >= self::PATH_GENERATION_LIMIT) {
+ throw new \Exception('No file path could be found. Potential attack!');
+ }
 }
 if (!is_dir($path)) {
- Directory::createPath($path, '0655', true);
+ Directory::create($path, '0655', true);
 }
 if (!is_uploaded_file($f['tmp_name'])) {
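Review bot: The post-loop check `if($limit >= self::PATH_GENERATION_LIMIT)` also throws when the final permitted iteration found a free name, since `$limit++` runs before the `while` test and reaches the limit on the 1000th attempt whether or not `file_exists` was false. Test the outcome rather than the counter, `if (file_exists($path . '/' . $this->fileName)) {` (with the PSR space after `if`), so the constant only bounds the work. Note also that each retry hashes `sha1_file($f['tmp_name'] . $rnd)`, a path that does not exist once `$rnd` is non-empty; unless the lines between the two hunks handle a false result, every retry yields the same value and a single legitimate collision will run to the limit and be reported as an attack, which is worth confirming. A dedicated exception class instead of bare `\Exception` would let callers distinguish this rejection from unrelated failures, and the `@throws` added to the docblock earlier in this file should then name it. Both hunks sit inside a method that starts before the first and ends after the second.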