Ravens PHP Scripts: Forums
 

 
  Forum Index  •  Forum FAQ  •  Search  •  Memberlist  •  Usergroups  •  Profile  •  Log in to check your private messages  •  Log in

Is it possible to convert this to RN2.20.01? Please.. :)
 View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> RN Enhancement Requests and Suggestions
Author Message
blith
Client



Joined: Jul 18, 2003
Posts: 977
PostPosted: Wed Jul 02, 2008 7:53 am Reply with quote
Thank you for looking. I would really like to see if this can work with RN2.20.01. I would like a secure upload module for my site. Thank you for looking. Some of it is in Italian....

Code:



/************************************************************************/


//


//  EASYUP-NUKE


//


// module created by HI-Lab based on EasyUp of Amine Ouelhadj                                                                         *


// Copyright (c) 2002 by cooperativa sociale l'Utopia a r.l.


// released under GPL licence


//


// www.hi-lab.net


//


/***************************************************************************/





//


// upload html form


//





if (!eregi("modules.php", $PHP_SELF)) {


        die ("Non puoi accedere a questo file direttamente...");


}


require_once("mainfile.php");


$module_name = basename(dirname(__FILE__));


get_lang($module_name);


$pagetitle = "- "._TITLEASYUP."";








    global $user, $cookie, $prefix, $dbi, $user_prefix;


    include ("header.php");


    title("<img src='modules/Easyup/EASYUP-NUKE.jpg' width='248' height='123' alt='logo EASYUP-NUKE'>");


    OpenTable();


    echo "<center><font class=\"content\"><b>"._TITLEASYUP."</b></font></center><br><br>"


                . "<i>"._INSTRUCTIONEASYUP."</i><br>"


        ."<form ENCTYPE=\"multipart/form-data\" action=\"modules.php?mop=modload&name=Easyup&file=index\" method=\"post\">"


        ._FILETYPE.":<br><SELECT  name=\"percorso\" title=\"Tipo di file\">\n"


        ."<OPTION value=\"1\">"._FILETODISPLAY."</OPTION>\n"


        ."<OPTION value=\"2\">"._FILETODOWN."</OPTION></SELECT><br><br>\n"


        ._FILEPOSITION.":<br><input name=\"nomfichier\" type=\"file\" size=\"30\"><br><br>\n"


        ._ALTTAG.":<br><input name=\"alt\" type=\"text\" size=\"30\" maxlength=\"40\"><br><br>\n"


        ._BGCOLORSWF.":<br># <input name=\"bgcolorswf\" type=\"text\" size=\"6\" maxlength=\"6\"><br><br>\n"


        ."<input type=\"submit\" name=\"Submit\" value=\""._SEND."\">\n"


        ."</form><br>\n";








//----------------------------------------------------------------


// upload engine


//----------------------------------------------------------------








// parameters





// choose directory of upload files


$imagesdir="images/upload";


$downloaddir="images/materiali";


// Allow or not executable files adding an extension - yes="si" no="no"


$execution = "no";


// Allow or not upload of index files - yes="si" no="no"


$index_autorisation = "no";





$alertdimension=array(


// Alert dimension for images files in Kb integer


                   img=>150,


// Alert dimension for swf files in Kb integer


                   swf=>150,


// Alert dimension for other files in Kb integer


                   other=>500


                   );





// check folder permissions


function checkperms($dir)


         {


         $permsdir=decoct(fileperms($dir));


         $perms=substr("$permsdir",-3);


         if ($perms!="777")


             {


             echo "<div align=\"center\"><font color=\"#cc0000\"><h3>"._ERRORPERM." &quot;$dir&quot; "._ERRORPERM2."<br>"


                  ._PERMISSION." $perms. "._PERMISSION2."</h3></font></div><br>";


             }


         }











checkperms($imagesdir);


checkperms($downloaddir);





switch ($percorso)


        {


        case "1":


              $chemin=$imagesdir;


              break;


        case "2":


              $chemin=$downloaddir;


              break;


        }





$testotoobig=array(_TOOBIG,_TOOBIG1,_TOOBIG2,_TOOBIG3,_TOOBIG4,_TOOBIG5);





$nom_fichier_name = strtolower($nomfichier_name);








// check extension of file





function check_extension($nomfichier_name)


        {


        $extension = end(explode(".", $nomfichier_name));


        if ($extension == "php" || $extension == "php3" || $extension == "php4" || $extension == "pl" || $extension == "phtml" || $extension == "asp" || $extension == "cgi")


                {


                return true;


                }


        }








// Verifie si le nom ne se nomme pas index.extension





function verif_index($nomfichier_name)


        {


          $pointeur = strrpos($nomfichier_name, ".");


          $nom  = substr($nomfichier_name, 0, $pointeur);


        if (ereg ("^index$", $nom)) return true;


                }











// Verifie si le fichier existe sur le serveur.


function presence_file($nomfichier_name)


        {


        global $chemin;


        if (file_exists("$chemin/$nomfichier_name")) return true;


                }








// Calculate dimensions of files and print alert message


function dimensionefiles($chemin,$nomfichier_name,$testotoobig1,$testotoobig2,$max)


         {


         $dimensione=filesize("$chemin/$nomfichier_name");


         $fdimensione=number_format($dimensione, 0, ',', '.');


         $kdimensione=number_format(($dimensione/1024), 1, ',', '.');


         $mdimensione=number_format(($kdimensione/1024), 1, ',', '.');


         if ($dimensione<=1023)


             {


             echo "<center>"._FILEIS." $dimensione "._BYTES.".</center><br>";


             }


         elseif (($dimensione>1023)&&($dimensione<=1048575))


             {


             echo "<center>"._FILEIS." $kdimensione Kb ($fdimensione "._BYTES.").</center><br>";


             if ($kdimensione>$max) {echo "<center><font color=\"#ff0000\"><h3>$testotoobig1</h3></font>$testotoobig2</center><br><br>";}


             }


         elseif (($dimensione>1048575))


             {


             echo "<center>"._FILEIS." $mdimensione Mb ($fdimensione "._BYTES.").<br>"


                 ."<font color=\"#ff0000\"><h3>$testotoobig1</h3></font>$testotoobig2</center><br><br>";


             }


         }





// Calculate dimensions of image and print related html tag


function imagetag($chemin,$nomfichier_name,$alt)


         {


         global $testotoobig,$alertdimension;


         $misura=getimagesize("$chemin/$nomfichier_name");


         $htmlimgstring="<img src=\"$chemin/$nomfichier_name\" alt=\"$alt\" ".$misura[3].">";


         echo "<center><h2>"._TITLETAG."</h2>\n".


              "<i>"._INSTRUCTIONTAG." "._IMAGE.". "._INSTRUCTIONTAG2."</i><br>\n";


         echo "<font color=\"#000066\"><h2><blockquote>&lt;img src=\"$chemin/$nomfichier_name\" alt=\"$alt\" ".$misura[3]."&gt;</h2></font></center><br><br>";


         echo "<center><h2>"._TITLEDIMENSION."</h2></center><br>\n";


         dimensionefiles($chemin,$nomfichier_name,$testotoobig[0],$testotoobig[1],$alertdimension[img]);


         echo "<center><h2><br>"._PREVIEW."</h2>\n".


              "<i>"._SUBPREVIEW." "._IMAGE." "._SUBPREVIEW2."</i>:<br><br>\n";


         echo "".$htmlimgstring."</center>";





         }








// Calculate dimensions of swf file and print related html tag


function swftag ($chemin,$nomfichier_name,$alt,$bgcolorswf)


         {


         global $testotoobig,$alertdimension;


         $misura=getimagesize("$chemin/$nomfichier_name");


         $htmlswfstring="<embed ALT=\"$alt\" src=\"$chemin/$nomfichier_name\" quality=high bgcolor=\"#$bgcolorswf\" ".$misura[3]." type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash\">";


         echo "<center><h2>"._TITLETAG."</h2>\n".


              "<i>"._INSTRUCTIONTAG." "._MOVIE.". "._INSTRUCTIONTAG2."</i><br>\n";


         echo "<font color=\"#000066\"><h2><blockquote>&lt;embed ALT=\"$alt\" src=\"$chemin/$nomfichier_name\" quality=high bgcolor=\"#$bgcolorswf\" ".$misura[3]." type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash\"&gt;</h2></font></center><br><br>";


         echo "<center><h2>"._TITLEDIMENSION."</h2></center><br>\n";


         dimensionefiles($chemin,$nomfichier_name,$testotoobig[2],$testotoobig[3],$alertdimension[swf]);


         echo "<center><h2><br>"._PREVIEW."</h2>\n".


              "<i>"._SUBPREVIEW." "._MOVIE." "._SUBPREVIEW2."</i>:<br><br>\n";


         echo "".$htmlswfstring."</center>";


         }








// Check dimension of file and print alert message


function otherfiles ($chemin,$nomfichier_name)


         {


         global $testotoobig,$alertdimension,$nukeurl;


         echo "<center><h2>"._TITLEDIMENSION."</h2></center><br>\n";


         dimensionefiles($chemin,$nomfichier_name,$testotoobig[4],$testotoobig[5],$alertdimension[other]);


         echo "<center><h2>"._TITLEDOWNLOAD."</h2></center><br>\n";


         echo "<center>"._INSTRUCTIONDOWN."</center><br>".


         _FILEURL.": <font color=\"#000066\">$nukeurl/$chemin/$nomfichier_name</font><br>\n";


         $dimensione=filesize("$chemin/$nomfichier_name");


         echo ""._FILESIZE.": <font color=\"#000066\">$dimensione</font> "._BYTES."<br>\n";


         echo ""._HOMEPAGE.": <font color=\"#000066\">$nukeurl</font><br>";


         }








// Chmod le fichier pour en 644 pour le rendre non executable.


function chmod_no_execution($nomfichier_name)


        {


        global $chemin;


        chmod ("$chemin/$nomfichier_name", 0644);


        }








if ($nomfichier!="")


         {





if ($index_autorisation == "no")


                {


                if (verif_index($nomfichier_name)) {


                        echo "<hr>";


                        echo ""._ERROR." 02: "._YOURFILE." &quot;$nomfichier_name&quot; "._REFUSE."<br>";


                        echo "<hr>";


                        exit;


                        }


                }


if ($execution == "no"){


                                if(check_extension($nomfichier_name)){


                                                                                $nomfichier_name = "$nomfichier_name.txt";


                                                                                        }


                }





if (presence_file($nomfichier_name) == "true") {


                echo "<hr>";


                echo ""._ERROR." 01: "._YOURFILE." $nomfichier_name "._EXIST."<br>";


                echo "<hr>";


                exit;


                }





if (copy($nomfichier, "$chemin/$nomfichier_name"))


        {


        echo ""._YOURFILE." $nomfichier_name "._SUCCESS."<br><p>\n";





// check file type


        $imgextension = end(explode(".", $nomfichier_name));


        switch ($imgextension)


                        {


                        case ("swf"):


                        swftag($chemin,$nomfichier_name,$alt,$bgcolorswf);


                        break;


                        case ("gif"):


                        imagetag($chemin,$nomfichier_name,$alt);


                        break;


                        case ("jpg"):


                        imagetag($chemin,$nomfichier_name,$alt);


                        break;


                        case ("png"):


                        imagetag($chemin,$nomfichier_name,$alt);


                        break;


                        default:


                        otherfiles($chemin,$nomfichier_name);


                        }





        chmod_no_execution($nomfichier_name);


        }


else


        {


        //echo ""._ERRORPERM."<br>";


        //echo ""._PERMISSION."<p>";


        //exit;


        }





}





    echo "<p align=\"right\"><A href=\"http://www.hi-lab.net\"><img src='modules/Easyup/hilab.gif' width='70' height='30' alt='HI-Lab - The Social Technology'></A><p>";


    CloseTable();


    include ("footer.php");





?>
 
View user's profile Send private message Visit poster's website
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6437
PostPosted: Wed Jul 02, 2008 9:52 am Reply with quote
Hi blith. Have you tried it with RN? I'm assuming it's a module, though it appears to use some specific functions that might need to be added to mainfile (or to this file).

_________________
I search, therefore I exist...
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
blith
PostPosted: Wed Jul 02, 2008 10:30 am Reply with quote
Hello, I have not tried it with RN, I was worried about the security of it, not the uploading part but the coding, since the wording is different at the opening if statement. Does the code look secure? I will try and install it and see what happens. Thanks!
 
blith
PostPosted: Wed Jul 02, 2008 10:44 am Reply with quote
Well I have tried it and I keep getting the error.

ERROR 01: The file already exist on the server!

which it doesn't, I tried to upload a zip file and a bmp. I am looking a the code to see what went wrong.
 
blith
PostPosted: Wed Jul 02, 2008 11:10 am Reply with quote
Here is the line that pertains to the file existing.
Code:



function presence_file($nomfichier_name)


        {


        global $chemin;


        if (file_exists("$chemin/$nomfichier_name")) return true;


but the file did not exist
 
kguske
PostPosted: Wed Jul 02, 2008 11:18 am Reply with quote
That function should return a false if the file doesn't exist, but I'm not sure that is the problem.

Why not add a line after the global $chemin:
Code:
        die('$chemin = '.$chemin.'<br />$nomfichier_name = '.$nomfichier_name);


That will at least tell you what it's checking for and may shed some light on the issue.

As for this being secure - I'd be wary of allowing users to upload anything, unless it's very limited. I did not something alarming: the $user variable is referenced - but it isn't used to prevent random people (i.e. non-members) from uploading files. IMO, that's not good...
 
blith
PostPosted: Wed Jul 02, 2008 11:54 am Reply with quote
kguske wrote:
That function should return a false if the file doesn't exist, but I'm not sure that is the problem.

Why not add a line after the global $chemin:
Code:
        die('$chemin = '.$chemin.'<br />$nomfichier_name = '.$nomfichier_name);


That will at least tell you what it's checking for and may shed some light on the issue.

As for this being secure - I'd be wary of allowing users to upload anything, unless it's very limited. I did not something alarming: the $user variable is referenced - but it isn't used to prevent random people (i.e. non-members) from uploading files. IMO, that's not good...


Got returned:
Code:
$chemin = images/materiali


$nomfichier_name =

So it is not finding a file, just not uploading. Additionally, it does not allow any php or .exe extensions.... you could limit any extensions I suppose. My main reason for posting it here is to see if it could be RavenNuked. i.e. made more safe by someone who knows the RN code. Smile
 
blith
PostPosted: Wed Jul 02, 2008 1:12 pm Reply with quote
Nevermind all this. NSN GR downloads 750 pl2 does everything I need... Thanks!
 
kguske
PostPosted: Wed Jul 02, 2008 1:18 pm Reply with quote
Actually, since the file is blank / empty, it does find a file (the directory).

You should definitely not allow php or exe files, especially since it's in an accessible directory.

Not sure why the file name is blank, or why RN would impact that.
 
kguske
PostPosted: Wed Jul 02, 2008 1:21 pm Reply with quote
Sorry - glad you resolved it.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> RN Enhancement Requests and Suggestions


 Jump to:   




View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©