0) { // dump the request $v = array_keys(get_defined_vars()); error_log(var_export($v, true), 3, '/tmp/log'); foreach (array_keys(get_defined_vars()) as $k) { if ($k == 'GLOBALS') { continue; } error_log($k, 3, '/tmp/log'); error_log(var_export($$k, true), 3, '/tmp/log'); } } /*==== Flash loose the cookie ===*/ /* needed when using the nice upload window : if ($_SERVER['HTTP_USER_AGENT'] == 'Shockwave Flash') { $sid = $_REQUEST['sid']; if ($debug>0) error_log("reusing: ".$sid); session_id($sid); } */ /*==== INCLUDE ====*/ require_once '../inc/global.inc.php'; api_block_anonymous_users(); require_once ("../newscorm/learnpath.class.php"); require_once ("../newscorm/openoffice_presentation.class.php"); /*==== Variables initialisation ====*/ $action = $_REQUEST["action"]; //safe as only used in if()'s $seek = array('/', '%2F', '..'); $destroy = array('', '', ''); $cidReq = str_replace($seek, $destroy, $_REQUEST["cidReq"]); $cidReq = Security::remove_XSS($cidReq); $user_id = api_get_user_id(); $coursePath = api_get_path(SYS_COURSE_PATH).$cidReq.'/document'; $_course = CourseManager::get_course_information($cidReq); $_course['path'] = $_course['directory']; // FIXME: FileManager::add_document needs this to work $_course['dbName'] = $_course['db_name']; // FIXME: check if CourseManager::get_user_in_course_status return != // COURSEMANAGER when the code is not valid if ($debug > 0) { error_log($coursePath, 0); } if ($action == "uploadgui") { echo '
'.get_lang('SelectFile').':
'; die(); } else { if ($action == "upload") { if ($debug > 0) { error_log("upload".$_FILES['Filedata']); } /*==== PERMISSION ====*/ $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq); if ($permissions != COURSEMANAGER) { if ($debug > 0) { error_log("Upload from videoconf not allowed !!!", 0); } die('Not allowed'); // this user is not allowed to add upload documents } /*==== UPLOAD ====*/ $destPath = $coursePath.VIDEOCONF_UPLOAD_PATH; /*==== creation of /videoconf ====*/ if (!is_dir($destPath)) { $result = FileManager::create_unexisting_directory( $_course, $user_id, api_get_session_id(), 0, null, $coursePath, VIDEOCONF_UPLOAD_PATH ); if (!$result) { if ($debug > 0) { error_log("Can't create ".$destPath." folder", 0); } } } /*==== file upload ====*/ $newPath = $_FILES['Filedata']['name']; if ($debug > 0) { error_log($newPath); } /*==== extension extraction ====*/ $file_name = (strrpos($newPath, '.') > 0 ? substr($newPath, 0, strrpos($newPath, '.')) : $newPath); $file_extension = (strrpos($newPath, '.') > 0 ? substr($newPath, strrpos($newPath, '.'), 10) : ''); if ($debug > 0) { error_log(strrpos($newPath, '.')); } if ($debug > 0) { error_log($file_extension); } /*==== conversion if needed ====*/ if (!in_array(strtolower($file_extension), $image_extension)) { if ($debug > 0) { error_log("converting: ".$file_extension); } $take_slide_name = false; $o_ppt = new OpenofficePresentation($take_slide_name); $o_ppt->set_slide_size(640, 480); $o_ppt->convert_document($_FILES['Filedata'], 'add_docs_to_visio'); } echo ''; } else { if ($action == "service") { /*==== List files ====*/ if ($debug > 0) { error_log("sending file list", 0); } $subaction = $_REQUEST["subaction"]; $is_manager = (CourseManager::get_user_in_course_status($user_id, $cidReq) == COURSEMANAGER); if ($subaction == "list") { // FIXME: check security around $_REQUEST["cwd"] $cwd = $_REQUEST["cwd"]; // treat /.. $nParent = 0; // the number of /.. into the url while (substr($cwd, -3, 3) == "/..") { // go to parent directory $cwd = substr($cwd, 0, -3); if (strlen($cwd) == 0) { $cwd = "/"; } $nParent++; } for (; $nParent > 0; $nParent--) { $cwd = (strrpos($cwd, '/') > -1 ? substr($cwd, 0, strrpos($cwd, '/')) : $cwd); } if (strlen($cwd) == 0) { $cwd = "/"; } if (Security::check_abs_path($cwd, api_get_path(SYS_PATH))) { die(); } // check if user can delete files. He must be manager and be inside /videoconf $is_below_videoconf_dir = (substr($cwd, 0, strlen(VIDEOCONF_UPLOAD_PATH)) == VIDEOCONF_UPLOAD_PATH); if ($debug > 0) { error_log('Current working directory: '.$cwd); } if ($debug > 0) { error_log('Videoconf upload path: '.VIDEOCONF_UPLOAD_PATH); } /* $canDelete = ($canDelete && $isBellowVideoConfUploadPath); */ $can_delete = ($is_manager && $is_below_videoconf_dir); // get files list $files = DocumentManager::get_all_document_data($_course, $cwd, 0, null, false); printf(""); printf(""); // title filter if (is_array($files)) { foreach (array_keys($files) as $k) { // converting to UTF-8 $files[$k]['title'] = api_convert_encoding( api_strlen($files[$k]['title']) > 32 ? api_substr($files[$k]['title'], 0, 32)."..." : $files[$k]['title'], 'utf-8', api_get_system_encoding() ); // removing '<', '>' and '_' $files[$k]['title'] = str_replace(array('<', '>', '_'), ' ', $files[$k]['title']); } } if (is_array($files)) { foreach ($files as $i) { if ($i["filetype"] == "folder") { printf( '%s%s%s', $i['path'], $i['title'], ($can_delete ? 'true' : 'false') ); } } } printf(""); if (is_array($files)) { foreach ($files as $i) { $extension = (strrpos($i['path'], '.') > 0 ? substr( $i['path'], strrpos($i['path'], '.'), 10 ) : ''); if ($i["filetype"] == "file" && in_array(strtolower($extension), $image_extension)) { printf( '%s%s%s', $i['path'], $i['title'], ($can_delete ? 'true' : 'false') ); } } } printf(""); printf(""); printf(""); } else { if ($subaction == "delete") { /*==== PERMISSION ====*/ $permissions = CourseManager::get_user_in_course_status($user_id, $cidReq); if ($permissions != COURSEMANAGER) { if ($debug > 0) { error_log("Upload from videoconf not allowed !!!", 0); } die(); // this user is not allowed to add upload documents } /*==== DELETE ====*/ $path = str_replace('../', '', $_REQUEST["path"]); if ((substr($path, 0, strlen(VIDEOCONF_UPLOAD_PATH)) != VIDEOCONF_UPLOAD_PATH)) { if ($debug > 0) { error_log("Delete from videoconf for " + $path + " NOT ALLOWED", 0); } die(); } DocumentManager::delete_document($_course, $path, $coursePath); echo "OK"; // We have to return something to OpenLaszlo } } } else { if ($action == "download") { /*==== DOWNLOAD ====*/ //check if the document is in the database if (!DocumentManager::get_document_id($_course, $_REQUEST['file'])) { //file not found! if ($debug > 0) { error_log("404 ".$_REQUEST["file"]); } header("HTTP/1.0 404 Not Found"); $error404 = ''; $error404 .= ''; $error404 .= '404 Not Found'; $error404 .= ''; $error404 .= '

Not Found

'; $error404 .= '

The requested URL was not found on this server.

'; $error404 .= '
'; $error404 .= ''; echo($error404); exit; } $doc_url = str_replace('../', '', $_REQUEST['file']); if ($debug > 0) { error_log($doc_url); } $full_file_name = $coursePath.$doc_url; if (Security::check_abs_path($full_file_name, $coursePath.'/')) { DocumentManager::file_send_for_download($full_file_name, false); } exit; } } } }