Ð¤Ð°Ð¹Ð»Ð¾Ð²Ñ‹Ð¹ Ð¼ÐµÐ½ÐµÐ´Ð¶ÐµÑ€

Ð¤Ð°Ð¹Ð»Ð¾Ð²Ñ‹Ð¹ Ð¼ÐµÐ½ÐµÐ´Ð¶ÐµÑ€ - Ð ÐµÐ´Ð°ÐºÑ‚Ð¸Ñ€Ð¾Ð²Ð°Ñ‚ÑŒ - /var/www/html/mediawiki-1.43.1/includes/upload/UploadStash.php

ÐÐ°Ð·Ð°Ð´
<?php /** * Temporary storage for uploaded files. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * http://www.gnu.org/copyleft/gpl.html * * @file / use MediaWiki\Context\RequestContext; use MediaWiki\MainConfigNames; use MediaWiki\MediaWikiServices; use MediaWiki\User\UserIdentity; /* * UploadStash is intended to accomplish a few things: * - Enable applications to temporarily stash files without publishing them to * the wiki. * - Several parts of MediaWiki do this in similar ways: UploadBase, * UploadWizard, and FirefoggChunkedExtension. * And there are several that reimplement stashing from scratch, in * idiosyncratic ways. The idea is to unify them all here. * Mostly all of them are the same except for storing some custom fields, * which we subsume into the data array. * - Enable applications to find said files later, as long as the db table or * temp files haven't been purged. * - Enable the uploading user (and ONLY the uploading user) to access said * files, and thumbnails of said files, via a URL. We accomplish this using * a database table, with ownership checking as you might expect. See * SpecialUploadStash, which implements a web interface to some files stored * this way. * * UploadStash right now is mostly intended to show you one user's slice of * the entire stash. The user parameter is only optional because there are few * cases where we clean out the stash from an automated script. In the future we * might refactor this. * * UploadStash represents the entire stash of temporary files. * UploadStashFile is a filestore for the actual physical disk files. * UploadFromStash extends UploadBase, and represents a single stashed file as * it is moved from the stash to the regular file repository * * @ingroup Upload / class UploadStash { // Format of the key for files -- has to be suitable as a filename itself (e.g. ab12cd34ef.jpg) public const KEY_FORMAT_REGEX = '/^[\w\-\.]+\.\w$/'; private const MAX_US_PROPS_SIZE = 65535; /** * repository that this uses to store temp files * public because we sometimes need to get a LocalFile within the same repo. * * @var LocalRepo / public $repo; /* @var array array of initialized repo objects / protected $files = []; /* @var array cache of the file metadata that's stored in the database / protected $fileMetadata = []; /* @var array fileprops cache / protected $fileProps = []; /* @var UserIdentity / private $user; /* * Represents a temporary filestore, with metadata in the database. * Designed to be compatible with the session stashing code in UploadBase * (should replace it eventually). * * @param FileRepo $repo * @param UserIdentity\|null $user / public function __construct( FileRepo $repo, ?UserIdentity $user = null ) { // this might change based on wiki's configuration. $this->repo = $repo; // if a user was passed, use it. otherwise, attempt to use the global request context. // this keeps FileRepo from breaking when it creates an UploadStash object $this->user = $user ?? RequestContext::getMain()->getUser(); } /* * Get a file and its metadata from the stash. * The noAuth param is a bit janky but is required for automated scripts * which clean out the stash. * * @param string $key Key under which file information is stored * @param bool $noAuth (optional) Don't check authentication. Used by maintenance scripts. * @throws UploadStashFileNotFoundException * @throws UploadStashNotLoggedInException * @throws UploadStashWrongOwnerException * @throws UploadStashBadPathException * @return UploadStashFile / public function getFile( $key, $noAuth = false ) { if ( !preg_match( self::KEY_FORMAT_REGEX, $key ) ) { throw new UploadStashBadPathException( wfMessage( 'uploadstash-bad-path-bad-format', $key ) ); } if ( !$noAuth && !$this->user->isRegistered() ) { throw new UploadStashNotLoggedInException( wfMessage( 'uploadstash-not-logged-in' ) ); } if ( !isset( $this->fileMetadata[$key] ) ) { if ( !$this->fetchFileMetadata( $key ) ) { // If nothing was received, it's likely due to replication lag. // Check the primary DB to see if the record is there. $this->fetchFileMetadata( $key, DB_PRIMARY ); } if ( !isset( $this->fileMetadata[$key] ) ) { throw new UploadStashFileNotFoundException( wfMessage( 'uploadstash-file-not-found', $key ) ); } // create $this->files[$key] $this->initFile( $key ); // fetch fileprops if ( isset( $this->fileMetadata[$key]['us_props'] ) && strlen( $this->fileMetadata[$key]['us_props'] ) ) { $this->fileProps[$key] = unserialize( $this->fileMetadata[$key]['us_props'] ); } else { // b/c for rows with no us_props wfDebug( __METHOD__ . " fetched props for $key from file" ); $path = $this->fileMetadata[$key]['us_path']; $this->fileProps[$key] = $this->repo->getFileProps( $path ); } } if ( !$this->files[$key]->exists() ) { wfDebug( __METHOD__ . " tried to get file at $key, but it doesn't exist" ); // @todo Is this not an UploadStashFileNotFoundException case? throw new UploadStashBadPathException( wfMessage( 'uploadstash-bad-path' ) ); } if ( !$noAuth && $this->fileMetadata[$key]['us_user'] != $this->user->getId() ) { throw new UploadStashWrongOwnerException( wfMessage( 'uploadstash-wrong-owner', $key ) ); } return $this->files[$key]; } /* * Getter for file metadata. * * @param string $key Key under which file information is stored * @return array / public function getMetadata( $key ) { $this->getFile( $key ); return $this->fileMetadata[$key]; } /* * Getter for fileProps * * @param string $key Key under which file information is stored * @return array / public function getFileProps( $key ) { $this->getFile( $key ); return $this->fileProps[$key]; } /* * Stash a file in a temp directory and record that we did this in the * database, along with other metadata. * * @param string $path Path to file you want stashed * @param string\|null $sourceType The type of upload that generated this file * (currently, I believe, 'file' or null) * @param array\|null $fileProps File props or null to regenerate * @throws UploadStashBadPathException * @throws UploadStashFileException * @throws UploadStashNotLoggedInException * @return UploadStashFile\|null File, or null on failure / public function stashFile( $path, $sourceType = null, $fileProps = null ) { if ( !is_file( $path ) ) { wfDebug( __METHOD__ . " tried to stash file at '$path', but it doesn't exist" ); throw new UploadStashBadPathException( wfMessage( 'uploadstash-bad-path' ) ); } // File props is expensive to generate for large files, so reuse if possible. if ( !$fileProps ) { $mwProps = new MWFileProps( MediaWikiServices::getInstance()->getMimeAnalyzer() ); $fileProps = $mwProps->getPropsFromPath( $path, true ); } wfDebug( __METHOD__ . " stashing file at '$path'" ); // we will be initializing from some tmpnam files that don't have extensions. // most of MediaWiki assumes all uploaded files have good extensions. So, we fix this. $extension = self::getExtensionForPath( $path ); if ( !preg_match( "/\\.\\Q$extension\\E$/", $path ) ) { $pathWithGoodExtension = "$path.$extension"; } else { $pathWithGoodExtension = $path; } // If no key was supplied, make one. a mysql insertid would be totally // reasonable here, except that for historical reasons, the key is this // random thing instead. At least it's not guessable. // Some things that when combined will make a suitably unique key. // see: http://www.jwz.org/doc/mid.html [ $usec, $sec ] = explode( ' ', microtime() ); $usec = substr( $usec, 2 ); $key = Wikimedia\base_convert( $sec . $usec, 10, 36 ) . '.' . Wikimedia\base_convert( (string)mt_rand(), 10, 36 ) . '.' . $this->user->getId() . '.' . $extension; $this->fileProps[$key] = $fileProps; if ( !preg_match( self::KEY_FORMAT_REGEX, $key ) ) { throw new UploadStashBadPathException( wfMessage( 'uploadstash-bad-path-bad-format', $key ) ); } wfDebug( __METHOD__ . " key for '$path': $key" ); // if not already in a temporary area, put it there $storeStatus = $this->repo->storeTemp( basename( $pathWithGoodExtension ), $path ); if ( !$storeStatus->isOK() ) { // It is a convention in MediaWiki to only return one error per API // exception, even if multiple errors are available.[citation needed] // Pick the "first" thing that was wrong, preferring errors to warnings. // This is a bit lame, as we may have more info in the // $storeStatus and we're throwing it away, but to fix it means // redesigning API errors significantly. // $storeStatus->value just contains the virtual URL (if anything) // which is probably useless to the caller. foreach ( $storeStatus->getMessages( 'error' ) as $msg ) { throw new UploadStashFileException( $msg ); } foreach ( $storeStatus->getMessages( 'warning' ) as $msg ) { throw new UploadStashFileException( $msg ); } // XXX: This isn't a real message, hopefully this case is unreachable throw new UploadStashFileException( [ 'unknown', 'no error recorded' ] ); } $stashPath = $storeStatus->value; // fetch the current user ID if ( !$this->user->isRegistered() ) { throw new UploadStashNotLoggedInException( wfMessage( 'uploadstash-not-logged-in' ) ); } // insert the file metadata into the db. wfDebug( __METHOD__ . " inserting $stashPath under $key" ); $dbw = $this->repo->getPrimaryDB(); $serializedFileProps = serialize( $fileProps ); if ( strlen( $serializedFileProps ) > self::MAX_US_PROPS_SIZE ) { // Database is going to truncate this and make the field invalid. // Prioritize important metadata over file handler metadata. // File handler should be prepared to regenerate invalid metadata if needed. $fileProps['metadata'] = []; $serializedFileProps = serialize( $fileProps ); } $insertRow = [ 'us_user' => $this->user->getId(), 'us_key' => $key, 'us_orig_path' => $path, 'us_path' => $stashPath, // virtual URL 'us_props' => $dbw->encodeBlob( $serializedFileProps ), 'us_size' => $fileProps['size'], 'us_sha1' => $fileProps['sha1'], 'us_mime' => $fileProps['mime'], 'us_media_type' => $fileProps['media_type'], 'us_image_width' => $fileProps['width'], 'us_image_height' => $fileProps['height'], 'us_image_bits' => $fileProps['bits'], 'us_source_type' => $sourceType, 'us_timestamp' => $dbw->timestamp(), 'us_status' => 'finished' ]; $dbw->newInsertQueryBuilder() ->insertInto( 'uploadstash' ) ->row( $insertRow ) ->caller( __METHOD__ )->execute(); // store the insertid in the class variable so immediate retrieval // (possibly laggy) isn't necessary. $insertRow['us_id'] = $dbw->insertId(); $this->fileMetadata[$key] = $insertRow; # create the UploadStashFile object for this file. $this->initFile( $key ); return $this->getFile( $key ); } /* * Remove all files from the stash. * Does not clean up files in the repo, just the record of them. * * @throws UploadStashNotLoggedInException * @return bool Success / public function clear() { if ( !$this->user->isRegistered() ) { throw new UploadStashNotLoggedInException( wfMessage( 'uploadstash-not-logged-in' ) ); } wfDebug( __METHOD__ . ' clearing all rows for user ' . $this->user->getId() ); $dbw = $this->repo->getPrimaryDB(); $dbw->newDeleteQueryBuilder() ->deleteFrom( 'uploadstash' ) ->where( [ 'us_user' => $this->user->getId() ] ) ->caller( __METHOD__ )->execute(); # destroy objects. $this->files = []; $this->fileMetadata = []; return true; } /* * Remove a particular file from the stash. Also removes it from the repo. * * @param string $key * @throws UploadStashNoSuchKeyException\|UploadStashNotLoggedInException * @throws UploadStashWrongOwnerException * @return bool Success / public function removeFile( $key ) { if ( !$this->user->isRegistered() ) { throw new UploadStashNotLoggedInException( wfMessage( 'uploadstash-not-logged-in' ) ); } $dbw = $this->repo->getPrimaryDB(); // this is a cheap query. it runs on the primary DB so that this function // still works when there's lag. It won't be called all that often. $row = $dbw->newSelectQueryBuilder() ->select( 'us_user' ) ->from( 'uploadstash' ) ->where( [ 'us_key' => $key ] ) ->caller( __METHOD__ )->fetchRow(); if ( !$row ) { throw new UploadStashNoSuchKeyException( wfMessage( 'uploadstash-no-such-key', $key ) ); } if ( $row->us_user != $this->user->getId() ) { throw new UploadStashWrongOwnerException( wfMessage( 'uploadstash-wrong-owner', $key ) ); } return $this->removeFileNoAuth( $key ); } /* * Remove a file (see removeFile), but doesn't check ownership first. * * @param string $key * @return bool Success / public function removeFileNoAuth( $key ) { wfDebug( __METHOD__ . " clearing row $key" ); // Ensure we have the UploadStashFile loaded for this key $this->getFile( $key, true ); $dbw = $this->repo->getPrimaryDB(); $dbw->newDeleteQueryBuilder() ->deleteFrom( 'uploadstash' ) ->where( [ 'us_key' => $key ] ) ->caller( __METHOD__ )->execute(); /* @todo Look into UnregisteredLocalFile and find out why the rv here is * sometimes wrong (false when file was removed). For now, ignore. / $this->files[$key]->remove(); unset( $this->files[$key] ); unset( $this->fileMetadata[$key] ); return true; } /* * List all files in the stash. * * @throws UploadStashNotLoggedInException * @return array\|false / public function listFiles() { if ( !$this->user->isRegistered() ) { throw new UploadStashNotLoggedInException( wfMessage( 'uploadstash-not-logged-in' ) ); } $res = $this->repo->getReplicaDB()->newSelectQueryBuilder() ->select( 'us_key' ) ->from( 'uploadstash' ) ->where( [ 'us_user' => $this->user->getId() ] ) ->caller( __METHOD__ )->fetchResultSet(); if ( $res->numRows() == 0 ) { // nothing to do. return false; } // finish the read before starting writes. $keys = []; foreach ( $res as $row ) { $keys[] = $row->us_key; } return $keys; } /* * Find or guess extension -- ensuring that our extension matches our MIME type. * Since these files are constructed from php tempnames they may not start off * with an extension. * XXX this is somewhat redundant with the checks that ApiUpload.php does with incoming * uploads versus the desired filename. Maybe we can get that passed to us... * @param string $path * @return string / public static function getExtensionForPath( $path ) { $prohibitedFileExtensions = MediaWikiServices::getInstance() ->getMainConfig()->get( MainConfigNames::ProhibitedFileExtensions ); // Does this have an extension? $n = strrpos( $path, '.' ); if ( $n !== false ) { $extension = $n ? substr( $path, $n + 1 ) : ''; } else { // If not, assume that it should be related to the MIME type of the original file. $magic = MediaWikiServices::getInstance()->getMimeAnalyzer(); $mimeType = $magic->guessMimeType( $path ); $extension = $magic->getExtensionFromMimeTypeOrNull( $mimeType ) ?? ''; } $extension = File::normalizeExtension( $extension ); if ( in_array( $extension, $prohibitedFileExtensions ) ) { // The file should already be checked for being evil. // However, if somehow we got here, we definitely // don't want to give it an extension of .php and // put it in a web accessible directory. return ''; } return $extension; } /* * Helper function: do the actual database query to fetch file metadata. * * @param string $key * @param int $readFromDB Constant (default: DB_REPLICA) * @return bool / protected function fetchFileMetadata( $key, $readFromDB = DB_REPLICA ) { // populate $fileMetadata[$key] if ( $readFromDB === DB_PRIMARY ) { // sometimes reading from the primary DB is necessary, if there's replication lag. $dbr = $this->repo->getPrimaryDB(); } else { $dbr = $this->repo->getReplicaDB(); } $row = $dbr->newSelectQueryBuilder() ->select( [ 'us_user', 'us_key', 'us_orig_path', 'us_path', 'us_props', 'us_size', 'us_sha1', 'us_mime', 'us_media_type', 'us_image_width', 'us_image_height', 'us_image_bits', 'us_source_type', 'us_timestamp', 'us_status', ] ) ->from( 'uploadstash' ) ->where( [ 'us_key' => $key ] ) ->caller( __METHOD__ )->fetchRow(); if ( !is_object( $row ) ) { // key wasn't present in the database. this will happen sometimes. return false; } $this->fileMetadata[$key] = (array)$row; $this->fileMetadata[$key]['us_props'] = $dbr->decodeBlob( $row->us_props ); return true; } /* * Helper function: Initialize the UploadStashFile for a given file. * * @param string $key Key under which to store the object * @throws UploadStashZeroLengthFileException * @return bool */ protected function initFile( $key ) { $file = new UploadStashFile( $this->repo, $this->fileMetadata[$key]['us_path'], $key, $this->fileMetadata[$key]['us_sha1'] ); if ( $file->getSize() === 0 ) { throw new UploadStashZeroLengthFileException( wfMessage( 'uploadstash-zero-length' ) ); } $this->files[$key] = $file; return true; } }

| ver. 1.1 | | . | PHP 8.4.18 | Ð“ÐµÐ½ÐµÑ€Ð°Ñ†Ð¸Ñ ÑÑ‚Ñ€Ð°Ð½Ð¸Ñ†Ñ‹: 0 | proxy | phpinfo | ÐÐ°ÑÑ‚Ñ€Ð¾Ð¹ÐºÐ°