Commit 389c8211 by pupi1985 Committed by Scott

Added checks and error displays when exceeding post_max_size and upload_max_filesize limits

parent cbf70b46
...@@ -1038,6 +1038,33 @@ ...@@ -1038,6 +1038,33 @@
} }
function qa_is_post_max_size_limit_exceeded()
/*
Checks whether an HTTP request has exceeded the post_max_size PHP variable. This happens whenever an HTTP request
is too big to be properly processed by PHP, usually because there is an attachment in the HTTP request. A warning
is added to the server's log displaying the size of the file that triggered this situation. It is important to note
that whenever this happens the $_POST and $_FILES superglobals are empty.
*/
{
if (in_array($_SERVER['REQUEST_METHOD'], array('POST', 'PUT')) && empty($_POST) && empty($_FILES)) {
$postmaxsize = ini_get('post_max_size'); // Gets the current post_max_size configuration
$unit = substr($postmaxsize, -1);
if (!is_numeric($unit)) {
$postmaxsize = substr($postmaxsize, 0, -1);
}
switch (strtoupper($unit)) { // Gets an integer value that can be compared against the size of the HTTP request
case 'G':
$postmaxsize *= 1024;
case 'M':
$postmaxsize *= 1024;
case 'K':
$postmaxsize *= 1024;
}
return $_SERVER['CONTENT_LENGTH'] > $postmaxsize;
}
}
function qa_is_mobile_probably() function qa_is_mobile_probably()
/* /*
Return true if it appears that the page request is coming from a mobile client rather than a desktop/laptop web browser Return true if it appears that the page request is coming from a mobile client rather than a desktop/laptop web browser
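Review bot: qa_is_post_max_size_limit_exceeded() falls off the end without a return whenever the request is not an empty POST/PUT, so callers get null rather than false; add `return false;` after the if block. The comparison on the last line also reads `$_SERVER['CONTENT_LENGTH']` unguarded, which raises a notice on requests that carry no such header (e.g. chunked bodies), so make it `return isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $postmaxsize;`. The docblock says a warning with the size of the offending request is written to the server log, but no logging call appears in the function, so either drop that sentence or add the `error_log()` call it describes. Since the Content-Length header is supplied by the client, the result should only be used to pick an error message, never as a basis for further processing; a one-line comment to that effect on the return line would help the next maintainer.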
......
...@@ -82,6 +82,7 @@ ...@@ -82,6 +82,7 @@
'edited' => 'edited', 'edited' => 'edited',
'email_error' => 'An error occurred trying to send the email.', 'email_error' => 'An error occurred trying to send the email.',
'field_required' => 'Please enter something in this field', 'field_required' => 'Please enter something in this field',
'file_upload_limit_exceeded' => 'The size of the file exceeds the server\'s limits',
'general_error' => 'A server error occurred - please try again.', 'general_error' => 'A server error occurred - please try again.',
'hidden' => 'hidden', 'hidden' => 'hidden',
'highest_users' => 'Top scoring users', 'highest_users' => 'Top scoring users',
......
...@@ -65,139 +65,147 @@ ...@@ -65,139 +65,147 @@
// Process profile if saved // Process profile if saved
if (qa_clicked('dosaveprofile') && !$isblocked) { // If the post_max_size is exceeded then the $_POST array is empty so no field processing can be done
require_once QA_INCLUDE_DIR.'qa-app-users-edit.php'; if (qa_is_post_max_size_limit_exceeded())
$errors['avatar'] = qa_lang('main/file_upload_limit_exceeded');
$inhandle=$changehandle ? qa_post_text('handle') : $useraccount['handle']; else {
$inemail=qa_post_text('email'); if (qa_clicked('dosaveprofile') && !$isblocked) {
$inmessages=qa_post_text('messages'); require_once QA_INCLUDE_DIR . 'qa-app-users-edit.php';
$inwallposts=qa_post_text('wall');
$inmailings=qa_post_text('mailings'); $inhandle = $changehandle ? qa_post_text('handle') : $useraccount['handle'];
$inavatar=qa_post_text('avatar'); $inemail = qa_post_text('email');
$inmessages = qa_post_text('messages');
$inprofile=array(); $inwallposts = qa_post_text('wall');
foreach ($userfields as $userfield) $inmailings = qa_post_text('mailings');
$inprofile[$userfield['fieldid']]=qa_post_text('field_'.$userfield['fieldid']); $inavatar = qa_post_text('avatar');
$inprofile=array();
foreach ($userfields as $userfield)
$inprofile[$userfield['fieldid']] = qa_post_text('field_' . $userfield['fieldid']);
if (!qa_check_form_security_code('account', qa_post_text('code'))) if (!qa_check_form_security_code('account', qa_post_text('code')))
$errors['page']=qa_lang_html('misc/form_security_again'); $errors['page'] = qa_lang_html('misc/form_security_again');
else { else {
$errors=qa_handle_email_filter($inhandle, $inemail, $useraccount); $errors = qa_handle_email_filter($inhandle, $inemail, $useraccount);
if (!isset($errors['handle'])) if (!isset($errors['handle']))
qa_db_user_set($userid, 'handle', $inhandle); qa_db_user_set($userid, 'handle', $inhandle);
if (!isset($errors['email'])) if (!isset($errors['email']) && $inemail !== $useraccount['email']) {
if ($inemail != $useraccount['email']) {
qa_db_user_set($userid, 'email', $inemail); qa_db_user_set($userid, 'email', $inemail);
qa_db_user_set_flag($userid, QA_USER_FLAGS_EMAIL_CONFIRMED, false); qa_db_user_set_flag($userid, QA_USER_FLAGS_EMAIL_CONFIRMED, false);
$isconfirmed=false; $isconfirmed = false;
if ($doconfirms) if ($doconfirms)
qa_send_new_confirm($userid); qa_send_new_confirm($userid);
} }
if (qa_opt('allow_private_messages')) if (qa_opt('allow_private_messages'))
qa_db_user_set_flag($userid, QA_USER_FLAGS_NO_MESSAGES, !$inmessages); qa_db_user_set_flag($userid, QA_USER_FLAGS_NO_MESSAGES, !$inmessages);
if (qa_opt('allow_user_walls')) if (qa_opt('allow_user_walls'))
qa_db_user_set_flag($userid, QA_USER_FLAGS_NO_WALL_POSTS, !$inwallposts); qa_db_user_set_flag($userid, QA_USER_FLAGS_NO_WALL_POSTS, !$inwallposts);
if (qa_opt('mailing_enabled')) if (qa_opt('mailing_enabled'))
qa_db_user_set_flag($userid, QA_USER_FLAGS_NO_MAILINGS, !$inmailings); qa_db_user_set_flag($userid, QA_USER_FLAGS_NO_MAILINGS, !$inmailings);
qa_db_user_set_flag($userid, QA_USER_FLAGS_SHOW_AVATAR, ($inavatar=='uploaded')); qa_db_user_set_flag($userid, QA_USER_FLAGS_SHOW_AVATAR, ($inavatar == 'uploaded'));
qa_db_user_set_flag($userid, QA_USER_FLAGS_SHOW_GRAVATAR, ($inavatar=='gravatar')); qa_db_user_set_flag($userid, QA_USER_FLAGS_SHOW_GRAVATAR, ($inavatar == 'gravatar'));
if (is_array(@$_FILES['file']) && $_FILES['file']['size']) { if (is_array(@$_FILES['file'])) {
require_once QA_INCLUDE_DIR.'qa-app-limits.php'; $avatarfileerror = $_FILES['file']['error'];
switch (qa_user_permit_error(null, QA_LIMIT_UPLOADS)) // Note if $_FILES['file']['error'] === 1 then upload_max_filesize has been exceeded
{ if ($avatarfileerror === 1)
case 'limit': $errors['avatar'] = qa_lang('main/file_upload_limit_exceeded');
$errors['avatar']=qa_lang('main/upload_limit'); elseif ($avatarfileerror === 0 && $_FILES['file']['size'] > 0) {
break; require_once QA_INCLUDE_DIR . 'qa-app-limits.php';
default: switch (qa_user_permit_error(null, QA_LIMIT_UPLOADS)) {
$errors['avatar']=qa_lang('users/no_permission'); case 'limit':
break; $errors['avatar'] = qa_lang('main/upload_limit');
break;
case false: default:
qa_limits_increment($userid, QA_LIMIT_UPLOADS); $errors['avatar'] = qa_lang('users/no_permission');
break;
$toobig=qa_image_file_too_big($_FILES['file']['tmp_name'], qa_opt('avatar_store_size')); case false:
qa_limits_increment($userid, QA_LIMIT_UPLOADS);
if ($toobig) $toobig = qa_image_file_too_big($_FILES['file']['tmp_name'], qa_opt('avatar_store_size'));
$errors['avatar']=qa_lang_sub('main/image_too_big_x_pc', (int)($toobig*100));
elseif (!qa_set_user_avatar($userid, file_get_contents($_FILES['file']['tmp_name']), $useraccount['avatarblobid'])) if ($toobig)
$errors['avatar']=qa_lang_sub('main/image_not_read', implode(', ', qa_gd_image_formats())); $errors['avatar'] = qa_lang_sub('main/image_too_big_x_pc', (int) ($toobig * 100));
break; elseif (!qa_set_user_avatar($userid, file_get_contents($_FILES['file']['tmp_name']), $useraccount['avatarblobid']))
$errors['avatar'] = qa_lang_sub('main/image_not_read', implode(', ', qa_gd_image_formats()));
break;
}
} // There shouldn't be any need to catch any other error
} }
}
if (count($inprofile)) { if (count($inprofile)) {
$filtermodules=qa_load_modules_with('filter', 'filter_profile'); $filtermodules = qa_load_modules_with('filter', 'filter_profile');
foreach ($filtermodules as $filtermodule) foreach ($filtermodules as $filtermodule)
$filtermodule->filter_profile($inprofile, $errors, $useraccount, $userprofile); $filtermodule->filter_profile($inprofile, $errors, $useraccount, $userprofile);
} }
foreach ($userfields as $userfield) foreach ($userfields as $userfield)
if (!isset($errors[$userfield['fieldid']])) if (!isset($errors[$userfield['fieldid']]))
qa_db_user_profile_set($userid, $userfield['title'], $inprofile[$userfield['fieldid']]); qa_db_user_profile_set($userid, $userfield['title'], $inprofile[$userfield['fieldid']]);
list($useraccount, $userprofile)=qa_db_select_with_pending( list($useraccount, $userprofile) = qa_db_select_with_pending(
qa_db_user_account_selectspec($userid, true), qa_db_user_account_selectspec($userid, true), qa_db_user_profile_selectspec($userid, true)
qa_db_user_profile_selectspec($userid, true) );
);
qa_report_event('u_save', $userid, $useraccount['handle'], qa_cookie_get()); qa_report_event('u_save', $userid, $useraccount['handle'], qa_cookie_get());
if (empty($errors)) if (empty($errors))
qa_redirect('account', array('state' => 'profile-saved')); qa_redirect('account', array('state' => 'profile-saved'));
qa_logged_in_user_flush(); qa_logged_in_user_flush();
}
} }
}
// Process change password if clicked // Process change password if clicked
if (qa_clicked('dochangepassword')) { if (qa_clicked('dochangepassword')) {
require_once QA_INCLUDE_DIR.'qa-app-users-edit.php'; require_once QA_INCLUDE_DIR . 'qa-app-users-edit.php';
$inoldpassword=qa_post_text('oldpassword'); $inoldpassword = qa_post_text('oldpassword');
$innewpassword1=qa_post_text('newpassword1'); $innewpassword1 = qa_post_text('newpassword1');
$innewpassword2=qa_post_text('newpassword2'); $innewpassword2 = qa_post_text('newpassword2');
if (!qa_check_form_security_code('password', qa_post_text('code'))) if (!qa_check_form_security_code('password', qa_post_text('code')))
$errors['page']=qa_lang_html('misc/form_security_again'); $errors['page'] = qa_lang_html('misc/form_security_again');
else { else {
$errors=array(); $errors = array();
if ($haspassword && (strtolower(qa_db_calc_passcheck($inoldpassword, $useraccount['passsalt'])) != strtolower($useraccount['passcheck']))) if ($haspassword && (strtolower(qa_db_calc_passcheck($inoldpassword, $useraccount['passsalt'])) != strtolower($useraccount['passcheck'])))
$errors['oldpassword']=qa_lang('users/password_wrong'); $errors['oldpassword'] = qa_lang('users/password_wrong');
$useraccount['password']=$inoldpassword; $useraccount['password'] = $inoldpassword;
$errors=$errors+qa_password_validate($innewpassword1, $useraccount); // array union $errors = $errors + qa_password_validate($innewpassword1, $useraccount); // array union
if ($innewpassword1 != $innewpassword2) if ($innewpassword1 != $innewpassword2)
$errors['newpassword2']=qa_lang('users/password_mismatch'); $errors['newpassword2'] = qa_lang('users/password_mismatch');
if (empty($errors)) { if (empty($errors)) {
qa_db_user_set_password($userid, $innewpassword1); qa_db_user_set_password($userid, $innewpassword1);
qa_db_user_set($userid, 'sessioncode', ''); // stop old 'Remember me' style logins from still working qa_db_user_set($userid, 'sessioncode', ''); // stop old 'Remember me' style logins from still working
qa_set_logged_in_user($userid, $useraccount['handle'], false, $useraccount['sessionsource']); // reinstate this specific session qa_set_logged_in_user($userid, $useraccount['handle'], false, $useraccount['sessionsource']); // reinstate this specific session
qa_report_event('u_password', $userid, $useraccount['handle'], qa_cookie_get()); qa_report_event('u_password', $userid, $useraccount['handle'], qa_cookie_get());
qa_redirect('account', array('state' => 'password-changed')); qa_redirect('account', array('state' => 'password-changed'));
}
} }
} }
} }
// Prepare content for theme // Prepare content for theme
$qa_content=qa_content_prepare(); $qa_content=qa_content_prepare();
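Review bot: The new avatar branch compares `$_FILES['file']['error']` against the bare literals 1 and 0; PHP provides `UPLOAD_ERR_INI_SIZE` and `UPLOAD_ERR_OK` for these, and using them makes the trailing explanatory comment unnecessary: `if ($avatarfileerror === UPLOAD_ERR_INI_SIZE || $avatarfileerror === UPLOAD_ERR_FORM_SIZE)` and `elseif ($avatarfileerror === UPLOAD_ERR_OK && $_FILES['file']['size'] > 0)`. The `// There shouldn't be any need to catch any other error` comment is too optimistic: `UPLOAD_ERR_FORM_SIZE`, `UPLOAD_ERR_PARTIAL`, `UPLOAD_ERR_NO_TMP_DIR` and `UPLOAD_ERR_CANT_WRITE` all fall through silently, `$errors` stays empty and the user is redirected to the profile-saved state with no hint that the avatar was dropped. Only `UPLOAD_ERR_NO_FILE` is the expected no-upload case, so a final `else` that sets `$errors['avatar']` to `main/image_not_read` (or a generic error) for the remaining codes would close that gap. The same literals and the same silent fall-through appear in the default-avatar upload of the admin page hunk in this commit, so the change applies there as well. This block is part of a page script whose start and end lie outside the hunk.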
......
...@@ -661,104 +661,111 @@ ...@@ -661,104 +661,111 @@
$formokhtml = null; $formokhtml = null;
if (qa_clicked('doresetoptions')) { // If the post_max_size is exceeded then the $_POST array is empty so no field processing can be done
if (!qa_check_form_security_code('admin/'.$adminsection, qa_post_text('code'))) if (qa_is_post_max_size_limit_exceeded())
$securityexpired = true; $errors['avatar_default_show'] = qa_lang('main/file_upload_limit_exceeded');
else
if (qa_clicked('doresetoptions')) {
if (!qa_check_form_security_code('admin/' . $adminsection, qa_post_text('code')))
$securityexpired = true;
else { else {
qa_reset_options($getoptions); qa_reset_options($getoptions);
$formokhtml = qa_lang_html('admin/options_reset'); $formokhtml = qa_lang_html('admin/options_reset');
} }
} } elseif (qa_clicked('dosaveoptions')) {
elseif (qa_clicked('dosaveoptions')) { if (!qa_check_form_security_code('admin/' . $adminsection, qa_post_text('code')))
if (!qa_check_form_security_code('admin/'.$adminsection, qa_post_text('code'))) $securityexpired = true;
$securityexpired = true;
else { else {
foreach ($getoptions as $optionname) { foreach ($getoptions as $optionname) {
$optionvalue = qa_post_text('option_'.$optionname); $optionvalue = qa_post_text('option_' . $optionname);
if ( if (
(@$optiontype[$optionname] == 'number') || (@$optiontype[$optionname] == 'number') ||
(@$optiontype[$optionname] == 'checkbox') || (@$optiontype[$optionname] == 'checkbox') ||
((@$optiontype[$optionname] == 'number-blank') && strlen($optionvalue)) ((@$optiontype[$optionname] == 'number-blank') && strlen($optionvalue))
) )
$optionvalue = (int)$optionvalue; $optionvalue = (int) $optionvalue;
if (isset($optionmaximum[$optionname])) if (isset($optionmaximum[$optionname]))
$optionvalue = min($optionmaximum[$optionname], $optionvalue); $optionvalue = min($optionmaximum[$optionname], $optionvalue);
if (isset($optionminimum[$optionname])) if (isset($optionminimum[$optionname]))
$optionvalue = max($optionminimum[$optionname], $optionvalue); $optionvalue = max($optionminimum[$optionname], $optionvalue);
switch ($optionname) { switch ($optionname) {
case 'site_url': case 'site_url':
if (substr($optionvalue, -1) != '/') // seems to be a very common mistake and will mess up URLs if (substr($optionvalue, -1) != '/') // seems to be a very common mistake and will mess up URLs
$optionvalue .= '/'; $optionvalue .= '/';
break; break;
case 'hot_weight_views': case 'hot_weight_views':
case 'hot_weight_answers': case 'hot_weight_answers':
case 'hot_weight_votes': case 'hot_weight_votes':
case 'hot_weight_q_age': case 'hot_weight_q_age':
case 'hot_weight_a_age': case 'hot_weight_a_age':
if (qa_opt($optionname) != $optionvalue) if (qa_opt($optionname) != $optionvalue)
$recalchotness = true; $recalchotness = true;
break; break;
case 'block_ips_write': case 'block_ips_write':
require_once QA_INCLUDE_DIR.'qa-app-limits.php'; require_once QA_INCLUDE_DIR . 'qa-app-limits.php';
$optionvalue = implode(' , ', qa_block_ips_explode($optionvalue)); $optionvalue = implode(' , ', qa_block_ips_explode($optionvalue));
break; break;
case 'block_bad_words': case 'block_bad_words':
require_once QA_INCLUDE_DIR.'qa-util-string.php'; require_once QA_INCLUDE_DIR . 'qa-util-string.php';
$optionvalue = implode(' , ', qa_block_words_explode($optionvalue)); $optionvalue = implode(' , ', qa_block_words_explode($optionvalue));
break; break;
}
qa_set_option($optionname, $optionvalue);
} }
qa_set_option($optionname, $optionvalue); $formokhtml = qa_lang_html('admin/options_saved');
}
$formokhtml = qa_lang_html('admin/options_saved'); // Uploading default avatar
if (is_array(@$_FILES['avatar_default_file'])) {
$avatarfileerror = $_FILES['avatar_default_file']['error'];
// Uploading default avatar // Note if $_FILES['avatar_default_file']['error'] === 1 then upload_max_filesize has been exceeded
if ($avatarfileerror === 1)
$errors['avatar_default_show'] = qa_lang('main/file_upload_limit_exceeded');
elseif ($avatarfileerror === 0 && $_FILES['avatar_default_file']['size'] > 0) {
require_once QA_INCLUDE_DIR . 'qa-util-image.php';
if (is_array(@$_FILES['avatar_default_file']) && $_FILES['avatar_default_file']['size']) { $oldblobid = qa_opt('avatar_default_blobid');
require_once QA_INCLUDE_DIR.'qa-util-image.php';
$oldblobid = qa_opt('avatar_default_blobid'); $toobig = qa_image_file_too_big($_FILES['avatar_default_file']['tmp_name'], qa_opt('avatar_store_size'));
$toobig = qa_image_file_too_big($_FILES['avatar_default_file']['tmp_name'], qa_opt('avatar_store_size')); if ($toobig)
$errors['avatar_default_show'] = qa_lang_sub('main/image_too_big_x_pc', (int) ($toobig * 100));
if ($toobig) else {
$errors['avatar_default_show'] = qa_lang_sub('main/image_too_big_x_pc', (int)($toobig*100)); $imagedata = qa_image_constrain_data(file_get_contents($_FILES['avatar_default_file']['tmp_name']), $width, $height, qa_opt('avatar_store_size'));
else { if (isset($imagedata)) {
$imagedata = qa_image_constrain_data(file_get_contents($_FILES['avatar_default_file']['tmp_name']), $width, $height, qa_opt('avatar_store_size')); require_once QA_INCLUDE_DIR . 'qa-app-blobs.php';
if (isset($imagedata)) { $newblobid = qa_create_blob($imagedata, 'jpeg');
require_once QA_INCLUDE_DIR.'qa-app-blobs.php';
$newblobid = qa_create_blob($imagedata, 'jpeg'); if (isset($newblobid)) {
qa_set_option('avatar_default_blobid', $newblobid);
qa_set_option('avatar_default_width', $width);
qa_set_option('avatar_default_height', $height);
qa_set_option('avatar_default_show', 1);
}
if (isset($newblobid)) { if (strlen($oldblobid))
qa_set_option('avatar_default_blobid', $newblobid); qa_delete_blob($oldblobid);
qa_set_option('avatar_default_width', $width); } else
qa_set_option('avatar_default_height', $height); $errors['avatar_default_show'] = qa_lang_sub('main/image_not_read', implode(', ', qa_gd_image_formats()));
qa_set_option('avatar_default_show', 1);
} }
if (strlen($oldblobid))
qa_delete_blob($oldblobid);
} }
else
$errors['avatar_default_show'] = qa_lang_sub('main/image_not_read', implode(', ', qa_gd_image_formats()));
} }
} }
} }
}
// Mailings management // Mailings management
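Review bot: The post_max_size check at the top of the hunk stores its message under `$errors['avatar_default_show']` unconditionally, but this script dispatches on `$adminsection`, so for an admin section that does not render the `avatar_default_show` field the message will presumably never be shown and the admin sees a silently discarded form; I cannot confirm the template from this hunk. If a page-level error key is available here, that would be the safer place for a request-level failure. The branch also bypasses qa_check_form_security_code(), which is unavoidable because `$_POST` is empty in this state and acceptable only because nothing is written on this path; a comment on that line such as `// $_POST is empty here, so the security code cannot be checked; nothing is saved on this path` would make that explicit for future edits. The enclosing script starts and ends outside the hunk.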
......