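/// <summary>
/// Handles a file upload into the current folder: picks the posted file, sanitises its
/// name, enforces the resource type's extension and size rules, saves it (renaming on a
/// name collision) and writes the outcome back either as "name|message" plain text or as
/// a JavaScript callback.
/// </summary>
/// <param name="response">Response the result is written to; this method ends it.</param>
/// <remarks>
/// Errors are reported through an error number in the response body rather than by
/// throwing: a <see cref="ConnectorException"/> supplies its own number, security and
/// access failures map to <c>Errors.AccessDenied</c>, anything else to <c>Errors.Unknown</c>.
/// DEBUG builds rethrow the non-connector exceptions so they surface during development.
/// </remarks>
public override void SendResponse(System.Web.HttpResponse response)
{
    int iErrorNumber = 0;
    string sFileName = "";
    string sFilePath = "";
    string sUnsafeFileName = "";

    try
    {
        this.CheckConnector();
        this.CheckRequest();

        if (!this.CurrentFolder.CheckAcl(AccessControlRules.FileUpload))
        {
            ConnectorException.Throw(Errors.Unauthorized);
        }

        // Accept the field names used by CKEditor ("upload") and CKFinder ("NewFile") and
        // fall back to the first file field the client posted, whatever it is called.
        System.Web.HttpFileCollection files = HttpContext.Current.Request.Files;
        HttpPostedFile oFile = files["upload"] ?? files["NewFile"];
        if (oFile == null && files.AllKeys.Length > 0)
        {
            oFile = files[files.AllKeys[0]];
        }
        if (oFile == null)
        {
            ConnectorException.Throw(Errors.UploadedCorrupt);
        }

        // Some browsers post the full client-side path. Keep only the base name: if a rooted
        // name ever reached Path.Combine below it would replace sServerDir entirely, so this
        // must not rely solely on Connector.CheckFileName rejecting separators.
        int iPathIndex = oFile.FileName.LastIndexOfAny(new char[] { '\\', '/' });
        sFileName = iPathIndex >= 0 ? oFile.FileName.Substring(iPathIndex + 1) : oFile.FileName;

        if (Config.Current.CheckDoubleExtension)
        {
            sFileName = this.CurrentFolder.ResourceTypeInfo.ReplaceInvalidDoubleExtensions(sFileName);
        }

        // Every change made to the name from here on is reported to the client as a rename.
        sUnsafeFileName = sFileName;
        if (Config.Current.DisallowUnsafeCharacters)
        {
            sFileName = sFileName.Replace(";", "_");
        }
        // Only the last dot may survive, so a name such as "x.php.jpg" is not stored carrying a
        // second, possibly executable, extension.
        if (Config.Current.ForceSingleExtension)
        {
            sFileName = Regex.Replace(sFileName, @"\.(?![^.]*$)", "_", RegexOptions.None);
        }
        if (sFileName != sUnsafeFileName)
        {
            iErrorNumber = Errors.UploadedInvalidNameRenamed;
        }

        if (!Connector.CheckFileName(sFileName) || Config.Current.CheckIsHiddenFile(sFileName))
        {
            ConnectorException.Throw(Errors.InvalidName);
        }

        // Pre-scaling size check; with CheckSizeAfterScaling the limit is applied to the
        // stored (resized) file further down instead.
        if (!Config.Current.CheckSizeAfterScaling
            && this.CurrentFolder.ResourceTypeInfo.MaxSize > 0
            && oFile.ContentLength > this.CurrentFolder.ResourceTypeInfo.MaxSize)
        {
            ConnectorException.Throw(Errors.UploadedTooBig);
        }

        string sExtension = System.IO.Path.GetExtension(sFileName).TrimStart('.');
        if (!this.CurrentFolder.ResourceTypeInfo.CheckExtension(sExtension))
        {
            ConnectorException.Throw(Errors.InvalidExtension);
        }
        // For extensions that must never carry markup, sniff the content as well as the name.
        if (Config.Current.CheckIsNonHtmlExtension(sExtension) && !this.CheckNonHtmlFile(oFile))
        {
            ConnectorException.Throw(Errors.UploadedWrongHtmlFile);
        }

        // Map the virtual folder to the local server path.
        string sServerDir = this.CurrentFolder.ServerPath;
        string sFileNameNoExt = CKFinder.Connector.Util.GetFileNameWithoutExtension(sFileName);
        string sFullExtension = CKFinder.Connector.Util.GetExtension(sFileName);
        int iCounter = 0;

        // Reserved Windows device names: File.Exists reports false for them, so the collision
        // loop below would never rename them; force the rename up front.
        if (Regex.IsMatch(sFileNameNoExt, @"^(AUX|COM\d|CLOCK\$|CON|NUL|PRN|LPT\d)$", RegexOptions.IgnoreCase))
        {
            iCounter++;
            sFileName = sFileNameNoExt + "(" + iCounter + ")" + sFullExtension;
            iErrorNumber = Errors.UploadedFileRenamed;
        }

        // Find a free name, then save. NOTE(review): Exists followed by SaveAs is not atomic,
        // so two concurrent uploads of the same name can still collide.
        while (true)
        {
            sFilePath = System.IO.Path.Combine(sServerDir, sFileName);
            if (System.IO.File.Exists(sFilePath))
            {
                iCounter++;
                sFileName = sFileNameNoExt + "(" + iCounter + ")" + sFullExtension;
                iErrorNumber = Errors.UploadedFileRenamed;
                continue;
            }

            oFile.SaveAs(sFilePath);

            // A file that claims an image extension must also decode as an image.
            if (Config.Current.SecureImageUploads && ImageTools.IsImageExtension(sExtension) && !ImageTools.ValidateImage(sFilePath))
            {
                System.IO.File.Delete(sFilePath);
                ConnectorException.Throw(Errors.UploadedCorrupt);
            }

            // Presumably ResizeImage ignores non-image files; it is called for every upload.
            Settings.Images imagesSettings = Config.Current.Images;
            if (imagesSettings.MaxHeight > 0 && imagesSettings.MaxWidth > 0)
            {
                ImageTools.ResizeImage(sFilePath, sFilePath, imagesSettings.MaxWidth, imagesSettings.MaxHeight, true, imagesSettings.Quality);
                if (Config.Current.CheckSizeAfterScaling && this.CurrentFolder.ResourceTypeInfo.MaxSize > 0)
                {
                    long fileSize = new System.IO.FileInfo(sFilePath).Length;
                    if (fileSize > this.CurrentFolder.ResourceTypeInfo.MaxSize)
                    {
                        System.IO.File.Delete(sFilePath);
                        ConnectorException.Throw(Errors.UploadedTooBig);
                    }
                }
            }
            break;
        }
    }
    catch (ConnectorException connectorException)
    {
        iErrorNumber = connectorException.Number;
    }
    catch (System.Security.SecurityException)
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.AccessDenied;
#endif
    }
    catch (System.UnauthorizedAccessException)
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.AccessDenied;
#endif
    }
    catch
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.Unknown;
#endif
    }

#if DEBUG
    // Presumably kept so that output emitted before a failure is visible in DEBUG builds.
    if (iErrorNumber == Errors.None || iErrorNumber == Errors.UploadedFileRenamed || iErrorNumber == Errors.UploadedInvalidNameRenamed)
    {
        response.Clear();
    }
#else
    response.Clear();
#endif

    // NOTE(review): CurrentFolder is dereferenced here even when CheckConnector/CheckRequest
    // threw above — confirm it can never be null at this point.
    System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;
    if (request.QueryString["response_type"] != null && "txt" == request.QueryString["response_type"])
    {
        // Plain-text form "<fileName>|<message>"; the name is blanked unless the upload succeeded.
        string errorMsg = "";
        if (iErrorNumber > 0)
        {
            errorMsg = Lang.getErrorMessage(iErrorNumber).Replace("%1", sFileName);
            if (iErrorNumber != Errors.UploadedFileRenamed && iErrorNumber != Errors.UploadedInvalidNameRenamed)
            {
                sFileName = "";
            }
        }
        response.Write(sFileName + "|" + errorMsg);
    }
    else
    {
        // NOTE(review): relies on GetJavaScriptCode escaping sFileName for a script context.
        response.Write("<script type=\"text/javascript\">");
        response.Write(this.GetJavaScriptCode(iErrorNumber, sFileName, this.CurrentFolder.Url));
        response.Write("</script>");
    }

    // NOTE(review): sFilePath is "" when the save step was never reached and may name an
    // already-deleted file when post-save validation failed; hook consumers must check.
    Connector.CKFinderEvent.ActivateEvent(CKFinderEvent.Hooks.AfterFileUpload, this.CurrentFolder, sFilePath);
    response.End();
}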
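/// <summary>
/// Handles a file upload into the current folder: takes the first posted file, replaces
/// characters that are unsafe in a file name, enforces the resource type's extension and
/// size rules, saves the file (renaming on a name collision) and writes a JavaScript
/// callback describing the outcome.
/// </summary>
/// <param name="response">Response the result is written to; this method ends it.</param>
/// <remarks>
/// Errors are reported through an error number in the response body rather than by
/// throwing: a <see cref="ConnectorException"/> supplies its own number, security and
/// access failures map to <c>Errors.AccessDenied</c>, anything else to <c>Errors.Unknown</c>.
/// DEBUG builds rethrow the non-connector exceptions so they surface during development.
/// </remarks>
public override void SendResponse(System.Web.HttpResponse response)
{
    int iErrorNumber = 0;
    string sFileName = "";
    string sUnsafeFileName = "";

    try
    {
        this.CheckConnector();
        this.CheckRequest();

        if (!this.CurrentFolder.CheckAcl(AccessControlRules.FileUpload))
        {
            ConnectorException.Throw(Errors.Unauthorized);
        }

        // Use the first posted file, whatever its field name. Checking AllKeys.Length keeps a
        // request without any file on the Errors.UploadedCorrupt path instead of letting the
        // IndexOutOfRangeException fall through to the generic catch as Errors.Unknown.
        System.Web.HttpFileCollection files = HttpContext.Current.Request.Files;
        HttpPostedFile oFile = files.AllKeys.Length > 0 ? files[files.AllKeys[0]] : null;
        if (oFile == null)
        {
            ConnectorException.Throw(Errors.UploadedCorrupt);
        }

        // Drop any client-side directory (some browsers post the full path), then neutralise
        // characters that are not valid in a file name. NOTE(review): on .NET Framework
        // Path.GetFileName throws ArgumentException for names containing '"', '<', '>', '|'
        // or control characters, which the generic catch below reports as Errors.Unknown.
        sUnsafeFileName = System.IO.Path.GetFileName(oFile.FileName);
        sFileName = Regex.Replace(sUnsafeFileName, @"[\:\*\?\|\/]", "_", RegexOptions.None);
        if (sFileName != sUnsafeFileName)
        {
            iErrorNumber = Errors.UploadedInvalidNameRenamed;
        }

        if (!Connector.CheckFileName(sFileName) || Config.Current.CheckIsHiddenFile(sFileName))
        {
            ConnectorException.Throw(Errors.InvalidName);
        }

        // Only the last dot may survive, so a name such as "x.php.jpg" is not stored carrying a
        // second, possibly executable, extension.
        if (Config.Current.ForceSingleExtension)
        {
            sFileName = Regex.Replace(sFileName, @"\.(?![^.]*$)", "_", RegexOptions.None);
        }

        // Pre-scaling size check; with CheckSizeAfterScaling the limit is applied to the
        // stored (resized) file further down instead.
        if (!Config.Current.CheckSizeAfterScaling
            && this.CurrentFolder.ResourceTypeInfo.MaxSize > 0
            && oFile.ContentLength > this.CurrentFolder.ResourceTypeInfo.MaxSize)
        {
            ConnectorException.Throw(Errors.UploadedTooBig);
        }

        // Validate the extension of the name that will actually be written, not the raw
        // posted name (the two agree today, but the stored name is the one that matters).
        string sFullExtension = System.IO.Path.GetExtension(sFileName);
        string sExtension = sFullExtension.TrimStart('.');
        if (!this.CurrentFolder.ResourceTypeInfo.CheckExtension(sExtension))
        {
            ConnectorException.Throw(Errors.InvalidExtension);
        }
        // For extensions that must never carry markup, sniff the content as well as the name.
        if (Config.Current.CheckIsNonHtmlExtension(sExtension) && !this.CheckNonHtmlFile(oFile))
        {
            ConnectorException.Throw(Errors.UploadedWrongHtmlFile);
        }

        // Map the virtual folder to the local server path.
        string sServerDir = this.CurrentFolder.ServerPath;
        string sFileNameNoExt = System.IO.Path.GetFileNameWithoutExtension(sFileName);
        int iCounter = 0;

        // Find a free name, then save. NOTE(review): Exists followed by SaveAs is not atomic,
        // so two concurrent uploads of the same name can still collide.
        while (true)
        {
            string sFilePath = System.IO.Path.Combine(sServerDir, sFileName);
            if (System.IO.File.Exists(sFilePath))
            {
                iCounter++;
                sFileName = sFileNameNoExt + "(" + iCounter + ")" + sFullExtension;
                iErrorNumber = Errors.UploadedFileRenamed;
                continue;
            }

            oFile.SaveAs(sFilePath);

            // A file that claims an image extension must also decode as an image.
            if (Config.Current.SecureImageUploads && ImageTools.IsImageExtension(sExtension) && !ImageTools.ValidateImage(sFilePath))
            {
                System.IO.File.Delete(sFilePath);
                ConnectorException.Throw(Errors.UploadedCorrupt);
            }

            // Presumably ResizeImage ignores non-image files; it is called for every upload.
            Settings.Images imagesSettings = Config.Current.Images;
            if (imagesSettings.MaxHeight > 0 && imagesSettings.MaxWidth > 0)
            {
                ImageTools.ResizeImage(sFilePath, sFilePath, imagesSettings.MaxWidth, imagesSettings.MaxHeight, true, imagesSettings.Quality);
                if (Config.Current.CheckSizeAfterScaling && this.CurrentFolder.ResourceTypeInfo.MaxSize > 0)
                {
                    long fileSize = new System.IO.FileInfo(sFilePath).Length;
                    if (fileSize > this.CurrentFolder.ResourceTypeInfo.MaxSize)
                    {
                        System.IO.File.Delete(sFilePath);
                        ConnectorException.Throw(Errors.UploadedTooBig);
                    }
                }
            }
            break;
        }
    }
    catch (ConnectorException connectorException)
    {
        iErrorNumber = connectorException.Number;
    }
    catch (System.Security.SecurityException)
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.AccessDenied;
#endif
    }
    catch (System.UnauthorizedAccessException)
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.AccessDenied;
#endif
    }
    catch
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.Unknown;
#endif
    }

#if DEBUG
    // Presumably kept so that output emitted before a failure is visible in DEBUG builds.
    if (iErrorNumber == Errors.None || iErrorNumber == Errors.UploadedFileRenamed || iErrorNumber == Errors.UploadedInvalidNameRenamed)
    {
        response.Clear();
    }
#else
    response.Clear();
#endif

    // NOTE(review): sFileName is appended to the folder URL without URL-encoding and relies
    // on GetJavaScriptCode escaping it for a script context — confirm both.
    response.Write("<script type=\"text/javascript\">");
    response.Write(this.GetJavaScriptCode(iErrorNumber, sFileName, this.CurrentFolder.Url + sFileName));
    response.Write("</script>");
    response.End();
}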
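/// <summary>
/// Handles a file upload into the current folder: picks the posted file, sanitises its
/// name, enforces the resource type's extension and size rules, saves it (renaming on a
/// name collision) and writes the outcome in the format the client asked for: plain
/// "name|message" text, a JSON object, or a JavaScript callback.
/// </summary>
/// <param name="response">Response the result is written to; this method ends it.</param>
/// <remarks>
/// Errors are reported through an error number in the response body rather than by
/// throwing: a <see cref="ConnectorException"/> supplies its own number, security and
/// access failures map to <c>Errors.AccessDenied</c>, anything else to <c>Errors.Unknown</c>.
/// DEBUG builds rethrow the non-connector exceptions so they surface during development.
/// </remarks>
public override void SendResponse(System.Web.HttpResponse response)
{
    int iErrorNumber = 0;
    string sFileName = "";
    string sFilePath = "";
    string sUnsafeFileName = "";

    try
    {
        this.CheckConnector();
        this.CheckRequest();

        if (!this.CurrentFolder.CheckAcl(AccessControlRules.FileUpload))
        {
            ConnectorException.Throw(Errors.Unauthorized);
        }

        // Accept the field names used by CKEditor ("upload") and CKFinder ("NewFile") and
        // fall back to the first file field the client posted, whatever it is called.
        System.Web.HttpFileCollection files = HttpContext.Current.Request.Files;
        HttpPostedFile oFile = files["upload"] ?? files["NewFile"];
        if (oFile == null && files.AllKeys.Length > 0)
        {
            oFile = files[files.AllKeys[0]];
        }
        if (oFile == null)
        {
            ConnectorException.Throw(Errors.UploadedCorrupt);
        }

        // Some browsers post the full client-side path. Keep only the base name: if a rooted
        // name ever reached Path.Combine below it would replace sServerDir entirely.
        // The former hard-coded override of the name ("Car.jpg") was a debugging leftover
        // that discarded every client's file name; it is gone.
        int iPathIndex = oFile.FileName.LastIndexOfAny(new char[] { '\\', '/' });
        sFileName = iPathIndex >= 0 ? oFile.FileName.Substring(iPathIndex + 1) : oFile.FileName;

        if (Config.Current.CheckDoubleExtension)
        {
            sFileName = this.CurrentFolder.ResourceTypeInfo.ReplaceInvalidDoubleExtensions(sFileName);
        }

        // Every change made to the name from here on is reported to the client as a rename.
        sUnsafeFileName = sFileName;
        if (Config.Current.DisallowUnsafeCharacters)
        {
            sFileName = sFileName.Replace(";", "_");
        }
        // Only the last dot may survive, so a name such as "x.php.jpg" is not stored carrying a
        // second, possibly executable, extension.
        if (Config.Current.ForceSingleExtension)
        {
            sFileName = Regex.Replace(sFileName, @"\.(?![^.]*$)", "_", RegexOptions.None);
        }
        if (sFileName != sUnsafeFileName)
        {
            iErrorNumber = Errors.UploadedInvalidNameRenamed;
        }

        if (!Connector.CheckFileName(sFileName) || Config.Current.CheckIsHiddenFile(sFileName))
        {
            ConnectorException.Throw(Errors.InvalidName);
        }

        // Pre-scaling size check; with CheckSizeAfterScaling the limit is applied to the
        // stored (resized) file further down instead.
        if (!Config.Current.CheckSizeAfterScaling
            && this.CurrentFolder.ResourceTypeInfo.MaxSize > 0
            && oFile.ContentLength > this.CurrentFolder.ResourceTypeInfo.MaxSize)
        {
            ConnectorException.Throw(Errors.UploadedTooBig);
        }

        string sExtension = System.IO.Path.GetExtension(sFileName).TrimStart('.');
        if (!this.CurrentFolder.ResourceTypeInfo.CheckExtension(sExtension))
        {
            ConnectorException.Throw(Errors.InvalidExtension);
        }
        // For extensions that must never carry markup, sniff the content as well as the name.
        if (Config.Current.CheckIsNonHtmlExtension(sExtension) && !this.CheckNonHtmlFile(oFile))
        {
            ConnectorException.Throw(Errors.UploadedWrongHtmlFile);
        }

        // Map the virtual folder to the local server path.
        string sServerDir = this.CurrentFolder.ServerPath;
        string sFileNameNoExt = CKFinder.Connector.Util.GetFileNameWithoutExtension(sFileName);
        string sFullExtension = CKFinder.Connector.Util.GetExtension(sFileName);
        int iCounter = 0;

        // Reserved Windows device names: File.Exists reports false for them, so the collision
        // loop below would never rename them; force the rename up front.
        if (Regex.IsMatch(sFileNameNoExt, @"^(AUX|COM\d|CLOCK\$|CON|NUL|PRN|LPT\d)$", RegexOptions.IgnoreCase))
        {
            iCounter++;
            sFileName = sFileNameNoExt + "(" + iCounter + ")" + sFullExtension;
            iErrorNumber = Errors.UploadedFileRenamed;
        }

        // Find a free name, then save. NOTE(review): Exists followed by SaveAs is not atomic,
        // so two concurrent uploads of the same name can still collide.
        while (true)
        {
            sFilePath = System.IO.Path.Combine(sServerDir, sFileName);
            if (System.IO.File.Exists(sFilePath))
            {
                iCounter++;
                sFileName = sFileNameNoExt + "(" + iCounter + ")" + sFullExtension;
                iErrorNumber = Errors.UploadedFileRenamed;
                continue;
            }

            oFile.SaveAs(sFilePath);

            // A file that claims an image extension must also decode as an image.
            if (Config.Current.SecureImageUploads && ImageTools.IsImageExtension(sExtension) && !ImageTools.ValidateImage(sFilePath))
            {
                System.IO.File.Delete(sFilePath);
                ConnectorException.Throw(Errors.UploadedCorrupt);
            }

            // Presumably ResizeImage ignores non-image files; it is called for every upload.
            Settings.Images imagesSettings = Config.Current.Images;
            if (imagesSettings.MaxHeight > 0 && imagesSettings.MaxWidth > 0)
            {
                ImageTools.ResizeImage(sFilePath, sFilePath, imagesSettings.MaxWidth, imagesSettings.MaxHeight, true, imagesSettings.Quality);
                if (Config.Current.CheckSizeAfterScaling && this.CurrentFolder.ResourceTypeInfo.MaxSize > 0)
                {
                    long fileSize = new System.IO.FileInfo(sFilePath).Length;
                    if (fileSize > this.CurrentFolder.ResourceTypeInfo.MaxSize)
                    {
                        System.IO.File.Delete(sFilePath);
                        ConnectorException.Throw(Errors.UploadedTooBig);
                    }
                }
            }
            break;
        }
    }
    catch (ConnectorException connectorException)
    {
        iErrorNumber = connectorException.Number;
    }
    catch (System.Security.SecurityException)
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.AccessDenied;
#endif
    }
    catch (System.UnauthorizedAccessException)
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.AccessDenied;
#endif
    }
    catch
    {
#if DEBUG
        throw;
#else
        iErrorNumber = Errors.Unknown;
#endif
    }

    // A rename is still a successful upload; everything else is a failure.
    bool uploaded = iErrorNumber == Errors.None
        || iErrorNumber == Errors.UploadedFileRenamed
        || iErrorNumber == Errors.UploadedInvalidNameRenamed;

#if DEBUG
    // Presumably kept so that output emitted before a failure is visible in DEBUG builds.
    if (uploaded)
    {
        response.Clear();
    }
#else
    response.Clear();
#endif

    // NOTE(review): CurrentFolder is dereferenced here even when CheckConnector/CheckRequest
    // threw above — confirm it can never be null at this point.
    System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;
    if (request.QueryString["response_type"] != null && "txt" == request.QueryString["response_type"])
    {
        // CKFinder 2.x flash component: "<fileName>|<message>", name blanked unless uploaded.
        string errorMsg = "";
        if (iErrorNumber > 0)
        {
            errorMsg = Lang.getErrorMessage(iErrorNumber).Replace("%1", sFileName);
            if (iErrorNumber != Errors.UploadedFileRenamed && iErrorNumber != Errors.UploadedInvalidNameRenamed)
            {
                sFileName = "";
            }
        }
        response.Write(sFileName + "|" + errorMsg);
    }
    else if (request.QueryString["responseType"] != null && "json" == request.QueryString["responseType"])
    {
        // CKEditor 4.5.0+ upload API. Start from a clean buffer and mark the result uncacheable.
        response.ClearHeaders();
        response.Clear();
        response.CacheControl = "no-cache";
        response.ContentEncoding = System.Text.Encoding.UTF8;
        response.ContentType = "application/json";

        string errorMsg = iErrorNumber > 0 ? Lang.getErrorMessage(iErrorNumber).Replace("%1", sFileName) : "";
        string fileUrl = this.CurrentFolder.Url + CKFinder.Connector.Util.encodeURIComponent(sFileName);

        // Hand-built JSON; correctness depends on jsonEscape handling quotes, backslashes and
        // control characters in every string value (NOTE(review): confirm).
        System.Text.StringBuilder json = new System.Text.StringBuilder();
        json.Append("{\"fileName\":\"").Append(this.jsonEscape(sFileName))
            .Append("\",\"uploaded\":").Append(uploaded ? "1" : "0");
        if (uploaded)
        {
            json.Append(",\"url\":\"").Append(this.jsonEscape(fileUrl)).Append("\"");
        }
        if (iErrorNumber != Errors.None)
        {
            json.Append(",\"error\":{\"number\":")
                .Append(iErrorNumber.ToString(System.Globalization.CultureInfo.InvariantCulture))
                .Append(",\"message\":\"").Append(this.jsonEscape(errorMsg)).Append("\"}");
        }
        json.Append("}");
        response.Write(json.ToString());
    }
    else
    {
        // NOTE(review): relies on GetJavaScriptCode escaping sFileName for a script context.
        response.Write("<script type=\"text/javascript\">");
        response.Write(this.GetJavaScriptCode(iErrorNumber, sFileName, this.CurrentFolder.Url));
        response.Write("</script>");
    }

    // NOTE(review): sFilePath is "" when the save step was never reached and may name an
    // already-deleted file when post-save validation failed; hook consumers must check.
    Connector.CKFinderEvent.ActivateEvent(CKFinderEvent.Hooks.AfterFileUpload, this.CurrentFolder, sFilePath);
    response.End();
}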