diff --git a/inc/config.php b/inc/config.php
index ef9adb80..3aa0b34f 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -116,6 +116,7 @@
$config['error']['toomanyreports'] = 'You can\'t report that many posts at once.';
$config['error']['invalidpassword'] = 'Wrong password…';
$config['error']['invalidimg'] = 'Invalid image.';
+ $config['error']['unknownext'] = 'Unknown file extension.';
$config['error']['filesize'] = 'Maximum file size: %maxsz% bytes
Your file\'s size: %filesz% bytes';
$config['error']['maxsize'] = 'The file was too big.';
$config['error']['invalidzip'] = 'Invalid archive!';
@@ -516,8 +517,14 @@
// https://github.com/savetheinternet/Tinyboard/issues/20
$config['ie_mime_type_detection'] = '/<(?:body|head|html|img|plaintext|pre|script|table|title|a href|channel|scriptlet)/';
- // Allowed file extensions
- $config['allowed_ext'] = Array('jpg', 'jpeg', 'bmp', 'gif', '');
+ // Allowed image file extensions
+ $config['allowed_ext'] = Array('jpg', 'jpeg', 'bmp', 'gif', 'png');
+
+ // Allowed additional file extensions (not images; downloadable files)
+ $config['allowed_ext_files'] = Array('mp3');
+
+ // Thumbnail to use for the downloadable files (not images)
+ $config['file_thumb'] = 'static/file.png';
// The names on the post buttons. (On most imageboards, these are both "Post".)
$config['button_newtopic'] = 'New Topic';
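Review bot: The comment above `$config['allowed_ext_files']` should say what distinguishes this list from `allowed_ext` in post.php: extensions listed here skip the getimagesize validity check, the max_width/max_height check and the `ie_mime_type_detection` content sniff, which is the fact a maintainer needs before adding an entry. Suggested wording: `// Allowed additional file extensions (not images; downloadable files). These skip the image validation and MIME-sniff checks in post.php, so only add types a browser will never interpret as markup.` It would also help to note on `file_thumb` that post.php copies this path with `copy()` and reads its dimensions, so the file must exist relative to the script's working directory.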
diff --git a/inc/display.php b/inc/display.php
index b6722348..9ba5cac6 100644
--- a/inc/display.php
+++ b/inc/display.php
@@ -259,14 +259,16 @@
if(!empty($this->file) && $this->file != 'deleted') {
$built .= '
File: ' . $this->file . ' (' .
// Filesize
- format_bytes($this->filesize) . ', ' .
+ format_bytes($this->filesize) .
// File dimensions
- $this->filex . 'x' . $this->filey;
+ ($this->filex && $this->filey ?
+ ', ' . $this->filex . 'x' . $this->filey
+ : '' );
// Aspect Ratio
- if($config['show_ratio']) {
- $fraction = fraction($this->filex, $this->filey, ':');
- $built .= ', ' . $fraction;
- }
+ if($config['show_ratio'] && $this->filex && $this->filey) {
+ $fraction = fraction($this->filex, $this->filey, ':');
+ $built .= ', ' . $fraction;
+ }
// Filename
$built .= ', ' . $this->filename . ')
' .
@@ -377,11 +379,13 @@
$built = 'File: ' . $this->file . ' (' .
// Filesize
- format_bytes($this->filesize) . ', ' .
+ format_bytes($this->filesize) .
// File dimensions
- $this->filex . 'x' . $this->filey;
+ ($this->filex && $this->filey ?
+ ', ' . $this->filex . 'x' . $this->filey
+ : '' );
// Aspect Ratio
- if($config['show_ratio']) {
+ if($config['show_ratio'] && $this->filex && $this->filey) {
$fraction = fraction($this->filex, $this->filey, ':');
$built .= ', ' . $fraction;
}
diff --git a/inc/functions.php b/inc/functions.php
index e37a367d..2a45c606 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -363,7 +363,7 @@
$query->bindValue(':height', $post['height'], PDO::PARAM_INT);
$query->bindValue(':filesize', $post['filesize'], PDO::PARAM_INT);
$query->bindValue(':filename', $post['filename']);
- $query->bindValue(':filehash', $post['filehash']);
+ $query->bindValue(':filehash', $post['file']);
} else {
$query->bindValue(':thumb', null, PDO::PARAM_NULL);
$query->bindValue(':thumbwidth', null, PDO::PARAM_NULL);
@@ -1363,12 +1363,13 @@
}
break;
default:
- error('Unknwon file extension.');
+ error($config['error']['unknownext']);
}
return $image;
}
- function resize($src, $width, $height, $destination_pic, $max_width, $max_height, $ext) {
+ function resize($src, $width, $height, $destination_pic, $max_width, $max_height, $ext) {
+ global $config;
$return = Array();
$x_ratio = $max_width / $width;
@@ -1414,7 +1415,7 @@
imagebmp($tmp, $destination_pic);
break;
default:
- error('Unknwon file extension.');
+ error($config['error']['unknownext']);
}
imagedestroy($src);
diff --git a/post.php b/post.php
index 6833d1d6..15a87dd3 100644
--- a/post.php
+++ b/post.php
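Review bot: The guard `$this->filex && $this->filey` and the ternary building `', ' . $this->filex . 'x' . $this->filey` are duplicated verbatim in this hunk and in the @@ -377 hunk below; a small private helper returning the `', WxH'` suffix (or `''` when either dimension is missing) would keep the two render paths from drifting apart. The guard is a truthiness test, so a width or height of 0 is treated the same as an unset one, which is presumably intended for the new non-image files but worth a comment such as `// non-image files carry no dimensions`. The enclosing method starts before and ends after this hunk.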
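Review bot: In the @@ -363 hunk `:filehash` is now bound to `$post['file']` (the stored file name) instead of `$post['filehash']`, while post.php in this same commit still computes `$post['filehash'] = $config['file_hash']($post['file'])` and hands it to `getPostByHash()` for `image_reject_repost`. If that lookup reads the `filehash` column, repost detection will silently stop matching once the column holds file names, and the computed hash is never persisted at all. Unless the column has been deliberately repurposed, the line should stay `$query->bindValue(':filehash', $post['filehash']);`. The enclosing function starts and ends outside the hunk.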
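Review bot: The `default:` branch at the top of the @@ -1363 hunk now reads `$config['error']['unknownext']`, but unlike `resize()` a few lines below, no `global $config;` is added to the function it belongs to (its header is above the hunk); if that function does not already import `$config`, `error()` receives null and the user sees an empty message. Worth confirming, and adding `global $config;` there if it is missing; the same lookup in the @@ -1414 hunk is covered by the `global $config;` added to `resize()`. The `function resize(...)` signature is shown as removed and re-added with no visible difference, which looks like a whitespace-only change that could be dropped from the diff.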
@@ -384,51 +384,65 @@
}
if($post['has_file']) {
+ if(!in_array($post['extension'], $config['allowed_ext']) && !in_array($post['extension'], $config['allowed_ext_files']))
+ error($config['error']['unknownext']);
+
+ if(in_array($post['extension'], $config['allowed_ext_files']))
+ $__file = true;
+
// Just trim the filename if it's too long
if(strlen($post['filename']) > 30)
$post['filename'] = substr($post['filename'], 0, 27).'…';
// Move the uploaded file
if(!@move_uploaded_file($_FILES['file']['tmp_name'], $post['file']))
error($config['error']['nomove']);
- $size = @getimagesize($post['file']);
- $post['width'] = $size[0];
- $post['height'] = $size[1];
-
- // Check if the image is valid
- if($post['width'] < 1 || $post['height'] < 1) {
- undoImage($post);
- error($config['error']['invalidimg']);
- }
-
- if($post['width'] > $config['max_width'] || $post['height'] > $config['max_height']) {
- undoImage($post);
- error($config['error']['maxsize']);
- }
-
- // Check IE MIME type detection XSS exploit
- $buffer = file_get_contents($post['file'], null, null, null, 255);
- if(preg_match($config['ie_mime_type_detection'], $buffer)) {
- undoImage($post);
- error($config['error']['mime_exploit']);
+ if(!isset($__file)) {
+ $size = @getimagesize($post['file']);
+ $post['width'] = $size[0];
+ $post['height'] = $size[1];
+
+ // Check if the image is valid
+ if($post['width'] < 1 || $post['height'] < 1) {
+ undoImage($post);
+ error($config['error']['invalidimg']);
+ }
+
+ if($post['width'] > $config['max_width'] || $post['height'] > $config['max_height']) {
+ undoImage($post);
+ error($config['error']['maxsize']);
+ }
+
+ // Check IE MIME type detection XSS exploit
+ $buffer = file_get_contents($post['file'], null, null, null, 255);
+ if(preg_match($config['ie_mime_type_detection'], $buffer)) {
+ undoImage($post);
+ error($config['error']['mime_exploit']);
+ }
+
+ if($config['minimum_copy_resize'] && $post['width'] <= $config['thumb_width'] && $post['height'] <= $config['thumb_height'] && $post['extension'] == ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension'])) {
+ // Copy, because there's nothing to resize
+ copy($post['file'], $post['thumb']);
+
+ $post['thumbwidth'] = $post['width'];
+ $post['thumbheight'] = $post['height'];
+ } else {
+ $image = createimage($post['extension'], $post['file']);
+
+ // Create a thumbnail
+ $thumb = resize($image, $post['width'], $post['height'], $post['thumb'], $config['thumb_width'], $config['thumb_height'], ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension']));
+
+ $post['thumbwidth'] = $thumb['width'];
+ $post['thumbheight'] = $thumb['height'];
+ }
+ } else {
+ copy($config['file_thumb'], $post['thumb']);
+
+ $size = @getimagesize($post['thumb']);
+ $post['thumbwidth'] = $size[0];
+ $post['thumbheight'] = $size[1];
}
$post['filehash'] = $config['file_hash']($post['file']);
$post['filesize'] = filesize($post['file']);
-
- if($config['minimum_copy_resize'] && $post['width'] <= $config['thumb_width'] && $post['height'] <= $config['thumb_height'] && $post['extension'] == ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension'])) {
- // Copy, because there's nothing to resize
- copy($post['file'], $post['thumb']);
-
- $post['thumbwidth'] = $post['width'];
- $post['thumbheight'] = $post['height'];
- } else {
- $image = createimage($post['extension'], $post['file']);
-
- // Create a thumbnail
- $thumb = resize($image, $post['width'], $post['height'], $post['thumb'], $config['thumb_width'], $config['thumb_height'], ($config['thumb_ext'] ? $config['thumb_ext'] : $post['extension']));
-
- $post['thumbwidth'] = $thumb['width'];
- $post['thumbheight'] = $thumb['height'];
- }
}
if($post['has_file'] && $config['image_reject_repost'] && $p = getPostByHash($post['filehash'])) {
diff --git a/static/file.png b/static/file.png
new file mode 100644
index 00000000..8060fe3c
Binary files /dev/null and b/static/file.png differ
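Review bot: The `ie_mime_type_detection` check (`$buffer = file_get_contents(...)`, `preg_match(...)`, `undoImage`, `error(mime_exploit)`) now sits inside the `!isset($__file)` branch, so an upload accepted through `allowed_ext_files` is moved into place and served with no content check at all; the sniff does not depend on the file being an image and should run directly after `move_uploaded_file` for every upload, before the branch. Both `in_array()` calls at the top of the hunk omit the strict `true` argument, and the `$__file` flag probed with `isset` would read more plainly as `$is_file = in_array($post['extension'], $config['allowed_ext_files'], true);` tested with `if(!$is_file)`. In the else branch `copy($config['file_thumb'], $post['thumb'])` ignores its return value, so a missing thumbnail image leads to `@getimagesize` on a nonexistent file and null thumbnail dimensions. That branch also never sets `$post['width']`/`$post['height']`, which the `:width`/`:height` bindings in inc/functions.php presumably still read.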