1 files changed, 182 insertions, 37 deletions

diff --git a/modules/gallery/helpers/legal_file.php b/modules/gallery/helpers/legal_file.php
index 5768cf14..eb9c25de 100644
--- a/modules/gallery/helpers/legal_file.php
+++ b/modules/gallery/helpers/legal_file.php
@@ -18,6 +18,15 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class legal_file_Core {
+  private static $photo_types_by_extension;
+  private static $movie_types_by_extension;
+  private static $photo_extensions;
+  private static $movie_extensions;
+  private static $photo_types;
+  private static $movie_types;
+  private static $blacklist = array("php", "php3", "php4", "php5", "phtml", "phtm", "shtml", "shtm",
+                                    "pl", "cgi", "asp", "sh", "py", "c", "js");
+
   /**
    * Create a default list of allowed photo MIME types paired with their extensions and then let
    * modules modify it.  This is an ordered map, mapping extensions to their MIME types.
@@ -26,21 +35,27 @@ class legal_file_Core {
    * @param string $extension (opt.) - return MIME of extension; if not given, return complete array
    */
   static function get_photo_types_by_extension($extension=null) {
-    $types_by_extension_wrapper = new stdClass();
-    $types_by_extension_wrapper->types_by_extension = array(
-      "jpg" => "image/jpeg", "jpeg" => "image/jpeg", "gif" => "image/gif", "png" => "image/png");
-    module::event("photo_types_by_extension", $types_by_extension_wrapper);
+    if (empty(self::$photo_types_by_extension)) {
+      $types_by_extension_wrapper = new stdClass();
+      $types_by_extension_wrapper->types_by_extension = array(
+        "jpg" => "image/jpeg", "jpeg" => "image/jpeg", "gif" => "image/gif", "png" => "image/png");
+      module::event("photo_types_by_extension", $types_by_extension_wrapper);
+      foreach (self::$blacklist as $key) {
+        unset($types_by_extension_wrapper->types_by_extension[$key]);
+      }
+      self::$photo_types_by_extension = $types_by_extension_wrapper->types_by_extension;
+    }
     if ($extension) {
       // return matching MIME type
       $extension = strtolower($extension);
-      if (isset($types_by_extension_wrapper->types_by_extension[$extension])) {
-        return $types_by_extension_wrapper->types_by_extension[$extension];
+      if (isset(self::$photo_types_by_extension[$extension])) {
+        return self::$photo_types_by_extension[$extension];
       } else {
         return null;
       }
     } else {
       // return complete array
-      return $types_by_extension_wrapper->types_by_extension;
+      return self::$photo_types_by_extension;
     }
   }
 
@@ -52,53 +67,114 @@ class legal_file_Core {
    * @param string $extension (opt.) - return MIME of extension; if not given, return complete array
    */
   static function get_movie_types_by_extension($extension=null) {
-    $types_by_extension_wrapper = new stdClass();
-    $types_by_extension_wrapper->types_by_extension = array(
-      "flv" => "video/x-flv", "mp4" => "video/mp4", "m4v" => "video/x-m4v");
-    module::event("movie_types_by_extension", $types_by_extension_wrapper);
+    if (empty(self::$movie_types_by_extension)) {
+      $types_by_extension_wrapper = new stdClass();
+      $types_by_extension_wrapper->types_by_extension = array(
+        "flv" => "video/x-flv", "mp4" => "video/mp4", "m4v" => "video/x-m4v");
+      module::event("movie_types_by_extension", $types_by_extension_wrapper);
+      foreach (self::$blacklist as $key) {
+        unset($types_by_extension_wrapper->types_by_extension[$key]);
+      }
+      self::$movie_types_by_extension = $types_by_extension_wrapper->types_by_extension;
+    }
     if ($extension) {
       // return matching MIME type
       $extension = strtolower($extension);
-      if (isset($types_by_extension_wrapper->types_by_extension[$extension])) {
-        return $types_by_extension_wrapper->types_by_extension[$extension];
+      if (isset(self::$movie_types_by_extension[$extension])) {
+        return self::$movie_types_by_extension[$extension];
       } else {
         return null;
       }
     } else {
       // return complete array
-      return $types_by_extension_wrapper->types_by_extension;
+      return self::$movie_types_by_extension;
+    }
+  }
+
+  /**
+   * Create a merged list of all allowed photo and movie MIME types paired with their extensions.
+   *
+   * @param string $extension (opt.) - return MIME of extension; if not given, return complete array
+   */
+  static function get_types_by_extension($extension=null) {
+    $types_by_extension = legal_file::get_photo_types_by_extension();
+    if (movie::allow_uploads()) {
+      $types_by_extension = array_merge($types_by_extension,
+                                        legal_file::get_movie_types_by_extension());
+    }
+    if ($extension) {
+      // return matching MIME type
+      $extension = strtolower($extension);
+      if (isset($types_by_extension[$extension])) {
+        return $types_by_extension[$extension];
+      } else {
+        return null;
+      }
+    } else {
+      // return complete array
+      return $types_by_extension;
     }
   }
 
   /**
    * Create a default list of allowed photo extensions and then let modules modify it.
+   *
+   * @param string $extension (opt.) - return true if allowed; if not given, return complete array
    */
-  static function get_photo_extensions() {
-    $extensions_wrapper = new stdClass();
-    $extensions_wrapper->extensions = array_keys(legal_file::get_photo_types_by_extension());
-    module::event("legal_photo_extensions", $extensions_wrapper);
-    return $extensions_wrapper->extensions;
+  static function get_photo_extensions($extension=null) {
+    if (empty(self::$photo_extensions)) {
+      $extensions_wrapper = new stdClass();
+      $extensions_wrapper->extensions = array_keys(legal_file::get_photo_types_by_extension());
+      module::event("legal_photo_extensions", $extensions_wrapper);
+      self::$photo_extensions = array_diff($extensions_wrapper->extensions, self::$blacklist);
+    }
+    if ($extension) {
+      // return true if in array, false if not
+      return in_array(strtolower($extension), self::$photo_extensions);
+    } else {
+      // return complete array
+      return self::$photo_extensions;
+    }
   }
 
   /**
    * Create a default list of allowed movie extensions and then let modules modify it.
+   *
+   * @param string $extension (opt.) - return true if allowed; if not given, return complete array
    */
-  static function get_movie_extensions() {
-    $extensions_wrapper = new stdClass();
-    $extensions_wrapper->extensions = array_keys(legal_file::get_movie_types_by_extension());
-    module::event("legal_movie_extensions", $extensions_wrapper);
-    return $extensions_wrapper->extensions;
+  static function get_movie_extensions($extension=null) {
+    if (empty(self::$movie_extensions)) {
+      $extensions_wrapper = new stdClass();
+      $extensions_wrapper->extensions = array_keys(legal_file::get_movie_types_by_extension());
+      module::event("legal_movie_extensions", $extensions_wrapper);
+      self::$movie_extensions = array_diff($extensions_wrapper->extensions, self::$blacklist);
+    }
+    if ($extension) {
+      // return true if in array, false if not
+      return in_array(strtolower($extension), self::$movie_extensions);
+    } else {
+      // return complete array
+      return self::$movie_extensions;
+    }
   }
 
   /**
    * Create a merged list of all allowed photo and movie extensions.
+   *
+   * @param string $extension (opt.) - return true if allowed; if not given, return complete array
    */
-  static function get_extensions() {
+  static function get_extensions($extension=null) {
     $extensions = legal_file::get_photo_extensions();
-    if (movie::find_ffmpeg()) {
+    if (movie::allow_uploads()) {
       $extensions = array_merge($extensions, legal_file::get_movie_extensions());
     }
-    return $extensions;
+    if ($extension) {
+      // return true if in array, false if not
+      return in_array(strtolower($extension), $extensions);
+    } else {
+      // return complete array
+      return $extensions;
+    }
   }
 
   /**
@@ -119,10 +195,14 @@ class legal_file_Core {
    * (e.g. flv maps to video/x-flv by default, but video/flv is still legal).
    */
   static function get_photo_types() {
-    $types_wrapper = new stdClass();
-    $types_wrapper->types = array_values(legal_file::get_photo_types_by_extension());
-    module::event("legal_photo_types", $types_wrapper);
-    return $types_wrapper->types;
+    if (empty(self::$photo_types)) {
+      $types_wrapper = new stdClass();
+      // Need array_unique since types_by_extension can be many-to-one (e.g. jpeg and jpg).
+      $types_wrapper->types = array_unique(array_values(legal_file::get_photo_types_by_extension()));
+      module::event("legal_photo_types", $types_wrapper);
+      self::$photo_types = $types_wrapper->types;
+    }
+    return self::$photo_types;
   }
 
   /**
@@ -131,11 +211,15 @@ class legal_file_Core {
    * (e.g. flv maps to video/x-flv by default, but video/flv is still legal).
    */
   static function get_movie_types() {
-    $types_wrapper = new stdClass();
-    $types_wrapper->types = array_values(legal_file::get_movie_types_by_extension());
-    $types_wrapper->types[] = "video/flv";
-    module::event("legal_movie_types", $types_wrapper);
-    return $types_wrapper->types;
+    if (empty(self::$movie_types)) {
+      $types_wrapper = new stdClass();
+      // Need array_unique since types_by_extension can be many-to-one (e.g. jpeg and jpg).
+      $types_wrapper->types = array_unique(array_values(legal_file::get_movie_types_by_extension()));
+      $types_wrapper->types[] = "video/flv";
+      module::event("legal_movie_types", $types_wrapper);
+      self::$movie_types = $types_wrapper->types;
+    }
+    return self::$movie_types;
   }
 
   /**
@@ -151,6 +235,10 @@ class legal_file_Core {
    * Reduce the given file to having a single extension.
    */
   static function smash_extensions($filename) {
+    if (!$filename) {
+      // It's harmless, so return it before it causes issues with pathinfo.
+      return $filename;
+    }
     $parts = pathinfo($filename);
     $result = "";
     if ($parts["dirname"] != ".") {
@@ -159,7 +247,64 @@ class legal_file_Core {
     $parts["filename"] = str_replace(".", "_", $parts["filename"]);
     $parts["filename"] = preg_replace("/[_]+/", "_", $parts["filename"]);
     $parts["filename"] = trim($parts["filename"], "_");
-    $result .= "{$parts['filename']}.{$parts['extension']}";
+    $result .= isset($parts["extension"]) ? "{$parts['filename']}.{$parts['extension']}" : $parts["filename"];
     return $result;
   }
+
+  /**
+   * Sanitize a filename for a given type (given as "photo" or "movie") and a target file format
+   * (given as an extension).  This returns a completely legal and valid filename,
+   * or throws an exception if the type or extension given is invalid or illegal.  It tries to
+   * maintain the filename's original extension even if it's not identical to the given extension
+   * (e.g. don't change "JPG" or "jpeg" to "jpg").
+   *
+   * Note: it is not okay if the extension given is legal but does not match the type (e.g. if
+   * extension is "mp4" and type is "photo", it will throw an exception)
+   *
+   * @param  string $filename  (with no directory)
+   * @param  string $extension (can be uppercase or lowercase)
+   * @param  string $type      (as "photo" or "movie")
+   * @return string sanitized filename (or null if bad extension argument)
+   */
+  static function sanitize_filename($filename, $extension, $type) {
+    // Check if the type is valid - if so, get the mime types of the
+    // original and target extensions; if not, throw an exception.
+    $original_extension = pathinfo($filename, PATHINFO_EXTENSION);
+    switch ($type) {
+      case "photo":
+        $mime_type = legal_file::get_photo_types_by_extension($extension);
+        $original_mime_type = legal_file::get_photo_types_by_extension($original_extension);
+        break;
+      case "movie":
+        $mime_type = legal_file::get_movie_types_by_extension($extension);
+        $original_mime_type = legal_file::get_movie_types_by_extension($original_extension);
+        break;
+      default:
+        throw new Exception("@todo INVALID_TYPE");
+    }
+
+    // Check if the target extension is blank or invalid - if so, throw an exception.
+    if (!$extension || !$mime_type) {
+      throw new Exception("@todo ILLEGAL_EXTENSION");
+    }
+
+    // Check if the mime types of the original and target extensions match - if not, fix it.
+    if (!$original_extension || ($mime_type != $original_mime_type)) {
+      $filename = legal_file::change_extension($filename, $extension);
+    }
+
+    // It should be a filename without a directory - remove all slashes (and backslashes).
+    $filename = str_replace("/", "_", $filename);
+    $filename = str_replace("\\", "_", $filename);
+
+    // Remove extra dots from the filename.  This will also remove extraneous underscores.
+    $filename = legal_file::smash_extensions($filename);
+
+    // It's possible that the filename has no base (e.g. ".jpg") - if so, give it a generic one.
+    if (empty($filename) || (substr($filename, 0, 1) == ".")) {
+      $filename = $type . $filename;  // e.g. "photo.jpg" or "movie.mp4"
+    }
+
+    return $filename;
+  }
 }