You are not logged in.

#1 20 Feb 2008 1:14 am

azzlack
Senior Member
From: Bergen, Norway
Registered: Jan 2008
Posts: 26
Website

Chmodding uploaded files

I am using the Exponent CMS for one of my websites, and I have a upload module that works, except that I cannot access the files I upload.

I have read somewhere that uploaded files automatically gets the CHMOD value of 600, but I need it to be 604, so its readable by the flash player that is on the site.

Code:

if (!defined('EXPONENT')) exit('');

$resource = null;
$iloc = null;
if (isset($_POST['id'])) {
    $resource = $db->selectObject('resourceitem','id='.intval($_POST['id']));
    if ($resource) {
        $loc = unserialize($resource->location_data);
        $iloc = exponent_core_makeLocation($loc->mod,$loc->src,$resource->id);
    }
}

if (($resource == null && exponent_permissions_check('post',$loc)) ||
    ($resource != null && exponent_permissions_check('edit',$loc)) ||
    ($iloc != null && exponent_permissions_check('edit',$iloc))
) {
    $resource = resourceitem::update($_POST,$resource);
    $resource->location_data = serialize($loc);
    
    if (!isset($resource->id)) {
        $resource->rank = intval($_POST['rank']);
        $db->increment('resourceitem','rank',1,"location_data='".serialize($loc)."' AND rank >= ".$resource->rank);
    }
    
    if (!isset($resource->file_id)) {
        $directory = 'files/resourcesmodule/'.$loc->src;
        
        $file = file::update('file',$directory,null,time().'_'.$_FILES['file']['name']);
        if (is_object($file)) {
            $resource->file_id = $db->insertObject($file,'file');
            $id = $db->insertObject($resource,'resourceitem');
            // Assign new perms on loc
            $iloc = exponent_core_makeLocation($loc->mod,$loc->src,$id);
            exponent_permissions_grant($user,'edit',$iloc);
            exponent_permissions_grant($user,'delete',$iloc);
            exponent_permissions_grant($user,'administrate',$iloc);
            exponent_permissions_triggerSingleRefresh($user);
    
            if (!defined('SYS_WORKFLOW')) include_once(BASE.'subsystems/workflow.php');
            $resource->id = $id;
            $resource->poster = $user->id;
            $resource->posted = time();
            exponent_workflow_post($resource,'resourceitem',$loc);
            exponent_sessions_clearAllUsersSessionCache('resourcesmodule');
        } else {
            // If file::update() returns a non-object, it should be a string.  That string is the error message.
            $post = $_POST;
            $post['_formError'] = $file;
            exponent_sessions_set('last_POST',$post);
            unset($_SESSION['resource_cache']);
            header('Location: ' . $_SERVER['HTTP_REFERER']);
        }
        chmod($loc, 0604);
    } else {
        $resource->editor = $user->id;
        $resource->edited = time();
        $db->updateObject($resource,'resourceitem');
        exponent_sessions_clearAllUsersSessionCache('resourcesmodule');
        exponent_flow_redirect();
    }
} else {
    echo SITE_403_HTML;
}

I don't know exactly how this code works, but I know that my attempt at inserting a chmod line in it did not work. big_smile

Any help would be extremely nice... smile

Last edited by azzlack (20 Feb 2008 1:36 am)


Web Developer and Designer.
Currently studying for Bachelor of Computer Science degree ...

Offline

 

#2 20 Feb 2008 7:47 am

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: Chmodding uploaded files

try

Code:

chmod($file, 0604);

instead of

Code:

chmod($loc, 0604);

and see if that works.

Offline

 

#3 20 Feb 2008 9:27 am

azzlack
Senior Member
From: Bergen, Norway
Registered: Jan 2008
Posts: 26
Website

Re: Chmodding uploaded files

It didn't work, so I guess there are some functions in Exponent overriding it, and putting 600 on everything.

I have also posted a similar request for help at the Exponent forums, and I will post back here if they have a solution.


Web Developer and Designer.
Currently studying for Bachelor of Computer Science degree ...

Offline

 

#4 20 Feb 2008 11:20 am

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: Chmodding uploaded files

oops, I missed this earlier.  $file is an object not a file path: if(is_object($file)) so yea... that wouldn't work.  you need to inject that code just after the file is written to the file location (where ever that is).

Offline

 

#5 20 Feb 2008 2:23 pm

winsr
Extreme Member
Registered: Mar 2007
Posts: 90

Re: Chmodding uploaded files

try>

chmod($file, 777);

This should give you full access to the file

Offline

 

#6 20 Feb 2008 2:42 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: Chmodding uploaded files

yea, thats what I thought too, except $file is an actual php object, not a string file path (and chmod doesnt know what to do with the file object, only a file path string).

he really only needs public read access (which would be 604) to the file.  giving world access to files is a potential security risk.  since unix/linux file systems allow execution of any file (if the permissions allow execution of the file) then giving an image (or any other file type) execute priv's can be very dangerous because anyone can upload a php script as some other file, and craft code that executes the wolf in sheep's clothing file (which is actually a script), and someone could own the web server.

Offline

 

#7 20 Feb 2008 2:46 pm

winsr
Extreme Member
Registered: Mar 2007
Posts: 90

Re: Chmodding uploaded files

then it should be

chmod($loc, 777);

Dont use a 4 digit code, since it wont work, so maybe you can try

chmod($loc, 604);

Offline

 

#8 10 Mar 2008 3:21 am

azzlack
Senior Member
From: Bergen, Norway
Registered: Jan 2008
Posts: 26
Website

Re: Chmodding uploaded files

I tried your solutions but they didnt work.

I contacted the developers of the CMS, and there is a function in another file that overrides any CHMOD lines we would place there, so that is why your solution didnt work. He told me how to fix it so now it works.

I'm sorry I didnt think of contacting the CMS developers earlier... tongue

Thank you both for trying to help!
Anyway, now I at least know what to do if I'm gonna make a file upload utility myself one day... big_smile


Web Developer and Designer.
Currently studying for Bachelor of Computer Science degree ...

Offline

 



© 2003 - 2019 NullFX
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License