bludit/bl-kernel/ajax/upload-profile-picture.php

60 lines
1.8 KiB
PHP
Raw Normal View History

2018-07-30 23:43:12 +02:00
<?php defined('BLUDIT') or die('Bludit CMS.');
header('Content-Type: application/json');
2018-10-29 18:21:42 +01:00
// $_POST
// ----------------------------------------------------------------------------
// (string) $_POST['username']
$username = empty($_POST['username']) ? false : $_POST['username'];
// ----------------------------------------------------------------------------
if ($username===false) {
2019-01-31 20:07:59 +01:00
ajaxResponse(1, 'Error in username.');
2018-10-29 18:21:42 +01:00
}
2018-07-30 23:43:12 +02:00
if (!isset($_FILES['profilePictureInputFile'])) {
2019-01-31 20:07:59 +01:00
ajaxResponse(1, 'Error trying to upload the profile picture.');
2018-07-30 23:43:12 +02:00
}
// File extension
2019-03-10 18:27:24 +01:00
$allowedExtensions = array('gif', 'png', 'jpg', 'jpeg', 'svg');
$fileExtension = pathinfo($_FILES['profilePictureInputFile']['name'], PATHINFO_EXTENSION);
if (!in_array($fileExtension, $allowedExtensions) ) {
$message = 'File type is not supported. Allowed types: '.implode(', ',$allowedExtensions);
Log::set($message, LOG_TYPE_ERROR);
ajaxResponse(1, $message);
}
2018-07-30 23:43:12 +02:00
// Tmp filename
$tmpFilename = $username.'.'.$fileExtension;
2019-03-10 18:27:24 +01:00
2018-07-30 23:43:12 +02:00
// Final filename
$filename = $username.'.png';
2019-03-10 18:27:24 +01:00
// Check path traversal
2019-03-10 18:28:29 +01:00
if (Text::stringContains($username, DS, false)) {
2019-03-10 18:27:24 +01:00
$message = 'Path traversal detected.';
Log::set($message, LOG_TYPE_ERROR);
ajaxResponse(1, $message);
}
2018-07-30 23:43:12 +02:00
// Move from temporary directory to uploads folder
rename($_FILES['profilePictureInputFile']['tmp_name'], PATH_TMP.$tmpFilename);
// Resize and convert to png
$image = new Image();
$image->setImage(PATH_TMP.$tmpFilename, PROFILE_IMG_WIDTH, PROFILE_IMG_HEIGHT, 'crop');
$image->saveImage(PATH_UPLOADS_PROFILES.$filename, PROFILE_IMG_QUALITY, false, true);
// Remove the tmp file
unlink(PATH_TMP.$tmpFilename);
// Permissions
chmod(PATH_UPLOADS_PROFILES.$filename, 0644);
2019-01-31 20:07:59 +01:00
ajaxResponse(0, 'Image uploaded.', array(
2018-07-30 23:43:12 +02:00
'filename'=>$filename,
'absoluteURL'=>DOMAIN_UPLOADS_PROFILES.$filename,
'absolutePath'=>PATH_UPLOADS_PROFILES.$filename
2019-01-31 20:07:59 +01:00
));
2018-07-30 23:43:12 +02:00
?>