#1 20 Feb 2008 1:14 am
Chmodding uploaded files
I am using the Exponent CMS for one of my websites, and I have an upload module that works, except that I cannot access the files I upload.
I have read somewhere that uploaded files automatically get the CHMOD value of 600, but I need it to be 604, so it's readable by the flash player that is on the site.
Code:
if (!defined('EXPONENT')) exit('');

$resource = null;
$iloc = null;
if (isset($_POST['id'])) {
    $resource = $db->selectObject('resourceitem','id='.intval($_POST['id']));
    if ($resource) {
        $loc = unserialize($resource->location_data);
        $iloc = exponent_core_makeLocation($loc->mod,$loc->src,$resource->id);
    }
}

if (($resource == null && exponent_permissions_check('post',$loc)) ||
    ($resource != null && exponent_permissions_check('edit',$loc)) ||
    ($iloc != null && exponent_permissions_check('edit',$iloc))
) {
    $resource = resourceitem::update($_POST,$resource);
    $resource->location_data = serialize($loc);

    if (!isset($resource->id)) {
        $resource->rank = intval($_POST['rank']);
        $db->increment('resourceitem','rank',1,"location_data='".serialize($loc)."' AND rank >= ".$resource->rank);
    }

    if (!isset($resource->file_id)) {
        $directory = 'files/resourcesmodule/'.$loc->src;
        $file = file::update('file',$directory,null,time().'_'.$_FILES['file']['name']);
        if (is_object($file)) {
            $resource->file_id = $db->insertObject($file,'file');
            $id = $db->insertObject($resource,'resourceitem');
            // Assign new perms on loc
            $iloc = exponent_core_makeLocation($loc->mod,$loc->src,$id);
            exponent_permissions_grant($user,'edit',$iloc);
            exponent_permissions_grant($user,'delete',$iloc);
            exponent_permissions_grant($user,'administrate',$iloc);
            exponent_permissions_triggerSingleRefresh($user);

            if (!defined('SYS_WORKFLOW')) include_once(BASE.'subsystems/workflow.php');
            $resource->id = $id;
            $resource->poster = $user->id;
            $resource->posted = time();
            exponent_workflow_post($resource,'resourceitem',$loc);
            exponent_sessions_clearAllUsersSessionCache('resourcesmodule');
        } else {
            // If file::update() returns a non-object, it should be a string. That string is the error message.
            $post = $_POST;
            $post['_formError'] = $file;
            exponent_sessions_set('last_POST',$post);
            unset($_SESSION['resource_cache']);
            header('Location: ' . $_SERVER['HTTP_REFERER']);
        }
        chmod($loc, 0604);
    } else {
        $resource->editor = $user->id;
        $resource->edited = time();
        $db->updateObject($resource,'resourceitem');
        exponent_sessions_clearAllUsersSessionCache('resourcesmodule');
        exponent_flow_redirect();
    }
} else {
    echo SITE_403_HTML;
}
I don't know exactly how this code works, but I know that my attempt at inserting a chmod line in it did not work.
Any help would be extremely nice...
Last edited by azzlack (20 Feb 2008 1:36 am)
Web Developer and Designer.
Currently studying for Bachelor of Computer Science degree ...
Offline
#3 20 Feb 2008 9:27 am
Re: Chmodding uploaded files
It didn't work, so I guess there are some functions in Exponent overriding it, and putting 600 on everything.
I have also posted a similar request for help at the Exponent forums, and I will post back here if they have a solution.
Offline
#4 20 Feb 2008 11:20 am
Re: Chmodding uploaded files
Oops, I missed this earlier. $file is an object, not a file path: if(is_object($file)), so yeah... that wouldn't work. You need to inject that code just after the file is written to the file location (wherever that is).
Offline
#5 20 Feb 2008 2:23 pm
- winsr
- Extreme Member
- Registered: Mar 2007
- Posts: 90
Re: Chmodding uploaded files
Try:
chmod($file, 777);
This should give you full access to the file
Offline
#6 20 Feb 2008 2:42 pm
Re: Chmodding uploaded files
Yeah, that's what I thought too, except $file is an actual PHP object, not a string file path (and chmod doesn't know what to do with the file object, only a file path string).
He really only needs public read access (which would be 604) to the file. Giving world access to files is a potential security risk. Since Unix/Linux file systems allow execution of any file (if the permissions allow execution of the file), giving an image (or any other file type) execute privileges can be very dangerous, because anyone can upload a PHP script as some other file and craft code that executes the wolf-in-sheep's-clothing file (which is actually a script), and someone could own the web server.
Offline
#7 20 Feb 2008 2:46 pm
- winsr
- Extreme Member
- Registered: Mar 2007
- Posts: 90
Re: Chmodding uploaded files
Then it should be
chmod($loc, 777);
Don't use a 4-digit code, since it won't work, so maybe you can try
chmod($loc, 604);
Offline
#8 10 Mar 2008 3:21 am
Re: Chmodding uploaded files
I tried your solutions but they didn't work.
I contacted the developers of the CMS, and there is a function in another file that overrides any CHMOD lines we would place there, so that is why your solution didn't work. He told me how to fix it so now it works.
I'm sorry I didn't think of contacting the CMS developers earlier...
Thank you both for trying to help!
Anyway, now I at least know what to do if I'm gonna make a file upload utility myself one day...
Offline
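Added example, not part of the original thread and not Exponent CMS code: a sketch of the two points the replies turn on, that chmod() needs the stored file's path string and that the mode has to be written as an octal literal. set_public_read() is a hypothetical helper, and the temp file is constructed sample input standing in for the uploaded file.

```php
<?php
// Added example; set_public_read() is a hypothetical helper, not Exponent CMS code.

/**
 * Make one stored upload world-readable but never executable.
 * $path must be the file's path string (not a file object or location object).
 */
function set_public_read(string $path, int $mode = 0604): int
{
    if (is_link($path) || !is_file($path)) {
        throw new InvalidArgumentException("not a regular file: $path");
    }
    // Drop every execute bit so an uploaded script cannot be run directly.
    $mode &= ~0111;
    if (!chmod($path, $mode)) {
        throw new RuntimeException("chmod failed for $path");
    }
    clearstatcache(true, $path);          // fileperms() results are cached
    $actual = fileperms($path) & 07777;   // keep only the permission bits
    if ($actual !== $mode) {
        throw new RuntimeException(sprintf('mode is %04o, wanted %04o', $actual, $mode));
    }
    return $actual;
}

// Constructed sample: a temp file stands in for the stored upload.
$path = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($path, 'sample data');
printf("%s is now %04o\n", $path, set_public_read($path));

// What chmod() receives for each way of writing the mode in source code.
foreach (['0604' => 0604, '604' => 604, '777' => 777] as $literal => $value) {
    printf("literal %-4s -> mode bits %04o\n", $literal, $value);
}
unlink($path);
```

In an upload handler the call belongs right after the file has been written to its final location, using that destination path.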