<?php
//////////////////////////////////////////////////////////////
/// phpThumb() by James Heinrich <info@silisoftware.com>   //
//  available at http://phpthumb.sourceforge.net          ///
//////////////////////////////////////////////////////////////
///                                                         //
// See: phpthumb.changelog.txt for recent changes           //
// See: phpthumb.readme.txt for usage instructions          //
//                                                         ///
//////////////////////////////////////////////////////////////
//
// Front controller for phpThumb. Everything below runs as top-level
// statements, in order:
//   1. environment setup and inclusion of phpthumb.class.php / phpThumb.config.php
//   2. optional unpacking of PATH_INFO into $_GET
//   3. request-signature check (high_security_enabled)
//   4. md5s helper mode, config -> parameter copy, referer/hotlink checks,
//      optional MySQL source
//   5. $_GET whitelist, GD availability check, direct-passthrough decision
// Most failure paths call $phpThumb->ErrorImage() (defined in
// phpthumb.class.php, not shown here; presumably it emits an error image
// and ends the request) or die().

error_reporting(E_ALL);
// NOTE(review): display_errors=1 on a web-facing endpoint echoes notices
// and file paths into responses; prefer logging in production deployments.
ini_set('display_errors', '1');
if (!@ini_get('safe_mode')) {
	set_time_limit(60); // shouldn't take nearly this long in most cases, but with many filter and/or a slow server...
}
ini_set('magic_quotes_runtime', '0');
if (@ini_get('magic_quotes_runtime')) {
	die('"magic_quotes_runtime" is set in php.ini, cannot run phpThumb with this enabled');
}
// wall-clock start, used by DebugTimingMessage() below
$starttime = array_sum(explode(' ', microtime()));

// this script relies on the superglobal arrays, fake it here for old PHP versions
if (phpversion() < '4.1.0') {
	$_SERVER = $HTTP_SERVER_VARS;
	$_GET    = $HTTP_GET_VARS;
}

// instantiate a new phpThumb() object
// (output buffering swallows anything the include prints, unless it fails)
ob_start();
if (!include_once(dirname(__FILE__).'/phpthumb.class.php')) {
	ob_end_flush();
	die('failed to include_once("'.realpath(dirname(__FILE__).'/phpthumb.class.php').'")');
}
ob_end_clean();
$phpThumb = new phpThumb();
$phpThumb->DebugTimingMessage('phpThumb.php start', __FILE__, __LINE__, $starttime);

// phpThumbDebug[0] used to be here, but may reveal too much
// info when high_security_mode should be enabled (not set yet)

// Load the site configuration; it is expected to populate $PHPTHUMB_CONFIG
// (and optionally $PHPTHUMB_DEFAULTS) which are read further down.
if (file_exists(dirname(__FILE__).'/phpThumb.config.php')) {
	ob_start();
	if (include_once(dirname(__FILE__).'/phpThumb.config.php')) {
		// great
	} else {
		ob_end_flush();
		$phpThumb->ErrorImage('failed to include_once('.dirname(__FILE__).'/phpThumb.config.php) - realpath="'.realpath(dirname(__FILE__).'/phpThumb.config.php').'"');
	}
	ob_end_clean();
} elseif (file_exists(dirname(__FILE__).'/phpThumb.config.php.default')) {
	$phpThumb->ErrorImage('Please rename "phpThumb.config.php.default" to "phpThumb.config.php"');
} else {
	$phpThumb->ErrorImage('failed to include_once('.dirname(__FILE__).'/phpThumb.config.php) - realpath="'.realpath(dirname(__FILE__).'/phpThumb.config.php').'"');
}

// Optional "pretty URL" mode: ".../phpThumb.php/key=val;key2=val2;WxH;src"
// is unpacked into $_GET when the query string is empty (or only carries
// phpThumbDebug). Keys are copied from the URL as-is, so this can create
// arbitrary $_GET entries; the $allowedGETparameters whitelist further
// down is what flags anything unexpected.
if (!@$PHPTHUMB_CONFIG['disable_pathinfo_parsing'] && (empty($_GET) || isset($_GET['phpThumbDebug'])) && !empty($_SERVER['PATH_INFO'])) {
	$_SERVER['PHP_SELF'] = str_replace($_SERVER['PATH_INFO'], '', @$_SERVER['PHP_SELF']);

	$args = explode(';', substr($_SERVER['PATH_INFO'], 1));
	$phpThumb->DebugMessage('PATH_INFO.$args set to ('.implode(')(', $args).')', __FILE__, __LINE__);
	if (!empty($args)) {
		// last segment is the source (or "new=..." for a blank canvas)
		$_GET['src'] = @$args[count($args) - 1];
		if (eregi('^new\=([a-z0-9]+)', $_GET['src'], $matches)) {
			unset($_GET['src']);
			$_GET['new'] = $matches[1];
		}
	}
	// second-to-last segment is "WxH" (either side may be empty)
	if (eregi('^([0-9]*)x?([0-9]*)$', @$args[count($args) - 2], $matches)) {
		$_GET['w'] = $matches[1];
		$_GET['h'] = $matches[2];
		$phpThumb->DebugMessage('PATH_INFO."w"x"h" set to "'.$_GET['w'].'"x"'.$_GET['h'].'"', __FILE__, __LINE__);
	}
	// remaining segments are key=value pairs; "key[]=value" appends to an array
	for ($i = 0; $i < count($args) - 2; $i++) {
		@list($key, $value) = explode('=', @$args[$i]);
		if (substr($key, -2) == '[]') {
			$array_key_name = substr($key, 0, -2);
			$_GET[$array_key_name][] = $value;
			$phpThumb->DebugMessage('PATH_INFO."'.$array_key_name.'[]" = "'.$value.'"', __FILE__, __LINE__);
		} else {
			$_GET[$key] = $value;
			$phpThumb->DebugMessage('PATH_INFO."'.$key.'" = "'.$value.'"', __FILE__, __LINE__);
		}
	}
}

// Request signing: "hash" must equal md5(<query string without its own
// "&hash=..." part> . high_security_password). This is the only gate in
// front of the debug dumps and remote-src fetches below.
// NOTE(review): "!=" is a loose comparison — PHP compares two numeric-looking
// strings numerically — so "!==" (or hash_equals() on PHP >= 5.6) is the
// safer check. The str_replace() also only removes "&hash=..." when hash is
// not the first query parameter; parsing the query string rather than
// string-replacing would make this robust. A keyed construction such as
// hash_hmac() would be preferable to md5(query . password).
if (@$PHPTHUMB_CONFIG['high_security_enabled']) {
	if (!@$_GET['hash']) {
		$phpThumb->ErrorImage('ERROR: missing hash');
	} elseif (strlen($PHPTHUMB_CONFIG['high_security_password']) < 5) {
		$phpThumb->ErrorImage('ERROR: strlen($PHPTHUMB_CONFIG[high_security_password]) < 5');
	} elseif ($_GET['hash'] != md5(str_replace('&hash='.$_GET['hash'], '', $_SERVER['QUERY_STRING']).$PHPTHUMB_CONFIG['high_security_password'])) {
		$phpThumb->ErrorImage('ERROR: invalid hash');
	}
}

////////////////////////////////////////////////////////////////
// Debug output, to try and help me diagnose problems
// Any client that can send phpThumbDebug=N reaches these dumps unless the
// hash check above is enforced — keep high_security_enabled on in production.
$phpThumb->DebugTimingMessage('phpThumbDebug[0]', __FILE__, __LINE__);
if (@$_GET['phpThumbDebug'] == '0') {
	$phpThumb->phpThumbDebug();
}
////////////////////////////////////////////////////////////////

// returned the fixed string if the evil "magic_quotes_gpc" setting is on
if (get_magic_quotes_gpc()) {
	$RequestVarsToStripSlashes = array('src', 'wmf', 'file', 'err', 'goto', 'down');
	foreach ($RequestVarsToStripSlashes as $dummy => $key) {
		if (isset($_GET[$key])) {
			$_GET[$key] = stripslashes($_GET[$key]);
		}
	}
}

if (!@$_SERVER['PATH_INFO'] && !@$_SERVER['QUERY_STRING']) {
	$phpThumb->ErrorImage('phpThumb() v'.$phpThumb->phpthumb_version.'<br><a href="http://phpthumb.sourceforge.net">http://phpthumb.sourceforge.net</a><br><br>ERROR: no parameters specified');
}

// Helper mode: "?src=...&md5s=" (empty md5s) answers with the text
// "&md5s=<checksum of the source>" instead of an image.
// NOTE(review): this runs before the allow_local_http_src and hotlink checks
// below, so a remote src is fetched here on the strength of the hash check
// alone; $md5s is also left undefined when SafeURLread() fails.
if (@$_GET['src'] && isset($_GET['md5s']) && empty($_GET['md5s'])) {
	if (eregi('^(f|ht)tps?://', $_GET['src'])) {
		if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error)) {
			$md5s = md5($rawImageData);
		}
	} else {
		$SourceFilename = $phpThumb->ResolveFilenameToAbsolute($_GET['src']);
		if (is_readable($SourceFilename)) {
			$md5s = phpthumb_functions::md5_file_safe($SourceFilename);
		} else {
			$phpThumb->ErrorImage('ERROR: "'.$SourceFilename.'" cannot be read');
		}
	}
	if (@$_SERVER['HTTP_REFERER']) {
		$phpThumb->ErrorImage('&md5s='.$md5s);
	} else {
		die('&md5s='.$md5s);
	}
}

// Copy every config entry onto the object as "config_<key>"; keys containing
// "password" are kept out of the debug log.
if (!empty($PHPTHUMB_CONFIG)) {
	foreach ($PHPTHUMB_CONFIG as $key => $value) {
		$keyname = 'config_'.$key;
		$phpThumb->setParameter($keyname, $value);
		if (!eregi('password', $key)) {
			$phpThumb->DebugMessage('setParameter('.$keyname.', '.$phpThumb->phpThumbDebugVarDump($value).')', __FILE__, __LINE__);
		}
	}
} else {
	$phpThumb->DebugMessage('$PHPTHUMB_CONFIG is empty', __FILE__, __LINE__);
}

// Refuse "src=http://<this host>/..." unless explicitly allowed.
// NOTE(review): $_SERVER['HTTP_HOST'] is client-supplied and is spliced
// into the pattern unescaped, so regex metacharacters in the Host header
// change what is matched; quote it (preg_quote() once this moves to
// preg_match()) so the comparison is literal.
if (@$_GET['src'] && !@$PHPTHUMB_CONFIG['allow_local_http_src'] && eregi('^http://'.@$_SERVER['HTTP_HOST'].'(.+)', @$_GET['src'], $matches)) {
	$phpThumb->ErrorImage('It is MUCH better to specify the "src" parameter as "'.$matches[1].'" instead of "'.$matches[0].'".'."\n\n".'If you really must do it this way, enable "allow_local_http_src" in phpThumb.config.php');
}

////////////////////////////////////////////////////////////////
// Debug output, to try and help me diagnose problems
$phpThumb->DebugTimingMessage('phpThumbDebug[1]', __FILE__, __LINE__);
if (@$_GET['phpThumbDebug'] == '1') {
	$phpThumb->phpThumbDebug();
}
////////////////////////////////////////////////////////////////

// Referer-based hotlink checks. HTTP_REFERER is client-supplied and often
// absent, so these are a deterrent against casual embedding, not access control.
$parsed_url_referer = parse_url(@$_SERVER['HTTP_REFERER']);
if ($phpThumb->config_nooffsitelink_require_refer && !in_array(@$parsed_url_referer['host'], $phpThumb->config_nohotlink_valid_domains)) {
	$phpThumb->ErrorImage('config_nooffsitelink_require_refer enabled and '.(@$parsed_url_referer['host'] ? '"'.$parsed_url_referer['host'].'" is not an allowed referer' : 'no HTTP_REFERER exists'));
}
// Remote sources are only allowed from the configured domain list.
$parsed_url_src = parse_url(@$_GET['src']);
if ($phpThumb->config_nohotlink_enabled && $phpThumb->config_nohotlink_erase_image && eregi('^(f|ht)tps?://', @$_GET['src']) && !in_array(@$parsed_url_src['host'], $phpThumb->config_nohotlink_valid_domains)) {
	$phpThumb->ErrorImage($phpThumb->config_nohotlink_text_message);
}

// Optional database source: the first column of the first row returned by
// config_mysql_query becomes the raw image data.
// NOTE(review): the two error branches call mysql_error($cid) after
// mysql_close($cid), so the reported message is likely empty — read the
// error before closing. If config_mysql_query embeds request values (the
// unset($_GET['id']) below suggests it may), it has to be escaped in the
// config; that is not verifiable from this file.
if ($phpThumb->config_mysql_query) {
	if ($cid = @mysql_connect($phpThumb->config_mysql_hostname, $phpThumb->config_mysql_username, $phpThumb->config_mysql_password)) {
		if (@mysql_select_db($phpThumb->config_mysql_database, $cid)) {
			if ($result = @mysql_query($phpThumb->config_mysql_query, $cid)) {
				if ($row = @mysql_fetch_array($result)) {

					mysql_free_result($result);
					mysql_close($cid);
					$phpThumb->setSourceData($row[0]);
					unset($row);

				} else {
					mysql_free_result($result);
					mysql_close($cid);
					$phpThumb->ErrorImage('no matching data in database.');
				}
			} else {
				mysql_close($cid);
				$phpThumb->ErrorImage('Error in MySQL query: "'.mysql_error($cid).'"');
			}
		} else {
			mysql_close($cid);
			$phpThumb->ErrorImage('cannot select MySQL database: "'.mysql_error($cid).'"');
		}
	} else {
		$phpThumb->ErrorImage('cannot connect to MySQL server');
	}
	unset($_GET['id']);
}

////////////////////////////////////////////////////////////////
// Debug output, to try and help me diagnose problems
$phpThumb->DebugTimingMessage('phpThumbDebug[2]', __FILE__, __LINE__);
if (@$_GET['phpThumbDebug'] == '2') {
	$phpThumb->phpThumbDebug();
}
////////////////////////////////////////////////////////////////

// A wildcard cache suffix means only the configured defaults may shape the
// output, so every $_GET parameter except "src" is ignored below.
if (@$PHPTHUMB_CONFIG['cache_default_only_suffix'] && (strpos($PHPTHUMB_CONFIG['cache_default_only_suffix'], '*') !== false)) {
	$PHPTHUMB_DEFAULTS_DISABLEGETPARAMS = true;
}
// Input whitelist: every $_GET key must be on this list or the request is
// rejected with "Forbidden parameter". Keep it in sync with
// $RequestVarsToStripSlashes above ('wmf' is stripped there but is not
// accepted here).
$allowedGETparameters = array('src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs', 'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'bgt', 'fltr', 'file', 'goto', 'err', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down', 'phpThumbDebug', 'hash', 'md5s');
// Config-supplied defaults fill in (or, with GETSTRINGOVERRIDE, override)
// request parameters before the whitelist pass.
if (!empty($PHPTHUMB_DEFAULTS) && is_array($PHPTHUMB_DEFAULTS)) {
	$phpThumb->DebugMessage('setting $PHPTHUMB_DEFAULTS['.implode(';', array_keys($PHPTHUMB_DEFAULTS)).']', __FILE__, __LINE__);
	foreach ($PHPTHUMB_DEFAULTS as $key => $value) {
		if ($PHPTHUMB_DEFAULTS_GETSTRINGOVERRIDE || !isset($_GET[$key])) {
			$_GET[$key] = $value;
			$phpThumb->DebugMessage('PHPTHUMB_DEFAULTS assigning ('.$value.') to $_GET['.$key.']', __FILE__, __LINE__);
			//$phpThumb->DebugMessage('PHPTHUMB_DEFAULTS.setParameter('.$key.', '.$phpThumb->phpThumbDebugVarDump($value).')', __FILE__, __LINE__);
			//$phpThumb->setParameter($key, $value);
		}
	}
}
foreach ($_GET as $key => $value) {
	if (@$PHPTHUMB_DEFAULTS_DISABLEGETPARAMS && ($key != 'src')) {
		// disabled, do not set parameter
		$phpThumb->DebugMessage('ignoring $_GET['.$key.'] because of $PHPTHUMB_DEFAULTS_DISABLEGETPARAMS', __FILE__, __LINE__);
	} elseif (in_array($key, $allowedGETparameters)) {
		$phpThumb->DebugMessage('setParameter('.$key.', '.$phpThumb->phpThumbDebugVarDump($value).')', __FILE__, __LINE__);
		$phpThumb->setParameter($key, $value);
	} else {
		$phpThumb->ErrorImage('Forbidden parameter: '.$key);
	}
}

////////////////////////////////////////////////////////////////
// Debug output, to try and help me diagnose problems
$phpThumb->DebugTimingMessage('phpThumbDebug[3]', __FILE__, __LINE__);
if (@$_GET['phpThumbDebug'] == '3') {
	$phpThumb->phpThumbDebug();
}
////////////////////////////////////////////////////////////////

// Without GD nothing can be resized; emit a fixed "no GD" GIF (or plain
// text if headers are already out) and stop.
//if (!@$_GET['phpThumbDebug'] && !$phpThumb->sourceFilename && !function_exists('ImageJPEG') && !function_exists('ImagePNG') && !function_exists('ImageGIF')) {
if (!@$_GET['phpThumbDebug'] && !is_file($phpThumb->sourceFilename) && !phpthumb_functions::gd_version()) {
	if (!headers_sent()) {
		// base64-encoded error image in GIF format
		$ERROR_NOGD = 'R0lGODlhIAAgALMAAAAAABQUFCQkJDY2NkZGRldXV2ZmZnJycoaGhpSUlKWlpbe3t8XFxdXV1eTk5P7+/iwAAAAAIAAgAAAE/vDJSau9WILtTAACUinDNijZtAHfCojS4W5H+qxD8xibIDE9h0OwWaRWDIljJSkUJYsN4bihMB8th3IToAKs1VtYM75cyV8sZ8vygtOE5yMKmGbO4jRdICQCjHdlZzwzNW4qZSQmKDaNjhUMBX4BBAlmMywFSRWEmAI6b5gAlhNxokGhooAIK5o/pi9vEw4Lfj4OLTAUpj6IabMtCwlSFw0DCKBoFqwAB04AjI54PyZ+yY3TD0ss2YcVmN/gvpcu4TOyFivWqYJlbAHPpOntvxNAACcmGHjZzAZqzSzcq5fNjxFmAFw9iFRunD1epU6tsIPmFCAJnWYE0FURk7wJDA0MTKpEzoWAAskiAAA7';
		header('Content-Type: image/gif');
		echo base64_decode($ERROR_NOGD);
	} else {
		echo '*** ERROR: No PHP-GD support available ***';
	}
	exit;
}

// check to see if file can be output from source with no processing or caching
// Passthrough is only considered for a readable local file (never a remote
// URL) and only when no parameter other than src/w/h/phpThumbDebug is set.
$CanPassThroughDirectly = true;
if ($phpThumb->rawImageData) {
	// data from SQL, should be fine
} elseif (eregi('^(f|ht)tp\://', $phpThumb->src)) {
	$phpThumb->DebugMessage('$CanPassThroughDirectly=false because eregi("^(f|ht)tp\://", '.$phpThumb->src.')', __FILE__, __LINE__);
	$CanPassThroughDirectly = false;
} elseif (!@is_file($phpThumb->sourceFilename)) {
	$phpThumb->DebugMessage('$CanPassThroughDirectly=false because !@is_file('.$phpThumb->sourceFilename.')', __FILE__, __LINE__);
	$CanPassThroughDirectly = false;
} elseif (!@is_readable($phpThumb->sourceFilename)) {
	$phpThumb->DebugMessage('$CanPassThroughDirectly=false because !@is_readable('.$phpThumb->sourceFilename.')', __FILE__, __LINE__);
	$CanPassThroughDirectly = false;
}
foreach ($_GET as $key => $value) {
	switch ($key) {
		case 'src':
			// allowed
			break;

		case 'w':
		case 'h':
			// might be OK if exactly matches original
			break;

		case 'phpThumbDebug':
			// handled in direct-passthru code
			break;

		default:
			// all other parameters will cause some processing,
			// therefore cannot pass through original image unmodified
			$CanPassThroughDirectly = false;
			$UnAllowedGET[] = $key;
			break;
	}
}
if (!empty($UnAllowedGET)) {
	$phpThumb->DebugMessage('$CanPassThroughDirectly=false because $_GET['.implode(';', array_unique($UnAllowedGET)).'] are set', __FILE__, __LINE__);
}

////////////////////////////////////////////////////////////////
// Debug output, to try and help me diagnose problems
$phpThumb->DebugTimingMessage('phpThumbDebug[4]', __FILE__, __LINE__);
if (@$_GET['phpThumbDebug'] == '4') {
	$phpThumb->phpThumbDebug();
}
////////////////////////////////////////////////////////////////

/**
 * Sends the Content-Disposition header for the outgoing image.
 *
 * With ?down=<name>, <name> is sent as an "attachment" filename after the
 * characters / \ : * ? " < > | are replaced by "_" and leading/trailing
 * dots are trimmed (PHP >= 4.1.0); otherwise "inline" is sent.
 * Uses the global $phpThumb only for debug logging.
 *
 * @return bool false if headers were already sent (nothing emitted), true otherwise
 *
 * NOTE(review): the character class strips quotes and path separators but
 * not control characters; header() itself rejects CR/LF on PHP >= 5.1.2 —
 * confirm for the deployed version. A sanitised name of "0" is falsy and
 * silently falls back to "inline".
 */
function SendSaveAsFileHeaderIfNeeded() {
	if (headers_sent()) {
		return false;
	}
	global $phpThumb;
	if (@$_GET['down']) {
		$downloadfilename = ereg_replace('[/\\:\*\?"<>|]', '_', $_GET['down']);
		if (phpthumb_functions::version_compare_replacement(phpversion(), '4.1.0', '>=')) {
			$downloadfilename = trim($downloadfilename, '.');
		}
		if (@$downloadfilename) {
			$phpThumb->DebugMessage('SendSaveAsFileHeaderIfNeeded() sending header: Content-Disposition: attachment; filename="'.$downloadfilename.'"', __FILE__, __LINE__);
			header('Content-Disposition: attachment; filename="'.$downloadfilename.'"');
			return true;
		}
	}
	$phpThumb->DebugMessage('SendSaveAsFileHeaderIfNeeded() sending header: Content-Disposition: inline', __FILE__, __LINE__);
	header('Content-Disposition: inline');
	return true;
}

$phpThumb->DebugMessage('$CanPassThroughDirectly="'.intval($CanPassThroughDirectly).'" && $phpThumb->src="'.$phpThumb->src.'"', __FILE__, __LINE__);
while ($CanPassThroughDirectly && $phpThumb->src) {
	// no parameters set, passthru
	$SourceFilename = $phpThumb->ResolveFilenameToAbsolute($phpThumb->src);

	// security and size checks
	if
($phpThumb->getimagesizeinfo = @GetImageSize($SourceFilename)) { 335 $phpThumb->DebugMessage('Direct passthru GetImageSize() returned [w='.$phpThumb->getimagesizeinfo[0].';h='.$phpThumb->getimagesizeinfo[1].';t='.$phpThumb->getimagesizeinfo[2].']', __FILE__, __LINE__); 336 337 if (!@$_GET['w'] && !@$_GET['wp'] && !@$_GET['wl'] && !@$_GET['ws'] && !@$_GET['h'] && !@$_GET['hp'] && !@$_GET['hl'] && !@$_GET['hs']) { 338 // no resizing needed 339 $phpThumb->DebugMessage('Passing "'.$SourceFilename.'" through directly, no resizing required ("'.$phpThumb->getimagesizeinfo[0].'"x"'.$phpThumb->getimagesizeinfo[1].'")', __FILE__, __LINE__); 340 } elseif (($phpThumb->getimagesizeinfo[0] <= @$_GET['w']) && ($phpThumb->getimagesizeinfo[1] <= @