Ticket #19552: file.php

<?php
/**
 * File handling API
 *
 * @package WordPress
 */

/**
 * Recursive directory creation based on full path.
 *
 * Will attempt to set permissions on folders.
 *
 * @since 2.0.1
 *
 * @param string $target Full path to attempt to create.
 * @return bool Whether the path was created. True if path already exists.
 */
function wp_mkdir_p( $target ) {
        // from php.net/mkdir user contributed notes
        $target = str_replace( '//', '/', $target );

        // safe mode fails with a trailing slash under certain PHP versions.
        $target = rtrim($target, '/'); // Use rtrim() instead of untrailingslashit to avoid formatting.php dependency.
        if ( empty($target) )
                $target = '/';

        if ( file_exists( $target ) )
                return @is_dir( $target );

        // Attempting to create the directory may clutter up our display.
        if ( @mkdir( $target ) ) {
                $stat = @stat( dirname( $target ) );
                $dir_perms = $stat['mode'] & 0007777;  // Get the permission bits.
                @chmod( $target, $dir_perms );
                return true;
        } elseif ( is_dir( dirname( $target ) ) ) {
                        return false;
        }

        // If the above failed, attempt to create the parent node, then try again.
        if ( ( $target != '/' ) && ( wp_mkdir_p( dirname( $target ) ) ) )
                return wp_mkdir_p( $target );

        return false;
}

/**
 * Test if a give filesystem path is absolute ('/foo/bar', 'c:\windows').
 *
 * @since 2.5.0
 *
 * @param string $path File path
 * @return bool True if path is absolute, false is not absolute.
 */
function path_is_absolute( $path ) {
        // this is definitive if true but fails if $path does not exist or contains a symbolic link
        if ( realpath($path) == $path )
                return true;

        if ( strlen($path) == 0 || $path[0] == '.' )
                return false;

        // windows allows absolute paths like this
        if ( preg_match('#^[a-zA-Z]:\\\\#', $path) )
                return true;

        // a path starting with / or \ is absolute; anything else is relative
        return ( $path[0] == '/' || $path[0] == '\\' );
}

/**
 * Join two filesystem paths together (e.g. 'give me $path relative to $base').
 *
 * If the $path is absolute, then it the full path is returned.
 *
 * @since 2.5.0
 *
 * @param string $base
 * @param string $path
 * @return string The path with the base or absolute path.
 */
function path_join( $base, $path ) {
        if ( path_is_absolute($path) )
                return $path;

        return rtrim($base, '/') . '/' . ltrim($path, '/');
}

/**
 * Determines a writable directory for temporary files.
 * Function's preference is to WP_CONTENT_DIR followed by the return value of <code>sys_get_temp_dir()</code>, before finally defaulting to /tmp/
 *
 * In the event that this function does not find a writable location, It may be overridden by the <code>WP_TEMP_DIR</code> constant in your <code>wp-config.php</code> file.
 *
 * @since 2.5.0
 *
 * @return string Writable temporary directory
 */
function get_temp_dir() {
        static $temp;
        if ( defined('WP_TEMP_DIR') )
                return trailingslashit(WP_TEMP_DIR);

        if ( $temp )
                return trailingslashit($temp);

        $temp = WP_CONTENT_DIR . '/';
        if ( is_dir($temp) && @is_writable($temp) )
                return $temp;

        if  ( function_exists('sys_get_temp_dir') ) {
                $temp = sys_get_temp_dir();
                if ( @is_writable($temp) )
                        return trailingslashit($temp);
        }

        $temp = ini_get('upload_tmp_dir');
        if ( is_dir($temp) && @is_writable($temp) )
                return trailingslashit($temp);

        $temp = '/tmp/';
        return $temp;
}

/**
 * Get an array containing the current upload directory's path and url.
 *
 * Checks the 'upload_path' option, which should be from the web root folder,
 * and if it isn't empty it will be used. If it is empty, then the path will be
 * 'WP_CONTENT_DIR/uploads'. If the 'UPLOADS' constant is defined, then it will
 * override the 'upload_path' option and 'WP_CONTENT_DIR/uploads' path.
 *
 * The upload URL path is set either by the 'upload_url_path' option or by using
 * the 'WP_CONTENT_URL' constant and appending '/uploads' to the path.
 *
 * If the 'uploads_use_yearmonth_folders' is set to true (checkbox if checked in
 * the administration settings panel), then the time will be used. The format
 * will be year first and then month.
 *
 * If the path couldn't be created, then an error will be returned with the key
 * 'error' containing the error message. The error suggests that the parent
 * directory is not writable by the server.
 *
 * On success, the returned array will have many indices:
 * 'path' - base directory and sub directory or full path to upload directory.
 * 'url' - base url and sub directory or absolute URL to upload directory.
 * 'subdir' - sub directory if uploads use year/month folders option is on.
 * 'basedir' - path without subdir.
 * 'baseurl' - URL path without subdir.
 * 'error' - set to false.
 *
 * @since 2.0.0
 * @uses apply_filters() Calls 'upload_dir' on returned array.
 *
 * @param string $time Optional. Time formatted in 'yyyy/mm'.
 * @return array See above for description.
 */
function wp_upload_dir( $time = null ) {
        global $switched;
        $siteurl = get_option( 'siteurl' );
        $upload_path = get_option( 'upload_path' );
        $upload_path = trim($upload_path);
        $main_override = is_multisite() && defined( 'MULTISITE' ) && is_main_site();
        if ( empty($upload_path) ) {
                $dir = WP_CONTENT_DIR . '/uploads';
        } else {
                $dir = $upload_path;
                if ( 'wp-content/uploads' == $upload_path ) {
                        $dir = WP_CONTENT_DIR . '/uploads';
                } elseif ( 0 !== strpos($dir, ABSPATH) ) {
                        // $dir is absolute, $upload_path is (maybe) relative to ABSPATH
                        $dir = path_join( ABSPATH, $dir );
                }
        }

        if ( !$url = get_option( 'upload_url_path' ) ) {
                if ( empty($upload_path) || ( 'wp-content/uploads' == $upload_path ) || ( $upload_path == $dir ) )
                        $url = WP_CONTENT_URL . '/uploads';
                else
                        $url = trailingslashit( $siteurl ) . $upload_path;
        }

        if ( defined('UPLOADS') && !$main_override && ( !isset( $switched ) || $switched === false ) ) {
                $dir = ABSPATH . UPLOADS;
                $url = trailingslashit( $siteurl ) . UPLOADS;
        }

        if ( is_multisite() && !$main_override && ( !isset( $switched ) || $switched === false ) ) {
                if ( defined( 'BLOGUPLOADDIR' ) )
                        $dir = untrailingslashit(BLOGUPLOADDIR);
                $url = str_replace( UPLOADS, 'files', $url );
        }

        $bdir = $dir;
        $burl = $url;

        $subdir = '';
        if ( get_option( 'uploads_use_yearmonth_folders' ) ) {
                // Generate the yearly and monthly dirs
                if ( !$time )
                        $time = current_time( 'mysql' );
                $y = substr( $time, 0, 4 );
                $m = substr( $time, 5, 2 );
                $subdir = "/$y/$m";
        }

        $dir .= $subdir;
        $url .= $subdir;

        $uploads = apply_filters( 'upload_dir', array( 'path' => $dir, 'url' => $url, 'subdir' => $subdir, 'basedir' => $bdir, 'baseurl' => $burl, 'error' => false ) );

        // Make sure we have an uploads dir
        if ( ! wp_mkdir_p( $uploads['path'] ) ) {
                $message = sprintf( __( 'Unable to create directory %s. Is its parent directory writable by the server?' ), $uploads['path'] );
                return array( 'error' => $message );
        }

        return $uploads;
}

/**
 * Get a filename that is sanitized and unique for the given directory.
 *
 * If the filename is not unique, then a number will be added to the filename
 * before the extension, and will continue adding numbers until the filename is
 * unique.
 *
 * The callback is passed three parameters, the first one is the directory, the
 * second is the filename, and the third is the extension.
 *
 * @since 2.5.0
 *
 * @param string $dir
 * @param string $filename
 * @param mixed $unique_filename_callback Callback.
 * @return string New filename, if given wasn't unique.
 */
function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {
        // sanitize the file name before we begin processing
        $filename = sanitize_file_name($filename);

        // separate the filename into a name and extension
        $info = pathinfo($filename);
        $ext = !empty($info['extension']) ? '.' . $info['extension'] : '';
        $name = basename($filename, $ext);

        // edge case: if file is named '.ext', treat as an empty name
        if ( $name === $ext )
                $name = '';

        // Increment the file number until we have a unique file to save in $dir. Use callback if supplied.
        if ( $unique_filename_callback && is_callable( $unique_filename_callback ) ) {
                $filename = call_user_func( $unique_filename_callback, $dir, $name, $ext );
        } else {
                $number = '';

                // change '.ext' to lower case
                if ( $ext && strtolower($ext) != $ext ) {
                        $ext2 = strtolower($ext);
                        $filename2 = preg_replace( '|' . preg_quote($ext) . '$|', $ext2, $filename );

                        // check for both lower and upper case extension or image sub-sizes may be overwritten
                        while ( file_exists($dir . "/$filename") || file_exists($dir . "/$filename2") ) {
                                $new_number = $number + 1;
                                $filename = str_replace( "$number$ext", "$new_number$ext", $filename );
                                $filename2 = str_replace( "$number$ext2", "$new_number$ext2", $filename2 );
                                $number = $new_number;
                        }
                        return $filename2;
                }

                while ( file_exists( $dir . "/$filename" ) ) {
                        if ( '' == "$number$ext" )
                                $filename = $filename . ++$number . $ext;
                        else
                                $filename = str_replace( "$number$ext", ++$number . $ext, $filename );
                }
        }

        return $filename;
}

/**
 * Create a file in the upload folder with given content.
 *
 * If there is an error, then the key 'error' will exist with the error message.
 * If success, then the key 'file' will have the unique file path, the 'url' key
 * will have the link to the new file. and the 'error' key will be set to false.
 *
 * This function will not move an uploaded file to the upload folder. It will
 * create a new file with the content in $bits parameter. If you move the upload
 * file, read the content of the uploaded file, and then you can give the
 * filename and content to this function, which will add it to the upload
 * folder.
 *
 * The permissions will be set on the new file automatically by this function.
 *
 * @since 2.0.0
 *
 * @param string $name
 * @param null $deprecated Never used. Set to null.
 * @param mixed $bits File content
 * @param string $time Optional. Time formatted in 'yyyy/mm'.
 * @return array
 */
function wp_upload_bits( $name, $deprecated, $bits, $time = null ) {
        if ( !empty( $deprecated ) )
                _deprecated_argument( __FUNCTION__, '2.0' );

        if ( empty( $name ) )
                return array( 'error' => __( 'Empty filename' ) );

        $wp_filetype = wp_check_filetype( $name );
        if ( !$wp_filetype['ext'] )
                return array( 'error' => __( 'Invalid file type' ) );

        $upload = wp_upload_dir( $time );

        if ( $upload['error'] !== false )
                return $upload;

        $upload_bits_error = apply_filters( 'wp_upload_bits', array( 'name' => $name, 'bits' => $bits, 'time' => $time ) );
        if ( !is_array( $upload_bits_error ) ) {
                $upload[ 'error' ] = $upload_bits_error;
                return $upload;
        }

        $filename = wp_unique_filename( $upload['path'], $name );

        $new_file = $upload['path'] . "/$filename";
        if ( ! wp_mkdir_p( dirname( $new_file ) ) ) {
                $message = sprintf( __( 'Unable to create directory %s. Is its parent directory writable by the server?' ), dirname( $new_file ) );
                return array( 'error' => $message );
        }

        $ifp = @ fopen( $new_file, 'wb' );
        if ( ! $ifp )
                return array( 'error' => sprintf( __( 'Could not write file %s' ), $new_file ) );

        @fwrite( $ifp, $bits );
        fclose( $ifp );
        clearstatcache();

        // Set correct file permissions
        $stat = @ stat( dirname( $new_file ) );
        $perms = $stat['mode'] & 0007777;
        $perms = $perms & 0000666;
        @ chmod( $new_file, $perms );
        clearstatcache();

        // Compute the URL
        $url = $upload['url'] . "/$filename";

        return array( 'file' => $new_file, 'url' => $url, 'error' => false );
}

/**
 * Retrieve the file type based on the extension name.
 *
 * @package WordPress
 * @since 2.5.0
 * @uses apply_filters() Calls 'ext2type' hook on default supported types.
 *
 * @param string $ext The extension to search.
 * @return string|null The file type, example: audio, video, document, spreadsheet, etc. Null if not found.
 */
function wp_ext2type( $ext ) {
        $ext2type = apply_filters( 'ext2type', array(
                'audio'       => array( 'aac', 'ac3',  'aif',  'aiff', 'm3a',  'm4a',   'm4b', 'mka', 'mp1', 'mp2',  'mp3', 'ogg', 'oga', 'ram', 'wav', 'wma' ),
                'video'       => array( 'asf', 'avi',  'divx', 'dv',   'flv',  'm4v',   'mkv', 'mov', 'mp4', 'mpeg', 'mpg', 'mpv', 'ogm', 'ogv', 'qt',  'rm', 'vob', 'wmv' ),
                'document'    => array( 'doc', 'docx', 'docm', 'dotm', 'odt',  'pages', 'pdf', 'rtf', 'wp',  'wpd' ),
                'spreadsheet' => array( 'numbers',     'ods',  'xls',  'xlsx', 'xlsb',  'xlsm' ),
                'interactive' => array( 'key', 'ppt',  'pptx', 'pptm', 'odp',  'swf' ),
                'text'        => array( 'asc', 'csv',  'tsv',  'txt' ),
                'archive'     => array( 'bz2', 'cab',  'dmg',  'gz',   'rar',  'sea',   'sit', 'sqx', 'tar', 'tgz',  'zip', '7z' ),
                'code'        => array( 'css', 'htm',  'html', 'php',  'js' ),
        ));
        foreach ( $ext2type as $type => $exts )
                if ( in_array( $ext, $exts ) )
                        return $type;
}

/**
 * Retrieve the file type from the file name.
 *
 * You can optionally define the mime array, if needed.
 *
 * @since 2.0.4
 *
 * @param string $filename File name or path.
 * @param array $mimes Optional. Key is the file extension with value as the mime type.
 * @return array Values with extension first and mime type.
 */
function wp_check_filetype( $filename, $mimes = null ) {
        if ( empty($mimes) )
                $mimes = get_allowed_mime_types();
        $type = false;
        $ext = false;

        foreach ( $mimes as $ext_preg => $mime_match ) {
                $ext_preg = '!\.(' . $ext_preg . ')$!i';
                if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
                        $type = $mime_match;
                        $ext = $ext_matches[1];
                        break;
                }
        }

        return compact( 'ext', 'type' );
}

/**
 * Attempt to determine the real file type of a file.
 * If unable to, the file name extension will be used to determine type.
 *
 * If it's determined that the extension does not match the file's real type,
 * then the "proper_filename" value will be set with a proper filename and extension.
 *
 * Currently this function only supports validating images known to getimagesize().
 *
 * @since 3.0.0
 *
 * @param string $file Full path to the image.
 * @param string $filename The filename of the image (may differ from $file due to $file being in a tmp directory)
 * @param array $mimes Optional. Key is the file extension with value as the mime type.
 * @return array Values for the extension, MIME, and either a corrected filename or false if original $filename is valid
 */
function wp_check_filetype_and_ext( $file, $filename, $mimes = null ) {

        $proper_filename = false;

        // Do basic extension validation and MIME mapping
        $wp_filetype = wp_check_filetype( $filename, $mimes );
        extract( $wp_filetype );

        // We can't do any further validation without a file to work with
        if ( ! file_exists( $file ) )
                return compact( 'ext', 'type', 'proper_filename' );

        // We're able to validate images using GD
        if ( $type && 0 === strpos( $type, 'image/' ) && function_exists('getimagesize') ) {

                // Attempt to figure out what type of image it actually is
                $imgstats = @getimagesize( $file );

                // If getimagesize() knows what kind of image it really is and if the real MIME doesn't match the claimed MIME
                if ( !empty($imgstats['mime']) && $imgstats['mime'] != $type ) {
                        // This is a simplified array of MIMEs that getimagesize() can detect and their extensions
                        // You shouldn't need to use this filter, but it's here just in case
                        $mime_to_ext = apply_filters( 'getimagesize_mimes_to_exts', array(
                                'image/jpeg' => 'jpg',
                                'image/png'  => 'png',
                                'image/gif'  => 'gif',
                                'image/bmp'  => 'bmp',
                                'image/tiff' => 'tif',
                        ) );

                        // Replace whatever is after the last period in the filename with the correct extension
                        if ( ! empty( $mime_to_ext[ $imgstats['mime'] ] ) ) {
                                $filename_parts = explode( '.', $filename );
                                array_pop( $filename_parts );
                                $filename_parts[] = $mime_to_ext[ $imgstats['mime'] ];
                                $new_filename = implode( '.', $filename_parts );

                                if ( $new_filename != $filename )
                                        $proper_filename = $new_filename; // Mark that it changed

                                // Redefine the extension / MIME
                                $wp_filetype = wp_check_filetype( $new_filename, $mimes );
                                extract( $wp_filetype );
                        }
                }
        }

        // Let plugins try and validate other types of files
        // Should return an array in the style of array( 'ext' => $ext, 'type' => $type, 'proper_filename' => $proper_filename )
        return apply_filters( 'wp_check_filetype_and_ext', compact( 'ext', 'type', 'proper_filename' ), $file, $filename, $mimes );
}

/**
 * Retrieve list of allowed mime types and file extensions.
 *
 * @since 2.8.6
 *
 * @return array Array of mime types keyed by the file extension regex corresponding to those types.
 */
function get_allowed_mime_types() {
        static $mimes = false;

        if ( !$mimes ) {
                // Accepted MIME types are set here as PCRE unless provided.
                $mimes = apply_filters( 'upload_mimes', array(
                'jpg|jpeg|jpe' => 'image/jpeg',
                'gif' => 'image/gif',
                'png' => 'image/png',
                'bmp' => 'image/bmp',
                'tif|tiff' => 'image/tiff',
                'ico' => 'image/x-icon',
                'asf|asx|wax|wmv|wmx' => 'video/asf',
                'avi' => 'video/avi',
                'divx' => 'video/divx',
                'flv' => 'video/x-flv',
                'mov|qt' => 'video/quicktime',
                'mpeg|mpg|mpe' => 'video/mpeg',
                'txt|asc|c|cc|h' => 'text/plain',
                'csv' => 'text/csv',
                'tsv' => 'text/tab-separated-values',
                'ics' => 'text/calendar',
                'rtx' => 'text/richtext',
                'css' => 'text/css',
                'htm|html' => 'text/html',
                'mp3|m4a|m4b' => 'audio/mpeg',
                'mp4|m4v' => 'video/mp4',
                'ra|ram' => 'audio/x-realaudio',
                'wav' => 'audio/wav',
                'ogg|oga' => 'audio/ogg',
                'ogv' => 'video/ogg',
                'mid|midi' => 'audio/midi',
                'wma' => 'audio/wma',
                'mka' => 'audio/x-matroska',
                'mkv' => 'video/x-matroska',
                'rtf' => 'application/rtf',
                'js' => 'application/javascript',
                'pdf' => 'application/pdf',
                'doc|docx' => 'application/msword',
                'pot|pps|ppt|pptx|ppam|pptm|sldm|ppsm|potm' => 'application/vnd.ms-powerpoint',
                'wri' => 'application/vnd.ms-write',
                'xla|xls|xlsx|xlt|xlw|xlam|xlsb|xlsm|xltm' => 'application/vnd.ms-excel',
                'mdb' => 'application/vnd.ms-access',
                'mpp' => 'application/vnd.ms-project',
                'docm|dotm' => 'application/vnd.ms-word',
                'pptx|sldx|ppsx|potx' => 'application/vnd.openxmlformats-officedocument.presentationml',
                'xlsx|xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml',
                'docx|dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml',
                'onetoc|onetoc2|onetmp|onepkg' => 'application/onenote',
                'swf' => 'application/x-shockwave-flash',
                'class' => 'application/java',
                'tar' => 'application/x-tar',
                'zip' => 'application/zip',
                'gz|gzip' => 'application/x-gzip',
                'rar' => 'application/rar',
                '7z' => 'application/x-7z-compressed',
                'exe' => 'application/x-msdownload',
                // openoffice formats
                'odt' => 'application/vnd.oasis.opendocument.text',
                'odp' => 'application/vnd.oasis.opendocument.presentation',
                'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
                'odg' => 'application/vnd.oasis.opendocument.graphics',
                'odc' => 'application/vnd.oasis.opendocument.chart',
                'odb' => 'application/vnd.oasis.opendocument.database',
                'odf' => 'application/vnd.oasis.opendocument.formula',
                // wordperfect formats
                'wp|wpd' => 'application/wordperfect',
                ) );
        }

        return $mimes;
}

/**
 * File validates against allowed set of defined rules.
 *
 * A return value of '1' means that the $file contains either '..' or './'. A
 * return value of '2' means that the $file contains ':' after the first
 * character. A return value of '3' means that the file is not in the allowed
 * files list.
 *
 * @since 1.2.0
 *
 * @param string $file File path.
 * @param array $allowed_files List of allowed files.
 * @return int 0 means nothing is wrong, greater than 0 means something was wrong.
 */
function validate_file( $file, $allowed_files = '' ) {
        if ( false !== strpos( $file, '..' ) )
                return 1;

        if ( false !== strpos( $file, './' ) )
                return 1;

        if ( ! empty( $allowed_files ) && ! in_array( $file, $allowed_files ) )
                return 3;

        if (':' == substr( $file, 1, 1 ) )
                return 2;

        return 0;
}

/**
 * Strip close comment and close php tags from file headers used by WP.
 * See http://core.trac.wordpress.org/ticket/8497
 *
 * @since 2.8.0
 *
 * @param string $str
 * @return string
 */
function _cleanup_header_comment($str) {
        return trim(preg_replace("/\s*(?:\*\/|\?>).*/", '', $str));
}

/**
 * Retrieve metadata from a file.
 *
 * Searches for metadata in the first 8kiB of a file, such as a plugin or theme.
 * Each piece of metadata must be on its own line. Fields can not span multiple
 * lines, the value will get cut at the end of the first line.
 *
 * If the file data is not within that first 8kiB, then the author should correct
 * their plugin file and move the data headers to the top.
 *
 * @see http://codex.wordpress.org/File_Header
 *
 * @since 2.9.0
 * @param string $file Path to the file
 * @param array $default_headers List of headers, in the format array('HeaderKey' => 'Header Name')
 * @param string $context If specified adds filter hook "extra_{$context}_headers"
 */
function get_file_data( $file, $default_headers, $context = '' ) {
        // We don't need to write to the file, so just open for reading.
        $fp = fopen( $file, 'r' );

        // Pull only the first 8kiB of the file in.
        $file_data = fread( $fp, 8192 );

        // PHP will close file handle, but we are good citizens.
        fclose( $fp );

        if ( $context != '' ) {
                $extra_headers = apply_filters( "extra_{$context}_headers", array() );

                $extra_headers = array_flip( $extra_headers );
                foreach( $extra_headers as $key=>$value ) {
                        $extra_headers[$key] = $key;
                }
                $all_headers = array_merge( $extra_headers, (array) $default_headers );
        } else {
                $all_headers = $default_headers;
        }

        foreach ( $all_headers as $field => $regex ) {
                preg_match( '/^[ \t\/*#@]*' . preg_quote( $regex, '/' ) . ':(.*)$/mi', $file_data, ${$field});
                if ( !empty( ${$field} ) )
                        ${$field} = _cleanup_header_comment( ${$field}[1] );
                else
                        ${$field} = '';
        }

        $file_data = compact( array_keys( $all_headers ) );

        return $file_data;
}