Pixelpost

Authentic Photoblog Flavour


  #1  
Old 02-20-2006, 10:23 PM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
Addon: Upload addon (Admin addon)

Name:
Add Addon

Desc:
You will never have to FTP to your addon folder again!
Once installed, this addon lets you upload an addon via the admin panel.

*pixelpost version 1.5beta1 required*

Addon Details:
Version: 1.0.3
Added: 2006-02-20
Updated: 2006-02-23
Category: addon
Requires Pixelpost version - 1.5beta1

Installation:
Extract the archive and add admin_addon_manager.php to your addons folder.

You can utilize this new feature by finding it under OPTIONS > ADD ADDON

Please note, this only works with single file addons. If an addon requires you to upload separate files to a different directory other than the /addons directory then you will have to manually upload that file.

CHANGE LOG:

02.22.2006 - v1.0.2
  • FIXED: There was a small problem with the script running as soon as you login as admin, that should now be fixed.
  • ADDED: I also added some code to prevent all file type uploads with the exception of the .php file extension.
02.23.2006 - v1.0.3
  • CHANGED: Changed the way files were checked. In v1.0.1 & 1.0.2 files were checked by mime type. In v1.0.3 files are checked by extension.
  • ADDED: Security check is added when upload function is called. In previous versions, uploads can be made remotely with no admin access required. Upgrade to v1.0.3 immediately!

Install this addon at your own risk! I'm not responsible for any mishaps this addon might cause. I'm no PHP programmer, so if someone sees something that can be cleaned up, then please do so!

Download:
http://pixelpost.org/v1/devfiles/?id=153 (v1.0.3)

Last edited by Dkozikowski; 02-23-2006 at 12:28 PM.
  #2  
Old 02-21-2006, 07:25 AM
raminia+ Offline
Team Pixelpost
 
Join Date: Jan 2005
Location: FL, US
Posts: 3,706
Hope to see it in action.
__________________
Photoblog: http://pblog.raminia.com Powered by Pixelpost 1.7
  #3  
Old 02-21-2006, 01:52 PM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
All should be OK with it now. I re-posted the link in the first post.
  #4  
Old 02-22-2006, 04:27 AM
se.nsuo.us Offline
pixelpost guru
 
Join Date: Dec 2005
Location: Somewhere in India
Posts: 624
Good job - works as advertised - the only improvement I can suggest is check for Admin login before doing a move_uploaded_file

To check for admin login do something like

PHP Code:
if (isset($_SESSION["pixelpost_admin"]) && $cfgrow['password'] == $_SESSION["pixelpost_admin"]) {
    // add the move_uploaded call here
}

__________________
http://se.nsuo.us - A photoblog of sensual, abstract nudes [may not be work safe for some]
My Pixelpost Addons, Cheesecake-Photoblog Software
  #5  
Old 02-22-2006, 11:32 AM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
I wasn't able to get the above code working properly. It worked a little too well actually. Even if you were logged in as admin it would prevent the upload.

Instead, I'm using this

PHP Code:
if ($cfgrow['password'] != $_SESSION["pixelpost_admin"]) {
    // move_uploaded call here
}

Seems to do the trick. I will update the file ASAP. I can't believe I didn't think to add a check like this. Thanks for pointing it out.
  #6  
Old 02-22-2006, 11:48 AM
se.nsuo.us Offline
pixelpost guru
 
Join Date: Dec 2005
Location: Somewhere in India
Posts: 624
Ummm... you are actually negating the check - what you are saying in code can be said in plain English as

"Check to see if the $cfgrow['password'] is not the same as $_SESSION["pixelpost_admin"] - if it is not then move uploaded file"

Try doing it the reverse way
PHP Code:
if (!isset($_SESSION["pixelpost_admin"]) || $cfgrow['password'] != $_SESSION["pixelpost_admin"]) {
    // Do nothing, there is no valid login
} else {
    // Move the uploaded file
}

If it still does not work, post your code anyways and I will look into it tomorrow.

Cheers
__________________
http://se.nsuo.us - A photoblog of sensual, abstract nudes [may not be work safe for some]
My Pixelpost Addons, Cheesecake-Photoblog Software
  #7  
Old 02-22-2006, 12:01 PM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
Weird. I understand what you are saying about the code I used, but it worked when I tested it. Anyway, I applied your new code and it still does not upload. Here is the full source:

PHP Code:
<?php
$path = '../addons/'; // Path to the addons folder
$allow_types = array('text/php'); // Allowable file types

if ($_GET['x'] == "addAddon") {
    // Check file type
    if (!in_array($_FILES['file']['type'], $allow_types)) {
        echo 'Error code removed for easy viewing within pixelpost forum';
        exit;
    }
    // No problems?
    if ($_FILES['file']['error'] != UPLOAD_ERR_OK) {
        die('Error occurred during upload. Go back and try again.');
    }

    // Move file to our upload folder
    $newfile = $path . $_FILES['file']['name'];
    if (!isset($_SESSION["pixelpost_admin"]) || $cfgrow['password'] != $_SESSION["pixelpost_admin"]) {
        // Do nothing, there is no valid login
    } else {
        move_uploaded_file($_FILES['file']['tmp_name'], $newfile);
    }
    die('Success code removed for easy viewing within pixelpost forum');
} else {
    // Display form:
    function addonmanager_admin_addon()
    {
        $show_form = "<div class='content'>
    Start by choosing your addon by clicking on the Choose File / Browse button below.<br />
    Addons will always have a .php file extension.<br />
    Once your addon is selected, click the <i>Upload Addon</i> button to add the addon to pixelpost.<br /><br />
    <form method=\"post\" action=\"?x=addAddon\" enctype=\"multipart/form-data\">
    <input type=\"file\" name=\"file\" value=\"Select Addon\" /> <input type=\"submit\" value=\"Upload Addon\" style=\"width:100px;font-weight:bold;\">
    </form>
    </div>";

        echo $show_form;
    }
}
?>
  #8  
Old 02-23-2006, 05:51 AM
se.nsuo.us Offline
pixelpost guru
 
Join Date: Dec 2005
Location: Somewhere in India
Posts: 624
Ahhhh! Found a GOTCHA for admin addons: to get $cfgrow in your admin addon you have to declare it as global, so if you add
PHP Code:
global $cfgrow;
somewhere near the top and then test
PHP Code:
if ($cfgrow['password'] == $_SESSION["pixelpost_admin"]) {
    // move_uploaded call here
}
It will work.

Another thing -
PHP Code:
$_FILES['file']['type']
gives application/octet-stream for .php in my case, you might want to resort to testing the file extension instead of type
__________________
http://se.nsuo.us - A photoblog of sensual, abstract nudes [may not be work safe for some]
My Pixelpost Addons, Cheesecake-Photoblog Software
Reply With Quote
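
Added example, not part of any post in this thread: it evaluates the login checks from posts #4, #5 and #8 with and without `global $cfgrow;`, for a logged-in admin and an anonymous request, next to a stricter comparison. The function scope, the name `evaluate_checks` and the hash value are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the config row Pixelpost loads (value is made up).
$cfgrow = ['password' => 'constructed-admin-hash'];

// Evaluate each check from the thread inside a function scope, which is where
// post #8 implies an admin addon runs (assumption). $declare_global toggles
// the "global $cfgrow;" fix from post #8.
function evaluate_checks(array $session, bool $declare_global): array
{
    if ($declare_global) {
        global $cfgrow;
    }
    $stored = $cfgrow['password'] ?? null;          // null when $cfgrow is out of scope
    $sess   = $session['pixelpost_admin'] ?? null;  // null when nobody is logged in

    return [
        'post #4: isset && ==' => isset($session['pixelpost_admin']) && $stored == $sess,
        'post #5: !='          => $stored != $sess,
        'post #8: == only'     => $stored == $sess,
        // Hardened (added here): both values must be non-empty strings and
        // match in constant time, so null == null can never pass.
        'hardened'             => is_string($stored) && $stored !== ''
                                  && is_string($sess) && hash_equals($stored, $sess),
    ];
}

// Constructed sessions: one as set at admin login, one with no login at all.
$sessions = [
    'admin'     => ['pixelpost_admin' => 'constructed-admin-hash'],
    'anonymous' => [],
];

foreach ([false, true] as $declare_global) {
    foreach ($sessions as $who => $session) {
        printf("global=%s user=%s\n", $declare_global ? 'yes' : 'no', $who);
        foreach (evaluate_checks($session, $declare_global) as $check => $passes) {
            printf("  %-22s %s\n", $check, $passes ? 'upload allowed' : 'upload denied');
        }
    }
}
```

With `$cfgrow` out of scope both sides of a loose `==` are null for an anonymous request, so the `==`-only check lets it through, and once `$cfgrow` is in scope the `!=` check from post #5 does the same. The hardened row denies the anonymous request in both cases.
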
  #9  
Old 02-23-2006, 11:39 AM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
Thank you very much se.nsuo.us

I revamped the code and now check for the extension, not type. I also cleaned the code up a bit! Let me know what you think now.

PHP Code:
// Variables
$uploaddir = "../addons/"; // Where you want the files to upload to - Important: Make sure this folder's permissions are 0777!
$allowed_ext = "php"; // These are the allowed extensions of the files that are uploaded

if ($_GET['x'] == "addAddon") {
    global $cfgrow;
    if ($cfgrow['password'] == $_SESSION["pixelpost_admin"]) {
        // Check Extension
        $extension = pathinfo($_FILES['file']['name']);
        // No file chosen, or a name without a dot, has no 'extension' key
        $extension = isset($extension['extension']) ? $extension['extension'] : '';
        $allowed_paths = explode(", ", $allowed_ext);
        $ok = "0";
        for ($i = 0; $i < count($allowed_paths); $i++) {
            if ($allowed_paths[$i] == "$extension") {
                $ok = "1";
            }
        }
        if ($ok == "1") {
            // The Upload Part
            if (is_uploaded_file($_FILES['file']['tmp_name'])) {
                move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir.'/'.$_FILES['file']['name']);
                // Addon uploaded message!
                die('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <meta http-equiv="refresh" content="8; URL=index.php?view=options&optionsview=add%20addon" />
    <title>Success</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <link rel="stylesheet" href="admin_index.css" type="text/css" />
    </head>
    <body>
    <br /><br />
    The addon has been successfully uploaded and added!<br />
    Please visit the <a href="index.php?view=addons">ADDONS</a> tab to view your addon.<br /><br />
    <a href="index.php?view=options&optionsview=add%20addon">You will be redirected now. Please click to be transferred back, if redirection doesn\'t work.</a>
    </body>
    </html>');
            }
        } else {
            // Incorrect file extension error!
            echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <meta http-equiv="refresh" content="10; URL=index.php?view=options&optionsview=add%20addon" />
    <title>Error</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <link rel="stylesheet" href="admin_index.css" type="text/css" />
    </head>
    <body>
    <br /><br />
    Either the file type you selected was not allowed or you have not chosen an addon to upload!<br />
    Please go back and select an addon with the correct file extension. E.G. - addon_name<strong>.php</strong> or select an addon to upload.<br /><br />
    <a href="index.php?view=options&optionsview=add%20addon">You will be redirected now. Please click to be transferred back, if redirection doesn\'t work.</a>
    </body>
    </html>';
            exit;
        }
    }
}
// Display form.
function addonmanager_admin_addon() {
    $show_form = "<div class='content'>
    Start by choosing your addon by clicking on the Choose File / Browse button below.<br />
    Addons will always have a .php file extension.<br />
    Once your addon is selected, click the <i>Upload Addon</i> button to add the addon to pixelpost.<br /><br />
    <form method=\"post\" action=\"?x=addAddon\" enctype=\"multipart/form-data\">
    <input type=\"file\" name=\"file\" value=\"Select Addon\" /> <input type=\"submit\" value=\"Upload Addon\" style=\"width:100px;font-weight:bold;\">
    </form>
    </div>";
    echo $show_form;
}

Reply With Quote
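
Added example, not code from the addon or from any post above: it contrasts the client-declared MIME type check used in post #7 with a check on the uploaded file name, the change described for v1.0.3 and suggested in post #8. The function names `mime_check` and `addon_upload_name`, the stricter name pattern and the sample entries are assumptions made for illustration.

```php
<?php
// v1.0.1/1.0.2 style check from post #7: trusts the type the client declared.
function mime_check(array $file): bool
{
    return in_array($file['type'] ?? '', ['text/php'], true);
}

// Name-based check (added here): returns the file name to store in the addons
// folder, or null to reject. $file['type'] is ignored on purpose.
function addon_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null; // no file chosen, or the upload failed
    }
    $name = (string) ($file['name'] ?? '');
    // Exactly one dot, ".php" last, no path separators or other punctuation.
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $name) === 1 ? $name : null;
}

// Constructed $_FILES-shaped entries (not captured from a real upload).
$samples = [
    ['name' => 'admin_addon_manager.php', 'type' => 'application/octet-stream', 'error' => UPLOAD_ERR_OK],
    ['name' => 'notes.txt',               'type' => 'text/php',                 'error' => UPLOAD_ERR_OK],
    ['name' => 'addon.php.bak',           'type' => 'text/php',                 'error' => UPLOAD_ERR_OK],
    ['name' => '../index.php',            'type' => 'text/php',                 'error' => UPLOAD_ERR_OK],
    ['name' => '',                        'type' => '',                         'error' => UPLOAD_ERR_NO_FILE],
];

foreach ($samples as $file) {
    printf("%-28s mime check: %-6s name check: %s\n",
        var_export($file['name'], true),
        mime_check($file) ? 'accept' : 'reject',
        addon_upload_name($file) === null ? 'reject' : 'accept');
}
// In a real handler the admin-session check comes first, and the accepted name
// is then passed to move_uploaded_file(), which only moves genuine uploads.
```
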
  #10  
Old 02-25-2006, 03:45 PM
raminia+ Offline
Team Pixelpost
 
Join Date: Jan 2005
Location: FL, US
Posts: 3,706
Quote:
Originally Posted by se.nsuo.us
Ahhhh! Found a GOTCHA for admin addons: to get $cfgrow in your admin addon you have to declare it as global, so if you add
PHP Code:
global $cfgrow;
somewhere near the top and then test
PHP Code:
if ($cfgrow['password'] == $_SESSION["pixelpost_admin"]) {
    // move_uploaded call here
}
It will work.

Another thing -
PHP Code:
$_FILES['file']['type']
gives application/octet-stream for .php in my case, you might want to resort to testing the file extension instead of type

Could you please write about these GOTCHAs in pixelpost wiki?
www.raminia.com/ppwiki/
__________________
Photoblog: http://pblog.raminia.com Powered by Pixelpost 1.7