Allow () in filenames.
[pr0n] / perl / Sesse / pr0n / WebDAV.pm
index 9d23bb9668af0860e186f0a25ce3a2d1cb7dd559..fe599303220f919f2a632c427dcab4a0a7c5d2ee 100644 (file)
@@ -5,6 +5,8 @@ use warnings;
 use Sesse::pr0n::Common qw(error dberror);
 use Digest::SHA1;
 use MIME::Base64;
+use Apache2::Request;
+use Apache2::Upload;
 
 sub handler {
        my $r = shift;
@@ -107,7 +109,7 @@ EOF
                                        dberror($r, "Couldn't get events");
                
                                while (my $ref = $q->fetchrow_hashref()) {
-                                       my $id = $ref->{'id'};
+                                       my $id = $ref->{'event'};
                                        my $name = $ref->{'name'};
                                
                                        $name =~ s/&/\&/g;  # hack :-)
@@ -135,8 +137,8 @@ EOF
                        $r->headers_out->{'content-location'} = "/webdav/upload/$event/";
                        
                        # Check that we do indeed exist
-                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE id=?',
-                               undef, $event);
+                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE vhost=? AND event=?',
+                               undef, $r->get_server_name, $event);
                        if ($ref->{'numev'} != 1) {
                                $r->status(404);
                                $r->content_type('text/plain; charset=utf-8');
@@ -162,9 +164,9 @@ EOF
 
                        # List all the files within too, of course :-)
                        if ($depth >= 1) {
-                               my $q = $dbh->prepare('SELECT * FROM images WHERE event=?') or
+                               my $q = $dbh->prepare('SELECT * FROM images WHERE vhost=? AND event=?') or
                                        dberror($r, "Couldn't list images");
-                               $q->execute($event) or
+                               $q->execute($r->get_server_name, $event) or
                                        dberror($r, "Couldn't get events");
                
                                while (my $ref = $q->fetchrow_hashref()) {
@@ -218,8 +220,8 @@ EOF
                        $r->headers_out->{'content-location'} = "/webdav/upload/$event/autorename/";
                        
                        # Check that we do indeed exist
-                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE id=?',
-                               undef, $event);
+                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE vhost=? AND event=?',
+                               undef, $r->get_server_name, $event);
                        if ($ref->{'numev'} != 1) {
                                $r->status(404);
                                $r->content_type('text/plain; charset=utf-8');
@@ -251,8 +253,8 @@ EOF
                        my ($fname, $size, $mtime);
                        
                        # check if we have a pending fake file for this
-                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND filename=? AND expires_at > now()',
-                               undef, $event, $filename);
+                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND vhost=? AND filename=? AND expires_at > now()',
+                               undef, $event, $r->get_server_name, $filename);
                        if ($ref->{'numfiles'} == 1) {
                                $fname = "/dev/null";
                                $size = 0;
@@ -294,16 +296,16 @@ EOF
                        my ($fname, $size, $mtime);
                        
                        # check if we have a pending fake file for this
-                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND filename=? AND expires_at > now()',
-                               undef, $event, $filename);
+                       my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND vhost=? AND filename=? AND expires_at > now()',
+                               undef, $event, $r->get_server_name, $filename);
                        if ($ref->{'numfiles'} == 1) {
                                $fname = "/dev/null";
                                $size = 0;
                                $mtime = time;
                        } else {
                                # check if we have a "shadow file" for this
-                               my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE event=? AND filename=? AND expires_at > now()',
-                                       undef, $event, $filename);
+                               my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE vhost=? AND event=? AND filename=? AND expires_at > now()',
+                                       undef, $r->get_server_name, $event, $filename);
                                if (defined($ref)) {
                                        ($fname, $size, $mtime) = Sesse::pr0n::Common::stat_image_from_id($r, $ref->{'id'});
                                }
@@ -357,8 +359,8 @@ EOF
                my ($fname, $size, $mtime);
 
                # check if we have a pending fake file for this
-               my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND filename=? AND expires_at > now()',
-                       undef, $event, $filename);
+               my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND vhost=? AND filename=? AND expires_at > now()',
+                       undef, $event, $r->get_server_name, $filename);
                if ($ref->{'numfiles'} == 1) {
                        $fname = "/dev/null";
                        $size = 0;
@@ -366,8 +368,8 @@ EOF
                } else {
                        # check if we have a "shadow file" for this
                        if (defined($autorename) && $autorename eq "autorename/") {
-                               my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE event=? AND filename=? AND expires_at > now()',
-                                       undef, $event, $filename);
+                               my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE host=? AND event=? AND filename=? AND expires_at > now()',
+                                       undef, $r->get_server_name, $event, $filename);
                                if (defined($ref)) {
                                        ($fname, $size, $mtime) = Sesse::pr0n::Common::stat_image_from_id($r, $ref->{'id'});
                                }
@@ -406,9 +408,9 @@ EOF
                my $orig_filename = $filename;
 
                # Remove evil characters
-               if ($filename =~ /[^a-zA-Z0-9._-]/) {
+               if ($filename =~ /[^a-zA-Z0-9._()-]/) {
                        if (defined($autorename) && $autorename eq "autorename/") {
-                               $filename =~ tr/a-zA-Z0-9.-/_/c;
+                               $filename =~ tr/a-zA-Z0-9.()-/_/c;
                        } else {
                                $r->status(403);
                                $r->content_type('text/plain; charset=utf-8');
@@ -422,11 +424,11 @@ EOF
                # make them happy
                # 
                if ($r->headers_in->{'content-length'} == 0) {
-                       $dbh->do('DELETE FROM fake_files WHERE expires_at <= now() OR (event=? AND filename=?);',
-                               undef, $event, $filename)
+                       $dbh->do('DELETE FROM fake_files WHERE expires_at <= now() OR (event=? AND vhost=? AND filename=?);',
+                               undef, $event, $r->get_server_name, $filename)
                                or dberror($r, "Couldn't prune fake_files");
-                       $dbh->do('INSERT INTO fake_files (event,filename,expires_at) VALUES (?,?,now() + interval \'30 seconds\');',
-                               undef, $event, $filename)
+                       $dbh->do('INSERT INTO fake_files (vhost,event,filename,expires_at) VALUES (?,?,?,now() + interval \'30 seconds\');',
+                               undef, $r->get_server_name, $event, $filename)
                                or dberror($r, "Couldn't add file");
                        $r->content_type('text/plain; charset="utf-8"');
                        $r->status(201);
@@ -444,8 +446,8 @@ EOF
                
                # Autorename if we need to
                if (defined($autorename) && $autorename eq "autorename/") {
-                       my $ref = $dbh->selectrow_hashref("SELECT COUNT(*) AS numfiles FROM images WHERE event=? AND filename=?",
-                               undef, $event, $filename)
+                       my $ref = $dbh->selectrow_hashref("SELECT COUNT(*) AS numfiles FROM images WHERE vhost=? AND event=? AND filename=?",
+                               undef, $r->get_server_name, $event, $filename)
                                or dberror($r, "Couldn't check for existing files");
                        if ($ref->{'numfiles'} > 0) {
                                $r->log->info("Renaming $filename to $newid.jpeg");
@@ -461,13 +463,13 @@ EOF
 
                        # Try to insert this new file
                        eval {
-                               $dbh->do('DELETE FROM fake_files WHERE event=? AND filename=?;',
-                                       undef, $event, $filename);
+                               $dbh->do('DELETE FROM fake_files WHERE vhost=? AND event=? AND filename=?',
+                                       undef, $r->get_server_name, $event, $filename);
                                        
-                               $dbh->do('INSERT INTO images (id,event,uploadedby,takenby,filename) VALUES (?,?,?,?,?);',
-                                       undef, $newid, $event, $user, $takenby, $filename);
-                               $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE event=?',
-                                       undef, $event);
+                               $dbh->do('INSERT INTO images (id,vhost,event,uploadedby,takenby,filename) VALUES (?,?,?,?,?,?)',
+                                       undef, $newid, $r->get_server_name, $event, $user, $takenby, $filename);
+                               $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE vhost=? AND event=?',
+                                       undef, $r->get_server_name, $event);
 
                                # Now save the file to disk
                                $fname = Sesse::pr0n::Common::get_disk_location($r, $newid);
@@ -500,18 +502,18 @@ EOF
                        if ($@) {
                                # Some error occurred, rollback and bomb out
                                $dbh->rollback;
-                               dberror($r, "Transaction aborted because $@");
+                               error($r, "Transaction aborted because $@");
                                unlink($fname);
                        }
                }
 
                # Insert a `shadow file' we can stat the next 30 secs
                if (defined($autorename) && $autorename eq "autorename/") {
-                       $dbh->do('DELETE FROM shadow_files WHERE expires_at <= now() OR (event=? AND filename=?);',
-                               undef, $event, $filename)
+                       $dbh->do('DELETE FROM shadow_files WHERE expires_at <= now() OR (vhost=? AND event=? AND filename=?);',
+                               undef, $r->get_server_name, $event, $filename)
                                or dberror($r, "Couldn't prune shadow_files");
-                       $dbh->do('INSERT INTO shadow_files (event,filename,id,expires_at) VALUES (?,?,?,now() + interval \'30 seconds\');',
-                               undef, $event, $orig_filename, $newid)
+                       $dbh->do('INSERT INTO shadow_files (vhost,event,filename,id,expires_at) VALUES (?,?,?,?,now() + interval \'30 seconds\');',
+                               undef, $r->get_server_name, $event, $orig_filename, $newid)
                                or dberror($r, "Couldn't add shadow file");
                        $r->log->info("Added shadow entry for $event/$filename");
                }
@@ -522,7 +524,130 @@ EOF
 
                return Apache2::Const::OK;
        }
+       
+       # Used by the XP publishing wizard -- largely the same as the code above
+       # but vastly simplified. Should we refactor?
+       if ($r->method eq "POST") {
+               my $apr = Apache2::Request->new($r);
+               my $client_size = $apr->param('size');
+               my $event = $apr->param('event');
+                               
+               my $file = $apr->upload('image');
+               my $filename = $file->filename();
+               if ($client_size != $file->size()) {
+                       $r->content_type('text/plain; charset="utf-8"');
+                       $r->status(403);
+                       $r->print("Client-size resizing detected; refusing automatically");
+
+                       $r->log->info("Client-size resized upload of $event/$filename detected");
+                       return Apache2::Const::OK;
+               }
+               
+               # Ugh, Windows XP seems to be sending this in... something that's not UTF-8, at least
+               my $takenby_given = Sesse::pr0n::Common::guess_charset($apr->param('takenby'));
+
+               if (defined($takenby_given) && $takenby_given !~ /^\s*$/ && $takenby_given !~ /[<>&]/ && length($takenby_given) <= 100) {
+                       $takenby = $takenby_given;
+               }
+               
+               my $ne_id = Sesse::pr0n::Common::guess_charset($apr->param('neweventid'));
+               my $ne_date = Sesse::pr0n::Common::guess_charset($apr->param('neweventdate'));
+               my $ne_desc = Sesse::pr0n::Common::guess_charset($apr->param('neweventdesc'));
+               if (defined($ne_id)) {
+                       # Trying to add a new event, let's see if it already exists
+                       my $q = $dbh->prepare('SELECT COUNT(*) AS cnt FROM events WHERE event=? AND vhost=?')
+                               or dberror($r, "Couldn't prepare event count");
+                       $q->execute($ne_id, $r->get_server_name)
+                               or dberror($r, "Couldn't execute event count");
+                       my $ref = $q->fetchrow_hashref;
+
+                       if ($ref->{'cnt'} == 0) {
+                               my @errors = Sesse::pr0n::Common::add_new_event($dbh, $ne_id, $ne_date, $ne_desc, $r->get_server_name);
+                               if (scalar @errors > 0) {
+                                       die "Couldn't add new event $ne_id: " . join(', ', @errors);
+                               }
+                       }
+
+                       $event = $ne_id;
+               }
+
+               # Remove evil characters
+               if ($filename =~ /[^a-zA-Z0-9._-]/) {
+                       $filename =~ tr/a-zA-Z0-9.-/_/c;
+               }
+               
+               # Get the new ID
+               my $ref = $dbh->selectrow_hashref("SELECT NEXTVAL('imageid_seq') AS id;");
+               my $newid = $ref->{'id'};
+               if (!defined($newid)) {
+                       dberror($r, "Couldn't get new ID");
+               }
+               
+               # Autorename if we need to
+               {
+                       my $ref = $dbh->selectrow_hashref("SELECT COUNT(*) AS numfiles FROM images WHERE vhost=? AND event=? AND filename=?",
+                               undef, $r->get_server_name, $event, $filename)
+                               or dberror($r, "Couldn't check for existing files");
+                       if ($ref->{'numfiles'} > 0) {
+                               $r->log->info("Renaming $filename to $newid.jpeg");
+                               $filename = "$newid.jpeg";
+                       }
+               }
+               
+               {
+                       # Enable transactions and error raising temporarily
+                       local $dbh->{AutoCommit} = 0;
+                       local $dbh->{RaiseError} = 1;
+                       my $fname;
+
+                       # Try to insert this new file
+                       eval {
+                               $dbh->do('INSERT INTO images (id,vhost,event,uploadedby,takenby,filename) VALUES (?,?,?,?,?,?)',
+                                       undef, $newid, $r->get_server_name, $event, $user, $takenby, $filename);
+                               $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE vhost=? AND event=?',
+                                       undef, $r->get_server_name, $event);
 
+                               # Now save the file to disk
+                               $fname = Sesse::pr0n::Common::get_disk_location($r, $newid);
+                               open NEWFILE, ">$fname"
+                                       or die "$fname: $!";
+
+                               my $buf;
+                               $file->slurp($buf);
+                               print NEWFILE $buf or die "write($fname): $!";
+                               close NEWFILE or die "close($fname): $!";
+                               
+                               # Orient stuff correctly
+                               system("/usr/bin/exifautotran", $fname) == 0
+                                       or die "/usr/bin/exifautotran: $!";
+
+                               # Make cache while we're at it.
+                               Sesse::pr0n::Common::ensure_cached($r, $filename, $newid, -1, -1, 1, 80, 64, 320, 256, -1, -1);
+                               
+                               # OK, we got this far, commit
+                               $dbh->commit;
+
+                               $r->log->notice("Successfully wrote $event/$filename to $fname");
+                       };
+                       if ($@) {
+                               # Some error occurred, rollback and bomb out
+                               $dbh->rollback;
+                               error($r, "Transaction aborted because $@");
+                               unlink($fname);
+               
+                               $r->content_type('text/plain; charset="utf-8"');
+                               $r->status(500);
+                               $r->print("Error: $@");
+                       }
+               }
+
+               $r->content_type('text/plain; charset="utf-8"');
+               $r->status(201);
+               $r->print("OK");
+
+               return Apache2::Const::OK;
+       }
+       
        # Yes, we fake locks. :-)
        if ($r->method eq "LOCK") {
                if ($r->uri !~ m#^/webdav/upload/([a-zA-Z0-9-]+)/(autorename/)?([a-zA-Z0-9._-]+)$#) {
@@ -577,11 +702,11 @@ EOF
                }
                
                my ($event, $autorename, $filename) = ($1, $2, $3);
-               $dbh->do('DELETE FROM images WHERE event=? AND filename=?;',
-                       undef, $event, $filename)
+               $dbh->do('DELETE FROM images WHERE vhost=? AND event=? AND filename=?',
+                       undef, $r->get_server_name, $event, $filename)
                        or dberror($r, "Couldn't remove file");
-               $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE id=?',
-                       undef, $event)
+               $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE vhost=? AND event=?',
+                       undef, $r->get_server_name, $event)
                        or dberror($r, "Couldn't invalidate cache");
                $r->status(200);
                $r->print("OK");
@@ -601,7 +726,7 @@ EOF
                $r->print("Sorry, you do not have access to that feature.");
                return Apache2::Const::OK;
        }
-       
+
        $r->content_type('text/plain; charset=utf-8');
        $r->log->error("unknown method " . $r->method);
        $r->status(500);