X-Git-Url: https://git.sesse.net/?p=pr0n;a=blobdiff_plain;f=perl%2FSesse%2Fpr0n%2FWebDAV.pm;h=fe599303220f919f2a632c427dcab4a0a7c5d2ee;hp=aecd9fdae7aa5ca713f4e87083556605c035b516;hb=7ed166d00c60530874566d5e67130464e6fc0415;hpb=b499b81784e502e480dd114bb1fc130f498ab224 diff --git a/perl/Sesse/pr0n/WebDAV.pm b/perl/Sesse/pr0n/WebDAV.pm index aecd9fd..fe59930 100644 --- a/perl/Sesse/pr0n/WebDAV.pm +++ b/perl/Sesse/pr0n/WebDAV.pm @@ -5,6 +5,8 @@ use warnings; use Sesse::pr0n::Common qw(error dberror); use Digest::SHA1; use MIME::Base64; +use Apache2::Request; +use Apache2::Upload; sub handler { my $r = shift; @@ -107,7 +109,7 @@ EOF dberror($r, "Couldn't get events"); while (my $ref = $q->fetchrow_hashref()) { - my $id = $ref->{'id'}; + my $id = $ref->{'event'}; my $name = $ref->{'name'}; $name =~ s/&/\&/g; # hack :-) @@ -135,8 +137,8 @@ EOF $r->headers_out->{'content-location'} = "/webdav/upload/$event/"; # Check that we do indeed exist - my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE id=?', - undef, $event); + my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE vhost=? AND event=?', + undef, $r->get_server_name, $event); if ($ref->{'numev'} != 1) { $r->status(404); $r->content_type('text/plain; charset=utf-8'); @@ -162,9 +164,9 @@ EOF # List all the files within too, of course :-) if ($depth >= 1) { - my $q = $dbh->prepare('SELECT * FROM images WHERE event=?') or + my $q = $dbh->prepare('SELECT * FROM images WHERE vhost=? AND event=?') or dberror($r, "Couldn't list images"); - $q->execute($event) or + $q->execute($r->get_server_name, $event) or dberror($r, "Couldn't get events"); while (my $ref = $q->fetchrow_hashref()) { @@ -218,8 +220,8 @@ EOF $r->headers_out->{'content-location'} = "/webdav/upload/$event/autorename/"; # Check that we do indeed exist - my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE id=?', - undef, $event); + my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numev FROM events WHERE vhost=? AND event=?', + undef, $r->get_server_name, $event); if ($ref->{'numev'} != 1) { $r->status(404); $r->content_type('text/plain; charset=utf-8'); @@ -251,8 +253,8 @@ EOF my ($fname, $size, $mtime); # check if we have a pending fake file for this - my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND filename=? AND expires_at > now()', - undef, $event, $filename); + my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND vhost=? AND filename=? AND expires_at > now()', + undef, $event, $r->get_server_name, $filename); if ($ref->{'numfiles'} == 1) { $fname = "/dev/null"; $size = 0; @@ -294,16 +296,16 @@ EOF my ($fname, $size, $mtime); # check if we have a pending fake file for this - my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND filename=? AND expires_at > now()', - undef, $event, $filename); + my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND vhost=? AND filename=? AND expires_at > now()', + undef, $event, $r->get_server_name, $filename); if ($ref->{'numfiles'} == 1) { $fname = "/dev/null"; $size = 0; $mtime = time; } else { # check if we have a "shadow file" for this - my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE event=? AND filename=? AND expires_at > now()', - undef, $event, $filename); + my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE vhost=? AND event=? AND filename=? AND expires_at > now()', + undef, $r->get_server_name, $event, $filename); if (defined($ref)) { ($fname, $size, $mtime) = Sesse::pr0n::Common::stat_image_from_id($r, $ref->{'id'}); } @@ -357,8 +359,8 @@ EOF my ($fname, $size, $mtime); # check if we have a pending fake file for this - my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND filename=? AND expires_at > now()', - undef, $event, $filename); + my $ref = $dbh->selectrow_hashref('SELECT count(*) AS numfiles FROM fake_files WHERE event=? AND vhost=? AND filename=? AND expires_at > now()', + undef, $event, $r->get_server_name, $filename); if ($ref->{'numfiles'} == 1) { $fname = "/dev/null"; $size = 0; @@ -366,8 +368,8 @@ EOF } else { # check if we have a "shadow file" for this if (defined($autorename) && $autorename eq "autorename/") { - my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE event=? AND filename=? AND expires_at > now()', - undef, $event, $filename); + my $ref = $dbh->selectrow_hashref('SELECT id FROM shadow_files WHERE host=? AND event=? AND filename=? AND expires_at > now()', + undef, $r->get_server_name, $event, $filename); if (defined($ref)) { ($fname, $size, $mtime) = Sesse::pr0n::Common::stat_image_from_id($r, $ref->{'id'}); } @@ -406,9 +408,9 @@ EOF my $orig_filename = $filename; # Remove evil characters - if ($filename =~ /[^a-zA-Z0-9._-]/) { + if ($filename =~ /[^a-zA-Z0-9._()-]/) { if (defined($autorename) && $autorename eq "autorename/") { - $filename =~ tr/a-zA-Z0-9.-/_/c; + $filename =~ tr/a-zA-Z0-9.()-/_/c; } else { $r->status(403); $r->content_type('text/plain; charset=utf-8'); @@ -422,11 +424,11 @@ EOF # make them happy # if ($r->headers_in->{'content-length'} == 0) { - $dbh->do('DELETE FROM fake_files WHERE expires_at <= now() OR (event=? AND filename=?);', - undef, $event, $filename) + $dbh->do('DELETE FROM fake_files WHERE expires_at <= now() OR (event=? AND vhost=? AND filename=?);', + undef, $event, $r->get_server_name, $filename) or dberror($r, "Couldn't prune fake_files"); - $dbh->do('INSERT INTO fake_files (event,filename,expires_at) VALUES (?,?,now() + interval \'30 seconds\');', - undef, $event, $filename) + $dbh->do('INSERT INTO fake_files (vhost,event,filename,expires_at) VALUES (?,?,?,now() + interval \'30 seconds\');', + undef, $r->get_server_name, $event, $filename) or dberror($r, "Couldn't add file"); $r->content_type('text/plain; charset="utf-8"'); $r->status(201); @@ -444,8 +446,8 @@ EOF # Autorename if we need to if (defined($autorename) && $autorename eq "autorename/") { - my $ref = $dbh->selectrow_hashref("SELECT COUNT(*) AS numfiles FROM images WHERE event=? AND filename=?", - undef, $event, $filename) + my $ref = $dbh->selectrow_hashref("SELECT COUNT(*) AS numfiles FROM images WHERE vhost=? AND event=? AND filename=?", + undef, $r->get_server_name, $event, $filename) or dberror($r, "Couldn't check for existing files"); if ($ref->{'numfiles'} > 0) { $r->log->info("Renaming $filename to $newid.jpeg"); @@ -461,13 +463,13 @@ EOF # Try to insert this new file eval { - $dbh->do('DELETE FROM fake_files WHERE event=? AND filename=?;', - undef, $event, $filename); + $dbh->do('DELETE FROM fake_files WHERE vhost=? AND event=? AND filename=?', + undef, $r->get_server_name, $event, $filename); - $dbh->do('INSERT INTO images (id,event,uploadedby,takenby,filename) VALUES (?,?,?,?,?);', - undef, $newid, $event, $user, $takenby, $filename); - $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE id=?', - undef, $event); + $dbh->do('INSERT INTO images (id,vhost,event,uploadedby,takenby,filename) VALUES (?,?,?,?,?,?)', + undef, $newid, $r->get_server_name, $event, $user, $takenby, $filename); + $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE vhost=? AND event=?', + undef, $r->get_server_name, $event); # Now save the file to disk $fname = Sesse::pr0n::Common::get_disk_location($r, $newid); @@ -507,11 +509,11 @@ EOF # Insert a `shadow file' we can stat the next 30 secs if (defined($autorename) && $autorename eq "autorename/") { - $dbh->do('DELETE FROM shadow_files WHERE expires_at <= now() OR (event=? AND filename=?);', - undef, $event, $filename) + $dbh->do('DELETE FROM shadow_files WHERE expires_at <= now() OR (vhost=? AND event=? AND filename=?);', + undef, $r->get_server_name, $event, $filename) or dberror($r, "Couldn't prune shadow_files"); - $dbh->do('INSERT INTO shadow_files (event,filename,id,expires_at) VALUES (?,?,?,now() + interval \'30 seconds\');', - undef, $event, $orig_filename, $newid) + $dbh->do('INSERT INTO shadow_files (vhost,event,filename,id,expires_at) VALUES (?,?,?,?,now() + interval \'30 seconds\');', + undef, $r->get_server_name, $event, $orig_filename, $newid) or dberror($r, "Couldn't add shadow file"); $r->log->info("Added shadow entry for $event/$filename"); } @@ -522,7 +524,130 @@ EOF return Apache2::Const::OK; } + + # Used by the XP publishing wizard -- largely the same as the code above + # but vastly simplified. Should we refactor? + if ($r->method eq "POST") { + my $apr = Apache2::Request->new($r); + my $client_size = $apr->param('size'); + my $event = $apr->param('event'); + + my $file = $apr->upload('image'); + my $filename = $file->filename(); + if ($client_size != $file->size()) { + $r->content_type('text/plain; charset="utf-8"'); + $r->status(403); + $r->print("Client-size resizing detected; refusing automatically"); + $r->log->info("Client-size resized upload of $event/$filename detected"); + return Apache2::Const::OK; + } + + # Ugh, Windows XP seems to be sending this in... something that's not UTF-8, at least + my $takenby_given = Sesse::pr0n::Common::guess_charset($apr->param('takenby')); + + if (defined($takenby_given) && $takenby_given !~ /^\s*$/ && $takenby_given !~ /[<>&]/ && length($takenby_given) <= 100) { + $takenby = $takenby_given; + } + + my $ne_id = Sesse::pr0n::Common::guess_charset($apr->param('neweventid')); + my $ne_date = Sesse::pr0n::Common::guess_charset($apr->param('neweventdate')); + my $ne_desc = Sesse::pr0n::Common::guess_charset($apr->param('neweventdesc')); + if (defined($ne_id)) { + # Trying to add a new event, let's see if it already exists + my $q = $dbh->prepare('SELECT COUNT(*) AS cnt FROM events WHERE event=? AND vhost=?') + or dberror($r, "Couldn't prepare event count"); + $q->execute($ne_id, $r->get_server_name) + or dberror($r, "Couldn't execute event count"); + my $ref = $q->fetchrow_hashref; + + if ($ref->{'cnt'} == 0) { + my @errors = Sesse::pr0n::Common::add_new_event($dbh, $ne_id, $ne_date, $ne_desc, $r->get_server_name); + if (scalar @errors > 0) { + die "Couldn't add new event $ne_id: " . join(', ', @errors); + } + } + + $event = $ne_id; + } + + # Remove evil characters + if ($filename =~ /[^a-zA-Z0-9._-]/) { + $filename =~ tr/a-zA-Z0-9.-/_/c; + } + + # Get the new ID + my $ref = $dbh->selectrow_hashref("SELECT NEXTVAL('imageid_seq') AS id;"); + my $newid = $ref->{'id'}; + if (!defined($newid)) { + dberror($r, "Couldn't get new ID"); + } + + # Autorename if we need to + { + my $ref = $dbh->selectrow_hashref("SELECT COUNT(*) AS numfiles FROM images WHERE vhost=? AND event=? AND filename=?", + undef, $r->get_server_name, $event, $filename) + or dberror($r, "Couldn't check for existing files"); + if ($ref->{'numfiles'} > 0) { + $r->log->info("Renaming $filename to $newid.jpeg"); + $filename = "$newid.jpeg"; + } + } + + { + # Enable transactions and error raising temporarily + local $dbh->{AutoCommit} = 0; + local $dbh->{RaiseError} = 1; + my $fname; + + # Try to insert this new file + eval { + $dbh->do('INSERT INTO images (id,vhost,event,uploadedby,takenby,filename) VALUES (?,?,?,?,?,?)', + undef, $newid, $r->get_server_name, $event, $user, $takenby, $filename); + $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE vhost=? AND event=?', + undef, $r->get_server_name, $event); + + # Now save the file to disk + $fname = Sesse::pr0n::Common::get_disk_location($r, $newid); + open NEWFILE, ">$fname" + or die "$fname: $!"; + + my $buf; + $file->slurp($buf); + print NEWFILE $buf or die "write($fname): $!"; + close NEWFILE or die "close($fname): $!"; + + # Orient stuff correctly + system("/usr/bin/exifautotran", $fname) == 0 + or die "/usr/bin/exifautotran: $!"; + + # Make cache while we're at it. + Sesse::pr0n::Common::ensure_cached($r, $filename, $newid, -1, -1, 1, 80, 64, 320, 256, -1, -1); + + # OK, we got this far, commit + $dbh->commit; + + $r->log->notice("Successfully wrote $event/$filename to $fname"); + }; + if ($@) { + # Some error occurred, rollback and bomb out + $dbh->rollback; + error($r, "Transaction aborted because $@"); + unlink($fname); + + $r->content_type('text/plain; charset="utf-8"'); + $r->status(500); + $r->print("Error: $@"); + } + } + + $r->content_type('text/plain; charset="utf-8"'); + $r->status(201); + $r->print("OK"); + + return Apache2::Const::OK; + } + # Yes, we fake locks. :-) if ($r->method eq "LOCK") { if ($r->uri !~ m#^/webdav/upload/([a-zA-Z0-9-]+)/(autorename/)?([a-zA-Z0-9._-]+)$#) { @@ -577,11 +702,11 @@ EOF } my ($event, $autorename, $filename) = ($1, $2, $3); - $dbh->do('DELETE FROM images WHERE event=? AND filename=?;', - undef, $event, $filename) + $dbh->do('DELETE FROM images WHERE vhost=? AND event=? AND filename=?', + undef, $r->get_server_name, $event, $filename) or dberror($r, "Couldn't remove file"); - $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE id=?', - undef, $event) + $dbh->do('UPDATE events SET last_update=CURRENT_TIMESTAMP WHERE vhost=? AND event=?', + undef, $r->get_server_name, $event) or dberror($r, "Couldn't invalidate cache"); $r->status(200); $r->print("OK"); @@ -601,7 +726,7 @@ EOF $r->print("Sorry, you do not have access to that feature."); return Apache2::Const::OK; } - + $r->content_type('text/plain; charset=utf-8'); $r->log->error("unknown method " . $r->method); $r->status(500);