You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

137 lines
4.3KB

  1. <?php
  2. /**
  3. * Implements data: URI for base64 encoded images supported by GD.
  4. */
  5. class HTMLPurifier_URIScheme_data extends HTMLPurifier_URIScheme
  6. {
  7. /**
  8. * @type bool
  9. */
  10. public $browsable = true;
  11. /**
  12. * @type array
  13. */
  14. public $allowed_types = array(
  15. // you better write validation code for other types if you
  16. // decide to allow them
  17. 'image/jpeg' => true,
  18. 'image/gif' => true,
  19. 'image/png' => true,
  20. );
  21. // this is actually irrelevant since we only write out the path
  22. // component
  23. /**
  24. * @type bool
  25. */
  26. public $may_omit_host = true;
  27. /**
  28. * @param HTMLPurifier_URI $uri
  29. * @param HTMLPurifier_Config $config
  30. * @param HTMLPurifier_Context $context
  31. * @return bool
  32. */
  33. public function doValidate(&$uri, $config, $context)
  34. {
  35. $result = explode(',', $uri->path, 2);
  36. $is_base64 = false;
  37. $charset = null;
  38. $content_type = null;
  39. if (count($result) == 2) {
  40. list($metadata, $data) = $result;
  41. // do some legwork on the metadata
  42. $metas = explode(';', $metadata);
  43. while (!empty($metas)) {
  44. $cur = array_shift($metas);
  45. if ($cur == 'base64') {
  46. $is_base64 = true;
  47. break;
  48. }
  49. if (substr($cur, 0, 8) == 'charset=') {
  50. // doesn't match if there are arbitrary spaces, but
  51. // whatever dude
  52. if ($charset !== null) {
  53. continue;
  54. } // garbage
  55. $charset = substr($cur, 8); // not used
  56. } else {
  57. if ($content_type !== null) {
  58. continue;
  59. } // garbage
  60. $content_type = $cur;
  61. }
  62. }
  63. } else {
  64. $data = $result[0];
  65. }
  66. if ($content_type !== null && empty($this->allowed_types[$content_type])) {
  67. return false;
  68. }
  69. if ($charset !== null) {
  70. // error; we don't allow plaintext stuff
  71. $charset = null;
  72. }
  73. $data = rawurldecode($data);
  74. if ($is_base64) {
  75. $raw_data = base64_decode($data);
  76. } else {
  77. $raw_data = $data;
  78. }
  79. if ( strlen($raw_data) < 12 ) {
  80. // error; exif_imagetype throws exception with small files,
  81. // and this likely indicates a corrupt URI/failed parse anyway
  82. return false;
  83. }
  84. // XXX probably want to refactor this into a general mechanism
  85. // for filtering arbitrary content types
  86. if (function_exists('sys_get_temp_dir')) {
  87. $file = tempnam(sys_get_temp_dir(), "");
  88. } else {
  89. $file = tempnam("/tmp", "");
  90. }
  91. file_put_contents($file, $raw_data);
  92. if (function_exists('exif_imagetype')) {
  93. $image_code = exif_imagetype($file);
  94. unlink($file);
  95. } elseif (function_exists('getimagesize')) {
  96. set_error_handler(array($this, 'muteErrorHandler'));
  97. $info = getimagesize($file);
  98. restore_error_handler();
  99. unlink($file);
  100. if ($info == false) {
  101. return false;
  102. }
  103. $image_code = $info[2];
  104. } else {
  105. trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
  106. }
  107. $real_content_type = image_type_to_mime_type($image_code);
  108. if ($real_content_type != $content_type) {
  109. // we're nice guys; if the content type is something else we
  110. // support, change it over
  111. if (empty($this->allowed_types[$real_content_type])) {
  112. return false;
  113. }
  114. $content_type = $real_content_type;
  115. }
  116. // ok, it's kosher, rewrite what we need
  117. $uri->userinfo = null;
  118. $uri->host = null;
  119. $uri->port = null;
  120. $uri->fragment = null;
  121. $uri->query = null;
  122. $uri->path = "$content_type;base64," . base64_encode($raw_data);
  123. return true;
  124. }
  125. /**
  126. * @param int $errno
  127. * @param string $errstr
  128. */
  129. public function muteErrorHandler($errno, $errstr)
  130. {
  131. }
  132. }