- Fix: Ensure PHP files are present in dist/extensions alongside JavaScript files using them

- Fix: Bug in obtaining `extPath` in ext-server_opensave.js - Enhancement: Add config `avoidClientSide` to avoid using client-side support by default (and always require server) - Build: Require Node 8.5
2019-04-18 21:13:48 +08:00
parent 1d56d75837
commit 13835a368c
18 changed files with 397 additions and 207 deletions
--- a/dist/extensions/allowedMimeTypes.php
+++ b/dist/extensions/allowedMimeTypes.php
@@ -0,0 +1,12 @@
+<?php
+
+$allowedMimeTypesBySuffix = array(
+  'svg' => 'image/svg+xml;charset=UTF-8',
+  'png' => 'image/png',
+  'jpeg' => 'image/jpeg',
+  'bmp' => 'image/bmp',
+  'webp' => 'image/webp',
+  'pdf' => 'application/pdf'
+);
+
+?>
--- a/dist/extensions/ext-server_opensave.js
+++ b/dist/extensions/ext-server_opensave.js
@@ -4868,7 +4868,8 @@ var svgEditorExtension_server_opensave = (function () {
      var _init = _asyncToGenerator(
      /*#__PURE__*/
      regeneratorRuntime.mark(function _callee5(_ref) {
-        var $, decode64, encode64, importLocale, strings, svgEditor, extPath, svgCanvas, getFileNameFromTitle, xhtmlEscape, clientDownloadSupport, saveSvgAction, saveImgAction, cancelled, openSvgAction, importSvgAction, importImgAction, openSvgForm, importSvgForm, importImgForm, rebuildInput;
+        var $, decode64, encode64, importLocale, strings, svgEditor, _svgEditor$curConfig, extPath, avoidClientSide, svgCanvas, getFileNameFromTitle, xhtmlEscape, clientDownloadSupport, saveSvgAction, saveImgAction, cancelled, openSvgAction, importSvgAction, importImgAction, openSvgForm, importSvgForm, importImgForm, rebuildInput;
+
        return regeneratorRuntime.wrap(function _callee5$(_context5) {
          while (1) {
            switch (_context5.prev = _context5.next) {
@@ -4974,6 +4975,10 @@ var svgEditorExtension_server_opensave = (function () {
                };

                clientDownloadSupport = function _ref6(filename, suffix, uri) {
+                  if (avoidClientSide) {
+                    return false;
+                  }
+
                  var support = $('<a>')[0].download === '';
                  var a;

@@ -5006,7 +5011,7 @@ var svgEditorExtension_server_opensave = (function () {
              case 7:
                strings = _context5.sent;
                svgEditor = this;
-                extPath = svgEditor.curConfig, svgCanvas = svgEditor.canvas;
+                _svgEditor$curConfig = svgEditor.curConfig, extPath = _svgEditor$curConfig.extPath, avoidClientSide = _svgEditor$curConfig.avoidClientSide, svgCanvas = svgEditor.canvas;
                /**
                 *
                 * @returns {string}
--- a/dist/extensions/fileopen.php
+++ b/dist/extensions/fileopen.php
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<?php
+/*
+ * fileopen.php
+ * To be used with ext-server_opensave.js for SVG-edit
+ *
+ * Licensed under the MIT License
+ *
+ * Copyright(c) 2010 Alexis Deveria
+ *
+ */
+  // Very minimal PHP file, all we do is Base64 encode the uploaded file and
+  // return it to the editor
+
+  if (!isset($_REQUEST['type'])) {
+    echo 'No type given';
+    exit;
+  }
+  $type = $_REQUEST['type'];
+  if (!in_array($type, array('load_svg', 'import_svg', 'import_img'))) {
+    echo 'Not a recognized type';
+    exit;
+  }
+
+  require('allowedMimeTypes.php');
+
+  $file = $_FILES['svg_file']['tmp_name'];
+
+  $output = file_get_contents($file);
+
+  $prefix = '';
+
+  // Make Data URL prefix for import image
+  if ($type == 'import_img') {
+    $info = getimagesize($file);
+    if (!in_array($info['mime'], $allowedMimeTypesBySuffix)) {
+      echo 'Disallowed MIME for supplied file';
+      exit;
+    }
+    $prefix = 'data:' . $info['mime'] . ';base64,';
+  }
+?>
+<html>
+  <head>
+  <meta charset="utf-8" />
+  <title>-</title>
+  <script>
+
+top.svgEditor.processFile("<?php
+
+// This should be safe since SVG edit does its own filtering (e.g., if an SVG file contains scripts)
+echo $prefix . base64_encode($output);
+
+?>", "<?php echo $type; ?>");
+  </script>
+</head>
+<body></body>
+</html>
--- a/dist/extensions/filesave.php
+++ b/dist/extensions/filesave.php
@@ -0,0 +1,60 @@
+<?php
+/*
+ * filesave.php
+ * To be used with ext-server_opensave.js for SVG-edit
+ *
+ * Licensed under the MIT License
+ *
+ * Copyright(c) 2010 Alexis Deveria
+ *
+ */
+
+function encodeRFC5987ValueChars ($str) {
+  // See https://tools.ietf.org/html/rfc5987#section-3.2.1
+  // For better readability within headers, add back the characters escaped by rawurlencode but still allowable
+  // Although RFC3986 reserves "!" (%21), RFC5987 does not
+  return preg_replace_callback('@%(2[1346B]|5E|60|7C)@', function ($matches) {
+    return chr('0x' . $matches[1]);
+  }, rawurlencode($str));
+}
+
+require('allowedMimeTypes.php');
+
+$mime = (!isset($_POST['mime']) || !in_array($_POST['mime'], $allowedMimeTypesBySuffix)) ? 'image/svg+xml;charset=UTF-8' : $_POST['mime'];
+
+if (!isset($_POST['output_svg']) && !isset($_POST['output_img'])) {
+  die('post fail');
+}
+
+$file = '';
+
+$suffix = '.' . array_search($mime, $allowedMimeTypesBySuffix);
+
+if (isset($_POST['filename']) && strlen($_POST['filename']) > 0) {
+  $file = $_POST['filename'] . $suffix;
+} else {
+  $file = 'image' . $suffix;
+}
+
+if ($suffix == '.svg') {
+  $contents = $_POST['output_svg'];
+} else {
+  $contents = $_POST['output_img'];
+  $pos = (strpos($contents, 'base64,') + 7);
+  $contents = base64_decode(substr($contents, $pos));
+}
+
+header('Cache-Control: public');
+header('Content-Description: File Transfer');
+
+// See https://tools.ietf.org/html/rfc6266#section-4.1
+header("Content-Disposition: attachment; filename*=UTF-8''" . encodeRFC5987ValueChars(
+  // preg_replace('@[\\\\/:*?"<>|]@', '', $file) // If we wanted to strip Windows-disallowed characters server-side (but not a security issue, so we can strip client-side instead)
+  $file
+));
+header('Content-Type: ' .  $mime);
+header('Content-Transfer-Encoding: binary');
+
+echo $contents;
+
+?>
--- a/dist/extensions/savefile.php
+++ b/dist/extensions/savefile.php
@@ -0,0 +1,16 @@
+<?php
+  // You must first create a file "savefile_config.php" in this extensions directory and do whatever
+  //   checking of user credentials, etc. that you wish; otherwise anyone will be able to post SVG
+  //   files to your server which may cause disk space or possibly security problems
+  require('savefile_config.php');
+  if (!isset($_POST['output_svg'])) {
+    print 'You must supply output_svg';
+    exit;
+  }
+  $svg = $_POST['output_svg'];
+  $filename = (isset($_POST['filename']) && !empty($_POST['filename']) ? preg_replace('@[\\\\/:*?"<>|]@u', '_', $_POST['filename']) : 'saved') . '.svg'; // These characters are indicated as prohibited by Windows
+
+  $fh = fopen($filename, 'w') or die("Can't open file");
+  fwrite($fh, $svg);
+  fclose($fh);
+?>