From ad878474cef6792626e90a0b83f25a392b04fb15 Mon Sep 17 00:00:00 2001
From: Celestora
Date: Fri, 15 Oct 2021 12:34:59 +0300
Subject: [PATCH] Videos: Implement checks to prevent uploads of non-video files or mediacontainers without vstreams

Resolves #234
Sorry, Beatrice
---
 Web/Models/Entities/Video.php | 22 +++++++++++++++++++---
 Web/Presenters/VideosPresenter.php | 2 ++
 Web/Presenters/WallPresenter.php | 2 ++
 Web/Util/Shell/Shell.php | 15 ++++++++++-----
 4 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/Web/Models/Entities/Video.php b/Web/Models/Entities/Video.php
index 7b35153f..492dafed 100644
--- a/Web/Models/Entities/Video.php
+++ b/Web/Models/Entities/Video.php
@@ -1,8 +1,7 @@ execute($error);
+ if($error !== 0)
+ throw new \DomainException("$filename is not a valid video file");
+ else if(empty($streams) || ctype_space($streams))
+ throw new \DomainException("$filename does not contain any video streams");
+
+ $durations = [];
+ preg_match('%duration=([0-9\.]++)%', $streams, $durations);
+ if(sizeof($durations[1]) === 0)
+ throw new \DomainException("$filename does not contain any meaningful video streams");
+
+ foreach($durations[1] as $duration)
+ if(floatval($duration) < 1.0)
+ throw new \DomainException("$filename does not contain any meaningful video streams");
 try {
 if(!is_dir($dirId = $this->pathFromHash($hash)))
diff --git a/Web/Presenters/VideosPresenter.php b/Web/Presenters/VideosPresenter.php
index d2974413..47d529ac 100644
--- a/Web/Presenters/VideosPresenter.php
+++ b/Web/Presenters/VideosPresenter.php
@@ -68,6 +68,8 @@ final class VideosPresenter extends OpenVKPresenter
 $video->setLink($this->postParam("link"));
 else
 $this->flashFail("err", "Нету видеозаписи", "Выберите файл или укажите ссылку.");
+ } catch(\DomainException $ex) {
+ $this->flashFail("err", "Произошла ошибка", "Файл повреждён или не содержит видео." );
 } catch(ISE $ex) {
 $this->flashFail("err", "Произошла ошибка", "Возможно, ссылка некорректна.");
 }
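Review bot: The duration check in the Video.php hunk cannot work as written, because `preg_match` stores the first capture in `$durations[1]` as a string (or leaves it unset when nothing matches), so `sizeof($durations[1])` is called on a non-array (a TypeError on PHP 8, a warning on PHP 7) and the `foreach` never walks a list of durations. Use `preg_match_all('%duration=([0-9\.]++)%', $streams, $durations);` and test `count($durations[1]) === 0`, so that every reported stream duration is actually compared against `1.0`. A TypeError is not a `\DomainException`, so the new `catch(\DomainException $ex)` branches in the presenters would not turn it into the flash message. The start of this hunk is missing from the page, so the ffprobe invocation that produces `$streams` and `$error` is not reviewed here.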
diff --git a/Web/Presenters/WallPresenter.php b/Web/Presenters/WallPresenter.php
index 05a844b4..600cfb83 100644
--- a/Web/Presenters/WallPresenter.php
+++ b/Web/Presenters/WallPresenter.php
@@ -200,6 +200,8 @@ final class WallPresenter extends OpenVKPresenter
 if($_FILES["_vid_attachment"]["error"] === UPLOAD_ERR_OK) {
 $video = Video::fastMake($this->user->id, $this->postParam("text"), $_FILES["_vid_attachment"]);
 }
+ } catch(\DomainException $ex) {
+ $this->flashFail("err", "Не удалось опубликовать пост", "Файл медиаконтента повреждён.");
 } catch(ISE $ex) {
 $this->flashFail("err", "Не удалось опубликовать пост", "Файл медиаконтента повреждён или слишком велик.");
 }
diff --git a/Web/Util/Shell/Shell.php b/Web/Util/Shell/Shell.php
index 85efa6ff..2bf1e214 100644
--- a/Web/Util/Shell/Shell.php
+++ b/Web/Util/Shell/Shell.php
@@ -16,14 +16,16 @@ class Shell
 static function commandAvailable(string $name): bool
 {
- if(!Shell::shellAvailable()) throw new Exceptions\ShellUnavailableException;
+ if(!Shell::shellAvailable())
+ throw new Exceptions\ShellUnavailableException;
 return !is_null(`command -v $name`);
 }
 static function __callStatic(string $name, array $arguments): object
 {
- if(!Shell::commandAvailable($name)) throw new Exceptions\UnknownCommandException($name);
+ if(!Shell::commandAvailable($name))
+ throw new Exceptions\UnknownCommandException($name);
 $command = implode(" ", array_merge([$name], $arguments));
@@ -36,14 +38,17 @@ class Shell
 $this->command = $cmd;
 }
- function execute(): string
+ function execute(?int &$result = nullptr): string
 {
- return shell_exec($this->command);
+ $stdout = [];
+ exec($this->command, $stdout, $result);
+
+ return implode(PHP_EOL, $stdout);
 }
 function start(): string
 {
- shell_exec("nohup " . $this->command . " > /dev/null 2>/dev/null &");
+ system("nohup " . $this->command . " > /dev/null 2>/dev/null &");
 return $this->command;
 }
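Review bot: The new default in `function execute(?int &$result = nullptr): string` is not PHP's null: `nullptr` is read as a constant name, so calling `execute()` with no argument fails on PHP 8 with an undefined-constant Error (on PHP 7 it only warns and falls back to the string `'nullptr'`). It should read `function execute(?int &$result = null): string`. Separately, `$this->command` is the space-joined string built in `__callStatic` with no quoting, and this commit puts it on the upload-validation path, so file-path arguments should be wrapped in `escapeshellarg()` at the call site. The ffprobe call is not visible on this page, so that needs confirming there. The class body continues outside the hunk.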