From a2de3c3ecb3537af14679e7970147aa1fd325730 Mon Sep 17 00:00:00 2001
From: Alex Cabal
Date: Thu, 11 Jan 2024 13:08:02 -0600
Subject: [PATCH] Some type safety checks and rearrange file upload and mime type check code
---
 lib/Artwork.php | 9 ++++-----
 lib/Museum.php | 6 ++++++
 www/artworks/post.php | 8 ++++++--
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/lib/Artwork.php b/lib/Artwork.php
index 49fc915c..8b5ecee6 100644
--- a/lib/Artwork.php
+++ b/lib/Artwork.php
@@ -32,7 +32,7 @@ class Artwork extends PropertiesBase{
 public ?int $ArtworkId = null;
 public ?int $ArtistId = null;
 public ?int $CompletedYear = null;
- public ?bool $CompletedYearIsCirca = null;
+ public bool $CompletedYearIsCirca = false;
 public ?DateTime $Created = null;
 public ?DateTime $Updated = null;
 public ?string $Status = null;
@@ -439,10 +439,6 @@ class Artwork extends PropertiesBase{
 $error->Add(new Exceptions\InvalidImageUploadException($message));
 }
- if(!is_uploaded_file($uploadedFile['tmp_name'])){
- $error->Add(new Exceptions\InvalidImageUploadException());
- }
-
 // Check for minimum dimensions
 list($imageWidth, $imageHeight) = getimagesize($uploadedFile['tmp_name']);
 if(!$imageWidth || !$imageHeight || $imageWidth < COVER_ARTWORK_IMAGE_MINIMUM_WIDTH || $imageHeight < COVER_ARTWORK_IMAGE_MINIMUM_HEIGHT){
@@ -553,7 +549,10 @@ class Artwork extends PropertiesBase{
 * @throws \Exceptions\InvalidImageUploadException
 */
 public function Create(array $uploadedFile): void{
+ $this->MimeType = ImageMimeType::FromFile($uploadedFile['tmp_name'] ?? null);
+
 $this->Validate($uploadedFile);
+
 $this->Created = new DateTime();
 // Can't assign directly to $this->Tags because it's hidden behind a getter
diff --git a/lib/Museum.php b/lib/Museum.php
index 6c56f46a..a93de547 100644
--- a/lib/Museum.php
+++ b/lib/Museum.php
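Review bot: The new first line of `Create()` reads the file (`ImageMimeType::FromFile($uploadedFile['tmp_name'] ?? null)`) before `Validate()` runs, and this same commit deletes the `is_uploaded_file()` guard from `Validate()`, so nothing in the library any longer confirms that `tmp_name` is a genuine PHP upload before it is opened; the only remaining check lives in the `post.php` caller. Any other caller that hands `Create()` an array with a `tmp_name` it built itself would now have an arbitrary local path sniffed with no upload check. I would keep a guard in `Create()` ahead of the mime sniff: `if(!is_uploaded_file($uploadedFile['tmp_name'] ?? '')){ throw new Exceptions\InvalidImageUploadException(); }`, which also covers the missing-`tmp_name` case instead of passing `null` into `FromFile()`, whose handling of `null` is not visible here. The method's docblock should also state that `$uploadedFile` is one entry of `$_FILES`. `Create()`'s body continues past the end of this hunk.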
@@ -1,4 +1,6 @@ Name = HttpInput::Str(POST, 'artwork-name', false);
 $artwork->CompletedYear = HttpInput::Int(POST, 'artwork-year');
- $artwork->CompletedYearIsCirca = HttpInput::Bool(POST, 'artwork-year-is-circa', false);
+ $artwork->CompletedYearIsCirca = HttpInput::Bool(POST, 'artwork-year-is-circa', false) ?? false;
 $artwork->Tags = HttpInput::Str(POST, 'artwork-tags', false) ?? [];
 $artwork->Status = HttpInput::Str(POST, 'artwork-status', false, COVER_ARTWORK_STATUS_UNVERIFIED);
 $artwork->EbookWwwFilesystemPath = HttpInput::Str(POST, 'artwork-ebook-www-filesystem-path', false);
@@ -40,7 +40,6 @@ try{
 $artwork->CopyrightPageUrl = HttpInput::Str(POST, 'artwork-copyright-page-url', false);
 $artwork->ArtworkPageUrl = HttpInput::Str(POST, 'artwork-artwork-page-url', false);
 $artwork->MuseumUrl = HttpInput::Str(POST, 'artwork-museum-url', false);
- $artwork->MimeType = ImageMimeType::FromFile($_FILES['artwork-image']['tmp_name'] ?? null);
 $artwork->Exception = HttpInput::Str(POST, 'artwork-exception', false);
 $artwork->Notes = HttpInput::Str(POST, 'artwork-notes', false);
@@ -54,6 +53,11 @@ try{
 $artwork->ReviewerUserId = $GLOBALS['User']->UserId;
 }
+ // Confirm that the files came from POST
+ if(!is_uploaded_file($_FILES['artwork-image'])){
+ throw new Exceptions\InvalidImageUploadException();
+ }
+
 $artwork->Create($_FILES['artwork-image'] ?? []);
 $_SESSION['artwork'] = $artwork;
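Review bot: The added guard `if(!is_uploaded_file($_FILES['artwork-image'])){` passes the whole `$_FILES` entry, an array, where `is_uploaded_file()` takes a path string; on PHP 8 an array argument to that internal function throws a `TypeError` rather than returning `false`, so every submission with a file would fail before the check even runs, and a submission with no file dereferences an undefined index and passes `null`. The check this replaces in `Artwork::Validate()` used `$uploadedFile['tmp_name']`, which is the value that should be tested here too: `if(!is_uploaded_file($_FILES['artwork-image']['tmp_name'] ?? '')){`. With that guard in place the `?? []` fallback on the following `Create()` call is unreachable, which is harmless but worth noting in a comment. This hunk sits inside a `try` block whose start and the `catch` it pairs with are outside the hunk, so whether a `TypeError` here is caught cannot be confirmed from what is shown.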