Project

General

Profile

« Previous | Next » 

Revision 1476

Added by Dietmar over 13 years ago

! optimize blacklist handling, add more separator ",#|;"
set of a wildcard ".*?" e.g. ph.*? proof ext like php, php3, php4 etc.
  1. fix sctrict warnings in media if default theme ist not Argos Theme
    + add new settings value in install, upgrade-script and core module

View differences:

upload.php
2 2 
/**
3 3 
 *
4 4 
 * @category        admin
5 
 * @package         admintools
5 
 * @package         media
6 6 
 * @author          WebsiteBaker Project
7 7 
 * @copyright       2004-2009, Ryan Djurovich
8 8 
 * @copyright       2009-2011, Website Baker Org. e.V.
......
41 41 
// Include the WB functions file
42 42 
require_once(WB_PATH.'/framework/functions.php');
43 43 

  		




  
  44
  
    
$directory = ($target == '/') ?  '' : $target;


  		




  
  45
  
    
$dirlink = 'index.php?dir='.$directory;


  		




  
  46
  
    
$rootlink = 'index.php?dir=';


  		




  
  47
  
    

  		




  44
  48
  
    
// Check to see if target contains ../


  		




  45
  49
  
    
if (!check_media_path($target, false))


  		




  46
  50
  
    
{


  		




  ......




  64
  68
  
    

  		




  65
  69
  
    
$file_extensions=explode(",",$file_extension_string);


  		




  66
  70
  
    
// get from settings and add to forbidden list


  		




  67
  
  
    
$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);


  		




  68
  
  
    
// hardcodet forbidden filetypes


  		




  69
  
  
    
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;


  		




  
  71
  
    
$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);


  		




  70
  72
  
    
// Loop through the files


  		




  71
  73
  
    
$good_uploads = 0;


  		




  72
  74
  
    
$sum_dirs = 0;


  		




  73
  75
  
    
$sum_files = 0;


  		




  74
  76
  
    

  		




  75
  
  
    
for($count = 1; $count <= 10; $count++) {


  		




  
  77
  
    
for($count = 1; $count <= 10; $count++)


  		




  
  78
  
    
{


  		




  76
  79
  
    
	// If file was upload to tmp


  		




  77
  
  
    
	if(isset($_FILES["file$count"]['name'])) {


  		




  
  80
  
    
	if(isset($_FILES["file$count"]['name']))


  		




  
  81
  
    
	{


  		




  78
  82
  
    
		// Remove bad characters


  		




  79
  83
  
    
		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;


  		




  80
  84
  
    
		// Check if there is still a filename left


  		




  ......




  82
  86
  
    
		$info = pathinfo($filename);


  		




  83
  87
  
    
		$ext = isset($info['extension']) ? $info['extension'] : '';


  		




  84
  88
  
    

  		




  85
  
  
    
		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) {


  		




  
  89
  
    
		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) )


  		




  
  90
  
    
		{


  		




  86
  91
  
    
			// Move to relative path (in media folder)


  		




  87
  92
  
    
			if(file_exists($relative.$filename) AND $overwrite == true) {


  		




  88
  93
  
    
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {


  		




  ......




  120
  125
  
    
 */


  		




  121
  126
  
    
function pclzipCheckValidFile($p_event, &$p_header)


  		




  122
  127
  
    
{


  		




  123
  
  
    
                         //  return 1;


  		




  124
  
  
    
	$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);


  		




  125
  
  
    
	// hardcodet forbidden filetypes


  		




  126
  
  
    
	$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;


  		




  
  128
  
    
    //  return 1;


  		




  
  129
  
    
// Check for potentially malicious files


  		




  
  130
  
    
	$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);


  		




  127
  131
  
    
	$info = pathinfo($p_header['filename']);


  		




  128
  132
  
    
	$ext = isset($info['extension']) ? $info['extension'] : '';


  		




  129
  133
  
    
	$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');


  		




  ......




  139
  143
  
    

  		




  140
  144
  
    
// If the user chose to unzip the first file, unzip into the current folder


  		




  141
  145
  
    
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {


  		




  
  146
  
    
	// Required to unzip file.


  		




  
  147
  
    
	require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');


  		




  142
  148
  
    
	$archive = new PclZip($filename1);


  		




  143
  
  
    

  		




  144
  149
  
    
	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');


  		




  145
  150
  
    

  		




  146
  151
  
    
	if($list == 0) {


  		




  ......




  161
  166
  
    
unset($list);


  		




  162
  167
  
    
if($sum_files == 1) {


  		




  163
  168
  
    
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );


  		




  
  169
  
    
} elseif($sum_files > 1) {


  		




  
  170
  
    
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );


  		




  164
  171
  
    
} else {


  		




  165
  
  
    
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );


  		




  
  172
  
    
	$admin->print_error($MESSAGE['MEDIA_NO_FILE_UPLOADED'] );


  		




  166
  173
  
    
}


  		




  167
  174
  
    

  		




  168
  175
  
    
// Print admin


  		












Also available in:  Unified diff