
Checking of remote file-types during import and other cleanup.

This commit is contained in:
Cameron
2021-12-17 11:31:37 -08:00
parent d8ce385929
commit 90108eab3c
6 changed files with 34 additions and 9 deletions


@@ -2486,7 +2486,11 @@ class media_admin_ui extends e_admin_ui
$fileName = empty($uploadCaption) ? str_replace(array('.php', '.html', '.asp', '.htm'),'',$fileName). '_' .time() : eHelper::dasherize(strtolower($uploadCaption)); $fileName = empty($uploadCaption) ? str_replace(array('.php', '.html', '.asp', '.htm'),'',$fileName). '_' .time() : eHelper::dasherize(strtolower($uploadCaption));
} }
if(!$fl->getRemoteFile($tp->filter($_POST['upload_url'], 'url'), $fileName, 'import')) if(!$fl->isAllowedType($_POST['upload_url']))
{
$mes->addError(defset('IMALAN_190', "Importing of this file-type is not allowed."));
}
elseif(!$fl->getRemoteFile($tp->filter($_POST['upload_url'], 'url'), $fileName, 'import'))
{ {
$mes->addError(IMALAN_176); $mes->addError(IMALAN_176);
} }
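Review bot: The new type check on the `if(!$fl->isAllowedType($_POST['upload_url']))` line inspects the raw POST value while the fetch on the following `elseif` uses `$tp->filter($_POST['upload_url'], 'url')`, so the string that is checked is not the string that is fetched. Filter once and pass the same value to both: `$url = $tp->filter($_POST['upload_url'], 'url');` then `if(!$fl->isAllowedType($url))` and `elseif(!$fl->getRemoteFile($url, $fileName, 'import'))`. The check itself is by URL extension only, so it is a policy on the remote file's name; whether the downloaded content is verified after import is not visible in this hunk. The enclosing method starts before and continues after the hunk.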


@@ -271,7 +271,7 @@ class comment
$text = "\n<div{$indent}>\n".e107::getMessage()->render('postcomment', true, false);//temporary here $text = "\n<div{$indent}>\n".e107::getMessage()->render('postcomment', true, false);//temporary here
// $text .= "Indent = ".$indent; // $text .= "Indent = ".$indent;
$text .= "<form id='{$formid}' method='post' action='".str_replace('http:', '', $_SERVER['REQUEST_URI'])."' >"; $text .= "<form id='{$formid}' method='post' action='".str_replace('http:', '', e_REQUEST_URI)."' >";
$data = array( $data = array(
'action' => $action, 'action' => $action,
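Review bot: The form `action` attribute on the `$text .= "<form id='{$formid}' ...` line is still built by concatenating `e_REQUEST_URI` into HTML with no attribute escaping; the commit only swaps the source of the value. Unless `e_REQUEST_URI` is already sanitized where it is defined (not visible here), escape it at the point of output: `htmlspecialchars(str_replace('http:', '', e_REQUEST_URI), ENT_QUOTES, 'UTF-8')`. The enclosing method starts before and continues after the hunk.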


@@ -2177,7 +2177,7 @@
/** /**
* New in v2.1.9 * New in v2.1.9
* Check filename or path against filetypes.xml * Check filename, path or URL against filetypes.xml
* *
* @param $file - real path to file. * @param $file - real path to file.
* @param string $targetFile * @param string $targetFile
@@ -2191,12 +2191,26 @@
$targetFile = $file; $targetFile = $file;
} }
$remote = false;
if(strpos($targetFile,'http') === 0) // remote file.
{
$tmp = parse_url($targetFile);
$targetFile = $tmp['path'];
$remote = true;
}
$ext = pathinfo($targetFile, PATHINFO_EXTENSION); $ext = pathinfo($targetFile, PATHINFO_EXTENSION);
$types = $this->getAllowedFileTypes(); $types = $this->getAllowedFileTypes();
if(isset($types[$ext])) if(isset($types[$ext]))
{ {
if($remote)
{
return true;
}
$maxSize = $types[$ext] * 1024; $maxSize = $types[$ext] * 1024;
$fileSize = filesize($file); $fileSize = filesize($file);
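Review bot: The remote-file detection `if(strpos($targetFile,'http') === 0)` treats any string beginning with `http` as a URL, including local names such as `httpd.conf`, and the following `$targetFile = $tmp['path'];` assumes `parse_url()` returned an array containing a `path` key — for a URL like `http://127.0.0.1` it does not, which produces an undefined-index notice and an empty extension instead of an explicit rejection. Match the scheme explicitly and fail closed when no path component is present; the rewritten branch is below. The `return true` for remote files also skips the size check because `filesize()` cannot be applied to a URL before download; a one-line comment, `// remote: extension check only, size is unknown before download`, would make that deliberate. The docblock edited in the first hunk could also state that for URLs only the path's extension is inspected, not the content the server returns. The function's signature and tail are outside the hunk.
```php
$remote = false;
if(preg_match('#^https?://#i', $targetFile)) // remote file: inspect the URL path's extension only.
{
	$tmp = parse_url($targetFile);
	if($tmp === false || empty($tmp['path']))
	{
		return false; // no usable path component: fail closed.
	}
	$targetFile = $tmp['path'];
	$remote = true;
}
// … unchanged: extension lookup via getAllowedFileTypes() …
if($remote)
{
	return true; // remote: extension check only, size is unknown before download.
}
```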


@@ -27,7 +27,7 @@ if(isset($_POST['reset']))
{ {
$sql->select("menus","*", "menu_location='".$mc."' ORDER BY menu_order"); $sql->select("menus","*", "menu_location='".$mc."' ORDER BY menu_order");
$count = 1; $count = 1;
$sql2 = new db; $sql2 = e107::getDb('sql2');
while(list($menu_id, $menu_name, $menu_location, $menu_order) = $sql->fetch()) while(list($menu_id, $menu_name, $menu_location, $menu_order) = $sql->fetch())
{ {
$sql2 ->update("menus", "menu_order='$count' WHERE menu_id='$menu_id' "); $sql2 ->update("menus", "menu_order='$count' WHERE menu_id='$menu_id' ");
@@ -48,7 +48,7 @@ $text = "The Menu-Manager allows you to place and arrange your menus within your
If you find the menus are not updating correctly, clicking the refresh button below may help. If you find the menus are not updating correctly, clicking the refresh button below may help.
[html] [html]
<form method='post' id='menurefresh' action='".$_SERVER['PHP_SELF']."'> <form method='post' id='menurefresh' action='".e_SELF."'>
<div> <div>
".$frm->admin_button('reset','Refresh','cancel')."</div> ".$frm->admin_button('reset','Refresh','cancel')."</div>
</form> </form>
@@ -58,4 +58,4 @@ If you find the menus are not updating correctly, clicking the refresh button be
"; ";
$text = $tp->toHTML($text, true); $text = $tp->toHTML($text, true);
$ns->tablerender("Menu Manager Help", $text); e107::getRender()->tablerender("Menu Manager Help", $text);
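Review bot: The `$sql2 ->update("menus", "menu_order='$count' WHERE menu_id='$menu_id' ")` line in the first hunk still interpolates `$menu_id` straight into SQL; the commit changes only how `$sql2` is obtained. `$menu_id` comes from the preceding `fetch()`, so the exposure is low, but casting makes the intent explicit and removes any dependence on the column's type: `"menu_order='".(int) $count."' WHERE menu_id='".(int) $menu_id."' "`. `$mc` in the `select()` two lines above is defined outside the hunk, so its origin cannot be checked here.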


@@ -215,3 +215,4 @@ define("IMALAN_186", "Enter some text to filter results");
define("IMALAN_187", "Convert to webp during import"); define("IMALAN_187", "Convert to webp during import");
define("IMALAN_188", "Convert to webp during render"); define("IMALAN_188", "Convert to webp during render");
define("IMALAN_189", "JPEG, PNG and GIF files will be automatically converted to webp format. (icons excluded)"); define("IMALAN_189", "JPEG, PNG and GIF files will be automatically converted to webp format. (icons excluded)");
define("IMALAN_190", "Importing of this file-type is not allowed.");


@@ -152,8 +152,14 @@ class e_fileTest extends \Codeception\Test\Unit
$isAllowedTest = array( $isAllowedTest = array(
array('path'=> 'somefile.bla', 'expected' => false), // suspicious array('path'=> 'somefile.bla', 'expected' => false), // suspicious
array('path'=> e_SYSTEM."filetypes.xml", 'expected' => true), // okay array('path'=> 'somefile.php', 'expected' => false), // suspicious
array('path'=> e_PLUGIN."gallery/images/butterfly.jpg", 'expected' => true), // okay array('path'=> 'somefile.exe', 'expected' => false), // suspicious
array('path'=> e_SYSTEM."filetypes.xml", 'expected' => true), // permitted
array('path'=> e_PLUGIN."gallery/images/butterfly.jpg", 'expected' => true), // permitted
array('path'=> 'http://127.0.0.1:8070/file.svg', 'expected'=>false), // not permitted
array('path'=> 'http://127.0.0.1:8070/butterfly.jpg', 'expected'=>true), // permitted
array('path'=> 'http://127.0.0.1/bla.php', 'expected'=>false), // suspicious
array('path'=> 'http://127.0.0.1/bla.php?butterfly.jpg', 'expected'=>false), // suspicious
); );
foreach($isAllowedTest as $file) foreach($isAllowedTest as $file)
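Review bot: The new remote cases cover only `http://` URLs that carry a path; none exercise `https://` or a URL with no path component, which is the case where `parse_url()` returns no `path` key in the implementation under test. Adding `array('path'=> 'https://127.0.0.1:8070/butterfly.jpg', 'expected'=>true),` and `array('path'=> 'http://127.0.0.1', 'expected'=>false),` would pin both. The trailing comments use `not permitted` and `suspicious` for the same expected value; one wording for rejected cases would read more clearly. The `foreach` loop continues outside the hunk.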