mirror of
https://github.com/e107inc/e107.git
synced 2025-07-23 16:01:39 +02:00
Add some more checks to uploads
This commit is contained in:
e107steved
@@ -12,8 +12,8 @@
|
|||||||
| GNU General Public License (http://gnu.org).
|
| GNU General Public License (http://gnu.org).
|
||||||
|
|
|
|
||||||
| $Source: /cvs_backup/e107_0.8/e107_handlers/upload_handler.php,v $
|
| $Source: /cvs_backup/e107_0.8/e107_handlers/upload_handler.php,v $
|
||||||
| $Revision: 1.2 $
|
| $Revision: 1.3 $
|
||||||
| $Date: 2007-05-28 15:17:07 $
|
| $Date: 2007-06-26 20:27:02 $
|
||||||
| $Author: e107steved $
|
| $Author: e107steved $
|
||||||
+---------------------------------------------------------------+
|
+---------------------------------------------------------------+
|
||||||
*/
|
*/
|
||||||
@@ -30,13 +30,7 @@ function file_upload($uploaddir, $avatar = FALSE, $fileinfo = "", $overwrite = "
|
|||||||
if (!$uploaddir) {$uploaddir = e_FILE."public/";}
|
if (!$uploaddir) {$uploaddir = e_FILE."public/";}
|
||||||
if($uploaddir == e_THEME) {$pref['upload_storagetype'] = 1;}
|
if($uploaddir == e_THEME) {$pref['upload_storagetype'] = 1;}
|
||||||
|
|
||||||
if (is_readable(e_ADMIN.'filetypes.php')) {
|
$allowed_filetypes = get_allowed_filetypes();
|
||||||
$a_filetypes = trim(file_get_contents(e_ADMIN.'filetypes.php'));
|
|
||||||
$a_filetypes = explode(',', $a_filetypes);
|
|
||||||
foreach ($a_filetypes as $ftype) {
|
|
||||||
$allowed_filetypes[] = '.'.trim(str_replace('.', '', $ftype));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($pref['upload_storagetype'] == "2" && $avatar == FALSE)
|
if ($pref['upload_storagetype'] == "2" && $avatar == FALSE)
|
||||||
{
|
{
|
||||||
@@ -45,19 +39,14 @@ function file_upload($uploaddir, $avatar = FALSE, $fileinfo = "", $overwrite = "
|
|||||||
{
|
{
|
||||||
if ($file_userfile['tmp_name'][$c])
|
if ($file_userfile['tmp_name'][$c])
|
||||||
{
|
{
|
||||||
$fileext1 = substr(strrchr($file_userfile['name'][$c], "."), 1);
|
if (($file_status = vet_file($file_userfile['tmp_name'][$c], $file_userfile['name'][$c], $allowed_filetypes)) !== TRUE)
|
||||||
$fileext2 = substr(strrchr($file_userfile['name'][$c], "."), 0); // in case user has left off the . in allowed_filetypes
|
|
||||||
if (!in_array($fileext1, $allowed_filetypes) && !in_array(strtolower($fileext1), $allowed_filetypes) && !in_array(strtolower($file_userfile['type'][$c]), $allowed_filetypes))
|
|
||||||
{
|
|
||||||
if (!in_array($fileext2, $allowed_filetypes) && !in_array(strtolower($fileext2), $allowed_filetypes) && !in_array(strtolower($file_userfile['type'][$c]), $allowed_filetypes))
|
|
||||||
{
|
{
|
||||||
require_once(e_HANDLER."message_handler.php");
|
require_once(e_HANDLER."message_handler.php");
|
||||||
message_handler("MESSAGE", "".LANUPLOAD_1." '".$file_userfile['type'][$c]."' ".LANUPLOAD_2."");
|
message_handler("MESSAGE", "".LANUPLOAD_1." '".$file_userfile['type'][$c]."' ".LANUPLOAD_2." ({$file_status})");
|
||||||
return FALSE;
|
return FALSE;
|
||||||
require_once(FOOTERF);
|
require_once(FOOTERF);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
set_magic_quotes_runtime(0);
|
set_magic_quotes_runtime(0);
|
||||||
$data = mysql_escape_string(fread(fopen($file_userfile['tmp_name'][$c], "rb"), filesize($file_userfile['tmp_name'][$c])));
|
$data = mysql_escape_string(fread(fopen($file_userfile['tmp_name'][$c], "rb"), filesize($file_userfile['tmp_name'][$c])));
|
||||||
set_magic_quotes_runtime(get_magic_quotes_gpc());
|
set_magic_quotes_runtime(get_magic_quotes_gpc());
|
||||||
@@ -115,20 +104,15 @@ function file_upload($uploaddir, $avatar = FALSE, $fileinfo = "", $overwrite = "
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
$uploadfile = $files['tmp_name'][$key];
|
$uploadfile = $files['tmp_name'][$key];
|
||||||
$fileext1 = substr(strrchr($files['name'][$key], "."), 1);
|
if (($file_status = vet_file($uploadfile, $name, $allowed_filetypes)) !== TRUE)
|
||||||
$fileext2 = substr(strrchr($files['name'][$key], "."), 0);
|
|
||||||
if (!in_array($fileext1, $allowed_filetypes) && !in_array(strtolower($fileext1), $allowed_filetypes) && !in_array(strtolower($files['type'][$c]), $allowed_filetypes))
|
|
||||||
{
|
|
||||||
if (!in_array($fileext2, $allowed_filetypes) && !in_array(strtolower($fileext2), $allowed_filetypes) && !in_array(strtolower($files['type'][$c]), $allowed_filetypes))
|
|
||||||
{
|
{
|
||||||
require_once(e_HANDLER."message_handler.php");
|
require_once(e_HANDLER."message_handler.php");
|
||||||
message_handler("MESSAGE", LANUPLOAD_1." ".$files['type'][$key]." ".LANUPLOAD_2.".", __LINE__, __FILE__);
|
message_handler("MESSAGE", LANUPLOAD_1." ".$files['type'][$key]." ".LANUPLOAD_2.". ({$file_status})", __LINE__, __FILE__);
|
||||||
$f_message .= LANUPLOAD_1." ".$files['type'][$key]." ".LANUPLOAD_2."." . __LINE__ . __FILE__;
|
$f_message .= LANUPLOAD_1." ".$files['type'][$key]." ".LANUPLOAD_2."." . __LINE__ . __FILE__;
|
||||||
return FALSE;
|
return FALSE;
|
||||||
require_once(FOOTERF);
|
require_once(FOOTERF);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
$uploaded[$c]['name'] = $name;
|
$uploaded[$c]['name'] = $name;
|
||||||
$uploaded[$c]['rawname'] = $raw_name;
|
$uploaded[$c]['rawname'] = $raw_name;
|
||||||
@@ -201,4 +185,87 @@ function file_upload($uploaddir, $avatar = FALSE, $fileinfo = "", $overwrite = "
|
|||||||
|
|
||||||
return $uploaded;
|
return $uploaded;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// Check uploaded file to try and identify dodgy content.
|
||||||
|
// Return TRUE if appears OK.
|
||||||
|
// Return a numeric reason code 1..9 if unacceptable
|
||||||
|
|
||||||
|
// $filename is the full path+name to the uploaded file on the server
|
||||||
|
// $target_name is the intended name of the file once transferred
|
||||||
|
// $allowed_filetypes is an array of permitted file extensions, in lower case, no leading '.'
|
||||||
|
// (usually generated from filetypes.php)
|
||||||
|
// if $unknown is FALSE, rejects totally unknown file extensions (even if in $allowed_filetypes).
|
||||||
|
// if $unknown is TRUE, accepts totally unknown file extensions.
|
||||||
|
// otherwise $unknown is a comma-separated list of additional permitted file extensions
|
||||||
|
function vet_file($filename, $target_name, $allowed_filetypes = '', $unknown = FALSE)
|
||||||
|
{
|
||||||
|
// 1. Start by checking against filetypes - that's the easy one!
|
||||||
|
$file_ext = strtolower(substr(strrchr($target_name, "."), 1));
|
||||||
|
if (!in_array($file_ext, $allowed_filetypes)) return 1;
|
||||||
|
|
||||||
|
|
||||||
|
// 2. For all files, read the first little bit to check for any flags etc
|
||||||
|
$res = fopen($filename, 'rb');
|
||||||
|
$tstr = fread($res,100);
|
||||||
|
fclose($res);
|
||||||
|
if ($tstr === FALSE) return 2; // If can't read file, not much use carrying on!
|
||||||
|
if (stristr($tstr,'<?php') !== FALSE) return 3; // Pretty certain exploit
|
||||||
|
if (stristr($tstr,'<?') !== FALSE) return 7; // Possible exploit - maybe allowable?
|
||||||
|
|
||||||
|
|
||||||
|
// 3. Now do what we can based on file extension
|
||||||
|
switch ($file_ext)
|
||||||
|
{
|
||||||
|
case 'jpg' :
|
||||||
|
case 'gif' :
|
||||||
|
case 'png' :
|
||||||
|
case 'jpeg' :
|
||||||
|
case 'pjpeg' :
|
||||||
|
case 'bmp' :
|
||||||
|
$ret = getimagesize($filename);
|
||||||
|
if (!is_array($ret)) return 4; // getimagesize didn't like something
|
||||||
|
if (($ret[0] == 0) || ($ret[1] == 0)) return 5; // Zero size picture or bad file format
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'zip' :
|
||||||
|
case 'gzip' :
|
||||||
|
case 'gz' :
|
||||||
|
case 'tar' :
|
||||||
|
case 'bzip' :
|
||||||
|
case 'pdf' :
|
||||||
|
break; // Just accept these
|
||||||
|
|
||||||
|
case 'php' :
|
||||||
|
case 'htm' :
|
||||||
|
case 'html' :
|
||||||
|
return 9; // Never accept these! Whatever the user thinks!
|
||||||
|
|
||||||
|
default :
|
||||||
|
if (is_boolean($unknown)) return ($unknown ? TRUE : 8);
|
||||||
|
$tmp = explode(',', $unknown);
|
||||||
|
for ($i = 0; $i < count($tmp); $i++) { $tmp[$i] = strtolower(trim(str_replace('.', '', $tmp[$i]))); }
|
||||||
|
if (!in_array($file_ext, $tmp)) return 6;
|
||||||
|
}
|
||||||
|
return TRUE; // Accepted here
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function get_allowed_filetypes($def_file = 'filetypes.php')
|
||||||
|
{
|
||||||
|
$ret = array();
|
||||||
|
|
||||||
|
if (is_readable(e_ADMIN.$def_file))
|
||||||
|
{
|
||||||
|
$a_filetypes = trim(file_get_contents(e_ADMIN.$def_file));
|
||||||
|
$a_filetypes = explode(',', $a_filetypes);
|
||||||
|
foreach ($a_filetypes as $ftype)
|
||||||
|
{
|
||||||
|
$ret[] = strtolower(trim(str_replace('.', '', $ftype)));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $ret;
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
Reference in New Issue
Block a user