mirror of https://github.com/phpbb/phpbb.git synced 2025-08-01 14:30:32 +02:00

The chmod change that I already had within the changelog (by mistake). This should further secure writable directories and created files.

Installation needs to be tested on different hosts.

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8763 89ea8834-ac86-4346-8a33-228a782c2dd0
Meik Sievertsen
2008-08-16 19:06:18 +00:00
parent da65cd1397
commit 068096531f
10 changed files with 165 additions and 55 deletions


@@ -121,9 +121,9 @@ class filespec
case 'avatar':
$this->extension = strtolower($this->extension);
$this->realname = $prefix . $user_id . '.' . $this->extension;
break;
case 'unique_ext':
default:
$this->realname = $prefix . md5(unique_id()) . '.' . $this->extension;
@@ -228,8 +228,8 @@ class filespec
{
return @filesize($filename);
}
/**
* Check the first 256 bytes for forbidden content
*/
@@ -239,7 +239,7 @@ class filespec
{
return true;
}
$fp = @fopen($this->filename, 'rb');
if ($fp !== false)
@@ -263,10 +263,11 @@ class filespec
*
* @param string $destination_path Destination path, for example $config['avatar_path']
* @param bool $overwrite If set to true, an already existing file will be overwritten
* @param octal $chmod Permission mask for chmodding the file after a successful move
* @param string $chmod Permission mask for chmodding the file after a successful move. The mode entered here reflects the mode of phpbb_chmod()
* @access public
* @see phpbb_chmod()
*/
function move_file($destination, $overwrite = false, $skip_image_check = false, $chmod = 0666)
function move_file($destination, $overwrite = false, $skip_image_check = false, $chmod = 'rwrite')
{
global $user, $phpbb_root_path;
@@ -345,7 +346,15 @@ class filespec
break;
}
@chmod($this->destination_file, $chmod);
// Backward compatibility - in versions prior to 3.0.3 $chmod was an octal
if (!is_string($chmod))
{
@chmod($this->destination_file, $chmod);
}
else
{
phpbb_chmod($this->destination_file, $chmod);
}
}
// Try to get real filesize from destination folder
@@ -416,7 +425,7 @@ class filespec
{
$size_lang = ($this->upload->max_filesize >= 1048576) ? $user->lang['MIB'] : (($this->upload->max_filesize >= 1024) ? $user->lang['KIB'] : $user->lang['BYTES'] );
$max_filesize = get_formatted_filesize($this->upload->max_filesize, false);
$this->error[] = sprintf($user->lang[$this->upload->error_prefix . 'WRONG_FILESIZE'], $max_filesize, $size_lang);
return false;
@@ -528,7 +537,7 @@ class fileupload
$this->max_filesize = (int) $max_filesize;
}
}
/**
* Set disallowed strings
*/
@@ -872,7 +881,7 @@ class fileupload
{
$file->error[] = sprintf($user->lang[$this->error_prefix . 'DISALLOWED_EXTENSION'], $file->get('extension'));
}
// MIME Sniffing
if (!$this->valid_content($file))
{
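Review bot: In move_file()'s chmod step, the backward-compatibility branch `if (!is_string($chmod))` still hands a caller-supplied integer straight to `@chmod()`, so any existing caller that keeps passing the old 0666 default continues to produce world-writable uploaded files and never reaches phpbb_chmod(). The docblock now declares `@param string $chmod` only; I would document the legacy path there, e.g. `@param string|int $chmod ... Integer modes are deprecated and applied verbatim, bypassing phpbb_chmod()`, so callers are steered to the string form. Both branches also discard the result (the `@` hides a failed chmod), so a file may silently keep whatever permissions the move gave it; whether phpbb_chmod() reports failure is not visible on this page. move_file()'s body begins and ends outside the hunks shown.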