mirror of
https://github.com/phpbb/phpbb.git
synced 2025-08-01 22:40:39 +02:00
[ticket/9764] Allow $config['mime_triggers'] to be an empty string.
explode('|', '') and explode('|', NULL) both return array(0 => '') which can cause filespec::check_content() to reject everything starting with a '<' character in case $config['mime_triggers'] is an empty string or not set. fileupload::set_disallowed_content() now filters out empty strings by calling array_diff() on the passed array, so setting $config['mime_triggers'] to an empty string will turn off mime checking completely. On the other side we want to fail safe if $config['mime_triggers'] is not set at all. To do this, the array fileupload::$disallowed_content now contains some default strings to be filtered out. PHPBB3-9764
This commit is contained in:
@@ -458,7 +458,7 @@ class fileerror extends filespec
|
||||
class fileupload
|
||||
{
|
||||
var $allowed_extensions = array();
|
||||
var $disallowed_content = array();
|
||||
var $disallowed_content = array('body', 'head', 'html', 'img', 'plaintext', 'a href', 'pre', 'script', 'table', 'title');
|
||||
var $max_filesize = 0;
|
||||
var $min_width = 0;
|
||||
var $min_height = 0;
|
||||
@@ -539,7 +539,7 @@ class fileupload
|
||||
{
|
||||
if ($disallowed_content !== false && is_array($disallowed_content))
|
||||
{
|
||||
$this->disallowed_content = $disallowed_content;
|
||||
$this->disallowed_content = array_diff($disallowed_content, array(''));
|
||||
}
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user