mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-24 12:03:21 +01:00
Code Issues Releases Wiki Activity

[ticket/9764] Allow $config['mime_triggers'] to be an empty string.

Browse Source 
explode('|', '') and explode('|', NULL) both return array(0 => '') which can
cause filespec::check_content() to reject everything starting with a '<'
character in case $config['mime_triggers'] is an empty string or not set.

fileupload::set_disallowed_content() now filters out empty strings by calling
array_diff() on the passed array, so setting $config['mime_triggers'] to an
empty string will turn off mime checking completely.

On the other side we want to fail safe if $config['mime_triggers'] is not set
at all. To do this, the array fileupload::$disallowed_content now contains some
default strings to be filtered out.

PHPBB3-9764
This commit is contained in:
Andreas Fischer 2010-10-28 21:41:14 +02:00
parent 6ff403c9f8
commit ac26bb458f
3 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
phpBB/includes/functions_posting.php
View File

@ -388,7 +388,7 @@ function upload_attachment($form_name, $forum_id, $local = false, $local_storage
include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx); include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx);
$upload = new fileupload(); $upload = new fileupload();
if ($config['check_attachment_content']) if ($config['check_attachment_content'] && isset($config['mime_triggers']))
{ {
$upload->set_disallowed_content(explode('|', $config['mime_triggers'])); $upload->set_disallowed_content(explode('|', $config['mime_triggers']));
} }

4
phpBB/includes/functions_upload.php
View File

@ -458,7 +458,7 @@ class fileerror extends filespec
class fileupload class fileupload
{ {
var $allowed_extensions = array(); var $allowed_extensions = array();
var $disallowed_content = array(); var $disallowed_content = array('body', 'head', 'html', 'img', 'plaintext', 'a href', 'pre', 'script', 'table', 'title');
var $max_filesize = 0; var $max_filesize = 0;
var $min_width = 0; var $min_width = 0;
var $min_height = 0; var $min_height = 0;
@ -539,7 +539,7 @@ class fileupload
{ {
if ($disallowed_content !== false && is_array($disallowed_content)) if ($disallowed_content !== false && is_array($disallowed_content))
{ {
$this->disallowed_content = $disallowed_content; $this->disallowed_content = array_diff($disallowed_content, array(''));
} }
} }

2
phpBB/includes/functions_user.php
View File

@ -2080,7 +2080,7 @@ function avatar_upload($data, &$error)
// Init upload class // Init upload class
include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx); include_once($phpbb_root_path . 'includes/functions_upload.' . $phpEx);
$upload = new fileupload('AVATAR_', array('jpg', 'jpeg', 'gif', 'png'), $config['avatar_filesize'], $config['avatar_min_width'], $config['avatar_min_height'], $config['avatar_max_width'], $config['avatar_max_height'], explode('|', $config['mime_triggers'])); $upload = new fileupload('AVATAR_', array('jpg', 'jpeg', 'gif', 'png'), $config['avatar_filesize'], $config['avatar_min_width'], $config['avatar_min_height'], $config['avatar_max_width'], $config['avatar_max_height'], (isset($config['mime_triggers']) ? explode('|', $config['mime_triggers']) : false));
if (!empty($_FILES['uploadfile']['name'])) if (!empty($_FILES['uploadfile']['name']))
{ {