mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-06 00:37:42 +02:00
Code Issues Releases Wiki Activity

And more new features for reasonable paranoia.

Browse Source 
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8555 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Henry Sudhof
2008-05-15 14:10:11 +00:00
parent 9413af5e1a
commit fc12c00219
10 changed files with 79 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
phpBB/includes/functions_upload.php
View File

@@ -228,6 +228,34 @@ class filespec
{
return @filesize($filename);
}
/**
* Check the first 256 bytes for forbidden content
*/
function check_content($disallowed_content)
{
if (empty($disallowed_content))
{
return true;
}
$fp = @fopen($this->filename, 'rb');
if ($fp !== false)
{
$ie_mime_relevant = fread($fp, 256);
fclose($fp);
foreach ($disallowed_content as $forbidden)
{
if (stripos($ie_mime_relevant, '<' . $forbidden) !== false)
{
return false;
}
}
}
return true;
}
/**
* Move file to destination folder
@@ -427,6 +455,7 @@ class fileerror extends filespec
class fileupload
{
var $allowed_extensions = array();
var $disallowed_content = array();
var $max_filesize = 0;
var $min_width = 0;
var $min_height = 0;
@@ -446,12 +475,13 @@ class fileupload
* @param int $max_height Maximum image height (only checked for images)
*
*/
function fileupload($error_prefix = '', $allowed_extensions = false, $max_filesize = false, $min_width = false, $min_height = false, $max_width = false, $max_height = false)
function fileupload($error_prefix = '', $allowed_extensions = false, $max_filesize = false, $min_width = false, $min_height = false, $max_width = false, $max_height = false, $disallowed_content = false)
{
$this->set_allowed_extensions($allowed_extensions);
$this->set_max_filesize($max_filesize);
$this->set_allowed_dimensions($min_width, $min_height, $max_width, $max_height);
$this->set_error_prefix($error_prefix);
$this->set_disallowed_content($disallowed_content);
}
/**
@@ -463,6 +493,7 @@ class fileupload
$this->min_width = $this->min_height = $this->max_width = $this->max_height = 0;
$this->error_prefix = '';
$this->allowed_extensions = array();
$this->disallowed_content = array();
}
/**
@@ -497,6 +528,17 @@ class fileupload
$this->max_filesize = (int) $max_filesize;
}
}
/**
* Set disallowed strings
*/
function set_disallowed_content($disallowed_content)
{
if ($disallowed_content !== false && is_array($disallowed_content))
{
$this->disallowed_content = $disallowed_content;
}
}
/**
* Set error prefix
@@ -830,6 +872,12 @@ class fileupload
{
$file->error[] = sprintf($user->lang[$this->error_prefix . 'DISALLOWED_EXTENSION'], $file->get('extension'));
}
// MIME Sniffing
if (!$this->valid_content($file))
{
$file->error[] = sprintf($user->lang[$this->error_prefix . 'DISALLOWED_CONTENT']);
}
}
/**
@@ -869,6 +917,15 @@ class fileupload
return (isset($_FILES[$form_name]) && $_FILES[$form_name]['name'] != 'none') ? true : false;
}
/**
* Check for allowed extension
*/
function valid_content(&$file)
{
return ($file->check_content($this->disallowed_content));
}
/**
* Return image type/extension mapping
*/