feat: panic on unwanted extensions, close #101

1.5
Rodolfo Berrios 2021-10-03 10:10:18 -03:00
parent 5c8093f71e
commit 4c577af004
No known key found for this signature in database
GPG Key ID: D3AAC2481DBDD9FE
1 changed files with 18 additions and 12 deletions


@ -84,7 +84,7 @@ class Upload
/** /**
* Do the thing. * Do the thing.
* *
* @Exeption 4xx * @Exception 4xx
*/ */
public function exec() public function exec()
{ {
@ -148,16 +148,9 @@ class Upload
} }
} }
/* $this->uploaded_file = G\name_unique_file($this->destination, $this->options['filenaming'], $this->fixed_filename);
* Set uploaded_file
* Local storage uploads will be allocated at the target destination $this->panicExtension($this->uploaded_file);
* External storage will be allocated to the temp directory
*/
if ($this->storage_id) {
$this->uploaded_file = G\forward_slash(dirname($this->downstream)) . '/' . Storage::getStorageValidFilename($this->fixed_filename, $this->storage_id, $this->options['filenaming'], $this->destination);
} else {
$this->uploaded_file = G\name_unique_file($this->destination, $this->options['filenaming'], $this->fixed_filename);
}
$this->source = [ $this->source = [
'filename' => $this->source_filename, // file.ext 'filename' => $this->source_filename, // file.ext
@ -297,6 +290,19 @@ class Upload
return $tempNam; return $tempNam;
} }
protected function panicExtension(string $filename) {
if(
G\ends_with('.php', $filename)
|| G\ends_with('.htaccess', $filename))
{
throw new UploadException(sprintf('Unwanted extension for %s', $filename));
}
$extension = G\get_file_extension($filename);
if(!in_array($extension, self::getEnabledImageFormats())) {
throw new UploadException(sprintf('Unable to handle upload for %s', $filename));
}
}
/** /**
* Fetch the $source file. * Fetch the $source file.
* *
@ -405,7 +411,7 @@ class Upload
throw new UploadException("Can't get target upload source info", 310); throw new UploadException("Can't get target upload source info", 310);
} }
// Valid image fileinto? // Valid image fileinfo?
if ($this->source_image_fileinfo['width'] == '' || $this->source_image_fileinfo['height'] == '') { if ($this->source_image_fileinfo['width'] == '' || $this->source_image_fileinfo['height'] == '') {
throw new UploadException('Invalid image', 311); throw new UploadException('Invalid image', 311);
} }
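Review bot: The allowlist check in the new panicExtension, `if(!in_array($extension, self::getEnabledImageFormats()))`, is a loose comparison with no case normalization, so whether a name ending in `.JPG` is accepted depends on whether `G\get_file_extension` lowercases its result, which the hunk does not show; make it explicit with `if (!in_array(strtolower($extension), self::getEnabledImageFormats(), true)) {` (assuming the enabled-format list is lowercase). With that allowlist in place the preceding `.php`/`.htaccess` blocklist is redundant, since any name whose last extension is not an enabled image format is already rejected; note the check is name-only and considers just the final extension, so a multi-extension name passes and this is only safe where the web server also dispatches by the final extension. The two new throws carry no error code, unlike the `310`/`311` codes used by the throws in the later hunk, and the method has no return type or docblock; `protected function panicExtension(string $filename): void` with the opening brace on its own line, as in `exec()`, would match the rest of the file.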