Add file type blacklist (#9)
This commit is contained in:
parent
ebdf4119b6
commit
4fc9c168bd
|
|
@ -26,6 +26,7 @@ replace_original = false
|
|||
max_size = 100
|
||||
enable_upload_removal = true
|
||||
enable_user_upload_removal = false
|
||||
blacklisted_file_types =
|
||||
|
||||
[credentials]
|
||||
allow_change_username = true
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ $dateFormat = "Y/m/d";
|
|||
$instanceName = "curload";
|
||||
$instanceDescription = "curload is a simple file uploading site allowing users to upload files.";
|
||||
$footerText = "Licensed under the GNU Affero General Public License version 3.0.";
|
||||
$blacklistedFileTypes = ""; // "exe|msi|AppImage|...."
|
||||
$enableUploadRemoval = true;
|
||||
$enableUserUploadRemoval = false;
|
||||
|
||||
|
|
@ -75,5 +76,6 @@ $enableUserUploadRemoval = $configEntries['enable_user_upload_removal'];
|
|||
$publicFileList = $configEntries['public_file_list'];
|
||||
$publicUserList = $configEntries['public_user_list'];
|
||||
$publicAccountCreation = $configEntries['public_account_create'];
|
||||
$blacklistedFileTypes = $configEntries['blacklisted_file_types'];
|
||||
$javaScript = $configEntries['javascript'];
|
||||
?>
|
||||
|
|
|
|||
2
core.php
2
core.php
|
|
@ -179,6 +179,8 @@ function printFileUploadForm($html, $Error) {
|
|||
if ($Error == "file") {
|
||||
$html .= "\t\t\t<p class=\"error\">No file specified.</p>\n";
|
||||
} else if ($Error == "size") {
|
||||
$html .= "\t\t\t<p class=\"error\">That file is not allowed.</p>\n";
|
||||
} else if ($Error == "type") {
|
||||
$html .= "\t\t\t<p class=\"error\">File is too big.</p>\n";
|
||||
} else if ($Error == "user") {
|
||||
$html .= "\t\t\t<p class=\"error\">File upload failed: No uploads left.</p>\n";
|
||||
|
|
|
|||
18
upload.php
18
upload.php
|
|
@ -118,11 +118,21 @@ if (!is_dir($uploadDir)) {
|
|||
}
|
||||
|
||||
$destinationFile = $uploadDir . basename($_FILES['file']['name']);
|
||||
$fileExtension = strtolower(pathinfo(basename($_FILES['file']['name']),PATHINFO_EXTENSION));
|
||||
|
||||
if (preg_match($blacklistedFileTypes, $fileExtension)) {
|
||||
if ($WebInterface == 0) {
|
||||
print "File type not allowed.";
|
||||
die();
|
||||
} else {
|
||||
header("Location: /?e=type");
|
||||
die();
|
||||
}
|
||||
}
|
||||
|
||||
// rename file if necessary
|
||||
if (!$replaceOriginal || $replaceOriginal == "false") {
|
||||
if (file_exists($destinationFile)) { // rename file to distinguish it from existing file
|
||||
$fileExtension = strtolower(pathinfo(basename($_FILES['file']['name']),PATHINFO_EXTENSION));
|
||||
if (isset($fileExtension)) {
|
||||
$extension = "." . $fileExtension;
|
||||
}
|
||||
|
|
@ -149,15 +159,17 @@ if (move_uploaded_file($_FILES['file']['tmp_name'], $destinationFile)) {
|
|||
$lastUsed = date($dateFormat);
|
||||
$DatabaseQuery = $Database->query('SELECT * FROM uploads');
|
||||
$Database->exec("INSERT INTO uploads(file, uploaddate, username, usertype) VALUES('$uploadedFile', '$lastUsed', '$Username', '$userType')");
|
||||
$ID = $Database->lastInsertRowID();
|
||||
|
||||
if ($WebInterface == 0) {
|
||||
print "$uploadedFile";
|
||||
} else {
|
||||
header("Location: $uploadedFile");
|
||||
header("Location: file.php?f=$ID");
|
||||
die();
|
||||
}
|
||||
|
||||
if (isset($_REQUEST['web'])) { // redirect back to index
|
||||
header("Redirect: $uploadedFile");
|
||||
header("Redirect: file.php?f=$ID");
|
||||
die();
|
||||
}
|
||||
} else {
|
||||
|
|
|
|||
Loading…
Reference in a new issue