[pLog-svn] r6966 - in plog/branches/lifetype-1.2/class: data/validator template
jondaley at devel.lifetype.net
jondaley at devel.lifetype.net
Wed Jan 27 07:16:57 EST 2010
Author: jondaley
Date: 2010-01-27 07:16:57 -0500 (Wed, 27 Jan 2010)
New Revision: 6966
Modified:
plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php
plog/branches/lifetype-1.2/class/template/templatesandbox.class.php
Log:
make the blacklist stricter - this way we avoid any future web server bugs, whatever character they use to delimit extensions in the middle of a filename
Modified: plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php 2010-01-27 12:15:08 UTC (rev 6965)
+++ plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php 2010-01-27 12:16:57 UTC (rev 6966)
@@ -81,15 +81,9 @@
// check if the filename extension is forbidden or not
$fileName = basename($upload->getFileName());
foreach( explode( " ", $forbiddenFilesStr ) as $file ) {
- if( Glob::fnmatch( $file, $fileName )) {
+ if( Glob::fnmatch( $file."*", $fileName )) {
return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
}
- if( Glob::fnmatch( $file.".*", $fileName )) {
- return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
- }
- if( Glob::fnmatch( $file.";*", $fileName )) {
- return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
- }
}
return true;
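Review bot: An empty token from `explode( " ", $forbiddenFilesStr )` — produced by a double space or leading/trailing whitespace in the configured list — now becomes the pattern `*` on the added line, which matches every filename and rejects every upload, whereas the removed `$file` and `$file.";*"` forms did not have that effect. Guard the loop with `if( $file === '' ) continue;` before the fnmatch call, or split with `preg_split( '/\s+/', trim( $forbiddenFilesStr ) )` instead of explode. The same applies to the templatesandbox.class.php hunk, where an empty token makes `Glob::myGlob( $folder, "*" )` match any file in the folder and the sandbox check fail for every template. Whether the match is case-insensitive (so `.PHP` or `.Php` variants are also caught) depends on Glob::fnmatch, which is not shown here. The enclosing function starts before the hunk and its closing brace is outside it.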
@@ -106,7 +100,6 @@
$fileName = basename($upload->getFileName());
foreach( explode( " ", $allowedFilesStr ) as $file ) {
if( Glob::fnmatch( $file, $fileName )) {
-// print("it's a valid file!");
return true;
}
}
Modified: plog/branches/lifetype-1.2/class/template/templatesandbox.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/template/templatesandbox.class.php 2010-01-27 12:15:08 UTC (rev 6965)
+++ plog/branches/lifetype-1.2/class/template/templatesandbox.class.php 2010-01-27 12:16:57 UTC (rev 6966)
@@ -48,15 +48,9 @@
// otherwise, turn the thing into an array and go through all of them
lt_include( PLOG_CLASS_PATH.'class/misc/glob.class.php' );
foreach( explode( " ", $forbiddenFilesStr ) as $file ) {
- $files = Glob::myGlob( $folder, $file );
+ $files = Glob::myGlob( $folder, $file."*" );
if( count($files) > 0 )
return false;
- $files = Glob::myGlob( $folder, $file.".*" );
- if( count($files) > 0 )
- return false;
- $files = Glob::myGlob( $folder, $file.";*" );
- if( count($files) > 0 )
- return false;
}
return true;