[pLog-svn] r6966 - in plog/branches/lifetype-1.2/class: data/validator template

jondaley at devel.lifetype.net jondaley at devel.lifetype.net
Wed Jan 27 07:16:57 EST 2010


Author: jondaley
Date: 2010-01-27 07:16:57 -0500 (Wed, 27 Jan 2010)
New Revision: 6966

Modified:
   plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php
   plog/branches/lifetype-1.2/class/template/templatesandbox.class.php
Log:
make the blacklist stricter - we'll avoid all future web server bugs with who knows what character they use to delimit extensions in the middle of a filename

Modified: plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php	2010-01-27 12:15:08 UTC (rev 6965)
+++ plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php	2010-01-27 12:16:57 UTC (rev 6966)
@@ -81,15 +81,9 @@
             // check if the filename extension is forbidden or not
             $fileName = basename($upload->getFileName());
             foreach( explode( " ", $forbiddenFilesStr ) as $file ) {
-            	if( Glob::fnmatch( $file, $fileName )) {
+            	if( Glob::fnmatch( $file."*", $fileName )) {
                 	return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
                 }
-            	if( Glob::fnmatch( $file.".*", $fileName )) {
-                	return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
-                }
-            	if( Glob::fnmatch( $file.";*", $fileName )) {
-                	return UPLOAD_VALIDATOR_ERROR_FORBIDDEN_EXTENSION;
-                }
             }
 
         	return true;			
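Review bot: An empty token in `$forbiddenFilesStr` (a double or trailing space in the configured list, which the `explode( " ", ... )` on line 24 passes through unchanged) now becomes the pattern `"*"`, so the new `Glob::fnmatch( $file."*", $fileName )` on line 26 rejects every upload, whereas before the change an empty token could match only an empty name or a dotfile. Guard the loop body with `if( $file === '' ) continue;` before the fnmatch call, or trim and filter the exploded list once. The same empty-token case turns `Glob::myGlob( $folder, $file."*" )` in the templatesandbox.class.php hunk into a match-all glob that fails the sandbox check for any non-empty folder. Whether Glob::fnmatch compares case-insensitively is not visible here; if it does not, a lower-case forbidden list would not catch an upper-cased extension, so confirm against the Glob helper. The enclosing method starts before the hunk.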
@@ -106,7 +100,6 @@
             $fileName = basename($upload->getFileName());
             foreach( explode( " ", $allowedFilesStr ) as $file ) {
             	if( Glob::fnmatch( $file, $fileName )) {
-//					print("it's a valid file!");
                 	return true;
                 }
             }

Modified: plog/branches/lifetype-1.2/class/template/templatesandbox.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/template/templatesandbox.class.php	2010-01-27 12:15:08 UTC (rev 6965)
+++ plog/branches/lifetype-1.2/class/template/templatesandbox.class.php	2010-01-27 12:16:57 UTC (rev 6966)
@@ -48,15 +48,9 @@
             // otherwise, turn the thing into an array and go through all of them
 			lt_include( PLOG_CLASS_PATH.'class/misc/glob.class.php' );			
             foreach( explode( " ", $forbiddenFilesStr ) as $file ) {
-                $files = Glob::myGlob( $folder, $file );
+                $files = Glob::myGlob( $folder, $file."*" );
                 if( count($files) > 0 )
                 	return false;
-                $files = Glob::myGlob( $folder, $file.".*" );
-                if( count($files) > 0 )
-                	return false;
-                $files = Glob::myGlob( $folder, $file.";*" );
-                if( count($files) > 0 )
-                	return false;
             }
 
             return true;


