| 1 | <?php |
| 2 | |
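class filez {

    // Decide whether an upload filename is safe to store on disk.
    //
    // Returns true when every extension segment of basename($name) passes the
    // checks below, false otherwise. This is still a BLACKLIST (the old TODO
    // stands): it rejects extensions that common web servers hand to an
    // interpreter or treat as configuration, but the only robust fix is an
    // allowlist of the few extensions the application actually needs, plus
    // serving uploads with a fixed Content-Type / nosniff from a path that
    // has script execution disabled.
    //
    // Do not use this for read paths: it only ever looks at basename(), so it
    // says nothing about directory traversal.
    //
    // Differences from the previous last-suffix-only regex, all fail-closed:
    //  - every dotted segment after the stem is tested, so "shell.php.jpg"
    //    (executed as PHP by Apache when AddHandler is in use) is rejected;
    //  - the trailing wrapper accepts digits, so "php5"/"php7"/"php8" match;
    //  - "phar", "pht", "asa", "ashx" and "config" (web.config) are added;
    //  - extension segments must be plain ASCII [A-Za-z0-9_-], which closes
    //    "shell.php " (trailing space) and "shell.php." (empty last segment),
    //    both of which slipped past the old `[a-z]*$` anchoring;
    //  - a preg_match() error (false) now rejects instead of allowing.
    // "js" is kept on the list: serving attacker-supplied JavaScript from the
    // application's own origin is presumably a stored-XSS concern — confirm.
    public static function upload_filename_secure($name)
    {
        $base = basename((string) $name);

        // Empty names and names containing NUL/control bytes cannot be sane
        // uploads and are classic tricks for confusing checks further down.
        if ($base === '' || preg_match('/[\x00-\x1f\x7f]/', $base) !== 0) {
            return false;
        }

        $segments = explode('.', $base);
        $has_extension = count($segments) > 1;
        if ($has_extension) {
            // The first segment is the stem, not an extension. A dotless name
            // is examined as a whole, as before.
            array_shift($segments);
        }

        // Interpreter / server-config extension tokens. "htm" also covers
        // html/shtml/phtml/xhtml, "asp" covers aspx, "asa" covers asax,
        // "jsp" covers jspx, "pht" covers phtml/phtm. A token anywhere in the
        // segment rejects it (the old pattern already over-matched this way,
        // e.g. ".json" was rejected because of "js").
        $disallowed = '/php|phar|pht|htm|inc|js|vbs|cgi|asp|asa|ashx|jsp|htaccess|htpasswd|asmx|config/i';

        foreach ($segments as $segment) {
            if ($has_extension && preg_match('/\A[A-Za-z0-9_-]+\z/', $segment) !== 1) {
                return false;
            }
            // 1 = token found, false = PCRE error: both are treated as unsafe.
            if (preg_match($disallowed, $segment) !== 0) {
                return false;
            }
        }
        return true;
    }

    // Store the uploaded "data_file" for node $node_id under the current
    // user's directory and expose it as FILE_DIR/<node_id> via a symlink.
    //
    // Returns true on success and false when the upload is missing or failed,
    // the filename is rejected, an id is unusable as a path component, or a
    // filesystem step fails. All checks run before anything is written, and
    // the symlink is only created after the file has been moved into place.
    //
    // Re-uploading a node whose public link already points at the same target
    // path (same suffix) still works; if the link points elsewhere the call
    // fails instead of silently leaving the old link in place as before.
    //
    // NOTE(review): the user directory is FILE_DIR . user_id (no separator)
    // while the link is FILE_DIR . '/' . node_id, exactly as in the original.
    // The two only agree when FILE_DIR ends in '/'; kept as-is so existing
    // layouts stay valid — confirm the constant's value.
    public static function upload_data_file($node_id)
    {
        if (!isset($_FILES['data_file']['name'], $_FILES['data_file']['tmp_name'])) {
            return false;
        }
        $upload = $_FILES['data_file'];

        // PHP reports partial/failed uploads through 'error'; tmp_name is
        // empty in that case and must not be used.
        if (isset($upload['error']) && (int) $upload['error'] !== UPLOAD_ERR_OK) {
            return false;
        }
        if (!self::upload_filename_secure($upload['name'])) {
            // The old code built a jokey error string here that was never
            // surfaced to anyone; callers only ever saw the false return.
            return false;
        }
        // Refuse anything that did not arrive through this HTTP request
        // (e.g. a forged $_FILES entry naming an arbitrary local path).
        if (!is_uploaded_file($upload['tmp_name'])) {
            return false;
        }

        $user_id = isset($_SESSION['user_id']) ? (string) $_SESSION['user_id'] : '';
        $node = (string) $node_id;
        // Both values become path components; reject separators, NULs, '.'
        // and '..' so a crafted id cannot escape FILE_DIR.
        if (!self::is_safe_path_segment($user_id) || !self::is_safe_path_segment($node)) {
            return false;
        }

        $parts = explode('.', basename((string) $upload['name']));
        $suffix = end($parts); // for a dotless name this is the whole name, as before

        $user_dir = FILE_DIR . $user_id;
        $target = $user_dir . '/' . $node . '.' . $suffix;
        $link = FILE_DIR . '/' . $node;

        // symlink() fails when the link name exists; decide that up front so a
        // failure never leaves a moved file without its public link.
        $link_exists = false;
        if (is_link($link)) {
            if (readlink($link) !== $target) {
                // Public name is taken by a different file; do not replace it.
                return false;
            }
            $link_exists = true;
        } elseif (file_exists($link)) {
            return false;
        }

        // Create the per-user directory on first use (default mode, masked by
        // umask, as before). The second is_dir() tolerates a concurrent
        // request creating it between the check and mkdir().
        if (!is_dir($user_dir) && !mkdir($user_dir) && !is_dir($user_dir)) {
            return false;
        }
        // move_uploaded_file() re-checks is_uploaded_file() and avoids leaving
        // a copy in the upload temp directory.
        if (!move_uploaded_file($upload['tmp_name'], $target)) {
            return false;
        }
        if (!$link_exists && !symlink($target, $link)) {
            return false;
        }
        return true;
    }

    // True when $value can be used as a single path component: non-empty,
    // not '.' or '..', and free of '/', '\' and NUL bytes.
    private static function is_safe_path_segment($value)
    {
        if ($value === '' || $value === '.' || $value === '..') {
            return false;
        }
        if (strpos($value, "\0") !== false) {
            return false;
        }
        return strpbrk($value, "/\\") === false;
    }

}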
| 36 | ?> |