5 // Function that check if given filename is "secure" (for uploading)
6 // Dont use for reading files, directory traversal is not checked
8 public static function upload_filename_secure($name){
9 $suffix = array_pop(explode('.', basename($name)));
11 // This is unfornately blacklist
12 // TODO extend for all possible server configuations
14 $preg_disallowed = '/([a-z]*)(php|htm|inc|js|vbs|cgi|asp|jsp|htaccess|htpasswd|asmx)([a-z]*)$/i';
15 if (preg_match($preg_disallowed, $suffix) > 0) {
21 public static function upload_data_file($node_id) {
22 if ( !filez::upload_filename_secure($_FILES['data_file']['name'])) {
23 $error = 'bad, naughty file type. Cruise missile launched.';
26 if (!is_dir(FILE_DIR.$_SESSION['user_id'])) {
27 mkdir(FILE_DIR.$_SESSION['user_id']);
29 $suffix = array_pop(explode('.', basename($_FILES['data_file']['name'])));
30 copy($_FILES['data_file']['tmp_name'], FILE_DIR.$_SESSION['user_id'].'/'.$node_id.".$suffix");
31 symlink(FILE_DIR.$_SESSION['user_id'].'/'.$node_id.".$suffix",FILE_DIR.'/'.$node_id);