get_image_link fix

[mirrors/Kyberia-bloodline.git] / wwwroot / inc / filez.inc

diff --git a/wwwroot/inc/filez.inc b/wwwroot/inc/filez.inc
index b04932073c578de098468db60c71408e18c83003..5ca65c93c77d4bf06ac5c70f31d083b0727e60f5 100644 (file)
--- a/wwwroot/inc/filez.inc
+++ b/wwwroot/inc/filez.inc
@@ -1,7 +1,9 @@
 <?php
 class filez {
 
-function filez($id) {
+//XXX function not used, remove?
+
+public static function files($id) {
        global $db,$error;
        if (!is_dir(FILE_DIR.$_SESSION['user_id'])) {
                mkdir(FILE_DIR.$_SESSION['user_id']);
@@ -10,6 +12,22 @@ function filez($id) {
        return $_SESSION['user_id'].'/'.$_FILES['data_file']['name'];
 }
 
+// Function that check if given filename is "secure" (for uploading)
+// Dont use for reading files, directory traversal is not checked
+
+public static function filename_secure($name){
+       $suffix = array_pop(explode('.', basename($name)));
+       
+       // This is unfornately blacklist
+       // TODO extend for all possible server configuations
+       // TODO: why js?
+       $preg_disallowed = '/([a-z]*)(php|htm|inc|js|vbs|cgi|asp|jsp|htaccess)([a-z]*)$/i';
+       if (preg_match($preg_disallowed, $suffix) > 0) {
+               return false;
+       }
+       return true;
+}
+
 }
 
 /*
@@ -43,4 +61,4 @@ function disk_usage($d, $depth = NULL) {
 }
 
 
-?>
\ No newline at end of file
+?>