GIT.Harvie.CZ / mirrors / Kyberia-bloodline.git / blame
| Commit | Line | Data |
|---|---|---|
| 51ff3226 | 1 | <?php |
| f657368b | 2 | |
| 233544e1 | 3 | class filez { |
| 51ff3226 | 4 | |
| f657368b | 5 | // Function that check if given filename is "secure" (for uploading) |
| 6 | // Dont use for reading files, directory traversal is not checked | |
| 7 | ||
| 233544e1 | 8 | public static function upload_filename_secure($name){ |
| f657368b | 9 | $suffix = array_pop(explode('.', basename($name))); |
| 10 | ||
| 11 | // This is unfornately blacklist | |
| 12 | // TODO extend for all possible server configuations | |
| 13 | // TODO: why js? | |
| 233544e1 | 14 | $preg_disallowed = '/([a-z]*)(php|htm|inc|js|vbs|cgi|asp|jsp|htaccess|htpasswd|asmx)([a-z]*)$/i'; |
| f657368b | 15 | if (preg_match($preg_disallowed, $suffix) > 0) { |
| 16 | return false; | |
| 17 | } | |
| 18 | return true; | |
| 19 | } | |
| 20 | ||
| 84c1a473 DH |
21 | public static function upload_data_file($node_id) { |
| 22 | if ( !filez::upload_filename_secure($_FILES['data_file']['name'])) { | |
| 23 | $error = 'bad, naughty file type. Cruise missile launched.'; | |
| 24 | return false; | |
| 25 | } | |
| 26 | if (!is_dir(FILE_DIR.$_SESSION['user_id'])) { | |
| 27 | mkdir(FILE_DIR.$_SESSION['user_id']); | |
| 28 | } | |
| 29 | $suffix = array_pop(explode('.', basename($_FILES['data_file']['name']))); | |
| 30 | copy($_FILES['data_file']['tmp_name'], FILE_DIR.$_SESSION['user_id'].'/'.$node_id.".$suffix"); | |
| 31 | symlink(FILE_DIR.$_SESSION['user_id'].'/'.$node_id.".$suffix",FILE_DIR.'/'.$node_id); | |
| 32 | ||
| 33 | } | |
| 34 | ||
| 51ff3226 | 35 | } |
| f657368b | 36 | ?> |