wwwroot/inc/filez.inc

   1 <?php
   2
   3 class filez {
   4
   5 // Function that check if given filename is "secure" (for uploading)
   6 // Dont use for reading files, directory traversal is not checked
   7
   8 public static function upload_filename_secure($name){
   9         $suffix = array_pop(explode('.', basename($name)));
  10
  11         // This is unfornately blacklist
  12         // TODO extend for all possible server configuations
  13         // TODO: why js?
  14         $preg_disallowed = '/([a-z]*)(php|htm|inc|js|vbs|cgi|asp|jsp|htaccess|htpasswd|asmx)([a-z]*)$/i';
  15         if (preg_match($preg_disallowed, $suffix) > 0) {
  16                 return false;
  17         }
  18         return true;
  19 }
  20
  21 public static function upload_data_file($node_id) {
  22         if ( !filez::upload_filename_secure($_FILES['data_file']['name'])) {
  23                 $error = 'bad, naughty file type. Cruise missile launched.';
  24                 return false;
  25         }
  26         if (!is_dir(FILE_DIR.$_SESSION['user_id'])) {
  27                  mkdir(FILE_DIR.$_SESSION['user_id']);
  28         }
  29         $suffix = array_pop(explode('.', basename($_FILES['data_file']['name'])));
  30         copy($_FILES['data_file']['tmp_name'], FILE_DIR.$_SESSION['user_id'].'/'.$node_id.".$suffix");
  31         symlink(FILE_DIR.$_SESSION['user_id'].'/'.$node_id.".$suffix",FILE_DIR.'/'.$node_id);
  32
  33 }
  34
  35 }
  36 ?>