Move file upload validation to core osTicket class

5a161de3 · Peter Rotich · f1bf14d0 · 5a161de3 · 5a161de3
Commit 5a161de3 authored 12 years ago by Peter Rotich
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -538,22 +538,11 @@ class Config {
        return ($this->allowAttachments() && $this->config['allow_email_attachments']);
    }

+    /* Needed by upgrader on 1.6 and older releases upgrade - not not remove */
    function getUploadDir() {
        return $this->config['upload_dir'];
    }
    
-    //simply checking if destination dir is usable..nothing to do with permission to upload!
-    function canUploadFiles() {   
-        $dir=$this->config['upload_dir'];
-        return ($dir && is_writable($dir))?TRUE:FALSE;
-    }
-
-    function canUploadFileType($filename) {       
-        $ext = strtolower(preg_replace("/.*\.(.{3,4})$/", "$1", $filename));
-        $allowed=$this->config['allowed_filetypes']?array_map('trim',explode(',',strtolower($this->config['allowed_filetypes']))):null;
-        return ($ext && is_array($allowed) && (in_array(".$ext",$allowed) || in_array(".*",$allowed)))?TRUE:FALSE;
-    }
-
    function updateSettings($vars,&$errors) {

        if(!$vars || $errors)

--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -109,6 +109,45 @@ class osTicket {

        return false;
    }
+    
+    function isFileTypeAllowed($file, $mimeType='') {
+       
+        if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes()))
+            return false;
+
+        //Return true if all file types are allowed (.*)
+        if(trim($allowedFileTypes)=='.*') return true;
+
+        $allowed = array_map('trim', explode(',', strtolower($allowedFileTypes)));
+        $filename = is_array($file)?$file['name']:$file;
+
+        $ext = strtolower(preg_replace("/.*\.(.{3,4})$/", "$1", $filename));
+
+        //TODO: Check MIME type - file ext. shouldn't be solely trusted.
+
+        return ($ext && is_array($allowed) && in_array(".$ext", $allowed));
+    }
+
+    /* Function expects a well formatted array - see  Format::files()
+       It's up to the caller to reject the upload on error.
+     */
+    function validateFileUploads(&$files) {
+       
+        $errors=0;
+        foreach($files as &$file) {
+            if(!$this->isFileTypeAllowed($file))
+                $file['error']='Invalid file type for '.$file['name'];
+            elseif($file['size']>$this->getConfig()->getMaxFileSize())
+                $file['error']=sprintf('File (%s) is too big. Maximum of %s bytes allowed',
+                        $file['name'], $this->getConfig()->getMaxFileSize());
+            elseif(!$file['error'] && !is_uploaded_file($file['tmp_name']))
+                $file['error']='Invalid or bad upload POST';
+
+            if($file['error']) $errors++;
+        }
+
+        return (!$errors);
+    }

    function addExtraHeader($header) {
        $this->headers[md5($header)] = $header;