From 5a161de38c15c7afb9b89210f9faf79e8b6c01ad Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@osticket.com>
Date: Wed, 25 Jul 2012 11:28:05 -0400
Subject: [PATCH] Move file upload validation to core osTicket class

---
 include/class.config.php   | 13 +------------
 include/class.osticket.php | 39 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/include/class.config.php b/include/class.config.php
index dd6c4bf77..2c9afb244 100644
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -538,22 +538,11 @@ class Config {
         return ($this->allowAttachments() && $this->config['allow_email_attachments']);
     }
 
+    /* Needed by upgrader on 1.6 and older releases upgrade - not not remove */
     function getUploadDir() {
         return $this->config['upload_dir'];
     }
     
-    //simply checking if destination dir is usable..nothing to do with permission to upload!
-    function canUploadFiles() {   
-        $dir=$this->config['upload_dir'];
-        return ($dir && is_writable($dir))?TRUE:FALSE;
-    }
-
-    function canUploadFileType($filename) {       
-        $ext = strtolower(preg_replace("/.*\.(.{3,4})$/", "$1", $filename));
-        $allowed=$this->config['allowed_filetypes']?array_map('trim',explode(',',strtolower($this->config['allowed_filetypes']))):null;
-        return ($ext && is_array($allowed) && (in_array(".$ext",$allowed) || in_array(".*",$allowed)))?TRUE:FALSE;
-    }
-
     function updateSettings($vars,&$errors) {
 
         if(!$vars || $errors)
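Review bot: The comment added above getUploadDir has a typo, `not not remove`, which inverts the instruction it is meant to give. It should read something like `/* Needed by the upgrader for 1.6 and older releases - do not remove */`, since the surrounding removals make it the only thing stopping a later cleanup from deleting the method too.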
diff --git a/include/class.osticket.php b/include/class.osticket.php
index 5f75d0fd1..e6f34740e 100644
--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -109,6 +109,45 @@ class osTicket {
 
         return false;
     }
+    
+    function isFileTypeAllowed($file, $mimeType='') {
+       
+        if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes()))
+            return false;
+
+        //Return true if all file types are allowed (.*)
+        if(trim($allowedFileTypes)=='.*') return true;
+
+        $allowed = array_map('trim', explode(',', strtolower($allowedFileTypes)));
+        $filename = is_array($file)?$file['name']:$file;
+
+        $ext = strtolower(preg_replace("/.*\.(.{3,4})$/", "$1", $filename));
+
+        //TODO: Check MIME type - file ext. shouldn't be solely trusted.
+
+        return ($ext && is_array($allowed) && in_array(".$ext", $allowed));
+    }
+
+    /* Function expects a well formatted array - see  Format::files()
+       It's up to the caller to reject the upload on error.
+     */
+    function validateFileUploads(&$files) {
+       
+        $errors=0;
+        foreach($files as &$file) {
+            if(!$this->isFileTypeAllowed($file))
+                $file['error']='Invalid file type for '.$file['name'];
+            elseif($file['size']>$this->getConfig()->getMaxFileSize())
+                $file['error']=sprintf('File (%s) is too big. Maximum of %s bytes allowed',
+                        $file['name'], $this->getConfig()->getMaxFileSize());
+            elseif(!$file['error'] && !is_uploaded_file($file['tmp_name']))
+                $file['error']='Invalid or bad upload POST';
+
+            if($file['error']) $errors++;
+        }
+
+        return (!$errors);
+    }
 
     function addExtraHeader($header) {
         $this->headers[md5($header)] = $header;
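Review bot: The extension check in isFileTypeAllowed only captures 3–4 character extensions; for any other name the unmatched `preg_replace` hands back the whole lowercased filename as `$ext`, so two-character or five-character extensions can never be allowed even when they are listed, and the result depends on the regex rather than on the name's actual suffix. `$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));` together with `in_array(".$ext", $allowed, true)` keeps the fail-closed result for names with no extension and is exact for the rest, and the `is_array($allowed)` guard can go because `explode` with a non-empty delimiter always returns an array. Note also that the `.*` shortcut now fires only when the whole setting is `.*`, whereas the removed Config::canUploadFileType accepted `.*` anywhere in the list, which is worth confirming as intended. In validateFileUploads the client-supplied `$file['name']` is embedded verbatim in the error strings, so the docblock should state that callers must escape `$file['error']` for the context they render it in, and the by-reference `foreach` should be followed by `unset($file);` to avoid leaving the last element as a reference.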
-- 
GitLab