make plupload only allowed files
bobimicroweber committed Mar 11, 2022
1 parent 012af71 commit 33eb4cc
Showing 2 changed files with 31 additions and 5 deletions.
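--- a/src/MicroweberPackages/App/functions/plupload.php
+++ b/src/MicroweberPackages/App/functions/plupload.php
@@ -56,9 +56,9 @@
 $is_ext = get_file_extension($fileName_ext);
 $is_ext = strtolower($is_ext);
 
-$is_dangerous_file = $files_utils->is_dangerous_file($fileName_ext);
+$is_allowed_file = $files_utils->is_allowed_file($fileName_ext);
 
-if ($is_dangerous_file) {
+if ($is_allowed_file == false) {
 header("HTTP/1.1 401 Unauthorized");
 
 die('{"jsonrpc" : "2.0", "error" : {"code":100, "message": "You cannot upload scripts or executable files"}}');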
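Review bot: The rejection branch now fires for any extension outside the allowlist, but the response still says "You cannot upload scripts or executable files" and uses `401 Unauthorized`, which signals a missing credential rather than a rejected file; a 403 or 415 with a message such as "File type is not allowed" would describe the new condition. Dropping the `is_dangerous_file` call also means the allowlist alone decides, so an entry that is both allowed and risky (the images list in Files.php keeps `svg`, which can carry embedded script) is no longer caught by the denylist; keeping both checks, `if ($is_dangerous_file || !$is_allowed_file) {`, costs nothing. Prefer `!$is_allowed_file` over the loose `== false`. The enclosing function starts before this hunk and continues after it.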
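--- a/src/MicroweberPackages/Utils/System/Files.php
+++ b/src/MicroweberPackages/Utils/System/Files.php
@@ -1020,7 +1020,7 @@ function get_dangerous_files_extentions()
 'private',
 'srl',
 'zhtml',
-'vbhtml',
+'vbhtml',
 'hypetemplate',
 'obml15',
 'hypesymbol',
@@ -1109,6 +1109,28 @@ public function is_dangerous_file($file_name)
 
 }
 
+public function is_allowed_file($fileName)
+{
+$allowedImages = $this->get_allowed_files_extensions_for_upload('images');
+$allowedVideos = $this->get_allowed_files_extensions_for_upload('videos');
+$allowedAudios = $this->get_allowed_files_extensions_for_upload('audios');
+$allowedFiles = $this->get_allowed_files_extensions_for_upload('files');
+$allowedDocuments = $this->get_allowed_files_extensions_for_upload('documents');
+$allowedArchives = $this->get_allowed_files_extensions_for_upload('archives');
+
+$allowed = array_merge_recursive($allowedImages,$allowedVideos,$allowedAudios,$allowedFiles,$allowedDocuments,$allowedArchives);
+
+$isExt = get_file_extension($fileName);
+$isExt = strtolower($isExt);
+
+if (in_array($isExt, $allowed)) {
+return true;
+}
+
+return false;
+}
+
+
 
 function get_allowed_files_extensions_for_upload($fileTypes = 'images')
 {
@@ -1119,11 +1141,15 @@ function get_allowed_files_extensions_for_upload($fileTypes = 'images')
 case 'img':
 case 'image':
 case 'images':
-$are_allowed .= ',png,gif,jpg,jpeg,tiff,bmp,svg';
+$are_allowed .= ',png,gif,jpg,jpeg,tiff,bmp,svg,webp,ico';
 break;
+case 'audio':
+case 'audios':
+$are_allowed .= ',mp3,mp4,ogg,wav,flac';
+break;
 case 'video':
 case 'videos':
-$are_allowed .= ',avi,asf,mpg,mpeg,mp4,flv,mkv,webm,ogg,wma,mov,wmv';
+$are_allowed .= ',avi,asf,mpg,mpeg,mp4,flv,mkv,webm,ogg,ogv,3gp,3g2,wma,mov,wmv';
 break;
 case 'file':
 case 'files':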
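Review bot: `in_array($isExt, $allowed)` in the new `is_allowed_file` compares loosely; pass `strict: true`. Because `get_allowed_files_extensions_for_upload` builds its list with a leading comma (`$are_allowed .= ',png,...'`), the returned array may carry an empty-string entry depending on how that string is split (the split is not visible here) — if it does, a name with no extension would be accepted, so guard it: `return $isExt !== '' && in_array($isExt, $allowed, true);`. `array_merge_recursive` is unnecessary for flat lists of strings; `array_merge` (or a spread) states the intent. The method also needs a docblock saying that it decides on the lowercased final extension only, not on file content, and that the six category lists (images, videos, audios, files, documents, archives) are the ones consulted. The first hunk of this section shows two identical `'vbhtml',` lines, so whatever that change was (probably whitespace) cannot be reviewed from the rendered page.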

0 comments on commit 33eb4cc
