

Update Security
kmkalam24 committed Jan 22, 2023
1 parent 0d0472b commit a5beff7
Showing 2 changed files with 80 additions and 78 deletions.
33 changes: 28 additions & 5 deletions core/config.php
Expand Up @@ -50,21 +50,44 @@
$_SETTINGS["MAX_UPLOAD_SIZE"] = 8;

/**
* Define allowed mime type.
* Define allowed extension and mime type.
*
* Can be seen common mime type here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
* or
* https://www.iana.org/assignments/media-types/media-types.xhtml
*
*/

// Vaild image type for upload. must be in lower case
$_SETTINGS["VALID_IMAGE_TYPE_FOR_UPLOAD"] = array("jpeg", "jpg", "png");
$_SETTINGS["VALID_IMAGE_TYPE_FOR_UPLOAD"] = array(
"jpeg" => array("image/jpeg"),
"jpg" => array("image/jpeg"),
"png" => array("image/png")
);

// Valid document type for upload. must be in lower case
$_SETTINGS["VALID_DOCUMENT_TYPE_FOR_UPLOAD"] = array("pdf", "msword", "vnd.openxmlformats-officedocument.wordprocessingml.document", "vnd.ms-excel", "vnd.openxmlformats-officedocument.spreadsheetml.sheet");

$_SETTINGS["VALID_DOCUMENT_TYPE_FOR_UPLOAD"] = array(
"pdf" => array("application/pdf"),
"doc" => array("application/msword"),
"docx" => array("vnd.openxmlformats-officedocument.wordprocessingml.document"),
"xls" => array("application/vnd.ms-excel"),
"xlsx" => array("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet")
);
// Valid audio type for upload
$_SETTINGS["VALID_AUDIO_TYPE_FOR_UPLOAD"] = array("mpeg", "ogg", "opus", "aac", "wav", "webm");
$_SETTINGS["VALID_AUDIO_TYPE_FOR_UPLOAD"] = array(
"oga" => array("audio/ogg"),
"opus" => array("audio/opus"),
"wav" => array("audio/wav"),
"weba" => array("audio/webm")
);

// Valid video type for upload
$_SETTINGS["VALID_VIDEO_TYPE_FOR_UPLOAD"] = array(
"mpeg" => array("video/mpeg"),
"ogv" => array("video/ogg"),
"webm" => array("video/webm"),
"mp4" => array("video/mp4")
);

// Page title variable. All page title will be included here
$_SETTINGS["PAGE_TITLE"] = array();
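Review bot: The `docx` entry `"docx" => array("vnd.openxmlformats-officedocument.wordprocessingml.document")` is missing the `application/` prefix that every other entry in the same array carries, so a `.docx` upload whose reported type is `application/vnd.openxmlformats-officedocument.wordprocessingml.document` can never match and will always be rejected. Change it to `"docx" => array("application/vnd.openxmlformats-officedocument.wordprocessingml.document"),`. The comment block above these arrays should also say what they are compared against, since the values are matched against the client-supplied `$_FILES[...]["type"]` and are therefore a whitelist of accepted types rather than proof of content: `// Keys are lower-case file extensions; values are the MIME types accepted for that extension (matched against the upload's reported type)`.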
125 changes: 52 additions & 73 deletions core/functions.php
Expand Up @@ -1464,7 +1464,8 @@ function save_deleted_date($table, $data) {
* @param string $location Optional. Where the uploaded file has stored. Default is db and return an blob string
*
*/
function easyUpload(

function easyUpload(
array $file,
string $location="db",
string $newFileName="",
Expand All @@ -1480,109 +1481,87 @@ function easyUpload(

global $_SETTINGS;

$type = strtolower($type);
$extensionName = strtolower(explode("/", $file["type"])[1]);
$mimeType = strtolower($file["type"]);
$extension = explode(".", $file["name"]);
$extension = end($extension);

$maxUploadSize = $_SETTINGS["MAX_UPLOAD_SIZE"] * 1024 * 1024;

if ($maxUploadSize < $file["size"]) {
return "The file is exceeded the max upload size ({$_SETTINGS["MAX_UPLOAD_SIZE"]} MB)";
}

$validExtensionForUpload = [];
$validFileForUpload = [];
switch($type) {
case "image": $validExtensionForUpload = $_SETTINGS["VALID_IMAGE_TYPE_FOR_UPLOAD"]; break;
case "document": $validExtensionForUpload = $_SETTINGS["VALID_DOCUMENT_TYPE_FOR_UPLOAD"]; break;
case "video": $validExtensionForUpload = $_SETTINGS["VALID_VIDEO_TYPE_FOR_UPLOAD"]; break;
case "audio": $validExtensionForUpload = $_SETTINGS["VALID_AUDIO_TYPE_FOR_UPLOAD"]; break;
case "program": $validExtensionForUpload = $_SETTINGS["VALID_PROGRAM_TYPE_FOR_UPLOAD"]; break;
case 'all': $validExtensionForUpload = array_merge($_SETTINGS["VALID_IMAGE_TYPE_FOR_UPLOAD"], $_SETTINGS["VALID_DOCUMENT_TYPE_FOR_UPLOAD"]); break;
}

if(!in_array($extensionName, $validExtensionForUpload)) {

$validExtensionNameList = join(", ", $validExtensionForUpload);

return "Invalid {$type} type. Only {$validExtensionNameList} {$type} type are allowed to upload";
case "image": $validFileForUpload = $_SETTINGS["VALID_IMAGE_TYPE_FOR_UPLOAD"]; break;
case "document": $validFileForUpload = $_SETTINGS["VALID_DOCUMENT_TYPE_FOR_UPLOAD"]; break;
case "video": $validFileForUpload = $_SETTINGS["VALID_VIDEO_TYPE_FOR_UPLOAD"]; break;
case "audio": $validFileForUpload = $_SETTINGS["VALID_AUDIO_TYPE_FOR_UPLOAD"]; break;
case "program": $validFileForUpload = $_SETTINGS["VALID_PROGRAM_TYPE_FOR_UPLOAD"]; break;
case 'all': $validFileForUpload = array_merge($_SETTINGS["VALID_IMAGE_TYPE_FOR_UPLOAD"], $_SETTINGS["VALID_DOCUMENT_TYPE_FOR_UPLOAD"]); break;
}

/**
* If location is set to db then return the image as blob string
* Otherwise save the image in the desired location
*/
if($location == "db") {

return array (
"success" => true,
"imageType" => $file["type"],
"blobString" => file_get_contents($file["tmp_name"])
);

} else {

$uploadDir = DIR_UPLOAD . $location;
// Validate both file extension and mime type
if( isset( $validFileForUpload[$extension] ) AND in_array( $mimeType, $validFileForUpload[$extension] ) ) {

if(!is_dir($uploadDir) && !mkdir($uploadDir, 0777, true)) {
return "Error creating directory";
}

// If newFileName is not empty then change the file name by given
$file_name = rand().$file["name"];
if(!empty($newFileName)) {

$file_extension = explode(".", $file_name);
$file_extension = end($file_extension);
$file_name = $newFileName . "." . $file_extension;

}


if(move_uploaded_file($file["tmp_name"], $uploadDir ."/" . $file_name )) {

/**
* If location is set to db then return the image as blob string
* Otherwise save the image in the desired location
*/
if($location == "db") {

return array (
"success" => true,
"fileName" => $file_name
"success" => true,
"imageType" => $file["type"],
"blobString" => file_get_contents($file["tmp_name"])
);

} else {

$uploadDir = DIR_UPLOAD . $location;

return "Can not upload the file";
if(!is_dir($uploadDir) && !mkdir($uploadDir, 0777, true)) {
return "Error creating directory";
}

}
// If newFileName is not empty then change the file name by given
$file_name = rand().$file["name"];
if(!empty($newFileName)) {

/*
//upload code here
$data=file_get_contents($_FILES[$fileInputName]["tmp_name"]);
$file_extension = explode(".", $file_name);
$file_extension = end($file_extension);
$file_name = $newFileName . "." . $file_extension;

//upload webp
imagewebp(imagecreatefromstring($data),$location.$uploadedFileName.".webp",75);
}

//upload orginal image

switch($type){
if(move_uploaded_file($file["tmp_name"], $uploadDir ."/" . $file_name )) {

case "jpeg": imagejpeg(imagecreatefromstring($data),$location.$uploadedFileName.".jpeg",75);
imagejpeg(imagescale(imagecreatefromstring($data), 200, 200), $location.$uploadedFileName."_thumb.jpeg",80);
break;
case "png": imagepng(imagecreatefromstring($data),$location.$uploadedFileName.".png",75);
imagepng(imagescale(imagecreatefromstring($data), 200, 200), $location.$uploadedFileName."_thumb.png",80);
break;
default: imagejpeg(imagecreatefromstring($data),$location.$uploadedFileName.".jpg",75);
imagejpeg(imagescale(imagecreatefromstring($data), 200, 200), $location.$uploadedFileName."_thumb.jpg",80);
break;
return array (
"success" => true,
"fileName" => $file_name
);

} else {

return "Can not upload the file";

}

}

//upload webp thumb
imagewebp(imagescale(imagecreatefromstring($data), 200, 200), $location.$uploadedFileName."_thumb.webp",80);

*/
} else {

}
return "Invalid {$type} type."; // Only {$validExtensionNameList} {$type} type are allowed to upload";

}

}


function easyUpload_back(
string $fileInputName,
string $type="image",
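Review bot: The new extension check `$extension = end($extension);` never lowercases the value, so a file named `PHOTO.PNG` fails the `isset($validFileForUpload[$extension])` lookup even though the config arrays are documented as lower-case only, and `$mimeType` is derived solely from `$file["type"]`, which is whatever the client chose to send. The extension/MIME whitelist is the right shape, but it should be confirmed against the file's actual content with `finfo` before the file is moved, and both `in_array` calls should pass `true` so the comparison is strict. The `mkdir($uploadDir, 0777, true)` call a few lines further down creates a world-writable directory; `0755` is sufficient for the web server to write its own uploads. easyUpload's signature begins before this hunk and its return paths are unchanged by the suggestion below.
```php
    $extension = explode(".", $file["name"]);
    $extension = strtolower(end($extension));

    // $file["type"] is reported by the client; also detect the type from the file content itself
    $detectedMimeType = strtolower((string) (new finfo(FILEINFO_MIME_TYPE))->file($file["tmp_name"]));

    // … unchanged: size check and $type switch …

    // Validate extension, reported mime type and content-detected mime type against the whitelist
    if (isset($validFileForUpload[$extension])
        && in_array($mimeType, $validFileForUpload[$extension], true)
        && in_array($detectedMimeType, $validFileForUpload[$extension], true)) {

        // … unchanged: db / filesystem branches …
```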
