author | Steven Wittens <steven@10.no-reply.drupal.org> | 2004-09-13 19:14:32 +0000 |
---|---|---|
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2004-09-13 19:14:32 +0000 |
commit | 9a38369d0cbeddbdea5dc08889c006cb0870f969 (patch) | |
tree | 7c548a412945208fa51609ab3946c88f8eaeabcf | |
parent | 00ceea09866874a249b75a74b3d70f00899c8d9d (diff) | |
download | brdo-9a38369d0cbeddbdea5dc08889c006cb0870f969.tar.gz brdo-9a38369d0cbeddbdea5dc08889c006cb0870f969.tar.bz2 |
#10560: Upload.module
- removing file checks for uid #1 to be consistent with the roles/permissions.
- renaming script files to .txt's to prevent accidental execution (we don't allow them by default, but you never know)
-rw-r--r-- | modules/upload.module | 43 | ||||
-rw-r--r-- | modules/upload/upload.module | 43 |
2 files changed, 54 insertions, 32 deletions
diff --git a/modules/upload.module b/modules/upload.module
index e9c226084..e9cd1e8c9 100644
--- a/modules/upload.module
+++ b/modules/upload.module
@@ -130,26 +130,37 @@ function upload_nodeapi(&$node, $op, $arg) { break; } - // Validate file against all users roles. Only denies an upload when - // all roles prevent it. - foreach ($user->roles as $rid => $name) { - $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps'); - $uploadsize = variable_get("upload_uploadsize_$rid", 1); - $usersize = variable_get("upload_usersize_$rid", 1); - - $regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; + // Don't do any checks for uid #1. + if ($user->uid != 1) { + // Validate file against all users roles. Only denies an upload when + // all roles prevent it. + foreach ($user->roles as $rid => $name) { + $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps'); + $uploadsize = variable_get("upload_uploadsize_$rid", 1); + $usersize = variable_get("upload_usersize_$rid", 1); + + $regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; + + if (!preg_match($regex, $file->filename)) { + $error['extension']++; + } - if (!preg_match($regex, $file->filename)) { - $error['extension']++; - } + if ($file->filesize > $uploadsize * 1024 * 1024) { + $error['uploadsize']++; + } - if ($file->filesize > $uploadsize * 1024 * 1024) { - $error['uploadsize']++; + if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) { + $error['usersize']++; + } } + } - if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) { - $error['usersize']++; - } + // Rename possibly executable scripts to prevent accidental execution. + // Uploaded files are attachments and should be shown in their original + // form, rather than run. + if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) { + $file->filename .= '.txt'; + $file->filemime = 'text/plain'; } if ($error['extension'] == count($user->roles) && $user->uid != 1) { 
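Review bot: Appending `.txt` in the new rename branch leaves the script extension in the middle of the name, and depending on server configuration (Apache's mod_mime evaluates every extension in a filename) `foo.php.txt` can still reach the PHP handler, so the rename alone does not guarantee the attachment is served as text. Neutralising the matched extension instead of appending to it, e.g. `$file->filename = preg_replace('/\.(php|pl|py|cgi|asp)$/i', '.$1_.txt', $file->filename);`, keeps the original name readable while no longer matching a handler mapping, and a handler-disabling `.htaccess` in the files directory remains the stronger control. The pattern is also a fixed denylist, so it is worth a comment making clear that it is a last-resort safety net and that the per-role `upload_extensions_*` allowlist is the primary control. The identical hunk for modules/upload/upload.module below has the same issue; upload_nodeapi's body continues outside this hunk.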
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index e9c226084..e9cd1e8c9 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -130,26 +130,37 @@ function upload_nodeapi(&$node, $op, $arg) { break; } - // Validate file against all users roles. Only denies an upload when - // all roles prevent it. - foreach ($user->roles as $rid => $name) { - $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps'); - $uploadsize = variable_get("upload_uploadsize_$rid", 1); - $usersize = variable_get("upload_usersize_$rid", 1); - - $regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; + // Don't do any checks for uid #1. + if ($user->uid != 1) { + // Validate file against all users roles. Only denies an upload when + // all roles prevent it. + foreach ($user->roles as $rid => $name) { + $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps'); + $uploadsize = variable_get("upload_uploadsize_$rid", 1); + $usersize = variable_get("upload_usersize_$rid", 1); + + $regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; + + if (!preg_match($regex, $file->filename)) { + $error['extension']++; + } - if (!preg_match($regex, $file->filename)) { - $error['extension']++; - } + if ($file->filesize > $uploadsize * 1024 * 1024) { + $error['uploadsize']++; + } - if ($file->filesize > $uploadsize * 1024 * 1024) { - $error['uploadsize']++; + if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) { + $error['usersize']++; + } } + } - if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) { - $error['usersize']++; - } + // Rename possibly executable scripts to prevent accidental execution. + // Uploaded files are attachments and should be shown in their original + // form, rather than run. + if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) { + $file->filename .= '.txt'; + $file->filemime = 'text/plain'; } if ($error['extension'] == count($user->roles) && $user->uid != 1) { |