Commit 9a38369d authored by Steven Wittens's avatar Steven Wittens

#10560: Upload.module

- removing file checks for uid #1 to be consistent with the roles/permissions.
- renaming script files to .txt's to prevent accidental execution (we don't allow them by default, but you never know)
parent 00ceea09
...@@ -130,26 +130,37 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -130,26 +130,37 @@ function upload_nodeapi(&$node, $op, $arg) {
break; break;
} }
// Validate file against all users roles. Only denies an upload when // Don't do any checks for uid #1.
// all roles prevent it. if ($user->uid != 1) {
foreach ($user->roles as $rid => $name) { // Validate file against all users roles. Only denies an upload when
$extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps'); // all roles prevent it.
$uploadsize = variable_get("upload_uploadsize_$rid", 1); foreach ($user->roles as $rid => $name) {
$usersize = variable_get("upload_usersize_$rid", 1); $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps');
$uploadsize = variable_get("upload_uploadsize_$rid", 1);
$regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; $usersize = variable_get("upload_usersize_$rid", 1);
$regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i';
if (!preg_match($regex, $file->filename)) {
$error['extension']++;
}
if (!preg_match($regex, $file->filename)) { if ($file->filesize > $uploadsize * 1024 * 1024) {
$error['extension']++; $error['uploadsize']++;
} }
if ($file->filesize > $uploadsize * 1024 * 1024) { if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) {
$error['uploadsize']++; $error['usersize']++;
}
} }
}
if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) { // Rename possibly executable scripts to prevent accidental execution.
$error['usersize']++; // Uploaded files are attachments and should be shown in their original
} // form, rather than run.
if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filename .= '.txt';
$file->filemime = 'text/plain';
} }
if ($error['extension'] == count($user->roles) && $user->uid != 1) { if ($error['extension'] == count($user->roles) && $user->uid != 1) {
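Review bot: Appending `.txt` in the rename block leaves the original script extension embedded in the name (`report.php` becomes `report.php.txt`), and Apache's mod_mime treats every dotted segment as an extension, so on a server with a `.php` handler the file may still be executed; the rename should also break the inner extension, e.g. `$file->filename = preg_replace('/\.(php|pl|py|cgi|asp)$/i', '.${1}_.txt', $file->filename);`. The hard-coded list also omits variants commonly mapped to interpreters (`php3`, `phtml`, `aspx`, `jsp`, `sh`), so it is worth reading from a site variable, as the allowed-extension list already is, instead of fixing it in code. With the new uid #1 bypass, `$error['extension']` can no longer be incremented for that user, so the `&& $user->uid != 1` on the last line of the hunk is now redundant and could be dropped. upload_nodeapi starts and ends outside this hunk.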
......
...@@ -130,26 +130,37 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -130,26 +130,37 @@ function upload_nodeapi(&$node, $op, $arg) {
break; break;
} }
// Validate file against all users roles. Only denies an upload when // Don't do any checks for uid #1.
// all roles prevent it. if ($user->uid != 1) {
foreach ($user->roles as $rid => $name) { // Validate file against all users roles. Only denies an upload when
$extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps'); // all roles prevent it.
$uploadsize = variable_get("upload_uploadsize_$rid", 1); foreach ($user->roles as $rid => $name) {
$usersize = variable_get("upload_usersize_$rid", 1); $extensions = variable_get("upload_extensions_$rid", 'jpg jpeg gif png txt html doc xls pdf ppt pps');
$uploadsize = variable_get("upload_uploadsize_$rid", 1);
$regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i'; $usersize = variable_get("upload_usersize_$rid", 1);
$regex = '/\.('. ereg_replace(' +', '|', preg_quote($extensions)) .')$/i';
if (!preg_match($regex, $file->filename)) {
$error['extension']++;
}
if (!preg_match($regex, $file->filename)) { if ($file->filesize > $uploadsize * 1024 * 1024) {
$error['extension']++; $error['uploadsize']++;
} }
if ($file->filesize > $uploadsize * 1024 * 1024) { if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) {
$error['uploadsize']++; $error['usersize']++;
}
} }
}
if ($total_usersize + $file->filesize > $usersize * 1024 * 1024) { // Rename possibly executable scripts to prevent accidental execution.
$error['usersize']++; // Uploaded files are attachments and should be shown in their original
} // form, rather than run.
if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filename .= '.txt';
$file->filemime = 'text/plain';
} }
if ($error['extension'] == count($user->roles) && $user->uid != 1) { if ($error['extension'] == count($user->roles) && $user->uid != 1) {
......