Commit 9a38369d authored by Steven Wittens

#10560: Upload.module

- removing file checks for uid #1 to be consistent with the roles/permissions.
- renaming script files to .txt to prevent accidental execution (they are not allowed by default, but you never know)
parent 00ceea09
...@@ -130,6 +130,8 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -130,6 +130,8 @@ function upload_nodeapi(&$node, $op, $arg) {
break; break;
} }
// Don't do any checks for uid #1.
if ($user->uid != 1) {
// Validate file against all users roles. Only denies an upload when // Validate file against all users roles. Only denies an upload when
// all roles prevent it. // all roles prevent it.
foreach ($user->roles as $rid => $name) { foreach ($user->roles as $rid => $name) {
...@@ -151,6 +153,15 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -151,6 +153,15 @@ function upload_nodeapi(&$node, $op, $arg) {
$error['usersize']++; $error['usersize']++;
} }
} }
}
// Rename possibly executable scripts to prevent accidental execution.
// Uploaded files are attachments and should be shown in their original
// form, rather than run.
if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filename .= '.txt';
$file->filemime = 'text/plain';
}
if ($error['extension'] == count($user->roles) && $user->uid != 1) { if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>")));
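Review bot: The rename at `$file->filename .= '.txt'` runs before the `invalid extension` check two lines later, so a user whose `foo.php` was rejected by the role validation is told that `<em>foo.php.txt</em>` had an invalid extension; either move the rename block below the form_set_error checks or keep the original name in a local for the message. The pattern also inspects only the final extension (and `$` additionally matches before a trailing newline), so a name carrying a script extension in the middle is left untouched; whether a web server would execute such a name depends on its handler configuration, so consider `'/\.(php|pl|py|cgi|asp)(\.|\z)/i'` if that is a concern. The extension list is hard-coded, and a comment stating that it is deliberately minimal because the per-role extension validation above remains the primary control would help the next reader. upload_nodeapi begins and ends outside both hunks, and the same points apply to the repeated section below.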
...@@ -130,6 +130,8 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -130,6 +130,8 @@ function upload_nodeapi(&$node, $op, $arg) {
break; break;
} }
// Don't do any checks for uid #1.
if ($user->uid != 1) {
// Validate file against all users roles. Only denies an upload when // Validate file against all users roles. Only denies an upload when
// all roles prevent it. // all roles prevent it.
foreach ($user->roles as $rid => $name) { foreach ($user->roles as $rid => $name) {
...@@ -151,6 +153,15 @@ function upload_nodeapi(&$node, $op, $arg) { ...@@ -151,6 +153,15 @@ function upload_nodeapi(&$node, $op, $arg) {
$error['usersize']++; $error['usersize']++;
} }
} }
}
// Rename possibly executable scripts to prevent accidental execution.
// Uploaded files are attachments and should be shown in their original
// form, rather than run.
if (preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
$file->filename .= '.txt';
$file->filemime = 'text/plain';
}
if ($error['extension'] == count($user->roles) && $user->uid != 1) { if ($error['extension'] == count($user->roles) && $user->uid != 1) {
form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>"))); form_set_error('upload', t('Error attaching file %name: invalid extension', array('%name' => "<em>$file->filename</em>")));