summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@bofh.bg>2012-06-16 23:03:03 +0200
committerAndrey Andreev <narf@bofh.bg>2012-06-16 23:03:03 +0200
commitd60e700640c2a67f74acff090b94d06117bfc203 (patch)
treed635f7b54dcd22a9ab135905dec36d868396d9ac
parent81c3208b79cca353b27ecd4bdf00d4b6e7c91b2c (diff)
Add an option to disable MIME detection in the Upload library (issue #1494)
-rw-r--r--system/libraries/Upload.php16
-rw-r--r--user_guide_src/source/libraries/file_uploading.rst3
2 files changed, 16 insertions, 3 deletions
diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php
index c96daaf15..d381440cd 100644
--- a/system/libraries/Upload.php
+++ b/system/libraries/Upload.php
@@ -59,6 +59,7 @@ class CI_Upload {
public $error_msg = array();
public $mimes = array();
public $remove_spaces = TRUE;
+ public $detect_mime = TRUE;
public $xss_clean = FALSE;
public $temp_prefix = 'temp_file_';
public $client_name = '';
@@ -116,6 +117,7 @@ class CI_Upload {
'image_size_str' => '',
'error_msg' => array(),
'remove_spaces' => TRUE,
+ 'detect_mime' => TRUE,
'xss_clean' => FALSE,
'temp_prefix' => 'temp_file_',
'client_name' => ''
@@ -209,7 +211,13 @@ class CI_Upload {
// Set the uploaded data as class variables
$this->file_temp = $_FILES[$field]['tmp_name'];
$this->file_size = $_FILES[$field]['size'];
- $this->_file_mime_type($_FILES[$field]);
+
+ // Skip MIME type detection?
+ if ($this->detect_mime !== FALSE)
+ {
+ $this->_file_mime_type($_FILES[$field]);
+ }
+
$this->file_type = preg_replace('/^(.+?);.*$/', '\\1', $this->file_type);
$this->file_type = strtolower(trim(stripslashes($this->file_type), '"'));
$this->file_name = $this->_prep_filename($_FILES[$field]['name']);
@@ -990,7 +998,7 @@ class CI_Upload {
*/
if (function_exists('finfo_file'))
{
- $finfo = finfo_open(FILEINFO_MIME);
+ $finfo = @finfo_open(FILEINFO_MIME);
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
{
$mime = @finfo_file($finfo, $file['tmp_name']);
@@ -1021,7 +1029,9 @@ class CI_Upload {
*/
if (DIRECTORY_SEPARATOR !== '\\')
{
- $cmd = 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1';
+ $cmd = function_exists('escapeshellarg')
+ ? 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1'
+ : 'file --brief --mime '.$file['tmp_name'].' 2>&1';
if (function_exists('exec'))
{
diff --git a/user_guide_src/source/libraries/file_uploading.rst b/user_guide_src/source/libraries/file_uploading.rst
index 414d84f0b..65cd5c722 100644
--- a/user_guide_src/source/libraries/file_uploading.rst
+++ b/user_guide_src/source/libraries/file_uploading.rst
@@ -215,6 +215,9 @@ Preference Default Value Options Descripti
that can not be discerned by the person uploading it.
**remove_spaces** TRUE TRUE/FALSE (boolean) If set to TRUE, any spaces in the file name will be converted to
underscores. This is recommended.
+**detect_mime** TRUE TRUE/FALSE (boolean) If set to TRUE, a server side detection of the file type will be
+ performed to avoid code injection attacks. DO NOT disable this option
+ unless you have no other option as that would cause a security risk.
============================ ================= ======================= ======================================================================
Setting preferences in a config file