From bb2c83bddbf51c42815be3de60eab24fd87ae392 Mon Sep 17 00:00:00 2001 From: Wes Baker Date: Fri, 4 May 2012 18:44:24 -0400 Subject: Added a return false if an image doesn't pass XSS cleaning to prevent file_get_contents from returning a NULL and passing through unscathed. --- system/libraries/Upload.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 8ad67050d..4a4a66f73 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -850,6 +850,10 @@ class CI_Upload { { return TRUE; // its an image, no "triggers" detected in the first 256 bytes, we're good } + else + { + return FALSE; + } } if (($data = @file_get_contents($file)) === FALSE) @@ -1099,4 +1103,4 @@ class CI_Upload { } /* End of file Upload.php */ -/* Location: ./system/libraries/Upload.php */ \ No newline at end of file +/* Location: ./system/libraries/Upload.php */ -- cgit v1.2.3-24-g4f1b From 46d53fb8799eb2f84798f0e7a5f57b065c2482e2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 11 May 2012 13:42:24 +0300 Subject: Fix issue #1349 --- system/libraries/Upload.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 4a4a66f73..24d4bd4d0 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -725,7 +725,7 @@ class CI_Upload { public function get_extension($filename) { $x = explode('.', $filename); - return '.'.end($x); + return (count($x) !== 1) ? '.'.end($x) : ''; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 5645479c622eb36cf9869797896dc0921568c4a9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 17 May 2012 14:32:19 +0300 Subject: Clean up the libraries --- system/libraries/Upload.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 24d4bd4d0..271c6d21f 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -1036,7 +1036,7 @@ class CI_Upload { */ if (DIRECTORY_SEPARATOR !== '\\') { - $cmd = 'file --brief --mime ' . escapeshellarg($file['tmp_name']) . ' 2>&1'; + $cmd = 'file --brief --mime '.escapeshellarg($file['tmp_name']).' 2>&1'; if (function_exists('exec')) { @@ -1103,4 +1103,4 @@ class CI_Upload { } /* End of file Upload.php */ -/* Location: ./system/libraries/Upload.php */ +/* Location: ./system/libraries/Upload.php */ \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 470805b12a8a25faddc9caafe573c15dbd89f8ed Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 24 May 2012 21:57:21 +0300 Subject: Fix issues #44 & #110 --- system/libraries/Upload.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 271c6d21f..7456e922a 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -747,6 +747,8 @@ class CI_Upload { ';', '?', '/', + '!', + '#', '%20', '%22', '%3c', // < -- cgit v1.2.3-24-g4f1b From d261b1e89c3d4d5191036d5a5660ef6764e593a0 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sat, 2 Jun 2012 11:12:16 +0100 Subject: Replaced `==` with `===` and `!=` with `!==` in /system/libraries --- system/libraries/Upload.php | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 7456e922a..e4cc54b21 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -223,7 +223,7 @@ class CI_Upload { } // if we're overriding, let's now make sure the new name and type is allowed - if ($this->_file_name_override != '') + if ($this->_file_name_override !== '') { $this->file_name = $this->_prep_filename($this->_file_name_override); @@ -276,7 +276,7 @@ class CI_Upload { } // Remove white spaces in the name - if ($this->remove_spaces == TRUE) + if ($this->remove_spaces === TRUE) { $this->file_name = preg_replace('/\s+/', '_', $this->file_name); } @@ -289,7 +289,7 @@ class CI_Upload { */ $this->orig_name = $this->file_name; - if ($this->overwrite == FALSE) + if ($this->overwrite === FALSE) { $this->file_name = $this->set_filename($this->upload_path, $this->file_name); @@ -397,7 +397,7 @@ class CI_Upload { */ public function set_filename($path, $filename) { - if ($this->encrypt_name == TRUE) + if ($this->encrypt_name === TRUE) { mt_srand(); $filename = md5(uniqid(mt_rand())).$this->file_ext; @@ -420,7 +420,7 @@ class CI_Upload { } } - if ($new_filename == '') + if ($new_filename === '') { $this->set_error('upload_bad_filename'); return FALSE; @@ -545,7 +545,7 @@ class CI_Upload { */ public function set_xss_clean($flag = FALSE) { - $this->xss_clean = ($flag == TRUE); + $this->xss_clean = ($flag === TRUE); } // -------------------------------------------------------------------- @@ -641,7 +641,7 @@ class CI_Upload { */ public function is_allowed_filesize() { - return ($this->max_size == 0 OR $this->max_size > $this->file_size); + return ($this->max_size === 0 OR $this->max_size > $this->file_size); } // -------------------------------------------------------------------- @@ -687,7 +687,7 @@ class CI_Upload { */ public function validate_upload_path() { - if ($this->upload_path == '') + if ($this->upload_path === '') { $this->set_error('upload_no_filepath'); return FALSE; @@ -809,12 +809,12 @@ class CI_Upload { { $file = $this->file_temp; - if (filesize($file) == 0) + if (filesize($file) === 0) { return FALSE; } - if (function_exists('memory_get_usage') && memory_get_usage() && ini_get('memory_limit') != '') + if (function_exists('memory_get_usage') && memory_get_usage() && ini_get('memory_limit') !== '') { $current = ini_get('memory_limit') * 1024 * 1024; @@ -884,14 +884,14 @@ class CI_Upload { { foreach ($msg as $val) { - $msg = ($CI->lang->line($val) == FALSE) ? $val : $CI->lang->line($val); + $msg = ($CI->lang->line($val) === FALSE) ? $val : $CI->lang->line($val); $this->error_msg[] = $msg; log_message('error', $msg); } } else { - $msg = ($CI->lang->line($msg) == FALSE) ? $msg : $CI->lang->line($msg); + $msg = ($CI->lang->line($msg) === FALSE) ? $msg : $CI->lang->line($msg); $this->error_msg[] = $msg; log_message('error', $msg); } @@ -926,7 +926,7 @@ class CI_Upload { { global $mimes; - if (count($this->mimes) == 0) + if (count($this->mimes) === 0) { if (defined('ENVIRONMENT') && is_file(APPPATH.'config/'.ENVIRONMENT.'/mimes.php')) { @@ -960,7 +960,7 @@ class CI_Upload { */ protected function _prep_filename($filename) { - if (strpos($filename, '.') === FALSE OR $this->allowed_types == '*') + if (strpos($filename, '.') === FALSE OR $this->allowed_types === '*') { return $filename; } -- cgit v1.2.3-24-g4f1b From 5036c9caabb12f90b9533d7fb417610e02a652ff Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 4 Jun 2012 15:34:56 +0300 Subject: Revert/optimize some changes from 773ccc318f2769c9b7579630569b5d8ba47b114b and d261b1e89c3d4d5191036d5a5660ef6764e593a0 --- system/libraries/Upload.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index e4cc54b21..bd97a611b 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -809,12 +809,12 @@ class CI_Upload { { $file = $this->file_temp; - if (filesize($file) === 0) + if (filesize($file) == 0) { return FALSE; } - if (function_exists('memory_get_usage') && memory_get_usage() && ini_get('memory_limit') !== '') + if (function_exists('memory_get_usage') && memory_get_usage() && ini_get('memory_limit')) { $current = ini_get('memory_limit') * 1024 * 1024; -- cgit v1.2.3-24-g4f1b From 39b1c11f5976104dce30fe83e1d3c6f9ed616122 Mon Sep 17 00:00:00 2001 From: Phil Sturgeon Date: Mon, 4 Jun 2012 16:51:14 -0500 Subject: Direct return from mimes config, instead of using global $mimes; Global variables are generally a terrible idea, especially for something as simple as this. The mimes.php now returns an array instead of just injecting a variable name into the global namespace. --- system/libraries/Upload.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index bd97a611b..e31029e49 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -930,18 +930,16 @@ class CI_Upload { { if (defined('ENVIRONMENT') && is_file(APPPATH.'config/'.ENVIRONMENT.'/mimes.php')) { - include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php'); + $this->mimes = include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php'); } elseif (is_file(APPPATH.'config/mimes.php')) { - include(APPPATH.'config/mimes.php'); + $this->mimes = include(APPPATH.'config/mimes.php'); } else { return FALSE; } - - $this->mimes = $mimes; } return isset($this->mimes[$mime]) ? $this->mimes[$mime] : FALSE; -- cgit v1.2.3-24-g4f1b From 6ef498b49946ba74d610b3805fb908b163a7f03a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 5 Jun 2012 22:01:58 +0300 Subject: Added get_mimes() function to system/core/Commons.php.The MIMEs array from config/mimes.php is used by multiple core classes, libraries and helpers and each of them has implemented an own way of getting it, which is not needed and is hard to maintain. This also fixes issue #1411 --- system/libraries/Upload.php | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index e31029e49..c1e07de7a 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -78,6 +78,8 @@ class CI_Upload { $this->initialize($props); } + $this->mimes =& get_mimes(); + log_message('debug', 'Upload Class Initialized'); } @@ -113,7 +115,6 @@ class CI_Upload { 'image_type' => '', 'image_size_str' => '', 'error_msg' => array(), - 'mimes' => array(), 'remove_spaces' => TRUE, 'xss_clean' => FALSE, 'temp_prefix' => 'temp_file_', @@ -924,24 +925,6 @@ class CI_Upload { */ public function mimes_types($mime) { - global $mimes; - - if (count($this->mimes) === 0) - { - if (defined('ENVIRONMENT') && is_file(APPPATH.'config/'.ENVIRONMENT.'/mimes.php')) - { - $this->mimes = include(APPPATH.'config/'.ENVIRONMENT.'/mimes.php'); - } - elseif (is_file(APPPATH.'config/mimes.php')) - { - $this->mimes = include(APPPATH.'config/mimes.php'); - } - else - { - return FALSE; - } - } - return isset($this->mimes[$mime]) ? $this->mimes[$mime] : FALSE; } -- cgit v1.2.3-24-g4f1b From c839d28f4230dce0c658338f267b821cc16490a2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 7 Jun 2012 14:35:27 +0300 Subject: Remove some unnecessary function_exists() checks and some minor improvements --- system/libraries/Upload.php | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) (limited to 'system/libraries/Upload.php') diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index c1e07de7a..1f6aeeb6b 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -694,7 +694,7 @@ class CI_Upload { return FALSE; } - if (function_exists('realpath') && @realpath($this->upload_path) !== FALSE) + if (@realpath($this->upload_path) !== FALSE) { $this->upload_path = str_replace('\\', '/', realpath($this->upload_path)); } @@ -815,17 +815,17 @@ class CI_Upload { return FALSE; } - if (function_exists('memory_get_usage') && memory_get_usage() && ini_get('memory_limit')) + if (memory_get_usage() && ($memory_limit = ini_get('memory_limit'))) { - $current = ini_get('memory_limit') * 1024 * 1024; + $memory_limit *= 1024 * 1024; // There was a bug/behavioural change in PHP 5.2, where numbers over one million get output // into scientific notation. number_format() ensures this number is an integer // http://bugs.php.net/bug.php?id=43053 - $new_memory = number_format(ceil(filesize($file) + $current), 0, '.', ''); + $memory_limit = number_format(ceil(filesize($file) + $memory_limit), 0, '.', ''); - ini_set('memory_limit', $new_memory); // When an integer is used, the value is measured in bytes. - PHP.net + ini_set('memory_limit', $memory_limit); // When an integer is used, the value is measured in bytes. - PHP.net } // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but @@ -849,14 +849,8 @@ class CI_Upload { // ]/i', $opening_bytes)) - { - return TRUE; // its an image, no "triggers" detected in the first 256 bytes, we're good - } - else - { - return FALSE; - } + // if its an image or no "triggers" detected in the first 256 bytes - we're good + return ! preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\s>]/i', $opening_bytes); } if (($data = @file_get_contents($file)) === FALSE) -- cgit v1.2.3-24-g4f1b