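/**
 * Validate an uploaded file before it is stored.
 *
 * Checks run in this order and the first failing one wins:
 *  1. the file name (must be unchanged by JFile::makesafe()),
 *  2. the extension against the configured deny list, then the allow list
 *     (skipped when the "ignore file types check" option disables it),
 *  3. the size against the configured maximum,
 *  4. the per-user quota (size and count) for user control panel uploads,
 *  5. the content: getimagesize() for image extensions, a fileinfo /
 *     mime-magic deny list for everything else,
 *  6. a scan of the first 256 bytes for HTML tags, so a file cannot be
 *     served back and rendered as HTML whatever its extension claims.
 *
 * @param array  $file         One entry of $_FILES (keys used: name, size, tmp_name).
 * @param string &$err         On failure receives the language key (for the user
 *                             quota checks the already translated text) that
 *                             explains the rejection. Untouched on success.
 * @param string $manager      Manager name, resolved through
 *                             PhocaDownloadSettings::getManagerGroup().
 * @param int    $frontEnd     0 = administrator, 1 = front-end upload,
 *                             2 = user control panel.
 * @param int    $chunkEnabled 1 when the file arrives in chunks: $file['size']
 *                             and $file['tmp_name'] then describe one chunk only,
 *                             so $realSize is used for the size check and the
 *                             image content check is skipped.
 * @param int    $realSize     Total size of the file when chunking is used.
 *
 * @return bool true when the file passed every check, false otherwise ($err set).
 */
public static function canUpload( $file, &$err, $manager = '', $frontEnd = 0, $chunkEnabled = 0, $realSize = 0)
{
    $paramsC = JComponentHelper::getParams( 'com_phocadownload' );

    // Front-end and administrator uploads use separate allow/deny lists, and the
    // "ignore file types check" option is honoured for different values in each.
    if ($frontEnd == 1) {
        $aft = $paramsC->get( 'allowed_file_types_upload', PhocaDownloadSettings::getDefaultAllowedMimeTypesUpload() );
        $dft = $paramsC->get( 'disallowed_file_types_upload', '' );
        // Bug fix: this read the undefined $params, so every front-end upload failed here.
        $ignoreUploadCheck = $paramsC->get( 'ignore_file_types_check', 2 );
        $ignoreUploadCh    = ($ignoreUploadCheck == 1 || $ignoreUploadCheck == 4) ? 1 : 0;
    } else {
        $aft = $paramsC->get( 'allowed_file_types_download', PhocaDownloadSettings::getDefaultAllowedMimeTypesDownload() );
        $dft = $paramsC->get( 'disallowed_file_types_download', '' );
        $ignoreUploadCheck = $paramsC->get( 'ignore_file_types_check', 2 );
        // NOTE(review): the original condition was "== 5 || == 5"; only value 5 is
        // honoured here - confirm whether a second value was intended.
        $ignoreUploadCh    = ($ignoreUploadCheck == 5) ? 1 : 0;
    }

    $allowedMimeType    = PhocaDownloadFile::getMimeTypeString($aft);
    $disallowedMimeType = PhocaDownloadFile::getMimeTypeString($dft);

    // Per-manager lists. Group flag 'f' == 2 uses fixed image-only lists
    // regardless of configuration (presumably an image manager - not visible here).
    $group   = PhocaDownloadSettings::getManagerGroup($manager);
    $paramsL = array();
    if ($group['f'] == 2) {
        $paramsL['upload_extensions']  = 'gif,jpg,png,jpeg';
        $paramsL['image_extensions']   = 'gif,jpg,png,jpeg';
        $paramsL['upload_mime']        = 'image/jpeg,image/gif,image/png';
        $paramsL['upload_mime_illegal'] = 'application/x-shockwave-flash,application/msword,application/excel,application/pdf,application/powerpoint,text/plain,application/x-zip,text/html';
        $paramsL['upload_ext_illegal'] = $disallowedMimeType['ext'];
    } else {
        $paramsL['upload_extensions']  = $allowedMimeType['ext'];
        $paramsL['image_extensions']   = 'bmp,gif,jpg,png,jpeg';
        $paramsL['upload_mime']        = $allowedMimeType['mime'];
        $paramsL['upload_mime_illegal'] = $disallowedMimeType['mime'];
        $paramsL['upload_ext_illegal'] = $disallowedMimeType['ext'];
    }

    // The file doesn't exist
    if (empty($file['name'])) {
        $err = 'COM_PHOCADOWNLOAD_WARNING_INPUT_FILE_UPLOAD';
        return false;
    }

    // Not safe file name: anything makesafe() would alter is rejected outright
    jimport('joomla.filesystem.file');
    if ($file['name'] !== JFile::makesafe($file['name'])) {
        $err = 'COM_PHOCADOWNLOAD_WARNFILENAME';
        return false;
    }

    $format = strtolower(JFile::getExt($file['name']));

    // Extension check: the deny list takes precedence over the allow list, and a
    // file without an extension is never allowed. Skipped entirely when the
    // administrator disabled it via "ignore file types check".
    if ($ignoreUploadCh != 1) {
        $allowable    = explode( ',', $paramsL['upload_extensions']);
        $notAllowable = explode( ',', $paramsL['upload_ext_illegal']);
        if (in_array($format, $notAllowable, true)) {
            $err = 'COM_PHOCADOWNLOAD_WARNFILETYPE_DISALLOWED';
            return false;
        }
        if ($format === '' || !in_array($format, $allowable, true)) {
            $err = 'COM_PHOCADOWNLOAD_WARNFILETYPE_NOT_ALLOWED';
            return false;
        }
    }

    // Maximum size. With chunked uploads $file['size'] is only one chunk, so the
    // caller-supplied total ($realSize) is checked instead. A limit of 0 means unlimited.
    if ((int)$frontEnd > 0) {
        $maxSize = (int) $paramsC->get( 'user_file_upload_size', 3145728 );
    } else {
        $maxSize = (int) $paramsC->get( 'upload_maxsize', 3145728 );
    }
    if ($chunkEnabled == 1) {
        $uploadSize = (int) $realSize;
    } else {
        $uploadSize = isset($file['size']) ? (int) $file['size'] : 0;
    }
    if ($maxSize > 0 && $uploadSize > $maxSize) {
        $err = 'COM_PHOCADOWNLOAD_WARNFILETOOLARGE';
        return false;
    }

    // User (only in ucp) - check the total size and count of the user's files
    if ($frontEnd == 2) {
        $user               = JFactory::getUser();
        $maxUserUploadSize  = (int)$paramsC->get( 'user_files_max_size', 20971520 );
        $maxUserUploadCount = (int)$paramsC->get( 'user_files_max_count', 5 );
        $allFile            = PhocaDownloadUser::getUserFileInfo($file, $user->id);
        // NOTE(review): the size of the file being uploaded is not added to
        // $allFile['size'] here - confirm getUserFileInfo() already accounts for it.
        if ($maxUserUploadSize > 0 && (int) $allFile['size'] > $maxUserUploadSize) {
            $err = JText::_('COM_PHOCADOWNLOAD_WARNUSERFILESTOOLARGE');
            return false;
        }
        if ((int) $allFile['count'] > $maxUserUploadCount) {
            $err = JText::_('COM_PHOCADOWNLOAD_WARNUSERFILESTOOMUCH');
            return false;
        }
    }

    // Content check
    $images = explode( ',', $paramsL['image_extensions']);
    if (in_array($format, $images, true)) {
        // Image extension: make sure the content really is an image (group flag
        // 'i' == 1 enables this). Not possible for a single chunk.
        if ($group['i'] == 1 && $chunkEnabled != 1) {
            if (getimagesize($file['tmp_name']) === false) {
                // Bug fix: the error key used to be overwritten with $imginfo[0] (null).
                $err = 'COM_PHOCADOWNLOAD_WARNINVALIDIMG';
                return false;
            }
        }
    } else {
        // Non-image: reject when the detected media type is on the deny list and
        // not on the allow list. FILEINFO_MIME may return "type/subtype; charset=..."
        // so the bare media type is compared as well, otherwise the lists
        // (e.g. 'text/html') could never match.
        $allowed_mime = explode(',', $paramsL['upload_mime']);
        $illegal_mime = explode(',', $paramsL['upload_mime_illegal']);
        $type = null;
        if (function_exists('finfo_open')) {
            // We have fileinfo
            $finfo = finfo_open(FILEINFO_MIME);
            if ($finfo !== false) {
                $type = finfo_file($finfo, $file['tmp_name']);
                // closed before any early return (was leaked on the error path)
                finfo_close($finfo);
            }
        } else if (function_exists('mime_content_type')) {
            // we have mime magic
            $type = mime_content_type($file['tmp_name']);
        }
        if (is_string($type) && $type !== '') {
            $parts     = explode(';', $type, 2);
            $mediaType = trim($parts[0]);
            $isAllowed = in_array($type, $allowed_mime, true) || in_array($mediaType, $allowed_mime, true);
            $isIllegal = in_array($type, $illegal_mime, true) || in_array($mediaType, $illegal_mime, true);
            if (!$isAllowed && $isIllegal) {
                $err = 'COM_PHOCADOWNLOAD_WARNINVALIDMIME';
                return false;
            }
        }
    }

    // XSS check: look for HTML tags in the first 256 bytes
    $xss_check = (string) JFile::read($file['tmp_name'], false, 256);
    $html_tags = PhocaDownloadSettings::getHTMLTagsUpload();
    foreach ($html_tags as $tag) {
        // A tag is '<tagname ', so we need to add < and a space, or '<tagname>'
        if (stripos($xss_check, '<' . $tag . ' ') !== false || stripos($xss_check, '<' . $tag . '>') !== false) {
            $err = 'COM_PHOCADOWNLOAD_WARNIEXSS';
            return false;
        }
    }

    return true;
}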