Exemple #1
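 /**
  * Validate one uploaded file entry before it is accepted by the manager.
  *
  * The checks run in order and the first failure throws. A rejected upload's
  * temporary file is removed so it does not linger on disk — except when the
  * path is not a PHP-managed upload at all: in that case the path is untrusted
  * input and must never be passed to unlink().
  *
  * @param array $file One entry in the $_FILES shape; the keys read here are
  *                    tmp_name, name and error — confirm against the caller.
  *
  * @throws InvalidArgumentException when the entry is missing or incomplete, the
  *         file is not a genuine upload, EXIF stripping fails, or the
  *         safety / extension / size / mimetype checks fail.
  */
 private function validateUploadedFile($file)
 {
     // check the POST data array
     if (empty($file) || !is_array($file)) {
         throw new InvalidArgumentException('Upload Failed: No data');
     }
     // tmp name and original name must both be present (name is used for the extension checks below)
     if (empty($file['tmp_name']) || !isset($file['name']) || $file['name'] === '') {
         throw new InvalidArgumentException('Upload Failed: No data');
     }
     // PHP reports partial/oversized uploads through the error code; reject those before touching the file
     if (isset($file['error']) && (int) $file['error'] !== UPLOAD_ERR_OK) {
         throw new InvalidArgumentException('Upload Failed: No data');
     }
     $tmp = $file['tmp_name'];
     // must be a file PHP itself placed in the upload temp dir; deliberately no unlink here,
     // because a path that is not an upload is attacker-controllable
     if (!is_uploaded_file($tmp)) {
         throw new InvalidArgumentException('Upload Failed: Not an uploaded file');
     }
     // best-effort cleanup of a rejected upload; guarded so an already-removed file does not warn
     $discard = static function () use ($tmp) {
         if (is_file($tmp)) {
             unlink($tmp);
         }
     };
     // presumably an array of upload settings (remove_exif, max_size, validate_mimetype) — verify get()
     $upload = $this->get('upload');
     // remove exif data
     if (!empty($upload['remove_exif']) && preg_match('#\\.(jpg|jpeg|png)$#i', $file['name'])) {
         if (WFUtility::removeExifData($tmp) === false) {
             $discard();
             throw new InvalidArgumentException(WFText::_('WF_MANAGER_UPLOAD_EXIF_REMOVE_ERROR'));
         }
     }
     // check file for various issues
     if (WFUtility::isSafeFile($file) !== true) {
         $discard();
         throw new InvalidArgumentException('Upload Failed: Invalid file');
     }
     // check extension is allowed; note an empty or non-array list disables this check entirely
     $ext = WFUtility::getExtension($file['name']);
     $allowed = $this->getFileTypes('array');
     if (is_array($allowed) && !empty($allowed) && !in_array(strtolower($ext), $allowed, true)) {
         $discard();
         throw new InvalidArgumentException(WFText::_('WF_MANAGER_UPLOAD_INVALID_EXT_ERROR'));
     }
     // size is compared in KiB; an unreadable file is rejected rather than treated as 0 bytes
     $bytes = filesize($tmp);
     if ($bytes === false) {
         $discard();
         throw new InvalidArgumentException('Upload Failed: Invalid file');
     }
     $size = round($bytes / 1024);
     if (empty($upload['max_size'])) {
         $upload['max_size'] = 1024;
     }
     // validate size
     if ($size > (int) $upload['max_size']) {
         $discard();
         throw new InvalidArgumentException(WFText::sprintf('WF_MANAGER_UPLOAD_SIZE_ERROR', $file['name'], $size, $upload['max_size']));
     }
     // validate mimetype (content must agree with the claimed name); !empty avoids an undefined-index notice
     if (!empty($upload['validate_mimetype'])) {
         wfimport('editor.libraries.classes.mime');
         if (WFMimeType::check($file['name'], $tmp) === false) {
             $discard();
             throw new InvalidArgumentException(WFText::_('WF_MANAGER_UPLOAD_MIME_ERROR'));
         }
     }
 }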
Exemple #2
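 /**
  * Validate one uploaded file entry before it is accepted by the manager.
  *
  * The checks run in order and the first failure throws. A rejected upload's
  * temporary file is removed so it does not linger on disk — except when the
  * path is not a PHP-managed upload at all: in that case the path is untrusted
  * input and must never be passed to unlink().
  *
  * @param array $file One entry in the $_FILES shape; the keys read here are
  *                    tmp_name, name and error — confirm against the caller.
  *
  * @throws InvalidArgumentException when the entry is missing or incomplete, the
  *         file is not a genuine upload, or the safety / filename / extension /
  *         image / size / mimetype / embedded-tag checks fail.
  */
 private function validateUploadedFile($file)
 {
     // check the POST data array
     if (empty($file) || !is_array($file)) {
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     // tmp name and original name must both be present (name is used for the extension checks below)
     if (empty($file['tmp_name']) || !isset($file['name']) || $file['name'] === '') {
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     // PHP reports partial/oversized uploads through the error code; reject those before touching the file
     if (isset($file['error']) && (int) $file['error'] !== UPLOAD_ERR_OK) {
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     $tmp = $file['tmp_name'];
     // must be a file PHP itself placed in the upload temp dir; deliberately no unlink here,
     // because a path that is not an upload is attacker-controllable
     if (!is_uploaded_file($tmp)) {
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     // best-effort cleanup of a rejected upload; guarded so an already-removed file does not warn
     $discard = static function () use ($tmp) {
         if (is_file($tmp)) {
             unlink($tmp);
         }
     };
     if (WFUtility::isSafeFile($file) !== true) {
         $discard();
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     if (WFUtility::validateFileName($file['name']) === false) {
         $discard();
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     // check extension is allowed; note an empty or non-array list disables this check entirely
     $ext = WFUtility::getExtension($file['name']);
     $allowed = $this->getFileTypes('array');
     if (is_array($allowed) && !empty($allowed) && !in_array(strtolower($ext), $allowed, true)) {
         $discard();
         throw new InvalidArgumentException(WFText::_('WF_MANAGER_UPLOAD_INVALID_EXT_ERROR'));
     }
     // validate image: anything named like an image must parse as one
     if (preg_match('#\\.(jpeg|jpg|jpe|png|gif|wbmp|bmp|tiff|tif|webp|psd|swc|iff|jpc|jp2|jpx|jb2|xbm|ico|xcf|odg)$#i', $file['name'])) {
         // getimagesize() emits warnings on malformed data; only its false return matters here
         if (@getimagesize($tmp) === false) {
             $discard();
             throw new InvalidArgumentException('INVALID IMAGE FILE');
         }
     }
     // presumably an array of upload settings (max_size, validate_mimetype) — verify get()
     $upload = $this->get('upload');
     // size is compared in KiB; an unreadable file is rejected rather than treated as 0 bytes
     $bytes = filesize($tmp);
     if ($bytes === false) {
         $discard();
         throw new InvalidArgumentException('INVALID UPLOAD DATA');
     }
     $size = round($bytes / 1024);
     if (empty($upload['max_size'])) {
         $upload['max_size'] = 1024;
     }
     // validate size
     if ($size > (int) $upload['max_size']) {
         $discard();
         throw new InvalidArgumentException(WFText::sprintf('WF_MANAGER_UPLOAD_SIZE_ERROR', $file['name'], $size, $upload['max_size']));
     }
     // validate mimetype (content must agree with the claimed name); !empty avoids an undefined-index notice
     if (!empty($upload['validate_mimetype'])) {
         wfimport('editor.libraries.classes.mime');
         if (WFMimeType::check($file['name'], $tmp) === false) {
             $discard();
             throw new InvalidArgumentException('INVALID MIME TYPE');
         }
     }
     // check for html tags in files (IE XSS bug): browsers may sniff HTML out of non-HTML content.
     // Only the leading bytes are inspected — assumes JFile::read's third argument is a byte count (TODO confirm)
     if (!preg_match('#\\.(htm|html|xml|txt)$#i', $file['name'])) {
         $data = JFile::read($tmp, false, 256);
         // a file we cannot read cannot be vetted, so it is rejected
         if (!is_string($data)) {
             $discard();
             throw new InvalidArgumentException('INVALID UPLOAD DATA');
         }
         $tags = 'a,abbr,acronym,address,area,b,base,bdo,big,blockquote,body,br,button,caption,cite,code,col,colgroup,dd,del,dfn,div,dl,dt,em,fieldset,form,h1,h2,h3,h4,h5,h6,head,hr,html,i,img,input,ins,kbd,label,legend,li,link,map,meta,noscript,object,ol,optgroup,option,p,param,pre,q,samp,script,select,small,span,strong,style,sub,sup,table,tbody,td,textarea,tfoot,th,thead,title,tr,tt,ul,var';
         // match "<tag>" or "<tag" followed by any whitespace or "/", so a newline or "<br/>" after the name is not missed
         if (preg_match('#<(' . str_replace(',', '|', $tags) . ')[\s/>]#i', $data)) {
             $discard();
             throw new InvalidArgumentException('INVALID TAG IN FILE');
         }
     }
 }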