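/**
 * Validates an uploaded file and moves it into the uploads area under a
 * generated (GUID) name, returning the stored path relative to ABSPATH.
 *
 * The client-supplied basename is never used for the stored file: only its
 * extension survives (lower-cased), and only after file_is_safe() has
 * accepted the upload. move_uploaded_file() itself refuses anything that is
 * not a genuine PHP upload, so a forged 'tmp_name' cannot be moved.
 *
 * @param array       $fileArray One entry of $_FILES (needs 'name' and 'tmp_name')
 * @param string|null $type      Type hint forwarded to file_is_safe()
 * @param string      $directory Sub-directory below UPLOADS to store into.
 *                               NOTE(review): joined into the target path
 *                               without further checks here — must not be
 *                               taken from request input; confirm at call sites.
 * @return string|false Path relative to ABSPATH on success; false when the
 *                      request carries no files, the argument is not an array,
 *                      the file fails validation, or the move fails
 */
function save_file($fileArray, $type = null, $directory = '')
{
    // Reasons to fail: nothing uploaded in this request, or the caller did
    // not hand us a $_FILES-style array.
    if (!BRequest::get('files', false) || !is_array($fileArray)) {
        return false;
    }
    if (!file_is_safe($fileArray, $type)) {
        return false;
    }

    // Only the extension of the client-supplied name is kept. A name with no
    // extension yields '' here (the original read an undefined index, which
    // produced the same '' after a warning).
    $parts = pathinfo($fileArray['name']);
    $extension = isset($parts['extension']) ? $parts['extension'] : '';

    // GUID-based target name: the stored file never carries the client's basename.
    $target_path = FivePath::clean(strtolower(
        UPLOADS . DS . $directory . DS . create_guid() . '.' . $extension
    ));

    if (!move_uploaded_file($fileArray['tmp_name'], $target_path)) {
        return false;
    }

    // Success: report the path relative to the application root.
    return str_replace(ABSPATH, '', $target_path);
}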
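/**
 * Searches a set of directories for a given file and returns its resolved path.
 *
 * Local (non-stream) paths are run through realpath() so that '..' segments
 * and symlinks are resolved before the containment check. A hit is only
 * reported when the resolved file is the search directory itself or lies
 * below it (prefix followed by a separator); a bare prefix compare would also
 * accept a sibling directory whose name merely begins with the search path.
 *
 * @param array|string $paths A path or array of paths to search in
 * @param string       $file  The file name to look for
 * @return string|false The full path and file name for the target file, or
 *                      false if the file is not found inside any of the paths
 * @since 1.5
 */
function files_find($paths, $file)
{
    settype($paths, 'array'); // force to array

    foreach ($paths as $path) {
        // candidate location of the file under this search directory
        $fullname = FivePath::clean($path . DS . $file);

        // is the path based on a stream?
        if (strpos($path, '://') === false) {
            // not a stream, so canonicalise both sides with realpath() so the
            // containment check below compares resolved paths.
            $path = realpath($path);
            $fullname = realpath($fullname);

            // a search directory (or candidate) that does not resolve cannot
            // be a match; skipping it also avoids comparing against false,
            // which the original's loose '==' would have accepted.
            if ($path === false || $fullname === false) {
                continue;
            }
        }

        if (!file_exists($fullname)) {
            continue;
        }

        // containment: exact match, or $path followed by a separator
        if ($fullname === $path) {
            return $fullname;
        }
        $pathLen = strlen($path);
        if (strncmp($fullname, $path, $pathLen) !== 0) {
            continue;
        }
        $separators = ['/', '\\'];
        $lastOfPath = $pathLen > 0 ? substr($path, -1) : '';
        $nextOfFull = substr($fullname, $pathLen, 1);
        if (in_array($lastOfPath, $separators, true) || in_array($nextOfFull, $separators, true)) {
            return $fullname;
        }
    }

    // could not find the file in the set of paths
    return false;
}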
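/**
 * Checks for snooping outside of the file system root and returns the
 * cleaned path when it is acceptable.
 *
 * Any path containing '..' is rejected outright (this also rejects otherwise
 * harmless names such as 'a..b' — a deliberately conservative rule). The
 * cleaned path must then be ABSPATH itself or lie below it; a bare prefix
 * compare would also accept a sibling directory whose name merely begins
 * with ABSPATH. On rejection a warning is raised and the script exits.
 *
 * @param string $path A file system path to check
 * @return string A cleaned version of the path (only reached on success)
 * @since 1.5
 */
function check($path)
{
    if (strpos($path, '..') !== false) {
        trigger_error('FivePath::check Use of relative paths not permitted', E_USER_WARNING); // don't translate
        // E_USER_WARNING does not halt execution, so stop explicitly
        exit;
    }

    $path = FivePath::clean($path);
    $root = FivePath::clean(ABSPATH);
    $rootLen = strlen($root);

    // containment: exact match, or $root followed by a separator
    $inside = $path === $root;
    if (!$inside && strncmp($path, $root, $rootLen) === 0) {
        $separators = ['/', '\\'];
        $lastOfRoot = $rootLen > 0 ? substr($root, -1) : '';
        $nextOfPath = substr($path, $rootLen, 1);
        $inside = in_array($lastOfRoot, $separators, true) || in_array($nextOfPath, $separators, true);
    }

    if (!$inside) {
        trigger_error('FivePath::check Snooping out of bounds @ ' . $path, E_USER_WARNING); // don't translate
        exit;
    }

    // the documented contract: hand back the cleaned path
    return $path;
}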