Code: Select all
,Code: Select all
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
Hey, im using a filebrowser to manage uploaded and downloaded files. It is Quixplorer under the mplicenced. um. ive adapted it to fit what im doing and ive messed around with it a lot. but one thing i cant figure out is how to block certain types of file from being uploaded (php and html and perl) so that i dont ahve someone upload a script and hack me. here is the upload code. if more code is needed to properly help me, i can provide it.
if you see any other security issues, please let me know.Code: Select all
function upload_items($dir) { // upload file
if(($GLOBALS["permissions"]&01)!=01) show_error($GLOBALS["error_msg"]["accessfunc"]);
// Execute
if(isset($GLOBALS['__POST']["confirm"]) && $GLOBALS['__POST']["confirm"]=="true") {
$cnt=count($GLOBALS['__FILES']['userfile']['name']);
$err=false;
$err_avaliable=isset($GLOBALS['__FILES']['userfile']['error']);
// upload files & check for errors
for($i=0;$i<$cnt;$i++) {
$errors[$i]=NULL;
$tmp = $GLOBALS['__FILES']['userfile']['tmp_name'][$i];
$items[$i] = stripslashes($GLOBALS['__FILES']['userfile']['name'][$i]);
if($err_avaliable) $up_err = $GLOBALS['__FILES']['userfile']['error'][$i];
else $up_err=(file_exists($tmp)?0:4);
$abs = get_abs_item($dir,$items[$i]);
if($items[$i]=="" || $up_err==4) continue;
if($up_err==1 || $up_err==2) {
$errors[$i]=$GLOBALS["error_msg"]["miscfilesize"];
$err=true; continue;
}
if($up_err==3) {
$errors[$i]=$GLOBALS["error_msg"]["miscfilepart"];
$err=true; continue;
}
if(!@is_uploaded_file($tmp)) {
$errors[$i]=$GLOBALS["error_msg"]["uploadfile"];
$err=true; continue;
}
if(@file_exists($abs)) {
$errors[$i]=$GLOBALS["error_msg"]["itemdoesexist"];
$err=true; continue;
}
// Upload
if(function_exists("move_uploaded_file")) {
$ok = @move_uploaded_file($tmp, $abs);
} else {
$ok = @copy($tmp, $abs);
@unlink($tmp); // try to delete...
}
if($ok===false) {
$errors[$i]=$GLOBALS["error_msg"]["uploadfile"];
$err=true; continue;
}
}
if($err) { // there were errors
$err_msg="";
for($i=0;$i<$cnt;$i++) {
if($errors[$i]==NULL) continue;
$err_msg .= $items[$i]." : ".$errors[$i]."<BR>\n";
}
show_error($err_msg);
}
header("Location: ".make_link("list",$dir,NULL));
return;
}
show_header($GLOBALS["messages"]["actupload"]);
// List
echo "<BR><FORM enctype=\"multipart/form-data\" action=\"".make_link("upload",$dir,NULL);
echo "\" method=\"post\">\n<INPUT type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"";
echo get_max_file_size()."\"><INPUT type=\"hidden\" name=\"confirm\" value=\"true\"><TABLE>\n";
for($i=0;$i<10;$i++) {
echo "<TR><TD nowrap align=\"center\">";
echo "<INPUT name=\"userfile[]\" type=\"file\" size=\"40\"></TD></TR>\n";
}
echo "</TABLE>\n<BR><TABLE><TR><TD><INPUT type=\"submit\" value=\"".$GLOBALS["messages"]["btnupload"];
echo "\"></TD>\n<TD><input type=\"button\" value=\"".$GLOBALS["messages"]["btncancel"];
echo "\" onClick=\"javascript:location='".make_link("list",$dir,NULL)."';\">\n</TD></TR></FORM></TABLE><BR>\n";
return;
}
//------------------------------------------------------------------------------
?>feyd | Please use
Code: Select all
,Code: Select all
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]