Update Core\Files

Adds a mimeType() function as a foolproofing measure.
Visman 2021-11-27 15:18:39 +07:00
parent a2afaf6261
commit 94002ba6cc


@ -926,16 +926,34 @@ class Files
if ($file instanceof Image) {
return $file->ext();
} elseif (\is_string($file)) {
// ???? проверка на наличие файла?
$mimeType = \mime_content_type($file);
return $this->imageType[$mimeType] ?? null;
return $this->imageType[$this->mimeType($file)] ?? null;
} else {
return null;
}
}
/**
* Определяет mime тип файла
*/
public function mimeType(string $path): string
{
$default = 'unknown/unknown';
if (
$this->isBadPath($path)
|| ! \is_file($path)
|| ! \is_readable($path)
) {
return $default;
}
if (\function_exists('\\mime_content_type')) {
return \mime_content_type($path) ?: $default;
} else {
return $default;
}
}
/**
* Получает файл(ы) из формы
*/
@ -986,7 +1004,7 @@ class Files
$cur = $this->uploadOneFile($file);
return ! $cur instanceof File ? false : $cur;
return $cur instanceof File ? $cur : false;
}
/**
@ -1025,6 +1043,12 @@ class Files
return null;
}
if ($this->isBadPath($file['tmp_name'])) {
$this->error = 'Bad path to tmp file';
return null;
}
if (! \is_uploaded_file($file['tmp_name'])) {
$this->error = 'The specified file was not uploaded';
@ -1057,7 +1081,7 @@ class Files
}
}
$mimeType = \mime_content_type($file['tmp_name']);
$mimeType = $this->mimeType($file['tmp_name']);
if (! isset($this->mimeToExt[$mimeType])) {
$this->error = "Unknown mime type of the file: {$mimeType}";
@ -1093,4 +1117,9 @@ class Files
return null;
}
}
public function isBadPath(string $path): bool
{
return false !== \strpos($path, '//') || \preg_match('%\bphar\b%i', $path);
}
}
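Review bot: `isBadPath()` in the last hunk is a public substring denylist with no docblock, so its intent (presumably keeping stream-wrapper URLs such as `phar://` away from `is_file()` and `mime_content_type()`) has to be guessed, and both of its tests are broader than that intent. `\strpos($path, '//')` also rejects an ordinary local path that merely contains a doubled slash, and `%\bphar\b%i` rejects any path with a directory or file named `phar`; in the upload hunk either case would be reported as 'Bad path to tmp file' even though `is_uploaded_file()` runs right after it. If only wrapper URLs are meant, testing for the scheme separator is narrower, e.g. `return false !== \strpos($path, '://') || 1 === \preg_match('%\bphar\b%i', $path);`, and a docblock such as `/** Rejects paths that look like stream-wrapper URLs before they reach filesystem functions */` would record the reason. The enclosing methods start and end outside the hunks, so whether other path-taking calls in the class go through the same guard cannot be seen from here.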