php - Block certain files from being uploaded -
i need stop php, pl, cgi being uploaded website. how possible? i've tried many weird things , have no hope it, never work.
so yes, php, pl , cgi needs blocked.
code:
<?php session_start(); /** * handles post uploads, generates filenames, moves files around , commits * uploaded metadata database. */ require_once 'classes/response.class.php'; require_once 'classes/uploadexception.class.php'; require_once 'classes/uploadedfile.class.php'; require_once 'includes/database.inc.php'; /** * generates random name file, retrying until unused one. * * @param uploadedfile $file * * @return string */ function generatename($file) { global $db; global $doubledots; // start @ n retries, , --n until give $tries = pomf_files_retries; $length = pomf_files_length; $ext = pathinfo($file->name, pathinfo_extension); // check if extension double-dot extension and, if true, override $ext $revname = strrev($file->name); foreach ($doubledots $ddot) { if (stripos($revname, $ddot) === 0) { $ext = strrev($ddot); } } { // iterate until reach maximum number of retries if ($tries-- === 0) { throw new exception( 'gave trying find unused name', 500 ); // http status code "500 internal server error" } $chars = id_charset; $name = ''; ($i = 0; $i < $length; ++$i) { $name .= $chars[mt_rand(0, strlen($chars))]; } // add extension file name if (isset($ext) && $ext !== '') { $name .= '.'.$ext; } // check if file same name exist in database $q = $db->prepare('select count(filename) files filename = (:name)'); $q->bindvalue(':name', $name, pdo::param_str); $q->execute(); $result = $q->fetchcolumn(); // if does, generate new name } while ($result > 0); return $name; } /** * handles uploading , db entry file. * * @param uploadedfile $file * * @return array */ function uploadfile($file) { global $db; global $filter_mode; global $filter_mime; // handle file errors if ($file->error) { throw new uploadexception($file->error); } // check if mime type blocked if (!empty($filter_mime)) { if ($filter_mode == true) { //whitelist mode if (!in_array($file->mime, $filter_mime)) { throw new uploadexception(upload_err_extension); } } else { //blacklist mode if (in_array($file->mime, $filter_mime)) { throw new uploadexception(upload_err_extension); } } } // check if file same hash , size (a file same) // exist in database; if does, return proper link // , data. php deletes temporary file uploaded automatically. $q = $db->prepare('select filename, count(*) count files hash = (:hash) '. 'and size = (:size)'); $q->bindvalue(':hash', $file->getsha1(), pdo::param_str); $q->bindvalue(':size', $file->size, pdo::param_int); $q->execute(); $result = $q->fetch(); if ($result['count'] > 0) { return array( 'hash' => $file->getsha1(), 'name' => $file->name, 'url' => pomf_url.rawurlencode($result['filename']), 'size' => $file->size, ); } // generate name file $newname = generatename($file); // store file's full file path in memory $uploadfile = pomf_files_root . $newname; // attempt move static directory if (!move_uploaded_file($file->tempfile, $uploadfile)) { throw new exception( 'failed move file destination', 500 ); // http status code "500 internal server error" } // need change permissions new file make world readable if (!chmod($uploadfile, 0644)) { throw new exception( 'failed change file permissions', 500 ); // http status code "500 internal server error" } // add database if (empty($_session['id'])) { // query if user not logged in $q = $db->prepare('insert files (hash, originalname, filename, size, date, ' . 'expire, delid) values (:hash, :orig, :name, :size, :date, ' . ':exp, :del)'); } else { // query if user logged in (insert user id other data) $q = $db->prepare('insert files (hash, originalname, filename, size, date, ' . 'expire, delid, user) values (:hash, :orig, :name, :size, :date, ' . ':exp, :del, :user)'); $q->bindvalue(':user', $_session['id'], pdo::param_int); } // common parameters binding $q->bindvalue(':hash', $file->getsha1(), pdo::param_str); $q->bindvalue(':orig', strip_tags($file->name), pdo::param_str); $q->bindvalue(':name', $newname, pdo::param_str); $q->bindvalue(':size', $file->size, pdo::param_int); $q->bindvalue(':date', date('y-m-d'), pdo::param_str); $q->bindvalue(':exp', null, pdo::param_str); $q->bindvalue(':del', sha1($file->tempfile), pdo::param_str); $q->execute(); return array( 'hash' => $file->getsha1(), 'name' => $file->name, 'url' => pomf_url.rawurlencode($newname), 'size' => $file->size, ); } /** * reorder files array file. * * @param $_files * * @return array */ function diversearray($files) { $result = array(); foreach ($files $key1 => $value1) { foreach ($value1 $key2 => $value2) { $result[$key2][$key1] = $value2; } } return $result; } /** * reorganize $_files array saner. * * @param $_files * * @return array */ function refiles($files) { $result = array(); $files = diversearray($files); foreach ($files $file) { $f = new uploadedfile(); $f->name = $file['name']; $f->mime = $file['type']; $f->size = $file['size']; $f->tempfile = $file['tmp_name']; $f->error = $file['error']; //$f->expire = $file['expire']; $result[] = $f; } return $result; } $type = isset($_get['output']) ? $_get['output'] : 'json'; $response = new response($type); if (isset($_files['files'])) { $uploads = refiles($_files['files']); try { foreach ($uploads $upload) { $res[] = uploadfile($upload); } $response->send($res); } catch (exception $e) { $response->error($e->getcode(), $e->getmessage()); } } else { $response->error(400, 'no input file(s)'); } how?
php has no control on files before uploaded server. web server handle file upload , give access php file action. can php check mime type / file extension check if file uploaded valid , delete if not valid file need.
Comments
Post a Comment