| @@ -1,13 +1,4 @@ | |||||
| <?php | <?php | ||||
| /** | |||||
| * 文件上传安全校验方法 | |||||
| * | |||||
| * @version $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $ | |||||
| * @package DedeCMS.Libraries | |||||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
| * @license http://help.dedecms.com/usersguide/license.html | |||||
| * @link http://www.dedecms.com | |||||
| */ | |||||
| if(!defined('DEDEINC')) exit('Request Error!'); | if(!defined('DEDEINC')) exit('Request Error!'); | ||||
| if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | ||||
| @@ -16,9 +7,7 @@ if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||||
| //这里强制限定的某些文件类型禁止上传 | //这里强制限定的某些文件类型禁止上传 | ||||
| $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | ||||
| $keyarr = array('name', 'type', 'tmp_name', 'size'); | $keyarr = array('name', 'type', 'tmp_name', 'size'); | ||||
| if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']) || | |||||
| $GLOBALS['cfg_html_editor']=='ckeditor4' && isset($_FILES['upload']) | |||||
| ) | |||||
| if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload'])) | |||||
| { | { | ||||
| $_FILES['imgfile'] = $_FILES['upload']; | $_FILES['imgfile'] = $_FILES['upload']; | ||||
| $CKUpload = TRUE; | $CKUpload = TRUE; | ||||
| @@ -41,33 +30,18 @@ foreach($_FILES as $_key=>$_value) | |||||
| ${$_key.'_name'} = $_FILES[$_key]['name']; | ${$_key.'_name'} = $_FILES[$_key]['name']; | ||||
| ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | ||||
| ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); | ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); | ||||
| if (is_array(${$_key.'_name'})) { | |||||
| if (count(${$_key.'_name'}) > 0) { | |||||
| foreach (${$_key.'_name'} as $key => $value) { | |||||
| if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) { | |||||
| if(!defined('DEDEADMIN')) | |||||
| { | |||||
| exit('Not Admin Upload filetype not allow !'); | |||||
| } | |||||
| } | |||||
| } | |||||
| } | |||||
| } else { | |||||
| if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||||
| if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||||
| { | |||||
| if(!defined('DEDEADMIN')) | |||||
| { | { | ||||
| if(!defined('DEDEADMIN')) | |||||
| { | |||||
| exit('Not Admin Upload filetype not allow !'); | |||||
| } | |||||
| exit('Not Admin Upload filetype not allow !'); | |||||
| } | } | ||||
| } | } | ||||
| if(empty(${$_key.'_size'})) | if(empty(${$_key.'_size'})) | ||||
| { | { | ||||
| ${$_key.'_size'} = @filesize($$_key); | |||||
| ${$_key.'_size'} = @filesize($$_key); | |||||
| } | } | ||||
| $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } | |||||
| $imtypes = array | $imtypes = array | ||||
| ( | ( | ||||
| @@ -75,30 +49,13 @@ foreach($_FILES as $_key=>$_value) | |||||
| "image/xpng", "image/wbmp", "image/bmp" | "image/xpng", "image/wbmp", "image/bmp" | ||||
| ); | ); | ||||
| if (is_array(${$_key.'_type'})) { | |||||
| if (count(${$_key.'_type'}) > 0) { | |||||
| foreach (${$_key.'_type'} as $key => $value) { | |||||
| if(in_array(strtolower(trim($value)), $imtypes)) | |||||
| { | |||||
| $image_dd = @getimagesize($$_key); | |||||
| if (!is_array($image_dd)) | |||||
| { | |||||
| exit('Upload filetype not allow !'); | |||||
| } | |||||
| } | |||||
| } | |||||
| } | |||||
| } else { | |||||
| if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||||
| if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||||
| { | |||||
| $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } | |||||
| if (!is_array($image_dd)) | |||||
| { | { | ||||
| $image_dd = @getimagesize($$_key); | |||||
| if (!is_array($image_dd)) | |||||
| { | |||||
| exit('Upload filetype not allow !'); | |||||
| } | |||||
| exit('Upload filetype not allow !'); | |||||
| } | } | ||||
| } | } | ||||
| } | } | ||||
| ?> | ?> | ||||
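Review bot: On the new side of the last hunk, `$image_dd = @getimagesize($$_key); if($image_dd == false){ continue; }` makes the `if (!is_array($image_dd)) { exit('Upload filetype not allow !'); }` that follows it unreachable, because getimagesize() returns false exactly when the file cannot be parsed as an image; an upload whose `$_FILES[...]['type']` claims an image MIME type but is not a valid image is therefore skipped by this check rather than rejected, leaving the `$cfg_not_allowall` extension denylist as the only gate for it. If the intent is to reject unparseable uploads, drop the `continue` and keep the array test as the single decision, `$image_dd = @getimagesize($$_key); if (!is_array($image_dd)) { exit('Upload filetype not allow !'); }`; if skipping is deliberate, say so in a comment rather than leaving the exit in place as dead code. The same `continue` appears in the collapsed `$imtypes = array(...)` line of the third hunk, which I read as the same new-side code rendered on one line, but the old/new assignment of the printed lines is not fully recoverable from this page, so confirm against the actual patch. The third and fourth hunks also drop the `is_array(${$_key.'_name'})` and `is_array(${$_key.'_type'})` branches, so a multi-file field (`name[]`) now hands arrays to preg_match()/trim()/strtolower(); on PHP 8 that is a TypeError, and on PHP 7 a warning whose null/false result makes the in_array() MIME test fail and skips the image check for that field entirely. The enclosing `foreach($_FILES as $_key=>$_value)` loop begins outside these hunks.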