DedeBIZ
/
DedeV6
Obserwuj 2
Polub 0
Forkuj 0
Kod Oczekujące zmiany 0 Wydania 31 Aktywność
国内流行的内容管理系统(CMS)多端全媒体解决方案 https://www.dedebiz.com
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
2566 Commity
3 Gałęzie
93MB
Drzewo: 368c25caf6
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '368c25caf6'
${ noResults }
DedeV6/src/system/uploadsafe.inc.php

113 wiersze
4.5KB
Czysty Wina Historia 

  1. <?php

  2. if (!defined('DEDEINC')) exit ('dedebiz');

  3. if (isset($_FILES['GLOBALS'])) exit ('Request not allow!');

  4. /**

  5.  * 文件上传安全校验方法

  6.  *

  7.  * @version        $id:uploadsafe.inc.php 15:59 2020年8月19日 tianya $

  8.  * @package        DedeBIZ.Libraries

  9.  * @copyright      Copyright (c) 2022 DedeBIZ.COM

  10.  * @license        GNU GPL v2 (https://www.dedebiz.com/license)

  11.  * @link           https://www.dedebiz.com

  12.  */

  13. //为了防止会员通过注入,这里强制限定的某些文件类型禁止上传

  14. $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml|htm";

  15. $keyarr = array('name', 'type', 'tmp_name', 'size');

  16. if (

  17.     ($GLOBALS['cfg_html_editor'] == 'ckeditor' ||

  18.         $GLOBALS['cfg_html_editor'] == 'ckeditor4')  && isset($_FILES['upload'])

  19. ) {

  20.     $_FILES['imgfile'] = $_FILES['upload'];

  21.     $CKUpload = TRUE;

  22.     unset($_FILES['upload']);

  23. }

  24. foreach ($_FILES as $_key => $_value) {

  25.     foreach ($keyarr as $k) {

  26.         if (!isset($_FILES[$_key][$k])) {

  27.             exit('dedebiz');

  28.         }

  29.     }

  30.     if (preg_match('#^(cfg_|GLOBALS)#', $_key)) {

  31.         echo DedeAlert('危险的请求参数', ALERT_DANGER);

  32.         exit;

  33.     }

  34.     $$_key = $_FILES[$_key]['tmp_name'];

  35.     ${$_key.'_name'} = $_FILES[$_key]['name'];

  36.     ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);

  37.     ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']);

  38.     if (is_array(${$_key.'_name'}) && count(${$_key.'_name'}) > 0) {

  39.         foreach (${$_key.'_name'} as $key => $value) {

  40.             $value = trim($value);

  41.             if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) {

  42.                 if (!defined('DEDEADMIN')) {

  43.                     echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);

  44.                     exit;

  45.                 }

  46.             }

  47.         }

  48.     } else {

  49.         $fname = trim(${$_key.'_name'});

  50.         if (!empty($fname) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $fname) || !preg_match("#\.#", $fname))) {

  51.             if (!defined('DEDEADMIN')) {

  52.                 echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);

  53.                 exit;

  54.             }

  55.         }

  56.     }

  57.     if (empty(${$_key.'_size'})) {

  58.         ${$_key.'_size'} = @filesize($$_key);

  59.     }

  60.     $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");

  61.     if (is_array(${$_key.'_type'}) && count(${$_key.'_type'}) > 0) {

  62.         foreach (${$_key.'_type'} as $key => $value) {

  63.             if (in_array(strtolower(trim($value)), $imtypes)) {

  64.                 $image_dd = @getimagesize($$_key);

  65.                 if ($image_dd == false) {

  66.                     continue;

  67.                 }

  68.                 if (!is_array($image_dd)) {

  69.                     echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);

  70.                     exit;

  71.                 }

  72.             }

  73.             $imtypes = array(

  74.                 "image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"

  75.             );

  76.             if (in_array(strtolower(trim($value)), $imtypes)) {

  77.                 $image_dd = @getimagesize($$_key);

  78.                 if ($image_dd == false) {

  79.                     continue;

  80.                 }

  81.                 if (!is_array($image_dd)) {

  82.                     echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);

  83.                     exit;

  84.                 }

  85.             }

  86.         }

  87.     } else {

  88.         if (in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {

  89.             $image_dd = @getimagesize($$_key);

  90.             if ($image_dd == false) {

  91.                 continue;

  92.             }

  93.             if (!is_array($image_dd)) {

  94.                 echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);

  95.                 exit;

  96.             }

  97.         }

  98.         $imtypes = array(

  99.             "image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"

  100.         );

  101.         if (in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {

  102.             $image_dd = @getimagesize($$_key);

  103.             if ($image_dd == false) {

  104.                 continue;

  105.             }

  106.             if (!is_array($image_dd)) {

  107.                 echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);

  108.                 exit;

  109.             }

  110.         }

  111.     }

  112. }

  113. ?>