DedeBIZ
/
DedeV6
Watch 2
Star 0
Fork 0
Code Pull Requests 0 Releases 31 Activity
国内流行的内容管理系统(CMS)多端全媒体解决方案 https://www.dedebiz.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
328 Commits
3 Branches
93MB
Tree: a5f68b377f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a5f68b377f'
${ noResults }
DedeV6/src/include/uploadsafe.inc.php

117 lines
4.2KB
Raw Blame History 

  1. <?php

  2. 

  3. /**

  4.  * 文件上传安全校验方法

  5.  *

  6.  * @version        $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $

  7.  * @package        DedeBIZ.Libraries

  8.  * @copyright      Copyright (c) 2021, DedeBIZ.COM

  9.  * @license        https://www.dedebiz.com/license

  10.  * @link           https://www.dedebiz.com

  11.  */

  12. if (!defined('DEDEINC')) exit('Request Error!');

  13. 

  14. if (isset($_FILES['GLOBALS'])) exit('Request not allow!');

  15. 

  16. //为了防止用户通过注入的可能性改动了数据库

  17. //这里强制限定的某些文件类型禁止上传

  18. $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";

  19. $keyarr = array('name', 'type', 'tmp_name', 'size');

  20. if (

  21.     ($GLOBALS['cfg_html_editor'] == 'ckeditor' ||

  22.         $GLOBALS['cfg_html_editor'] == 'ckeditor4')  && isset($_FILES['upload'])

  23. ) {

  24.     $_FILES['imgfile'] = $_FILES['upload'];

  25.     $CKUpload = TRUE;

  26.     unset($_FILES['upload']);

  27. }

  28. foreach ($_FILES as $_key => $_value) {

  29.     foreach ($keyarr as $k) {

  30.         if (!isset($_FILES[$_key][$k])) {

  31.             exit('Request Error!');

  32.         }

  33.     }

  34.     if (preg_match('#^(cfg_|GLOBALS)#', $_key)) {

  35.         exit('Request var not allow for uploadsafe!');

  36.     }

  37.     $$_key = $_FILES[$_key]['tmp_name'];

  38.     ${$_key . '_name'} = $_FILES[$_key]['name'];

  39.     ${$_key . '_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);

  40.     ${$_key . '_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']);

  41. 

  42.     if (is_array(${$_key . '_name'}) && count(${$_key . '_name'}) > 0) {

  43.         foreach (${$_key . '_name'} as $key => $value) {

  44.             if (!empty($value) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", $value) || !preg_match("#\.#", $value))) {

  45.                 if (!defined('DEDEADMIN')) {

  46.                     exit('Not Admin Upload filetype not allow !');

  47.                 }

  48.             }

  49.         }

  50.     } else {

  51.         if (!empty(${$_key . '_name'}) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", ${$_key . '_name'}) || !preg_match("#\.#", ${$_key . '_name'}))) {

  52.             if (!defined('DEDEADMIN')) {

  53.                 exit('Not Admin Upload filetype not allow !');

  54.             }

  55.         }

  56.     }

  57. 

  58.     if (empty(${$_key . '_size'})) {

  59.         ${$_key . '_size'} = @filesize($$_key);

  60.     }

  61.     $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");

  62. 

  63.     if (is_array(${$_key . '_type'}) && count(${$_key . '_type'}) > 0) {

  64.         foreach (${$_key . '_type'} as $key => $value) {

  65.             if (in_array(strtolower(trim($value)), $imtypes)) {

  66.                 $image_dd = @getimagesize($$_key);

  67.                 if ($image_dd == false) {

  68.                     continue;

  69.                 }

  70.                 if (!is_array($image_dd)) {

  71.                     exit('Upload filetype not allow !');

  72.                 }

  73.             }

  74. 

  75.             $imtypes = array(

  76.                 "image/pjpeg", "image/jpeg", "image/gif", "image/png",

  77.                 "image/xpng", "image/wbmp", "image/bmp"

  78.             );

  79. 

  80.             if (in_array(strtolower(trim($value)), $imtypes)) {

  81.                 $image_dd = @getimagesize($$_key);

  82.                 if ($image_dd == false) {

  83.                     continue;

  84.                 }

  85.                 if (!is_array($image_dd)) {

  86.                     exit('Upload filetype not allow !');

  87.                 }

  88.             }

  89.         }

  90.     } else {

  91.         if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) {

  92.             $image_dd = @getimagesize($$_key);

  93.             if ($image_dd == false) {

  94.                 continue;

  95.             }

  96.             if (!is_array($image_dd)) {

  97.                 exit('Upload filetype not allow !');

  98.             }

  99.         }

  100. 

  101.         $imtypes = array(

  102.             "image/pjpeg", "image/jpeg", "image/gif", "image/png",

  103.             "image/xpng", "image/wbmp", "image/bmp"

  104.         );

  105. 

  106.         if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) {

  107.             $image_dd = @getimagesize($$_key);

  108.             if ($image_dd == false) {

  109.                 continue;

  110.             }

  111.             if (!is_array($image_dd)) {

  112.                 exit('Upload filetype not allow !');

  113.             }

  114.         }

  115.     }

  116. }