sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00
Code Activity

feature-upload: fix the dot problem

Browse source
This commit is contained in:
Starbeamrainbowlabs 2020-04-21 21:18:50 +01:00
parent c1af093ada
commit a1b962a7b5
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
1 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
modules/feature-upload.php
View file

@ -1,7 +1,7 @@
<?php
register_module([
"name" => "Uploader",
"version" => "0.6.3",
"version" => "0.6.4",
"author" => "Starbeamrainbowlabs",
"description" => "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File/' prefix.",
"id" => "feature-upload",
@ -138,7 +138,8 @@ register_module([
// Calculate the target name, removing any characters we
// are unsure about.
$target_name = makepathsafe($_POST["name"] ?? "Users/$env->user/Avatar");
// Also trim off whitespace (from both ends), and full stops (from the end)
$target_name = rtrim(trim(makepathsafe($_POST["name"] ?? "Users/$env->user/Avatar")), ".");
$temp_filename = $_FILES["file"]["tmp_name"];
$mimechecker = finfo_open(FILEINFO_MIME_TYPE);
@ -183,18 +184,21 @@ register_module([
if(isset($settings->mime_mappings_overrides->$mime_type))
$file_extension = $settings->mime_mappings_overrides->$mime_type;
if(in_array($file_extension, [ "php", ".htaccess", "asp", "aspx" ]))
if(in_array($file_extension, [ "phtml", "php5", "php", ".htaccess", "asp", "aspx" ]))
{
http_response_code(415);
exit(page_renderer::render("Upload Error - $settings->sitename", "<p>The file you uploaded appears to be dangerous and has been discarded. Please contact $settings->sitename's administrator for assistance.</p>
<p>Additional information: The file uploaded appeared to be of type <code>$mime_type</code>, which mapped onto the extension <code>$file_extension</code>. This file extension has the potential to be executed accidentally by the web server.</p>"));
}
// Remove dots from both ends, just in case
$file_extension = trim($file_extension, ".");
// Rewrite the name to include the _actual_ file extension we've cleverly calculated :D
// The path to the place (relative to the wiki data root)
// that we're actually going to store the uploaded file itself
$new_filename = "$paths->upload_file_prefix$target_name$file_extension";
$new_filename = "$paths->upload_file_prefix$target_name.$file_extension";
// The path (relative, as before) to the description file
$new_description_filename = "$new_filename.md";