mcmannehan

Upload Class File

I am wondering why the check for illegal characters doesn't exist, in the Frozen and in the Bootstrap 4 version. So I recommend completely changing the function parse to this:

Start at about line 35 of catalog/admin/includes/classes/upload.php

function parse() {
      global $messageStack;

      $file = array();

      if (isset($_FILES[$this->file])) {
        $file = array('name' => $_FILES[$this->file]['name'],
                      'type' => $_FILES[$this->file]['type'],
                      'size' => $_FILES[$this->file]['size'],
                      'tmp_name' => $_FILES[$this->file]['tmp_name']);
      } elseif (isset($_FILES[$this->file])) {
        $file = array('name' => $_FILES[$this->file]['name'],
                      'type' => $_FILES[$this->file]['type'],
                      'size' => $_FILES[$this->file]['size'],
                      'tmp_name' => $_FILES[$this->file]['tmp_name']);
      }

      if ( tep_not_null($file['tmp_name']) && ($file['tmp_name'] != 'none') && is_uploaded_file($file['tmp_name']) ) {
        if (sizeof($this->extensions) > 0) {
          if (!in_array(strtolower(substr($file['name'], strrpos($file['name'], '.')+1)), $this->extensions)) {
            if ($this->message_location == 'direct') {
              $messageStack->add(ERROR_FILETYPE_NOT_ALLOWED, 'error');
            } else {
              $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
            }

            return false;
          }
        }
        //BOC by mcmannehan
        if (preg_match('/^([-\.\w]+)$/', $file['name']) !== true) {
          $message = sprintf(ERROR_FILE_ILLEGAL_CHAR, $file['name']);
          if ($this->message_location == 'direct') {
            $messageStack->add($message, 'error');
          } else {
            $messageStack->add_session($message, 'error');
          }
          return false;
        }
        //EOC
        $this->set_file($file);
        $this->set_filename($file['name']);
        $this->set_tmp_filename($file['tmp_name']);

        return $this->check_destination();
      } else {
        if ($this->message_location == 'direct') {
          $messageStack->add(WARNING_NO_FILE_UPLOADED, 'warning');
        } else {
          $messageStack->add_session(WARNING_NO_FILE_UPLOADED, 'warning');
        }

        return false;
      }
    }

And add to the catalog/admin/includes/languages/english.php:

const ERROR_FILE_ILLEGAL_CHAR = 'Invalid character in the file name! <strong>%s</strong>. Spaces and special characters are not allowed in Internet filenames. Allowed are: a-z A-Z 0-9 - _';

"const" has some restrictions, but it's much better and faster than define.

Edited by mcmannehan

  • The clever one learns from everything and from everybody
  • The normal one learns from his experience
  • The silly one knows everything better

[Socrates, 412 before Christ]

Computers help us with the problems we wouldn't have without them!
99.9% of the bugs sit in front of the computer!
My programmed add-ons: WDW EasyTabs 1.0.3, WDW Facebook Like 1.0.0

if(isset($this) || !isset($this)){ // that's the question...

 


The changes in the regex are wrong. To allow only a-z A-Z 0-9 - _ . the regex must be:

if (preg_match('/^[-A-Za-z0-9._]+$/i', $file['name']) == false) {
  $message = sprintf(ERROR_FILE_ILLEGAL_CHAR, $file['name']);
  if ($this->message_location == 'direct') {
    $messageStack->add($message, 'error');
  } else {
    $messageStack->add_session($message, 'error');
  }
  return false;
}

 



Verification is the wrong approach.
Special characters must be removed.
Ideally SEO Friendly Images
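
The two approaches discussed in this thread, validating the file name and sanitizing it, side by side as an added example that is not part of any post here or of osCommerce itself; the function names and the sample file names are hypothetical. It also shows how preg_match() reports its result: it returns 1, 0 or false and never true, so a `!== true` comparison rejects every name.

```php
<?php
// Added example, not osCommerce code. Function names are hypothetical.

/**
 * Validate: accept the name only if it consists of a-z A-Z 0-9 - _ .
 * preg_match() returns 1 (match), 0 (no match) or false (error),
 * so the result is compared against 1.
 */
function upload_name_is_valid(string $name): bool {
    // \z anchors at the very end of the string; a plain $ would also
    // accept a name that ends in a newline.
    if (preg_match('/^[-A-Za-z0-9._]+\z/', $name) !== 1) {
        return false;
    }
    // A leading dot passes the character class but gives a hidden file.
    return $name[0] !== '.';
}

/**
 * Sanitize: derive a safe name instead of rejecting the upload.
 */
function upload_name_sanitize(string $name): string {
    // Drop any directory part, whichever separator the client sent.
    $name = basename(str_replace('\\', '/', $name));
    // Replace every run of characters outside the allow-list with a dash.
    $name = (string) preg_replace('/[^-A-Za-z0-9._]+/', '-', $name);
    // Collapse runs of dots, then strip leading/trailing dots and dashes.
    $name = (string) preg_replace('/\.{2,}/', '.', $name);
    $name = trim($name, '.-');
    // Fall back to a fixed name if nothing usable is left.
    return $name === '' ? 'upload' : strtolower($name);
}

// Constructed sample names, for illustration only.
$samples = [
    'product-01.jpg',
    'my photo (1).JPG',
    '.hidden.jpg',
    "logo.png\n",
    'Große Tasse.png',
];

foreach ($samples as $s) {
    printf("%-22s valid=%-3s sanitized=%s\n",
        json_encode($s),
        upload_name_is_valid($s) ? 'yes' : 'no',
        upload_name_sanitize($s));
}
```

Neither function replaces the extension check that parse() already performs against $this->extensions; if the sanitized name is used, that check has to run on the sanitized name.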
