killing mime magic (was: Re: [development] Drupal 4.7 release schedule)
Karoly Negyesi
karoly at negyesi.net
Wed Jan 18 11:36:46 UTC 2006
> (never ever allowed in security land so I am told) opt-in security:
=== modified file 'includes/file.inc'
--- includes/file.inc
+++ includes/file.inc
@@ -156,7 +156,10 @@
else {
$file->filemime = $_FILES["edit"]["type"][$source];
}
- if (((substr($file->filemime, 0, 5) == 'text/' ||
strpos($file->filemime, 'javascript')) && (substr($file->filename, -4) !=
'.txt')) || preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
+ preg_match('/\.(.+)$/', $file->filename, $m);
+ $extension = $m[1];
+ $allowed_extensions = variable_get('file_allowed_extensions',
array('jpg', 'jpeg', 'gif', 'png', 'txt', 'html', 'doc', 'xls', 'pdf',
'ppt', 'pps'));
+ if (((substr($file->filemime, 0, 5) == 'text/' ||
strpos($file->filemime, 'javascript')) && ($extension != 'txt')) ||
!in_array($extension, $allowed_extensions)) {
$file->filemime = 'text/plain';
rename($file->filepath, $file->filepath .'.txt');
$file->filepath .= '.txt';
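Review bot: The extension match in preg_match('/\.(.+)$/', $file->filename, $m) captures everything after the first dot and the result is compared case-sensitively, so report.2006.pdf yields '2006.pdf' and PHOTO.JPG yields 'JPG'; both miss the allow-list and get renamed to .txt. That fails closed, but if rejecting multi-dot names is deliberate (it also catches names like x.php.jpg) it deserves a comment saying so, and the value should go through strtolower() before in_array(). When the filename contains no dot, preg_match() does not match and $m[1] is undefined; check the return value and treat the file as not allowed explicitly rather than relying on the unset value. On the condition itself: the else branch above takes filemime from $_FILES["edit"]["type"][$source], which the client supplies, so the text/ test cannot be relied on to catch an upload named .html, yet 'html' is in the default list; consider dropping it from the defaults. The new file_allowed_extensions variable also needs a note on the expected format (lowercase, no leading dot).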
From here, you take over.
Regards
NK