Changeset 1143


Timestamp:
12/21/08 05:04:08 (8 years ago)
Author:
gogo
Message:

Security patch - see ticket:1363

Location:
trunk/plugins
Files:
1 added
5 edited

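--- a/trunk/plugins/ExtendedFileManager/config.inc.php
+++ b/trunk/plugins/ExtendedFileManager/config.inc.php
@@ -281,5 +281,5 @@
   FALSE - No uploading allowed. 
 */ 
-$IMConfig['allow_upload'] = true; 
+$IMConfig['allow_upload'] = false; 
 
 /* Maximum upload file size 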
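--- a/trunk/plugins/ExtendedFileManager/demo_images/.htaccess
+++ b/trunk/plugins/ExtendedFileManager/demo_images/.htaccess
@@ -1,2 +1,4 @@
-php_flag engine off 
+<IfModule mod_php.c> 
+  php_flag engine off 
+</IfModule> 
 AddType text/html .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi 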
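Review bot: The new `<IfModule mod_php.c>` guard may never match on the servers this file is meant to protect. PHP 4 and PHP 5 builds normally register with Apache as `mod_php4.c` and `mod_php5.c`, so on those the wrapped `php_flag engine off` would be skipped silently. The remaining `AddType text/html` line only changes the MIME mapping and, as far as I can tell, does not override a handler assigned with `AddHandler` or `SetHandler`. Repeating the block for the versioned names, e.g. `<IfModule mod_php5.c>` and `<IfModule mod_php4.c>` around the same `php_flag engine off`, keeps the fix for the error on non-PHP servers without losing the protection. Please confirm against the Apache/PHP builds you support.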
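--- a/trunk/plugins/ImageManager/Classes/ImageEditor.php
+++ b/trunk/plugins/ImageManager/Classes/ImageEditor.php
@@ -260,4 +260,11 @@
                         Return $base.'.gif'; 
 
+    // Ensure type is in acceptable image types 
+    $valid_extensions = $this->manager->config['allowed_image_extensions'];     
+    if(!in_array($ext, $valid_extensions)) 
+                { 
+      return $base . ".".strtolower($type ? $type : 'jpg'); 
+                } 
+    
                 Return $filename; 
         } 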
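Review bot: The fallback `return $base . ".".strtolower($type ? $type : 'jpg');` builds the extension from `$type` without checking `$type` against `$valid_extensions`, so the allow-list only holds if `$type` is already restricted elsewhere. Checking the fallback too closes that gap: `$fallback = strtolower($type ? $type : 'jpg');` followed by `return $base . '.' . (in_array($fallback, $valid_extensions, true) ? $fallback : 'jpg');`. `$ext` is assigned outside this hunk; the `in_array()` test only matches if it is lower-case and has no leading dot, like the configured entries, so that is worth confirming. The enclosing function starts above the hunk.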
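--- a/trunk/plugins/ImageManager/Classes/ImageManager.php
+++ b/trunk/plugins/ImageManager/Classes/ImageManager.php
@@ -456,4 +456,12 @@
                                 Return false; 
                         } 
+                } 
+    
+    $valid_extensions = $this->config['allowed_image_extensions']; 
+    $afruext = strtolower(substr(strrchr($file['name'], "."), 1)); 
+    if(!in_array($afruext, $valid_extensions)) 
+                { 
+                        Files::delFile($file['tmp_name']); 
+                        Return 'Cannot upload $extension='.$afruext.'$ Files. Permission denied.'; 
                 } 
 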
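Review bot: The rejection message embeds `$afruext`, which comes from the client-supplied `$file['name']`, so the returned string carries uploader-controlled text to whatever prints it; that caller is outside the hunk. Escaping at the source keeps the message format intact: `Return 'Cannot upload $extension='.htmlspecialchars($afruext, ENT_QUOTES).'$ Files. Permission denied.';`. The check also inspects only the text after the last dot and uses a loose `in_array()`. Passing `true` as the third argument is a cheap hardening, and whether earlier dots in the stored name matter depends on how the upload directory is served. The enclosing method starts and ends outside the hunk.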
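--- a/trunk/plugins/ImageManager/config.inc.php
+++ b/trunk/plugins/ImageManager/config.inc.php
@@ -229,5 +229,5 @@
 */ 
 
-$IMConfig['allow_upload'] = true; 
+$IMConfig['allow_upload'] = false; 
 
 // ------------------------------------------------------------------------- 
@@ -248,4 +248,6 @@
 
 $IMConfig['validate_images'] = true; 
+
+$IMConfig['allowed_image_extensions'] = array("jpg","gif","png","jpeg"); 
 
 // ------------------------------------------------------------------------- 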
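Review bot: The new `$IMConfig['allowed_image_extensions']` entry has no comment, yet the checks added to ImageManager.php and ImageEditor.php in this changeset depend on its exact form. The upload check compares it against a lower-cased extension with the dot stripped, so entries must be lower-case and dot-less. A configuration that lacks the key would hand `in_array()` a non-array. A line such as `// Lower-case extensions, without the dot, accepted for uploaded and edited images.` above the assignment would make that contract visible to anyone editing the list.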