• Hello Ruuttu,
    here is another patch for a little bit more security: Check the uploaded file against allowed file types.

    inside function find_filename() after line 376:
    $extension = strrchr($name, '.');
    add this:

    /* check for allowed extensions / mime type */
    $ext = strtolower(substr($extension, 1));
    $mimes = get_allowed_mime_types();
    $mime_ok = false;
    foreach ($mimes as $type => $mime) {
    	/* keys look like 'jpg|jpeg|jpe': match a whole entry, not a substring */
    	if (in_array($ext, explode('|', $type), true)) {
    		$mime_ok = true;
    		break;
    	}
    }
    if (!$mime_ok)
    	return false;

    http://wordpress.org/extend/plugins/buddypress-group-folders/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Great work on these additions, Fee.

    Also we can define some file extensions that can be uploaded to group file folder. Fee’s code can be modified like this (you can define your own permitted file extensions):
    //////////////////////////////
    $ext = substr($extension, 1);
    $ext = strtolower($ext);
    $mimes = array('rar', 'zip', 'jpg', 'gif', 'pdf', 'png', 'bmp', 'ico', 'tar', 'gz', 'gzip', '7z', 'doc');
    $mime_ok = false;
    if (in_array($ext, $mimes)) $mime_ok = true;
    if (!$mime_ok)
    	return false;
    //////////////////////////////////
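An added example, not code from the thread or the plugin, that runs the first post's substring check beside an exact-match version of the same extension test; it assumes a constructed subset of what get_allowed_mime_types() returns and two hypothetical helpers, ext_allowed_substr() and ext_allowed_exact():

```php
<?php
// Added example, not code from the thread or the plugin: the substring check
// from the first post beside an exact-match check in the style of
// WordPress' wp_check_filetype(), to show where strpos() lets files through.

// Constructed subset of what get_allowed_mime_types() returns: each key is a
// pipe-separated list of extensions, each value the MIME type for them.
$allowed_mimes = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
    'pdf'          => 'application/pdf',
    'zip'          => 'application/zip',
);

// The check as posted: true if the extension occurs anywhere in a key.
function ext_allowed_substr($name, $mimes) {
    $ext = substr(strrchr($name, '.'), 1);
    foreach ($mimes as $type => $mime) {
        if (strpos($type, $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: the lower-cased extension must equal one whole entry of a
// key. Returns the matching MIME type, or false (also for no extension).
function ext_allowed_exact($name, $mimes) {
    $extension = strrchr($name, '.');
    if ($extension === false || strlen($extension) < 2) {
        return false;
    }
    $ext = strtolower(substr($extension, 1));
    foreach ($mimes as $type => $mime) {
        if (in_array($ext, explode('|', $type), true)) {
            return $mime;
        }
    }
    return false;
}

// 'x.jp' and 'a.if' pass the substring check but are not allowed types;
// 'photo.JPG' fails it only because strpos() is case-sensitive.
foreach (array('photo.JPG', 'notes.pdf', 'x.jp', 'a.if', 'script.php') as $f) {
    printf("%-10s substr:%-3s exact:%s\n", $f,
        ext_allowed_substr($f, $allowed_mimes) ? 'yes' : 'no',
        var_export(ext_allowed_exact($f, $allowed_mimes), true));
}
```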

    HansRuedi

    (@schwarzaufweiss)

    Hi Rudolf,

    Based on that code would it be possible for you to provide a version with an input field in the gfold backend settings for allowed file extensions?

  • The topic ‘Security: Check file extensions / allowed mime type’ is closed to new replies.