From 65bb0ad490f0151280c065791cdf28d6d0717668 Mon Sep 17 00:00:00 2001
From: rurban
Date: Wed, 18 Apr 2007 20:40:49 +0000
Subject: [PATCH] added DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS

git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@5659 96ab9672-09ca-45d6-a79d-3d69d39ca109
---
 config/config-default.ini | 3 ++-
 config/config-dist.ini | 8 ++++++++
 lib/IniConfig.php | 7 +++++--
 lib/plugin/UpLoad.php | 33 ++++++++++++++++++++++++++++++---
 4 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/config/config-default.ini b/config/config-default.ini
index 7c88f53f4..b1afaa971 100644
--- a/config/config-default.ini
+++ b/config/config-default.ini
@@ -1,4 +1,4 @@
-; $Id: config-default.ini,v 1.50 2007-01-20 15:54:03 rurban Exp $
+; $Id: config-default.ini,v 1.51 2007-04-18 20:40:49 rurban Exp $
 ; This is the default PhpWiki configuration for undefined config.ini entries.

 ; recent development and debugging features:
@@ -21,6 +21,7 @@ ENABLE_DISCUSSION_LINK = false
 ENABLE_CAPTCHA = false
 USE_CAPTCHA_RANDOM_WORD = false
 ENABLE_ACDROPDOWN = true
+DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS = false
 ; deprecated, because non-free
 ENABLE_LIVESEARCH = false
 ENABLE_WYSIWYG = true
diff --git a/config/config-dist.ini b/config/config-dist.ini
index 92b592e84..c0dccc0b1 100644
--- a/config/config-dist.ini
+++ b/config/config-dist.ini
@@ -95,6 +95,14 @@ ; edits it will be rejected as spam. ;NUM_SPAM_LINKS = 20 +; By setting DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS to true, you get +; back the old behaviour to check only *bad* extensions of uploaded +; files. However a server may treat other files with certain handlers, +; like executable scripts, so we disable now everything and enable +; only some extension. See lib/plugin/UpLoad.php. +; Default: false +;DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS = false + ; If GOOGLE_LINKS_NOFOLLOW is true, ref=nofollow is added to ; all external links to discourage spam. You might want to turn it off, ; if you want to improve pageranks on external links. diff --git a/lib/IniConfig.php b/lib/IniConfig.php index 4405dd109..b218ca396 100644 --- a/lib/IniConfig.php +++ b/lib/IniConfig.php @@ -1,5 +1,5 @@ allowed_extensions = explode("\n", +"7z +bz2 +doc +gif +gz +jpeg +jpg +mp3 +pdf +png +rar +tar +txt +zip"); $this->disallowed_extensions = explode("\n", "ad[ep] asd @@ -83,6 +98,7 @@ ops pcd p[ir]f php\d? +phtml pl py reg 
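Review bot: The disallowed_extensions entries are regex fragments (`php\d?`, `p[ir]f` and `ws[cfh]` are visible in this hunk's context), joined unescaped into the upload-check pattern, and `phtml` is added here without any comment saying that each entry is interpreted as PCRE rather than as a literal suffix; a maintainer extending the list needs that. I would put a comment above the list such as `// Each entry is a PCRE fragment; they are joined with "|\." into the case-insensitive disallowed-extension pattern, so escape metacharacters in literal names.` The allowed_extensions list added earlier in the same file (its first lines are garbled in this view) deserves a sibling comment stating that it is the primary gate, that DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS merely switches it off, and that the deny list remains only a secondary guard.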
@@ -144,13 +160,21 @@ ws[cfh]");
 $u_userfile = preg_replace("/ /", "%20", $u_userfile);
 $userfile_tmpname = $userfile->getTmpName();
 $err_header = HTML::h2(fmt("ERROR uploading '%s': ", $userfile_name));
- if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/",
+ if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) . ")(\.|\$)/i",
 $userfile_name)) {
 $message->pushContent($err_header);
 $message->pushContent(fmt("Files with extension %s are not allowed.", join(", ", $this->disallowed_extensions)),HTML::br(),HTML::br());
- }
+ }
+ elseif (! DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS and
+ ! preg_match("/(\." . join("|\.", $this->allowed_extensions) . ")\$/i",
+ $userfile_name))
+ {
+ $message->pushContent($err_header);
+ $message->pushContent(fmt("Only files with the extension %s are allowed.",
+ join(", ", $this->allowed_extensions)),HTML::br(),HTML::br());
+ }
 elseif (preg_match("/[^._a-zA-Z0-9- ]/", $userfile_name)) {
 $message->pushContent($err_header);
@@ -239,6 +263,9 @@ ws[cfh]");
 }

 // $Log: not supported by cvs2svn $
+// Revision 1.24 2007/04/11 17:49:01 rurban
+// Chgeck against .php\d, i.e. php3
+//
 // Revision 1.23 2007/04/08 12:43:45 rurban
 // Important security fix!
 // Disallow files like "deface.php.3" also. Those are actually in the wild!
-- 
2.45.0
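Review bot: The new allow-list branch is silently skipped whenever DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS is not defined, because on the PHP versions of this era an undefined constant evaluates to its own (truthy) name with only a notice, so `! DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS` is false and the upload only has to pass the deny list; lib/IniConfig.php is in the diffstat but its hunk is unreadable here, so I cannot confirm the constant is always defined before this plugin runs. Fail safe by keeping the check on unless the switch is explicitly set: `elseif ((!defined('DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS') or !DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS) and`. The allow-list regex only anchors on the final suffix (`)\$/i`), which is sufficient only because the deny-list test with `(\.|\$)` runs first and rejects nested names such as the `deface.php.3` case cited in the log; a one-line comment recording that ordering dependency should go above the `if`. The enclosing method continues outside the hunk, and the hunk's declared line counts are two higher than what is visible here, so some context lines appear to have been lost in extraction.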