I am facing a very strange and difficult (for me at least) problem to solve. Some users of my forum cannot upload zip or rar (and probably other types) files. The bugs are reported by Mozilla users. Here is the code:
function process_upload() {
    global $ibforums, $std, $HTTP_POST_FILES, $DB, $FILE_UPLOAD;
    //-------------------------------------------------
    // Set up some variables to stop carpals developing
    //-------------------------------------------------
    $FILE_NAME = $HTTP_POST_FILES['FILE_UPLOAD']['name'];
    $FILE_SIZE = $HTTP_POST_FILES['FILE_UPLOAD']['size'];
    $FILE_TYPE = $HTTP_POST_FILES['FILE_UPLOAD']['type'];
    // Naughty Opera adds the filename on the end of the
    // mime type - we don't want this.
    $FILE_TYPE = preg_replace( "/^(.+?);.*$/", "\\1", $FILE_TYPE );
    $attach_data = array( 'attach_id'   => "",
                          'attach_hits' => "",
                          'attach_type' => "",
                          'attach_file' => "",
                        );
    //-------------------------------------------------
    // Return if we don't have a file to upload
    //-------------------------------------------------
    // Naughty Mozilla likes to use "none" to indicate an empty upload field.
    // I love universal languages that aren't universal.
    if ($HTTP_POST_FILES['FILE_UPLOAD']['name'] == "" or !$HTTP_POST_FILES['FILE_UPLOAD']['name'] or ($HTTP_POST_FILES['FILE_UPLOAD']['name'] == "none") ) return $attach_data;
    //-------------------------------------------------
    // Return empty handed if we don't have permission to use
    // uploads
    //-------------------------------------------------
    if ( ($this->can_upload != 1) and ($ibforums->member['g_attach_max'] < 1) ) return $attach_data;
    //-------------------------------------------------
    // Load our mime types config file.
    //-------------------------------------------------
    require "./conf_mime_types.php";
    //-------------------------------------------------
    // Are we allowing this type of file?
    //-------------------------------------------------
    //
    // I am supposing the error is HERE:
    //
    if ($mime_types[ $FILE_TYPE ][0] != 1)
    {
        $this->obj['post_errors'] = 'invalid_mime_type';
        return $attach_data;
    }
    //-------------------------------------------------
    // Check the file size
    //-------------------------------------------------
    if ($FILE_SIZE > ($ibforums->member['g_attach_max']*1024))
    {
        $std->Error( array( LEVEL => 1, MSG => 'upload_to_big') );
    }
    //-------------------------------------------------
    // Make the uploaded file safe
    //-------------------------------------------------
    $FILE_NAME = preg_replace( "/[^\w\.]/", "_", $FILE_NAME );
    $real_file_name = "post-".$this->forum['id']."-".time(); // Note the lack of extension!
    if (preg_match( "/\.(txt|cgi|pl|js|asp|php|html|htm|jsp|jar)/", $FILE_NAME ))
    {
        $FILE_TYPE = 'text/plain';
    }
    //-------------------------------------------------
    // Add on the extension...
    //-------------------------------------------------
    $ext = '.ibf';
    switch($FILE_TYPE)
    {
        case 'image/gif':
            $ext = '.gif';
            break;
        case 'image/jpeg':
            $ext = '.jpg';
            break;
        case 'image/pjpeg':
            $ext = '.jpg';
            break;
        case 'image/x-png':
            $ext = '.png';
            break;
        case 'image/png':
            $ext = '.png';
            break;
        default:
            $ext = '.ibf';
            break;
    }
    $real_file_name .= $ext;
    //-------------------------------------------------
    // If we are previewing the post, we don't want to
    // add the attachment to the database, so we return
    // the array with the filename. We would have returned
    // earlier if there was an error
    //-------------------------------------------------
    if ($this->obj['preview_post'])
    {
        return array( 'FILE_NAME' => $FILE_NAME );
    }
    //-------------------------------------------------
    // Copy the upload to the uploads directory
    //-------------------------------------------------
    if (! @move_uploaded_file( $HTTP_POST_FILES['FILE_UPLOAD']['tmp_name'], $ibforums->vars['upload_dir']."/".$real_file_name) )
    {
        $this->obj['post_errors'] = 'upload_failed';
        return $attach_data;
    }
    else
    {
        @chmod( $ibforums->vars['upload_dir']."/".$real_file_name, 0777 );
    }
    //-------------------------------------------------
    // set the array, and enter the info into the DB
    // We don't have an extension on the file in the
    // hope that it make it more difficult to execute
    // a script on our server.
    //-------------------------------------------------
    $attach_data['attach_id'] = $real_file_name;
    $attach_data['attach_hits'] = 0;
    $attach_data['attach_type'] = $FILE_TYPE;
    $attach_data['attach_file'] = $FILE_NAME;
    return $attach_data;
}
Here is conf_mime_types.php:
<?php
$mime_types = array(
// mime => array( allow post, img, type, allow avatar )
"application/pdf" => array( 1, 'pdf.gif' , 'PDF Document' ,0 ) ,
"image/x-png" => array( 1, 'quicktime.gif' , 'PNG Image' , 1 ) ,
"image/png" => array( 1, 'quicktime.gif' , 'PNG Image' , 1 ) ,
"video/vivo" => array( 1, 'win_player.gif', 'VIVO Movie' ,0 ) ,
"application/x-compress" => array( 1, 'zip.gif' , 'Compressed File',0) ,
"video/x-msvideo" => array( 1, 'win_player.gif', 'MS Video' ,0 ) ,
"text/html" => array( 1, 'html.gif' , 'HTML Page' ,0 ) ,
"audio/x-pn-realaudio" => array( 1, 'real_audio.gif', 'Real Audio File',0) ,
"image/gif" => array( 1, 'gif.gif' , 'GIF Image' ,1 ) ,
"video/mpeg" => array( 1, 'quicktime.gif' , 'MPEG Video' ,0) ,
"image/ico" => array( 1, 'gif.gif' , 'Icon File' ,0) ,
"application/x-tar" => array( 1, 'zip.gif' , 'TAR Ball' ,0) ,
"image/x-MS-bmp" => array( 1, 'bmp.gif' , 'BMP Image' ,0) ,
"image/tiff" => array( 1, 'quicktime.gif' , 'TIFF Image' ,0) ,
"text/richtext" => array( 1, 'txt.gif' , 'Rich Text' ,0) ,
"audio/x-realaudio" => array( 1, 'realaudio.gif' , 'Real Audio' ,0) ,
"application/mac-binhex40" => array( 1, 'stuffit.gif' , 'Mac Binary' ,0) ,
"audio/x-aiff" => array( 1, 'quicktime.gif' , 'AIFF File' ,0) ,
"application/x-gzip" => array( 1, 'zip.gif' , 'GZIP File' ,0) ,
"application/zip" => array( 1, 'zip.gif' , 'ZIP File' ,0) ,
"application/postscript" => array( 1, 'postscript.gif', 'Postscript' ,0) ,
"application/msword" => array( 1, 'word.gif' , 'MS Word doc' ,0) ,
"video/quicktime" => array( 1, 'quicktime.gif' , 'QuickTime Movie',0) ,
"application/powerpoint" => array( 1, 'apps.gif' , 'PowerPoint Doc' ,0) ,
"audio/x-wav" => array( 1, 'sound.gif' , 'WAV File' ,0) ,
"audio/x-mpeg" => array( 1, 'mp3.gif' , 'MPEG Audio' ,0) ,
"image/jpeg" => array( 1, 'jpeg.gif' , 'JPEG Image' ,1) ,
"application/x-zip-compressed" => array( 1, 'zip.gif' , 'ZIP File' ,0 ) ,
"application/octet-stream" => array( 1, 'quicktime.gif' , 'OCTET Stream' ,0 ) ,
"text/plain" => array( 1, 'text.gif' , 'Text File' ,0 ) ,
"image/pjpeg" => array( 1, 'jpeg.gif' , 'JPEG Image' ,1) ,
"application/x-shockwave-flash"=> array( 0, 'quicktime.gif' , 'Flash' ,0) ,
"application/x-rar-compressed" => array( 1, 'zip.gif' , 'RAR File' ,0) ,
);
?>
On the other hand, I also noticed that with IE I can upload even .exe files.
I've tried to spot the problem, but as my knowledge of PHP is limited, I failed. Any help please?
Thanks in advance,
Antonis Kyprianou
Firstly, change your code to use the $_FILES superglobal, as $HTTP_POST_FILES is now deprecated. More info here [uk.php.net]. Secondly, try accessing the following part of the array when you upload:
$_FILES['FILE_UPLOAD']['error'];
This might give you a clue as to the problem.
dc
Yes, I've realized that I should use $_FILES instead of $HTTP_POST_FILES.
I'll also try to access $_FILES['FILE_UPLOAD']['error'].
My difficulty is that I do not face the problem myself. How can I debug? What I face is that with IE I can upload any kind of file (even exe's that are not in the mime_types array).
If you have some more hints, please let me know.
Thanks again,
Antonis
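Added example, not part of the thread or of the forum software: one way to record, for each upload, the PHP error code and the type detected from the file's content next to the type the browser reported, so that a failure only some users see can be traced from the server log. The helper name inspect_upload(), the allowlist and the sample files are assumptions made for the illustration.

```php
<?php
// Added example: inspect_upload() is a hypothetical helper, not forum code.
// It reports the PHP upload error code and the type detected from the file's
// bytes next to the type the browser sent in $_FILES[...]['type'].
function inspect_upload(array $file, array $allowed_types): array
{
    $errors = array(
        UPLOAD_ERR_INI_SIZE   => 'larger than upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE  => 'larger than MAX_FILE_SIZE in the form',
        UPLOAD_ERR_PARTIAL    => 'only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file sent',
        UPLOAD_ERR_NO_TMP_DIR => 'no temporary directory',
        UPLOAD_ERR_CANT_WRITE => 'could not write to disk',
    );
    $result = array('name' => $file['name'], 'reported' => $file['type'],
                    'detected' => null, 'accepted' => false, 'reason' => '');
    if ($file['error'] !== UPLOAD_ERR_OK) {
        $result['reason'] = $errors[$file['error']] ?? 'upload error ' . $file['error'];
        return $result;
    }
    // Detect the type from the content (fileinfo extension), not from the browser.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $result['detected'] = $finfo->file($file['tmp_name']);
    $result['accepted'] = in_array($result['detected'], $allowed_types, true);
    $result['reason']   = $result['accepted'] ? 'content type allowed' : 'content type not allowed';
    return $result;
}

// Constructed sample data: two temp files standing in for uploaded files.
$zip = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($zip, "PK\x05\x06" . str_repeat("\0", 18)); // empty ZIP archive
$text = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($text, "plain text, not an archive\n");

$allowed = array('application/zip', 'image/png', 'image/jpeg', 'image/gif');
$samples = array(  // 'type' values are constructed browser-reported types
    array('name' => 'a.zip', 'type' => 'application/x-zip', 'tmp_name' => $zip, 'error' => UPLOAD_ERR_OK),
    array('name' => 'b.exe', 'type' => 'application/octet-stream', 'tmp_name' => $text, 'error' => UPLOAD_ERR_OK),
    array('name' => 'c.rar', 'type' => '', 'tmp_name' => '', 'error' => UPLOAD_ERR_INI_SIZE),
);
foreach ($samples as $s) {
    $r = inspect_upload($s, $allowed);
    // On a live forum, pass this line to error_log() to see what each browser sends.
    printf("%s reported=%s detected=%s accepted=%s (%s)\n", $r['name'], $r['reported'],
        var_export($r['detected'], true), var_export($r['accepted'], true), $r['reason']);
}
unlink($zip);
unlink($text);
```

In a real handler the entry passed in is $_FILES['FILE_UPLOAD'], and the file is still moved with move_uploaded_file() after the check.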