From 9810154301f920209e42da585ae404dfdc3fcfd3 Mon Sep 17 00:00:00 2001 From: Ivan Tcholakov Date: Sat, 27 Jun 2009 01:36:37 +0200 Subject: [PATCH] [svn r21640] FS#2867 - The FCKEditor, the simple file manager, uploading functionality: Implementing an additional check, based on the Dokeos system's security list (white or black) of file extensions. Disabling uploading html-files until some kind of "purification" is implemented. --- .../fckeditor/editor/filemanager/connectors/php/config.php | 4 +--- .../lib/fckeditor/editor/filemanager/connectors/php/io.php | 4 ++++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php b/main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php index 9a01c48b8c..59fb264f34 100644 --- a/main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php +++ b/main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php @@ -133,7 +133,7 @@ $Config['ChmodOnFolderCreate'] = $permissions_for_new_directories ; // Files -$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'html', 'htm', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xhtml', 'xls', 'xml', 'zip') ; +$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ; $Config['DeniedExtensions']['File'] = array('php', 'php3', 'php4', 'php5', 'php6', 'phps', 'phtml', 'asp', 'aspx', 'ascx', 'jsp', 'cfm', 'cfc', 'pl', 'bat', 'exe', 'dll', 'reg', 'cgi') ; $Config['FileTypesPath']['File'] = $Config['UserFilesPath'] ; $Config['FileTypesAbsolutePath']['File'] = $Config['UserFilesAbsolutePath'] ; @@ -189,6 +189,4 @@ $Config['FileTypesAbsolutePath']['Video/flv'] = $Config['UserFilesAbsolutePath'] $Config['QuickUploadPath']['Video/flv'] = $Config['UserFilesPath'] . 'video/flv/' ; $Config['QuickUploadAbsolutePath']['Video/flv'] = $Config['UserFilesAbsolutePath'] . 'video/flv/' ; -// TODO: Dokeos system's balck and white lists have to be taken into account here. - ?> diff --git a/main/inc/lib/fckeditor/editor/filemanager/connectors/php/io.php b/main/inc/lib/fckeditor/editor/filemanager/connectors/php/io.php index c7ecef9032..194f9879c3 100644 --- a/main/inc/lib/fckeditor/editor/filemanager/connectors/php/io.php +++ b/main/inc/lib/fckeditor/editor/filemanager/connectors/php/io.php @@ -223,6 +223,10 @@ function IsAllowedExt( $sExtension, $resourceType ) if ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) return false ; + // Adding a check using the Dokeos system's white or black list. + if ( !filter_extension( $sExtension ) ) + return false ; + return true ; }