summaryrefslogtreecommitdiff
path: root/lib/themeuploader.php
diff options
context:
space:
mode:
authorBrion Vibber <brion@pobox.com>2010-09-02 12:11:45 -0700
committerBrion Vibber <brion@pobox.com>2010-09-02 12:11:45 -0700
commit11f7fce3bb59af46dd76c1e219f8df04de9e03af (patch)
tree4f6b6a3bf80bed96a33a597b1b300a421b9ee68e /lib/themeuploader.php
parent4cbbfdab84c3cd58880902dbc560b14b4c66a0e8 (diff)
Fixes for custom theme upload:
* skip more files (.xcf image sources, .html docs) * skip files before rejecting them for funky filenames! * allow period in filenames (eg foo-1.4.ttf) but blacklist some unsafe extensions-within-extensions
Diffstat (limited to 'lib/themeuploader.php')
-rw-r--r--lib/themeuploader.php34
1 files changed, 22 insertions, 12 deletions
diff --git a/lib/themeuploader.php b/lib/themeuploader.php
index 370965db0..abf0658d3 100644
--- a/lib/themeuploader.php
+++ b/lib/themeuploader.php
@@ -128,8 +128,16 @@ class ThemeUploader
continue;
}
- // Check the directory structure...
+ // Is this a safe or skippable file?
$path = pathinfo($name);
+ if ($this->skippable($path['filename'], $path['extension'])) {
+ // Documentation and such... booooring
+ continue;
+ } else {
+ $this->validateFile($path['filename'], $path['extension']);
+ }
+
+ // Check the directory structure...
$dirs = explode('/', $path['dirname']);
$baseDir = array_shift($dirs);
if ($commonBaseDir === false) {
@@ -144,14 +152,6 @@ class ThemeUploader
$this->validateFileOrFolder($dir);
}
- // Is this a safe or skippable file?
- if ($this->skippable($path['filename'], $path['extension'])) {
- // Documentation and such... booooring
- continue;
- } else {
- $this->validateFile($path['filename'], $path['extension']);
- }
-
$fullPath = $dirs;
$fullPath[] = $path['basename'];
$localFile = implode('/', $fullPath);
@@ -180,9 +180,12 @@ class ThemeUploader
}
}
+ /**
+ * @fixme Probably most unrecognized files should just be skipped...
+ */
protected function skippable($filename, $ext)
{
- $skip = array('txt', 'rtf', 'doc', 'docx', 'odt');
+ $skip = array('txt', 'html', 'rtf', 'doc', 'docx', 'odt', 'xcf');
if (strtolower($filename) == 'readme') {
return true;
}
@@ -201,17 +204,24 @@ class ThemeUploader
protected function validateFileOrFolder($name)
{
- if (!preg_match('/^[a-z0-9_-]+$/i', $name)) {
+ if (!preg_match('/^[a-z0-9_\.-]+$/i', $name)) {
$msg = _("Theme contains invalid file or folder name. " .
"Stick with ASCII letters, digits, underscore, and minus sign.");
throw new ClientException($msg);
}
+ if (preg_match('/\.(php|cgi|asp|aspx|js|vb)\w/i', $name)) {
+ $msg = _("Theme contains unsafe file extension names; may be unsafe.");
+ throw new ClientException($msg);
+ }
return true;
}
protected function validateExtension($ext)
{
- $allowed = array('css', 'png', 'gif', 'jpg', 'jpeg');
+ $allowed = array('css', // CSS may need validation
+ 'png', 'gif', 'jpg', 'jpeg',
+ 'svg', // SVG images/fonts may need validation
+ 'ttf', 'eot', 'woff');
if (!in_array(strtolower($ext), $allowed)) {
$msg = sprintf(_("Theme contains file of type '.%s', " .
"which is not allowed."),