

      1 <?php
      2 class ControllerToolUpload extends Controller {
      3 	public function index() {
      4 		$this->load->language('tool/upload');
      5 
      6 		$json = array();
      7 
      8 		if (!empty($this->request->files['file']['name']) && is_file($this->request->files['file']['tmp_name'])) {
      9 			// Sanitize the filename
     10 			$filename = basename(preg_replace('/[^a-zA-Z0-9\.\-\s+]/', '', html_entity_decode($this->request->files['file']['name'], ENT_QUOTES, 'UTF-8')));
     11 
     12 			// Validate the filename length
     13 			if ((utf8_strlen($filename) < 3) || (utf8_strlen($filename) > 64)) {
     14 				$json['error'] = $this->language->get('error_filename');
     15 			}
     16 
     17 			// Allowed file extension types
     18 			$allowed = array();
     19 
     20 			$extension_allowed = preg_replace('~\r?\n~', "\n", $this->config->get('config_file_ext_allowed'));
     21 
     22 			$filetypes = explode("\n", $extension_allowed);
     23 
     24 			foreach ($filetypes as $filetype) {
     25 				$allowed[] = trim($filetype);
     26 			}
     27 
     28 			if (!in_array(strtolower(substr(strrchr($filename, '.'), 1)), $allowed)) {
     29 				$json['error'] = $this->language->get('error_filetype');
     30 			}
     31 
     32 			// Allowed file mime types
     33 			$allowed = array();
     34 
     35 			$mime_allowed = preg_replace('~\r?\n~', "\n", $this->config->get('config_file_mime_allowed'));
     36 
     37 			$filetypes = explode("\n", $mime_allowed);
     38 
     39 			foreach ($filetypes as $filetype) {
     40 				$allowed[] = trim($filetype);
     41 			}
     42 
     43 			if (!in_array($this->request->files['file']['type'], $allowed)) {
     44 				$json['error'] = $this->language->get('error_filetype');
     45 			}
     46 
     47 			// Check to see if any PHP files are trying to be uploaded
     48 			$content = file_get_contents($this->request->files['file']['tmp_name']);
     49 
     50 			if (preg_match('/\<\?php/i', $content)) {
     51 				$json['error'] = $this->language->get('error_filetype');
     52 			}
     53 
     54 			// Return any upload error
     55 			if ($this->request->files['file']['error'] != UPLOAD_ERR_OK) {
     56 				$json['error'] = $this->language->get('error_upload_' . $this->request->files['file']['error']);
     57 			}
     58 		} else {
     59 			$json['error'] = $this->language->get('error_upload');
     60 		}
     61 
     62 		if (!$json) {
     63 			$file = $filename . '.' . token(32);
     64 
     65 			move_uploaded_file($this->request->files['file']['tmp_name'], DIR_UPLOAD . $file);
     66 
     67 			// Hide the uploaded file name so people can not link to it directly.
     68 			$this->load->model('tool/upload');
     69 
     70 			$json['code'] = $this->model_tool_upload->addUpload($filename, $file);
     71 
     72 			$json['success'] = $this->language->get('text_upload');
     73 		}
     74 
     75 		$this->response->addHeader('Content-Type: application/json');
     76 		$this->response->setOutput(json_encode($json));
     77 	}
     78 }