

Fixed issue: Security problems with uploaded files in administration
c-schmitz committed Mar 9, 2013
1 parent 9d2ec42 commit 48af18e
Showing 1 changed file with 12 additions and 16 deletions.
28 changes: 12 additions & 16 deletions application/controllers/admin/surveyadmin.php
Expand Up @@ -882,29 +882,25 @@ public function copy()
// Start traitment and messagebox
$aData['bFailed'] = false; // Put a var for continue

$aPathInfo = pathinfo($_FILES['the_file']['name']);
if (isset($aPathInfo['extension']))
{
$sExtension = $aPathInfo['extension'];
}
else
{
$sExtension = "";
}

if ($action == 'importsurvey')
{

$the_full_file_path = Yii::app()->getConfig('tempdir') . DIRECTORY_SEPARATOR . randomChars(20);
if (!@move_uploaded_file($_FILES['the_file']['tmp_name'], $the_full_file_path))
$sFullFilepath = Yii::app()->getConfig('tempdir') . DIRECTORY_SEPARATOR . randomChars(20).'.'.$sExtension;
if (!@move_uploaded_file($_FILES['the_file']['tmp_name'], $sFullFilepath))
{
$aData['sErrorMessage'] = sprintf($clang->gT("An error occurred uploading your file. This may be caused by incorrect permissions in your %s folder."), Yii::app()->getConfig('tempdir'));
$aData['bFailed'] = true;
}
else
{
$sFullFilepath = $the_full_file_path;
$aPathInfo = pathinfo($sFullFilepath);
if (isset($aPathInfo['extension']))
{
$sExtension = $aPathInfo['extension'];
}
else
{
$sExtension = "";
}
}

if (!$aData['bFailed'] && (strtolower($sExtension) != 'csv' && strtolower($sExtension) != 'lss' && strtolower($sExtension) != 'txt' && strtolower($sExtension) != 'lsa'))
{
$aData['sErrorMessage'] = sprintf($clang->gT("Import failed. You specified an invalid file type '%s'."), $sExtension);
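Review bot: The extension allow-list check on `$sExtension` at the bottom of the hunk still runs only after `move_uploaded_file()` has already written the upload into tempdir as `randomChars(20).'.'.$sExtension`, and since the extension now comes straight from the client-supplied `$_FILES['the_file']['name']`, a file with any extension lands on disk before it is rejected, with nothing in the hunk removing it on failure. Move the check in front of the move and only build `$sFullFilepath` when it passes, so a disallowed type is never written; the later `!$aData['bFailed'] && …` check then becomes redundant. `in_array(strtolower($sExtension), array('csv', 'lss', 'txt', 'lsa'), true)` also replaces the four chained `strtolower()` comparisons. `$sExtension` is attacker-controlled and is echoed back in the error message on the last line, so confirm the view escapes it when rendered. `copy()` starts and ends outside this hunk.
```php
if ($action == 'importsurvey')
{
    // Reject disallowed types before anything is written to tempdir.
    if (!in_array(strtolower($sExtension), array('csv', 'lss', 'txt', 'lsa'), true))
    {
        $aData['sErrorMessage'] = sprintf($clang->gT("Import failed. You specified an invalid file type '%s'."), $sExtension);
        $aData['bFailed'] = true;
    }
    else
    {
        $sFullFilepath = Yii::app()->getConfig('tempdir') . DIRECTORY_SEPARATOR . randomChars(20).'.'.$sExtension;
        if (!@move_uploaded_file($_FILES['the_file']['tmp_name'], $sFullFilepath))
        {
            // … unchanged: permissions error message and bFailed = true …
        }
    }
}
// … the former trailing extension check is dropped …
```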
