
Merge branch 'master' into develop
c-schmitz committed Jan 6, 2021
2 parents b5fd7b8 + 68ce18e commit 4b569fc
Showing 5 changed files with 10 additions and 7 deletions.
3 changes: 2 additions & 1 deletion application/config/config-defaults.php
Expand Up @@ -85,7 +85,8 @@
$config['customassetversionnumber'] = 1; // Used to generate the path of tmp assets (see: LSYii_AssetManager::generatePath() )

// Please be very careful if you want to allow SVG files - there are several XSS dangerous security issues
$config['allowedthemeuploads'] = 'gif,ico,jpg,png,css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // File types allowed to be uploaded in the themes section.
$config['allowedthemeimageformats'] = 'gif,ico,jpg,png'; // Image file types allowed to be uploaded in the themes section.
$config['allowedthemeuploads'] = 'css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // Other file types allowed to be uploaded in the themes section.
$config['allowedfileuploads'] = [
//Documents
'xls', 'doc', 'xlsx', 'docx', 'odt', 'ods', 'pdf',
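Review bot: The trailing comment on the new `$config['allowedthemeimageformats']` line does not say that this list is what LSYii_ImageValidator::validateImage now checks an uploaded image's extension against (see application/core/LSYii_ImageValidator.php in this commit), nor that the consumers in themes.php, template_helper.php and templateeditorbar_view.php concatenate the two keys with ',' before exploding, so both values must stay comma-separated with no whitespace. I'd make the comment `// Image file types allowed in the themes section; also enforced by LSYii_ImageValidator. Comma-separated, no spaces.` and move the SVG warning so it reads as applying to both lists.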
2 changes: 1 addition & 1 deletion application/controllers/admin/themes.php
Expand Up @@ -435,7 +435,7 @@ public function uploadfile()
$templatename = returnGlobal('templatename');
$oEditedTemplate = Template::getInstance($templatename);
$screenname = returnGlobal('screenname');
$allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads');
$allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats');
$filename = sanitize_filename($_FILES['upload_file']['name'], false, false, false); // Don't force lowercase or alphanumeric
$dirfilepath = $oEditedTemplate->filesPath;
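Review bot: The expression `Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats')` on the `$allowedthemeuploads` line is repeated verbatim in application/helpers/admin/template_helper.php (templateExtractFilter) and application/views/admin/themes/templateeditorbar_view.php in this same commit; one helper returning the merged list would keep the three call sites from drifting. If either config value is an empty string the join yields an empty element, which, depending on how this string is exploded and compared further down (not visible here), could match a filename with no extension; filtering empty entries with `array_filter(explode(',', ...))` in that helper closes the gap. uploadfile() starts and ends outside this hunk.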

8 changes: 5 additions & 3 deletions application/core/LSYii_ImageValidator.php
Expand Up @@ -27,11 +27,13 @@ public static function validateImage($file)
{
if (is_array($file)) {
$path = $file['tmp_name'];
$extension = pathinfo($file['name'], PATHINFO_EXTENSION);
$type = $file['type'];
} elseif (is_string($file)) {
$parts = explode('.', $file);
$path = $file;
$type = 'image/' . $parts[count($parts) - 1];
$extension = pathinfo($file, PATHINFO_EXTENSION);
$type = 'image/' . $extension;
} else {
return [
// No translation ? send $file ?
Expand Down Expand Up @@ -61,13 +63,13 @@ public static function validateImage($file)
);

if (!empty($checkImage)
&& in_array($extension,explode(",",Yii::app()->getConfig('allowedthemeimageformats')))
&& in_array($checkImage, $allowedImageFormats)
&& in_array(strtolower($type), $allowedImageFormats)) {
$result['uploadresult'] = '';
$result['check'] = true;
} else {
$result['uploadresult'] =
gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
$result['uploadresult'] = gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
$result['check'] = false;
}
return $result;
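Review bot: The new `in_array($extension,explode(",",Yii::app()->getConfig('allowedthemeimageformats')))` check in the second hunk compares the extension exactly as `pathinfo()` returned it in the first hunk, so an upload named `photo.PNG` fails here while `$type` on the following line is lowercased before its comparison; normalise both the same way and pass the strict flag: `&& in_array(strtolower($extension), explode(',', strtolower(Yii::app()->getConfig('allowedthemeimageformats'))), true)`. Since the default list in this commit is `gif,ico,jpg,png`, a `.jpeg` file is now rejected by this line regardless of `$allowedImageFormats`, which looks like a behaviour change from the old suffix-derived check and is worth confirming. The message on the `$result['uploadresult'] = gT(...)` line still names SVG, which the new extension check does not admit. validateImage's body between the two hunks is not shown.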
2 changes: 1 addition & 1 deletion application/helpers/admin/template_helper.php
Expand Up @@ -129,7 +129,7 @@ function is_template_editable($templatename)
*/
function templateExtractFilter($p_event, &$p_header)
{
$aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads'));
$aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'));
$aAllowExtensions[] = 'twig';
$info = pathinfo($p_header['filename']);

2 changes: 1 addition & 1 deletion application/views/admin/themes/templateeditorbar_view.php
Expand Up @@ -28,7 +28,7 @@ function copyprompt(text, defvalue, copydirectory, action)
if(filename==""){
return false; // False click
}
var allowedtypes=',<?php echo Yii::app()->getConfig('allowedthemeuploads'); ?>,';
var allowedtypes=',<?php echo Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'); ?>,';
var lastdotpos=-1;
var ext='';
if ((lastdotpos=filename.lastIndexOf('.')) < 0)
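Review bot: The `var allowedtypes=',<?php echo ... ?>,';` line splices two config strings into a JavaScript string literal with no escaping, so a quote or backslash in either value breaks the script; emitting the value through `json_encode` produces a correctly quoted literal: `var allowedtypes = <?php echo json_encode(',' . Yii::app()->getConfig('allowedthemeuploads') . ',' . Yii::app()->getConfig('allowedthemeimageformats') . ','); ?>;`. This client-side check is presumably a convenience only, with the server-side check in themes.php uploadfile() remaining authoritative. copyprompt() starts and ends outside this hunk.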
