mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-07 18:51:41 +09:00
Kijin Sung
parent
6d081b9fec
commit
60d390f52e
5 changed files with 79 additions and 23 deletions
|
|
@ -3,8 +3,60 @@
|
|||
|
||||
class UploadFileFilter
|
||||
{
|
||||
public function check($file)
|
||||
/**
|
||||
* Generic checker
|
||||
*
|
||||
* @param string $file
|
||||
* @param string $filename
|
||||
* @return bool
|
||||
*/
|
||||
public static function check($file, $filename = null)
|
||||
{
|
||||
// Return error if the file is not uploaded.
|
||||
if (!$file || !file_exists($file) || !is_uploaded_file($file))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// Return error if the file size is zero.
|
||||
if (!filesize($file))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// Get the extension.
|
||||
$ext = $filename ? strtolower(substr(strrchr($filename, '.'), 1)) : '';
|
||||
|
||||
// Check SVG files.
|
||||
if ($ext === 'svg' && !self::_checkSVG($file))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// Return true if everything is OK.
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check SVG file for XSS or SSRF vulnerabilities (#1088, #1089)
|
||||
*
|
||||
* @param string $file
|
||||
* @return bool
|
||||
*/
|
||||
protected static function _checkSVG($file)
|
||||
{
|
||||
$content = file_get_contents($file);
|
||||
|
||||
if (preg_match('/xlink:href\s*=\s*"(?!data:)/i', $content))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (preg_match('/<script/i', $content))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue