Use Rhymix Framework to decide whether a file can be directly downloaded

xpressengine/xe-core#1997

common/framework/filters/filenamefilter.php

@@ -85,4 +85,22 @@ class FilenameFilter
 		// Trim trailing slashes.
 		return rtrim($path, '/');
 	}
+	
+	/**
+	 * Check if a file has an extension that would allow direct download.
+	 * 
+	 * @param string $filename
+	 * @return bool
+	 */
+	public static function isDirectDownload($filename)
+	{
+		if (preg_match('/\.(as[fx]|avi|flac|flv|gif|jpe?g|m4[av]|midi?|mkv|moov|mov|mp[1234]|mpe?g|ogg|png|qt|ram?|rmm?|swf|wav|web[mp]|wm[av])$/i', $filename))
+		{
+			return true;
+		}
+		else
+		{
+			return false;
+		}
+	}
 }

modules/file/file.controller.php

@@ -1055,7 +1055,7 @@ class fileController extends file
 			$file_info = $file_list[$i];
 			$old_file = $file_info->uploaded_filename;
 			// Determine the file path by checking if the file is an image or other kinds
-			if(preg_match("/\.(jpg|jpeg|gif|png|wmv|wma|mpg|mpeg|avi|swf|flv|mp1|mp2|mp3|mp4|asf|wav|asx|mid|midi|asf|mov|moov|qt|rm|ram|ra|rmm|m4v)$/i", $file_info->source_filename))
+			if (Rhymix\Framework\Filters\FilenameFilter::isDirectDownload($file_info->source_filename))
 			{
 				$path = sprintf("./files/attach/images/%s/%s", $target_module_srl, getNumberingPath($target_srl, 3));
 				$new_file = $path . $file_info->source_filename;

modules/importer/ttimport.class.php

@@ -486,7 +486,7 @@ class ttimport
 		$file_obj->download_count = $xmlDoc->attachment->downloads->body;
 		$name = $xmlDoc->attachment->name->body;
 		// Set upload path by checking if the attachement is an image or other kind of file
-		if(preg_match("/\.(jpg|jpeg|gif|png|wmv|wma|mpg|mpeg|avi|swf|flv|mp1|mp2|mp3|mp4|asf|wav|asx|mid|midi|asf|mov|moov|qt|rm|ram|ra|rmm|m4v)$/i", $file_obj->source_filename))
+		if (Rhymix\Framework\Filters\FilenameFilter::isDirectDownload($file_obj->source_filename))
 		{
 			$path = sprintf("./files/attach/images/%s/%s", $module_srl,getNumberingPath($upload_target_srl,3));
 			$filename = $path.$file_obj->source_filename;

tests/unit/framework/filters/FilenameFilterTest.php

@@ -71,4 +71,25 @@ class FilenameFilterTest extends \Codeception\TestCase\Test
 		$this->assertEquals(\RX_BASEDIR . 'index.php', FilenameFilter::cleanPath('index.php?foo=bar'));
 		$this->assertEquals(\RX_BASEDIR . 'index.php', FilenameFilter::cleanPath('index.php#baz'));
 	}
+	
+	public function testFilenameFilterIsDirectDownload()
+	{
+		$this->assertTrue(FilenameFilter::isDirectDownload('foobar.GIF'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('foobar.jpg'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('foo.bar.jpeg'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('/foo/bar/baz.png'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('picture.webm'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('/audio.MP3'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('/audio.FLac'));
+		$this->assertTrue(FilenameFilter::isDirectDownload('//foo.bar/video.mp4'));
+		
+		$this->assertFalse(FilenameFilter::isDirectDownload('rhymix.docx'));
+		$this->assertFalse(FilenameFilter::isDirectDownload('rhymix.HWP'));
+		$this->assertFalse(FilenameFilter::isDirectDownload('rhymix.jpg.exe'));
+		$this->assertFalse(FilenameFilter::isDirectDownload('/foo/bar/rhymix.gif.php'));
+		$this->assertFalse(FilenameFilter::isDirectDownload('rhymix.php?filename=test.vbs'));
+		$this->assertFalse(FilenameFilter::isDirectDownload(''));
+		$this->assertFalse(FilenameFilter::isDirectDownload('http://www.google.com'));
+		$this->assertFalse(FilenameFilter::isDirectDownload('/'));
+	}
 }