24
24
* @package GalleryCore
25
25
* @subpackage Classes
26
26
* @author Bharat Mediratta <bharat@menalto.com>
27
* @version $Revision: 15872 $
27
* @version $Revision: 17265 $
30
30
class GalleryPlatform {
33
* List of file extensions that are disallowed for server and/or client security reasons.
35
* @deprecated This list will be made configurable by merging it into the mime-map data.
37
var $_blacklistedFileExtensions = array(
38
'php', 'php2', 'php3', 'php4', 'php5', 'php6', 'cgi', 'inc', 'phps', 'pwml', 'phtml',
39
'html', 'js', 'htm', 'shtml', 'vbs', 'dll', 'jsp' , 'cfm', 'reg', 'shtm', 'phtm', 'exe',
40
'bat', 'sh', 'cmd', 'install', 'pl', 'tcl', 'py', 'com', 'rb', 'asp', 'aspx', 'ascx');
34
44
* @param string $source the source file
35
45
* @param string $dest the destination file
601
611
$fileBase = str_replace('.', '_', $fileBase);
613
$blacklistKey = 'GalleryPlatform::blacklistedFileExtensions';
614
if (GalleryDataCache::containsKey($blacklistKey)) {
615
$blacklistedExtensions = GalleryDataCache::get($blacklistKey);
617
$blacklistedExtensions = array_flip($this->_blacklistedFileExtensions);
618
GalleryDataCache::put($blacklistKey, $blacklistedExtensions);
604
622
* If we don't know exactly what type this file is, we have to assume that it's something
605
623
* malicious. In that case, it might be a server side script of some kind and we don't want
612
630
$gallery->debug('Error: convertExtensionToMime in ' .
613
631
'GalleryPlatform::legalizePathComponent');
615
if (($ret || $tmp == 'application/unknown') && !empty($extension)) {
633
if (!empty($extension) && ($ret || $tmp == 'application/unknown'
634
|| isset($blacklistedExtensions[GalleryUtilities::strToLower($extension)]))) {
616
635
$fileBase = $fileBase . '_' . $extension;
617
636
$extension = null;