problem med upload - sikkerhedshul
Hejsa alle herindeJeg har et uploadscript i PHP.
Jeg har dog fundet et rimeligt stort sikkerhedshul der går ud på at man kan åbne en flat file text editor, skrive noget javascript, gemme det som et-eller-andet.png uploade det via php-scriptet og javascript koden bliver udført når man åbner billedet på serveren.
Min kode ser sådan her ud:
----------------------------------------------------------------------
public function uploadAttachments($articleid){
$maxsize = $this->maxsize;
$path = "../Attachments/Articles/" . $articleid;
$allowedext = $this->allowedext;
$seterror = false;
if(count($_FILES) > 0){
foreach ($_FILES["file"]["error"] as $key => $error) {
if ($error == UPLOAD_ERR_OK) {
if(!file_exists($path))
mkdir($path);
$filepath = opendir($path);
$totalsize = 0;
while (false !== ($file = readdir($filepath))) {
if($file != "." && $file != ".."){
$totalsize = $totalsize + filesize($path . "/" . $file);
}
}
closedir($filepath);
if($_FILES["file"]["size"][$key] + $totalsize > $maxsize)
return "error_maxsize";
$name = $_FILES["file"]["name"][$key];
$ext = strtolower(end(explode(".", $name)));
$name = str_replace("." . $ext, "", $name);
$name = main::caturlname($name);
if($ext == "jpeg")
$ext = "jpg";
$totalpath = $path . "/" . $name;
$count = 0;
while(file_exists($totalpath . $name_ext . "." . $ext)){
$count++;
$count++;
$name_ext = " (". $count .")";
$count--;
}
if(in_array($ext, $allowedext)){
$tmp_name = main::clean($_FILES["file"]["tmp_name"][$key]);
move_uploaded_file($tmp_name, main::clean($path . "/" . $name . $name_ext .".". $ext));
} else {
$seterror = true;
}
}
}
if($seterror == true)
return false;
}
return true;
}
-------------------------------------------------------------------------
Mvh. ss
