Prevent upload of php/phtml files in OJS (tested on OJS 3)

/lib/pkp/classes/file/FileManager.inc.php


Find the section below and add the lines in red in the same spots or copy and replace the whole function:


/**
 * Move an uploaded file from PHP's temporary upload location to its destination.
 *
 * This is the unpatched version of the method as it appears in FileManager.inc.php.
 *
 * @param $fileName string key of the upload entry in $_FILES
 * @param $destFileName string path the uploaded file is moved to
 * @return mixed false when there is no such upload entry or the move fails;
 *   otherwise whatever setMode() returns for the stored file
 */
function uploadFile($fileName, $destFileName) {
	$destDir = dirname($destFileName);
	if (!$this->fileExists($destDir, 'dir')) {
		// Try to create the destination directory
		$this->mkdirtree($destDir);
	}

	// No upload was submitted under this form field name.
	if (!isset($_FILES[$fileName])) return false;

	// NOTE(review): nothing in this method inspects the uploaded file's name,
	// extension or content; the file is stored under whatever $destFileName the
	// caller supplies. Whether a stored file could be served and executed depends
	// on how callers build $destFileName and on the web server configuration,
	// neither of which is visible here.
	if (move_uploaded_file($_FILES[$fileName]['tmp_name'], $destFileName))
		// Apply FILE_MODE_MASK to the stored file and report that result.
		return $this->setMode($destFileName, FILE_MODE_MASK);

	return false;
}


ubah menjadi (change it to):

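/**
 * Move an uploaded file to its destination, refusing names with a PHP-executable extension.
 *
 * The extension check is defence in depth only. A blocklist can never be complete,
 * so the upload directory should also live outside the web root, or have script
 * execution disabled by the web server configuration.
 *
 * @param $fileName string key of the upload entry in $_FILES
 * @param $destFileName string path the uploaded file is moved to
 * @return mixed false when there is no such upload entry, the name is rejected,
 *   or the move fails; otherwise whatever setMode() returns for the stored file
 */
function uploadFile($fileName, $destFileName) {
	$destDir = dirname($destFileName);
	if (!$this->fileExists($destDir, 'dir')) {
		// Try to create the destination directory
		$this->mkdirtree($destDir);
	}

	if (!isset($_FILES[$fileName])) return false;

	// A multi-file field delivers arrays here; this method handles a single file only.
	$name = isset($_FILES[$fileName]['name']) ? $_FILES[$fileName]['name'] : '';
	if (!is_string($name)) return false;

	// Extensions that web servers are commonly configured to hand to the PHP
	// interpreter. Compared in lower case so that "PHP" or "PhTml" is caught too.
	$blockedExtensions = array(
		'php', 'php3', 'php4', 'php5', 'php7', 'php8',
		'phtml', 'pht', 'phps', 'phar',
	);

	// Check the client-supplied name AND the name the file is actually stored
	// under: the stored name is what the web server sees, and it is chosen by
	// the caller, not by this method.
	foreach (array($name, $destFileName) as $candidate) {
		// Trailing dots and spaces are dropped by some filesystems, so ignore
		// them before extracting the extension.
		$normalized = rtrim((string) $candidate, ". \t");
		$ext = strtolower(pathinfo($normalized, PATHINFO_EXTENSION));
		if (in_array($ext, $blockedExtensions, true)) return false;
	}

	if (move_uploaded_file($_FILES[$fileName]['tmp_name'], $destFileName))
		return $this->setMode($destFileName, FILE_MODE_MASK);

	return false;
}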
