CodeIgniter Forums

Full Version: class CI_Upload - Improvement code suggestion

El Forum

[eluser]phpMaster[/eluser]
Code:
#1
Order Allow,Deny
Allow from All
Deny from 12.123.23.231 45.67.45.67
#2
Order Deny,Allow
Deny from All
Allow from localhost 127.0.0.1 45.67.45.67
This is THE SMART Way to allow/disallow!
Credit to the Apache developers .....


I have taken one small step towards this in my CI_Upload:
Code:
class CI_Upload {
    
    var $max_size        = 0;
    var $max_width        = 0;
    var $max_height        = 0;
    var $allowed_types    = "";
--------------------------------------------

513    function is_allowed_filetype()
    {
        if (count($this->allowed_types) == 0)
        {
            $this->set_error('upload_no_file_types');
            return FALSE;
        }
        
521        foreach ($this->allowed_types as $val)
522        {   if( $val == 'all') return TRUE;
523            $mime = $this->mimes_types(strtolower($val));

The only change is the addition on line 522: if( $val == 'all') return TRUE;

Suggestion:
Add 2 new variables, like this:
Code:
var $types_order        = "disallow"; //script alternative: "allow"
var $allowed_types      = ""; //script alternative: "all"/ or types
var $disallowed_types   = "all"; //script alternative: "" or types

So by default all types are disallowed.
But by script we could change this:
Example:
types_order: allow
allowed_types: all
disallowed_types: exe|bin|js



Hope you see this is good.
I set up an upload for myself at my localhost server.
I didn't want to create an array with 100 extensions to allow myself to upload any file.

/phpMaster

[eluser]phpMaster[/eluser]
Any comments are welcome.
Is my suggestion not good enough?

??

[eluser]Michael Wales[/eluser]
I think CI errs on the side of security. There are literally tens of thousands of file extensions out there and by simply disallowing only a few (exe, bin, js) you are not necessarily securing yourself.

In a live environment, I would much rather define the ones I will allow.
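As an added example (not CodeIgniter's code and not from either poster), here is a stand-alone PHP model of the proposed types_order / allowed_types / disallowed_types check using the Apache Order semantics the first post credits, run over constructed filenames to show what the deny-list configuration from the thread lets through next to an explicit allow-list. The ".phtml" sample name and the image allow-list are assumptions for illustration.

```php
<?php
// Added example, not CodeIgniter's own code: a stand-alone model of the proposed
// $types_order / $allowed_types / $disallowed_types check, using the Apache
// Order semantics the thread credits. A plain extension check replaces CI's
// mimes_types() lookup so the script runs by itself.

function split_types(string $list): array
{
    // CI style "jpg|gif|png" list; an empty string means "no types".
    return $list === '' ? [] : array_map('strtolower', explode('|', $list));
}

function type_matches(string $ext, array $types): bool
{
    return in_array('all', $types, true) || in_array($ext, $types, true);
}

function is_allowed_filetype(string $filename, string $types_order,
                             string $allowed_types, string $disallowed_types): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $matches_allow = type_matches($ext, split_types($allowed_types));
    $matches_deny  = type_matches($ext, split_types($disallowed_types));

    if ($types_order === 'allow') {
        // Like "Order Allow,Deny": must match an allow entry and no deny entry.
        return $matches_allow && !$matches_deny;
    }
    // Default "disallow", like "Order Deny,Allow": a deny entry blocks unless
    // an allow entry also matches; with disallowed_types = "all" and
    // allowed_types = "" nothing gets through.
    return !$matches_deny || $matches_allow;
}

// Constructed sample names. "report.phtml" carries a server-side script
// extension that the thread's deny-list (exe|bin|js) never mentions.
$files = ['photo.jpg', 'tool.exe', 'report.phtml'];

foreach ($files as $f) {
    // The thread's proposed deny-list configuration ...
    $denylist  = is_allowed_filetype($f, 'allow', 'all', 'exe|bin|js');
    // ... beside an explicit allow-list of image types (assumed for illustration).
    $allowlist = is_allowed_filetype($f, 'disallow', 'jpg|gif|png', 'all');
    printf("%-13s deny-list: %-5s  allow-list: %s\n", $f,
           $denylist ? 'pass' : 'block', $allowlist ? 'pass' : 'block');
}
```

The deny-list mode passes every extension it was never told about, which is the gap the reply above points at; the allow-list mode only passes what was listed.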