CodeIgniter Forums

Full Version: class CI_Upload - Improvement code suggestion

El Forum

Order Allow,Deny
Allow from All
Deny from
Order Deny,Allow
Deny from All
Allow from localhost
This is THE SMART Way to allow/disallow!
Credit to the Apache developers .....

I have taken one small step towards this in my CI_Upload:
class CI_Upload {
    var $max_size        = 0;
    var $max_width        = 0;
    var $max_height        = 0;
    var $allowed_types    = "";

513    function is_allowed_filetype()
        if (count($this->allowed_types) == 0)
            return FALSE;
521        foreach ($this->allowed_types as $val)
522        {   if( $val == 'all') return TRUE;
523            $mime = $this->mimes_types(strtolower($val));

The only change is line 522 addition: if( $val == 'all') return TRUE;

Add 2 new variables, like this:
var $types_order        = "disallow"; //script alternative: "allow"
var $allowed_types      = ""; //script alternative: "all"/ or types
var $disallowed_types   = "all"; //script alternative: "" or types

So by default all types are disallowed.
But by script we could change this:
types_order: allow
allowed_types: all
disallowed_types: exe|bin|js

Hope you see this is good.
I set up an upload for myself at my localhost server.
I didn't want to create an array with 100 extensions, to allow myself to upload any file.


El Forum

Any comments are welcome.
Is my suggestion not good enough?


El Forum

Michael Wales:
I think CI errs on the side of security. There are literally tens of thousands of file extensions out there and by simply disallowing only a few (exe, bin, js) you are not necessarily securing yourself.

In a live environment, I would much rather define the ones I will allow.
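
The two policies discussed in this thread, side by side, as an added example that is not part of any post and is not CodeIgniter's own code: it runs the proposed deny list (exe|bin|js) and an allow list over a few file names and prints which ones each policy accepts. The function names, the allow list and the sample file names are assumptions constructed for the illustration.

```php
<?php
// Added example, not CodeIgniter code. Function names, the allow list
// and the sample file names are constructed for illustration.

// Final extension, lower-cased; '' when the name has none.
function upload_extension(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// "types_order: allow" with allowed_types "all", as proposed in the first post:
// every file passes unless its extension is on the deny list.
function denylist_allows(string $filename, array $disallowed): bool
{
    return !in_array(upload_extension($filename), $disallowed, true);
}

// Allow-list policy, as the reply prefers: only listed extensions pass.
// An empty list or a missing extension rejects the file.
function allowlist_allows(string $filename, array $allowed): bool
{
    $ext = upload_extension($filename);
    return $ext !== '' && in_array($ext, $allowed, true);
}

$disallowed = explode('|', 'exe|bin|js');      // deny list from the first post
$allowed    = explode('|', 'gif|jpg|png|pdf'); // constructed allow list

// Constructed upload names: mixed case, no extension, double extension,
// and extensions that neither list mentions.
$samples = ['photo.JPG', 'report.pdf', 'setup.EXE', 'index.php',
            'page.phtml', 'notes', 'archive.tar.gz'];

printf("%-16s %-10s %s\n", 'file', 'denylist', 'allowlist');
foreach ($samples as $name) {
    printf("%-16s %-10s %s\n", $name,
        denylist_allows($name, $disallowed) ? 'accept' : 'reject',
        allowlist_allows($name, $allowed) ? 'accept' : 'reject');
}
```

Both functions look only at the file name; the `is_allowed_filetype()` excerpt in the first post also maps each allowed type through `mimes_types()`, which this sketch does not reproduce.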