class CI_Upload - Improvement code suggestion

class CI_Upload - Improvement code suggestion - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Libraries & Helpers (https://forum.codeigniter.com/forumdisplay.php?fid=22)
+--- Thread: class CI_Upload - Improvement code suggestion (/showthread.php?tid=3101)

class CI_Upload - Improvement code suggestion - El Forum - 09-10-2007

[eluser]phpMaster[/eluser]

Code:
#1

Order Allow, Deny

Allow from All

Deny from 12.123.23.231 45.67.45.67

#2

Order Deny, Allow

Deny from All

Allow from localhost 127.0.0.1 45.67.45.67

This is THE SMART Way to allow/disallow!
Credit to the Apache developers .....

I have taken one small step towards this in my CI_Upload:

Code:
class CI_Upload {

    var $max_size        = 0;

    var $max_width        = 0;

    var $max_height        = 0;

    var $allowed_types    = "";

--------------------------------------------

513    function is_allowed_filetype()

    {

        if (count($this->allowed_types) == 0)

        {

            $this->set_error('upload_no_file_types');

            return FALSE;

        }

521        foreach ($this->allowed_types as $val)

522        {   if( $val == 'all') return TRUE;

523            $mime = $this->mimes_types(strtolower($val));

The only change is line 522 addition: if( $val == 'all') return TRUE;

Suggestion:
Add 2 new variables, like this:

Code:
var $types_order        = "disallow"; //script alternative: "allow"

var $allowed_types      = ""; //script alternative: "all"/ or types

var $disallowed_types   = "all"; //script alternative: "" or types

So by default all types are disallowed.
But by script we could change this:
Example:
types_order: allow
allowed_types: all
disallowed_types: exe|bin|js

Hope you see this is good.
I setup an upload for myself at my localhost server.
I didnt want to create an array with 100 extensions, to allow myself to upload any file.

/phpMaster

class CI_Upload - Improvement code suggestion - El Forum - 09-13-2007

[eluser]phpMaster[/eluser]
Any comments are welcome.
Is my suggestion not good enough?

??

class CI_Upload - Improvement code suggestion - El Forum - 09-13-2007

[eluser]Michael Wales[/eluser]
I think CI errs on the side of security. There are literally tens of thousands of file extensions out there and by simply disallowing only a few (exe, bin, js) you are not necessarily securing yourself.

In a live environment, I would much rather define the ones I will allow.