Login

05-05-2009, 09:30 AM

[eluser]Unknown[/eluser]
Hi adamp1,

You are correct in your assumption. I reported this bug awhile back but there seems to be no fix.

http://codeigniter.com/bug_tracker/bug/7291/

I have the fix completed in a hacked out Upload.php library class which I will post at the end of this post.

The problem is 2 fold:

Issue 1) The extra image check:

If your file upload is an image then an extra image check will be performed.
So in the code you will see the following:

Code:
if (in_array($val, $image_types))

$image_types is a set list of image file extensions. So basically what the code above is trying to say is: If My FILE_EXTENSION Is An IMAGE_FILE_EXTENSION then do an extra check.

The problem is that $val IS NOT YOUR UPLOADED FILE_EXTENSION. $val is defined a below:

Code:
foreach ($this->allowed_types as $val)

So $val is an allowed type. What is an allowed type? An allowed type is a member of the list of files you are allowing users to upload.

So basically if you are ALLOWING users to load images then an image check WILL ALWAYS OCCUR even if your user is uploading another filetype.

The code below:

Code:
if (in_array($val, $image_types))

Should be changed to:

Code:
if (in_array($ext, $image_types))

Where $ext is your file extension, NOTE: NOT $this->file_ext since $this->file_ext includes a dot at the beginning of the file extension.

Issue 2) Random file types fail the filetype test:

This problem occured when I realized that a PDF file I was trying to upload wasn't working. I kept getting the error message below:

The filetype you are attempting to upload is not allowed.

The problem was because the mime type for the TOTALLY LEGITIMATE PDF file was uploading was application/octet which can stand for any program really. Of course application/octet is not in the list of allowed PDF mime types - AND IT SHOULDN'T

However we still have a problem and the problem is that the test for filetypes is TOO STRICT. My PDF file is legitimate and I can't help that its of mime type application/octet.

My fix is to test to see if the file extension is allowed - if it is then let me through. Otherwise you will have situations where legitimate files are being rejected because they were set with a generic mime type.

To fix for all your upload problems replace the function is_allowed_filetype in Upload.php with the code below.

The hacked sections are enclosed in the comments:
//kofic - hacking - start
//kofic - hacking - end

Code:
/**

     * Verify that the filetype is allowed

     *

     * @access    public

     * @return    bool

     *

     * Hacked by CI user: kofic

     */    

    function is_allowed_filetype()

    {

        if (count($this->allowed_types) == 0 OR ! is_array($this->allowed_types))

        {

            $this->set_error('upload_no_file_types');

            return FALSE;

        }

        //kofic - hacking - start

        $ext_found = 0;

        $ext = $this->file_ext;

        $ext = str_replace(".","",$ext);

        //kofic - hacking - end

        $image_types = array('gif', 'jpg', 'jpeg', 'png', 'jpe');

        foreach ($this->allowed_types as $val)

        {

            //kofic - hacking - start

            if ( strtolower($val) == strtolower($ext) ){$ext_found = 1;}

            //kofic - hacking - end

            $mime = $this->mimes_types(strtolower($val));

            //kofic - hacking - start

            // Images get some additional checks

            //kofic - commenting original code - start

            //if (in_array($val, $image_types))

            //kofic - commenting original code - end

            if (in_array($ext, $image_types))

            //kofic - hacking - end

            {

                if (getimagesize($this->file_temp) === FALSE)

                {

                    return FALSE;

                }

            }

            if (is_array($mime))

            {

                if (in_array($this->file_type, $mime, TRUE))

                {

                    return TRUE;

                }

            }

            else

            {

                if ($mime == $this->file_type)

                {

                    return TRUE;

                }    

            }        

        }

        //kofic - hacking - start

        if ( $ext_found ){ return TRUE; }

        //kofic - hacking - end

        return FALSE;

    }