Upload any file - what's a framework really for?
#1

[eluser]Digitalman65[/eluser]
My very first attempt at a CI application is what I would consider a pretty simple matter, a simple form that allows me to pick a file off my local system and upload to my web server (and place it into a specific folder - ie. upload, etc.). I ran into the "allowed_types" configuration option for the Upload class and immediately assumed that not setting the option would allow any file type to be uploaded. Boy was I wrong. Found supporting messages in the forum too. Also looked at the class file and see why it does what it does.

My question is: why does it do what it does? To what end? Security? Okay, I'll buy that. Security is good for those who want/need it. But what happens to those who need to allow all types of files to be uploaded?

There seem to be only two choices: 1. Create some giant list of allowed types (not a good solution at all since it doesn't allow for ANY type - ever hear of a .MMM file? ..that's Magix Music Maker) 2. Don't use the Upload class. So if I don't like #1, then #2 it is, but then what's the point in using a framework such as CI and having an Upload class if that framework is going to put limits on me in undesirable ways? I choose #2, write my own handler for file uploads of any type of file and I have gained nothing by using CI.

It seems to me that the framework is there to help me, not hinder me. Allowing me, the developer, to make the decision to have high security (allowed file types) or low security (all file types) is the best solution all around. Let the developer make that decision, don't impose it.

I cringe at the thought of modifying the CI code to suit my needs or writing my own Upload class, but it seems I'm facing this decision now and it's my very first CI app. Hopefully, I won't find any other oddities like this in other areas of CI. I also hope the CI development team reads this and makes a decision to change the Upload class and put the decisions in my hands.
#2

[eluser]thurting[/eluser]
Damn dude. If you 'cringe at the thought of modifying the CI code to suit [your] needs or writing [your] own Upload class', then maybe you should rethink your foray into web development. CI isn't meant to be an out of the box solution to build any website you can imagine. It is meant to be a base for you to work off of. If you want to extend the core, fire up your text editor and write some code. If you run into problems, come here for help. But don't get all whiny because it doesn't fit your needs exactly. After all, you downloaded it for FREE.
#3

[eluser]Seppo[/eluser]
There are many easy ways to fix that... the simplest way would be to extend the upload class and override the method that checks for a valid type, and if the allowed types is '*', then return true, otherwise call the parent method.
#4

[eluser]CanadianBeef[/eluser]
OP: That was actually an intelligent design choice on behalf of CI developers. It's called following the principle of least privilege and not enough software does this, which is why there are so many security holes in software.

Uploading a file is a pretty trivial task...you need to only call two functions...and one is optional and for security purposes only.

If you're relying on a framework to handle file uploading...you're not understanding the purpose of a framework.
#5

[eluser]ecsyle31[/eluser]
Codeigniter is probably not for you then.
#6

[eluser]Colin Williams[/eluser]
This is a dead-easy implementation.

application/libraries/MY_Upload.php

Code:
class MY_Upload extends CI_Upload {

        // --------------------------------------------------------------------
    
    /**
     * Verify that the filetype is allowed
     *
     * @access    public
     * @return    bool
     */    
    function is_allowed_filetype()
    {
        if (count($this->allowed_types) == 0 || ! is_array($this->allowed_types))
        {
            // Return TRUE instead of failing. I would recommend a more concrete way of allowing all file types
            return TRUE;
        }
                
        foreach ($this->allowed_types as $val)
        {
            $mime = $this->mimes_types(strtolower($val));
        
            if (is_array($mime))
            {
                if (in_array($this->file_type, $mime, TRUE))
                {
                    return TRUE;
                }
            }
            else
            {
                if ($mime == $this->file_type)
                {
                    return TRUE;
                }    
            }        
        }
        
        return FALSE;
    }
}
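Seppo's '*' suggestion (#3) combined with Colin's remark about "a more concrete way of allowing all file types", as an added example that is not code from any poster or from CodeIgniter. It assumes is_allowed_filetype() takes no arguments, as in the post above, and uses a constructed stand-in for CI_Upload so it runs on its own.

```php
<?php
// Constructed stand-in for the two CI_Upload members this thread discusses,
// so the example runs on its own. Assumption: it mirrors the deny-by-default
// behaviour described in post #1; it is not the framework's code.
if ( ! class_exists('CI_Upload'))
{
    class CI_Upload {
        public $allowed_types = array();
        public $file_type = '';

        public function set_allowed_types($types)
        {
            $this->allowed_types = explode('|', $types);
        }

        public function is_allowed_filetype()
        {
            // Simplified: compares the MIME type directly, no mimes.php lookup.
            return in_array($this->file_type, $this->allowed_types, TRUE);
        }
    }
}

class MY_Upload extends CI_Upload {

    public function is_allowed_filetype()
    {
        // Only the literal '*' turns type checking off. An empty or unset
        // list still rejects every file, exactly as the parent does.
        if ($this->allowed_types === array('*'))
        {
            return TRUE;
        }

        return parent::is_allowed_filetype();
    }
}

// Constructed sample: a MIME type that appears on no allow list.
$upload = new MY_Upload();
$upload->file_type = 'application/x-example-unknown';

var_dump($upload->is_allowed_filetype());   // nothing configured
$upload->set_allowed_types('image/gif|image/jpeg');
var_dump($upload->is_allowed_filetype());   // explicit list
$upload->set_allowed_types('*');
var_dump($upload->is_allowed_filetype());   // explicit wildcard
```

Because the wildcard has to be written out in the upload configuration, a forgotten allowed_types setting keeps failing closed, and every place that accepts any file type can be found by searching for '*'.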
#7

[eluser]xwero[/eluser]
Why not get all the mimetypes from the mimes.php file as a medium security level?
Code:
function all_mimes_types()
{
   if (count($this->mimes) == 0)
   {
    if (@require_once(APPPATH.'config/mimes'.EXT))
    {
         $this->mimes = $mimes;
         unset($mimes);
    }
   }

   return implode('|',array_keys($this->mimes));
}
If you add most/all known mimes to the mimes.php file only outlandish mime types are not allowed.

Sidenote: does anyone know why $mimes is made a global in the mimes_types of the upload library? The $mimes variable from the file gets unset a few lines further.
#8

[eluser]Digitalman65[/eluser]
[quote author="thurting" date="1219050619"]Damn dude. If you 'cringe at the thought of modifying the CI code to suit [your] needs or writing [your] own Upload class', then maybe you should rethink your foray into web development. CI isn't meant to be an out of the box solution to build any website you can imagine. It is meant to be a base for you to work off of. If you want to extend the core, fire up your text editor and write some code. If you run into problems, come here for help. But don't get all whiny because it doesn't fit your needs exactly. After all, you downloaded it for FREE.[/quote]

I've been a Java web developer for, well, forever. I've been developing PHP for almost as long. My cringing is at modifying a piece of code that gets updated. If I modify it, and then upgrade it, my changes go bye bye. Not a good solution in my book. I'd rather effect change through the proper channels, the authors of the framework.

The point I was making was that the Upload class is provided by the framework but imposes certain restrictions that prevent me from using it, rendering it useless to me for my specific task. I doubt the authors intended that. If so, then that's bad, IMHO. I would never have authored the Upload class in that way. My point was to give the user (us developers) the choice/power/what-have-you and don't impose restrictions. Make the Upload class useful for all, not just the majority. Seeing other posts in the forum, I'm not alone. Others, in this albeit small group, need the functionality I've mentioned.

I enjoy free. I hope to give back in some way to help keep it free.
#9

[eluser]Digitalman65[/eluser]
Wow! Thanks to all who replied. I didn't mean to sound political or to appear to stand on a soap box. I was trying to make a point, and I see it was received and some very good responses were given. I'm going to take the extend approach. Seems to me to be the best way to solve the problem (and any future similar issues that might arise).
#10

[eluser]Colin Williams[/eluser]
Quote:My cringing is at modifying a piece of code that gets updated. If I modify it, and then upgrade it, my changes go bye bye

Have you looked in the User Guide at how to extend and override core classes? When you override methods properly, you aren't terribly dependent on the core. And if you were to upgrade the core (which, let's face it is just a "what if" conversation as of now), updating your overrides is probably going to be the least of your work, if required at all.



