class CI_Upload - Improvement code suggestion

Order Allow, Deny
Allow from All
Deny from
Order Deny, Allow
Deny from All
Allow from localhost
This is THE SMART Way to allow/disallow!
Credit to the Apache developers .....

I have taken one small step towards this in my CI_Upload:
class CI_Upload {
    var $max_size        = 0;
    var $max_width        = 0;
    var $max_height        = 0;
    var $allowed_types    = "";

513    function is_allowed_filetype()
        if (count($this->allowed_types) == 0)
            return FALSE;
521        foreach ($this->allowed_types as $val)
522        {   if( $val == 'all') return TRUE;
523            $mime = $this->mimes_types(strtolower($val));

The only change is the addition on line 522: if( $val == 'all') return TRUE;

Add 2 new variables, like this:
var $types_order        = "disallow"; //script alternative: "allow"
var $allowed_types      = ""; //script alternative: "all"/ or types
var $disallowed_types   = "all"; //script alternative: "" or types

So by default all types are disallowed.
But by script we could change this:
types_order: allow
allowed_types: all
disallowed_types: exe|bin|js

Hope you see this is good.
I set up an upload for myself on my localhost server.
I didn't want to create an array with 100 extensions to allow myself to upload any file.


Any comments are welcome.
Is my suggestion not good enough?


[eluser]Michael Wales[/eluser]
I think CI errs on the side of security. There are literally tens of thousands of file extensions out there and by simply disallowing only a few (exe, bin, js) you are not necessarily securing yourself.

In a live environment, I would much rather define the ones I will allow.
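
The two policies discussed in this thread, compared side by side as an added example (not code from either poster or from CodeIgniter). It assumes the proposed `types_order` behaves like Apache's `Order` directive, which the thread does not spell out; `list_matches()`, `upload_permitted()` and the filenames are hypothetical.

```php
<?php
// Added illustration; function names and filenames are hypothetical/constructed.

// True when $ext is named in a pipe-separated list, or the list contains "all".
function list_matches(string $list, string $ext): bool
{
    if ($list === '') {
        return false;
    }
    $items = explode('|', strtolower($list));
    return in_array('all', $items, true) || in_array($ext, $items, true);
}

// Assumed semantics, modelled on Apache's Order directive:
//   'allow'    -> allow list is checked first, disallow list overrides it
//   'disallow' -> disallow list is checked first, allow list overrides it
function upload_permitted(string $file, string $order, string $allowed, string $disallowed): bool
{
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    $a   = list_matches($allowed, $ext);
    $d   = list_matches($disallowed, $ext);
    return $order === 'allow' ? ($a && !$d) : ($a || !$d);
}

// Constructed sample uploads.
$files = ['photo.jpg', 'setup.exe', 'report.pdf', 'index.php', 'page.PHTML', 'README'];

// deny-list:  the thread's "allow all, disallow a few" configuration.
// allow-list: the default proposed in the thread plus an explicit allow list.
$policies = [
    'deny-list'  => ['allow',    'all',         'exe|bin|js'],
    'allow-list' => ['disallow', 'gif|jpg|png', 'all'],
];

foreach ($files as $file) {
    $row = [];
    foreach ($policies as $name => [$order, $allowed, $disallowed]) {
        $ok    = upload_permitted($file, $order, $allowed, $disallowed);
        $row[] = sprintf('%s=%s', $name, $ok ? 'accept' : 'reject');
    }
    printf("%-12s %s\n", $file, implode('  ', $row));
}
```

The deny list accepts every extension it does not name, including ones the web server may execute, while the allow list rejects anything it was not told about.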
