Flash Upload - Sessions & File Type - My Two Cents

#1
[eluser]Unknown[/eluser]
I am using jQuery Uploadify for Flash-based uploads and have spent what seems like an age getting it all to work. There are two key issues, as discussed elsewhere on these boards:

http://ellislab.com/forums/viewthread/97399

http://ellislab.com/forums/viewthread/145693/

http://ellislab.com/forums/viewthread/77044/

Both issues apply to many flavors of JS/Flash based uploaders.

Issue 1 - File Type

When Flash sends the file it is always sent with the application/octet-stream MIME type. Some people have suggested adding application/octet-stream to the mime config for all the desired allowed types. This seems like a flaw to me because it undermines the benefit of the filetype check in the upload class. It means any exe or php could be uploaded and the script would think it was OK.

This is what I did in MY_Upload.php (file attached):

if (count($this->allowed_types) == 0 OR ! is_array($this->allowed_types))
{
    $this->set_error('upload_no_file_types');
    return FALSE;
}

// Flash always declares application/octet-stream. Is it really though??
// If so, ask PHP to sniff the temp file's actual content before the
// allowed-types check further down runs against $this->file_type.
if ($this->file_type == 'application/octet-stream')
{
    $php_mime = FALSE;

    if (function_exists('finfo_file'))
    {
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        $php_mime = finfo_file($finfo, $this->file_temp);
        finfo_close($finfo);
    }
    elseif (function_exists('mime_content_type'))
    {
        $php_mime = mime_content_type($this->file_temp);
    }

    // Only replace the declared type when sniffing actually produced one
    if ($php_mime)
    {
        $this->file_type = $php_mime;
    }
}

... so if the filetype is application/octet-stream, this does a double check using either finfo_open() or mime_content_type().

Issue 2 - Sessions

I quickly discovered that if you posted the file to a page which was protected by a login system, the session wasn’t properly updated and you’d get booted out. This is because (I think) Flash doesn’t send the appropriate cookie like a browser does. This technique has been discussed elsewhere; I’ve just updated it a bit:

In MY_Session.php (file attached):

class MY_Session extends CI_Session
{
    /**
     * Fetch the raw session cookie value if it exists
     *
     * @access public
     * @return string
     */
    function get_cookie_data()
    {
        $session = $this->CI->input->cookie($this->sess_cookie_name);

        if ($session === FALSE)
        {
            return '';
        }

        return $session;
    }

    /**
     * Create string for JavaScript containing cookie data,
     * i.e. "<md5 of cookie name>" : "<base64 of cookie value>"
     *
     * @access public
     * @return string
     */
    function get_js_session()
    {
        $session = $output = $this->get_cookie_data();

        if ($session != '')
        {
            $output = '"' . md5($this->sess_cookie_name) . '" : "' . base64_encode($session) . '"';
        }

        return $output;
    }

    /**
     * Fetch the current session data if it exists, looking in $_POST
     * (where the Flash uploader puts it) before the cookie
     *
     * @access public
     * @return bool
     */
    function sess_read()
    {
        // Get encoded session data from $_POST
        $session = $this->CI->input->post(md5($this->sess_cookie_name));

        if ($session !== FALSE)
        {
            $session = base64_decode($session);

            // Note: this writes the raw session data into the debug log
            log_message('debug', 'Session cookie data sent through POST [ ' . $session . ' ] ');
        }
        else
        {
            // Fetch the cookie
            $session = $this->CI->input->cookie($this->sess_cookie_name);
        }

        // No cookie? Goodbye cruel world!...
        if ($session === FALSE)
        {
            log_message('debug', 'A session cookie was not found.');
            return FALSE;
        }

        // (...) the rest of sess_read() is the stock CI_Session version,
        // minus the User Agent Match block mentioned below
    }
}

What get_js_session() does is create a string like “654654” : “asdDFvCXvzxcv” to add to the JavaScript call; in my case it looks like this:
$("#uploadify").uploadify({
    'scriptData' : {<?=$this->session->get_js_session();?>},
    'uploader'   : BASE_URL + 'assets/office/default/js/swf/uploadify.swf',

(...)

I have used md5() on the cookie name in case you have a form field somewhere with the same name as your cookie. I got into a bit of a mess with special characters (like plus + signs, etc.) and found that base64_encode seemed to solve it.

I have disabled the User Agent Match part because when the files are sent the user agent will be ‘Shockwave Flash’ (or whatever). I am told that the security benefit of the user agent check is very small - it can be faked very easily - so its removal is no big deal.

I don’t claim that this is a cast-iron solution, just my current workaround - if anyone spots any issues with it or has any further suggestions, please let me know.

Many thanks.
File Attachments
CI_Uploadify.zip (File Size: 3KB - Downloads: 134)
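Issue 1 in a self-contained form, as an added example that is not the poster's MY_Upload.php or CodeIgniter's Upload class: the client-declared type (whether the browser's or Flash's application/octet-stream) is never used for the decision. The file extension must be on a whitelist, and the type libmagic sniffs from the actual bytes must be one of the types that extension is allowed to have. The function names and the extension/MIME table are assumptions for this demo; it needs the fileinfo extension.

```php
<?php
// Added example, not the poster's code. Accept an upload only when the
// extension is whitelisted AND the sniffed content type matches it.
// Assumes PHP >= 5.3 with the fileinfo extension enabled.

/**
 * Allowed extensions mapped to the MIME types libmagic may legitimately
 * report for their content. Anything not listed here is rejected.
 * (Table is an assumption for this demo; extend it for your own needs.)
 */
function allowed_upload_types()
{
    return array(
        'jpg'  => array('image/jpeg'),
        'jpeg' => array('image/jpeg'),
        'png'  => array('image/png'),
        'gif'  => array('image/gif'),
        'pdf'  => array('application/pdf'),
    );
}

/**
 * Returns TRUE when both the extension and the sniffed content type are on
 * the whitelist and agree with each other, FALSE otherwise. $client_type is
 * whatever the uploader declared; it is reported for logging only and never
 * influences the decision.
 */
function upload_is_acceptable($tmp_path, $original_name, $client_type, &$reason = '')
{
    $allowed = allowed_upload_types();
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));

    if ( ! isset($allowed[$ext]))
    {
        $reason = "extension '$ext' is not allowed";
        return FALSE;
    }

    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $tmp_path);
    finfo_close($finfo);

    if ($detected === FALSE || ! in_array($detected, $allowed[$ext], TRUE))
    {
        $reason = "content sniffed as '$detected', not valid for .$ext (client declared '$client_type')";
        return FALSE;
    }

    $reason = "ok: $detected";
    return TRUE;
}

// --- constructed demo inputs (not real uploads) ------------------------
// A bare PNG signature, a PHP script renamed to .jpg, a GIF header and an
// EXE header; each is written to a temp file so finfo sees real bytes.
$samples = array(
    array("\x89PNG\r\n\x1a\n" . str_repeat("\0", 16), 'photo.png', 'application/octet-stream'),
    array("<?php echo 'hi'; ?>\n",                      'photo.jpg', 'application/octet-stream'),
    array("GIF89a" . str_repeat("\0", 16),              'anim.gif',  'image/gif'),
    array("MZ" . str_repeat("\0", 64),                  'tool.exe',  'application/octet-stream'),
);

foreach ($samples as $s)
{
    list($bytes, $name, $client_type) = $s;
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);

    $why = '';
    $ok = upload_is_acceptable($tmp, $name, $client_type, $why);
    printf("%-10s %-7s %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);

    unlink($tmp);
}
```

Dropping the whitelist lookup into do_upload() in place of the octet-stream special case gives the same effect as the poster's patch but without ever trusting $this->file_type: a .jpg whose bytes are PHP source is rejected because libmagic reports a text type for it, and an .exe is rejected on extension before the file is even sniffed.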
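Issue 2 as a stand-alone round trip, added here as an example; it is not the poster's MY_Session.php nor CodeIgniter's Session library. It shows both sides of the exchange: the page builds the scriptData entry with json_encode() rather than hand-placed quotes (so cookie values containing quotes or plus signs cannot break the JavaScript literal), and the upload request handler prefers the POSTed copy, falls back to the cookie, and uses strict base64 decoding so a malformed value is rejected instead of being handed to the session layer. The function names and the sample cookie value are assumptions for this demo.

```php
<?php
// Added example, not the poster's code: the "session cookie carried in a
// POST field" technique as two plain functions plus a constructed demo.

/**
 * Page-render side: the field the uploader must POST. The key is md5() of
 * the cookie name so it cannot collide with an ordinary form field; the
 * value is the base64 of the cookie contents. Empty when no session exists.
 */
function js_session_field($cookie_name, $cookie_value)
{
    if ($cookie_value === FALSE || $cookie_value === '')
    {
        return array();
    }

    return array(md5($cookie_name) => base64_encode($cookie_value));
}

/**
 * Upload-request side: Flash sends no cookie, so look in $_POST first and
 * only then at the cookie jar. Strict decoding returns FALSE for anything
 * outside the base64 alphabet, so a tampered value never reaches the
 * session layer as garbage.
 */
function session_from_request($cookie_name, array $post, array $cookie)
{
    $field = md5($cookie_name);

    if (isset($post[$field]))
    {
        return base64_decode($post[$field], TRUE); // TRUE = strict mode
    }

    return isset($cookie[$cookie_name]) ? $cookie[$cookie_name] : FALSE;
}

// --- constructed demo (hypothetical cookie name and value) --------------
$cookie_name  = 'ci_session';
// A value full of characters that break hand-built JS string literals
$cookie_value = 'a:2:{s:2:"id";s:3:"x+y";s:4:"name";s:7:"O\'Brien";}';

// 1. What the page embeds in the Uploadify call
$script_data = js_session_field($cookie_name, $cookie_value);
echo "'scriptData' : " . json_encode($script_data) . ",\n";

// 2. The upload request as the server sees it: the field is in POST and
//    there is no cookie at all. The original value must come back intact.
$restored = session_from_request($cookie_name, $script_data, array());
echo 'round trip intact: ' . ($restored === $cookie_value ? 'yes' : 'no') . "\n";

// 3. No POST field: the ordinary browser cookie path still works
$from_cookie = session_from_request($cookie_name, array(), array($cookie_name => $cookie_value));
echo 'cookie fallback intact: ' . ($from_cookie === $cookie_value ? 'yes' : 'no') . "\n";

// 4. A value that is not valid base64 is refused rather than decoded loosely
$bad = array(md5($cookie_name) => 'not*base64!');
$rejected = session_from_request($cookie_name, $bad, array());
echo 'tampered value rejected: ' . ($rejected === FALSE ? 'yes' : 'no') . "\n";
```

Whatever ends up in scriptData is the session itself, exactly as the cookie is, so it carries the same bearer semantics: anything that can read the rendered page source can read it, which is why the JSON output above belongs only on pages the logged-in user can already see.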

#2
[eluser]Peri[/eluser]
Ky Salim2

Could you attach the file again?
tks



