• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Non Allowed File Types Modification

#1
[eluser]Unknown[/eluser]
Hey Everyone,

I'm new here, so I hope I didn't post this incorrectly, I was looking for a way to simply share this idea/feature and the Wiki doesn't appear to be used much.

I did a search around to see if there was a simple way to use Codeigniters Upload library to allow for all file types *except* specified file types. To put it in other words, to disallow certain file types.

Well, surprisingly, this isn't possible in the current release of Codeigniter so I came up with a fairly simple modification which allows me to set what I call a 'non_allowed_types' section in the config for file uploads.

Hopefully this will be useful to someone else. I'm working on a system which allows for uploads of virtually all file types except high-risk files such as executables and php code (as an example).

I do realise that you could do just one big list of allowed file types, but for my system, that is literally every file type bar a few.

Here is an example of how it is used in my code ($directory is a pre-specified path):
Code:
$config['upload_path'] = $directory;
$config['allowed_types'] = '*'; // Allow all file types initially
$config['non_allowed_types'] = 'exe|php'; // Disallow specified file types
$config['overwrite'] = true;
$this->upload->initialize($config);

Attached is the final modified Upload.php file (as a .zip file for obvious reasons), but I'll give a quick rundown of how I did this. Everything below is done within the Upload.php file.

First off, everywhere 'allowed_types' exists, I duplicated this and renamed it to 'non_allowed_types' as I wanted the functionality to work in exactly the same manner from the config file.
Eg, inside the defaults array in the initialise function (things like this are done in a couple of spots throughout the file):
Code:
allowed_types'  => "",
'non_allowed_types' => "",

The core of this method comes inside of the do_upload function, I replaced:
Code:
// Is the file type allowed to be uploaded?
if (!$this->is_allowed_filetype())
{
    $this->set_error('upload_invalid_filetype');
    return FALSE;
}

With:
Code:
// Is the file type allowed to be uploaded?
if (!$this->is_allowed_filetype() || $this->is_non_allowed_filetype())
{
$this->set_error('upload_invalid_filetype');
return FALSE;
}

So we are doing a check to see if the file type is either not in the allowed list, or is in the non-allowed list.

I then took the 'set_allowed_types' function and duplicated it, renaming it to 'set_non_allowed_types', just renaming the 'allowed_types' variable within it to 'non_allowed_types'.

The final step was to duplicate the 'is_allowed_filetype' method, renaming it to 'is_non_allowed_filetype' and renaming the 'allowed_types' variable within it to 'non_allowed_file_types' as I did above.

And there you have it, a simple to use non_allowed_types config ability for file uploading which sits nicely into the existing Codeigniter source.

I hope this helps at least one other person!

#2
[eluser]CroNiX[/eluser]
I'd be very cautious with this approach. I realize that it's easier code-wise for your purposes. What if a new 'type' that can contain harmful code comes out and you don't know about it and don't add it to your blacklist (you'll always have to be maintaining this)? Generally, it's a lot more secure to whitelist what you do want to allow rather than everything you don't, because there is no possible way for you to blacklist everything that can be harmful and new ones come out all of the time that you might not be aware of.

#3
[eluser]Unknown[/eluser]
I guess my (somewhat silly, I'll elaborate below) reply to this would be, 'What if a new file type came out?', I'd have to update my whitelist.

The system I am creating is being used by all different industries, files could be uploaded ranging from <1kb text files, through to >1GB CAD files, from standard notepad to specialised software. There are simply too many file types I need to account for in that regard and it is just not possible.

But I agree with you, for most systems, white listing is definitely the way to go.

I'm the exception I guess, where it is harder to whitelist than it is to blacklist.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.