| 225,12 → 225,14 |
|---|
| } |
| |
| if (!OIDplus::authUtils()->isAdminLoggedIn()) { |
| $fname = basename($_FILES['userfile']['name']); |
| |
| // 1. If something is on the blacklist, we always block it, even if it is on the whitelist, too |
| $banned = explode(',', OIDplus::config()->getValue('attachments_block_extensions', '')); |
| foreach ($banned as $ext) { |
| $ext = trim($ext); |
| if ($ext == '') continue; |
| if (strtolower(substr(basename($_FILES['userfile']['name']), -strlen($ext)-1)) == strtolower('.'.$ext)) { |
| if (strtolower(substr($fname, -strlen($ext)-1)) == strtolower('.'.$ext)) { |
| throw new OIDplusException(_L('The file extension "%1" is banned by the administrator (it can be uploaded by the administrator though)',$ext)); |
| } |
| } |
| 241,7 → 243,7 |
|---|
| foreach ($allowed as $ext) { |
| $ext = trim($ext); |
| if ($ext == '') continue; |
| if (strtolower(substr(basename($_FILES['userfile']['name']), -strlen($ext)-1)) == strtolower('.'.$ext)) { |
| if (strtolower(substr($fname, -strlen($ext)-1)) == strtolower('.'.$ext)) { |
| $is_whitelisted = true; |
| break; |
| } |
| 250,6 → 252,8 |
|---|
| // 3. For everything that is neither whitelisted, nor blacklisted, the admin can decide if these grey zone is allowed or blocked |
| if (!$is_whitelisted) { |
| if (!OIDplus::config()->getValue('attachments_allow_grey_extensions', '1')) { |
| $tmp = explode('.', $fname); |
| $ext = array_pop($tmp); |
| throw new OIDplusException(_L('The file extension "%1" is not on the whitelist (it can be uploaded by the administrator though)',$ext)); |
| } |
| } |