A few weeks ago I asked if it was possible to specify attachment types that are allowed instead of those that are denied. IMHO there are too many MIME types to keep up with and to figure out which ones could be malicious, so instead I want to specify the attachment types allowed and deny all others. The code snippet shown below is what I did to make it work that way.
I'm certain jagerman and others can do it more eloquently, but it works. In the admin area all you do is enter the extension of the files that you will allow. The wildcards no longer matter, so your entries would look like the following:
wav
jpeg
jpg
gif
I made the code changes in the TempAttachment.pm file. I also modified the error message the user sees should they upload a file type not allowed.
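Code:
    # Original deny-list check (wildcard filters), commented out:
    # if ($CFG->{attachment_filters}) {
    #     for (@{$CFG->{attachment_filters}}) {
    #         (my $re = quotemeta) =~ s/\\\*/.*/g;
    #         $re =~ s/\\\?/./g;
    #         if ($attachment->{tempatt_filename} =~ /^$re$/i) {
    #             $self->{attachment_error} = GForum::language('ATTACHMENT_FILTERED', $_);
    #             return;
    #         }
    #     }
    # }

    # Allow-list check: the filename must end in one of the configured extensions.
    if ($CFG->{attachment_filters}) {
        my $match = 0;
        foreach (@{$CFG->{attachment_filters}}) {
            # \Q...\E makes the configured entry match literally, not as a regex
            if ($attachment->{tempatt_filename} =~ /\.\Q$_\E$/i) {
                $match = 1;
                last;
            }
        }
        unless ($match) {
            $self->{attachment_error} = GForum::language('ATTACHMENT_FILTERED', '');
            return;
        }
    }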
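An added example, not part of the original post or of GForum: a stand-alone version of the same allow-list idea that normalises the admin entries, ignores empty or non-alphanumeric ones, and compares only the final extension. The helper name extension_allowed and the sample data are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper, not part of GForum: returns 1 when the final extension
# of $filename is on the allow list, 0 otherwise.
sub extension_allowed {
    my ($filename, $allowed) = @_;
    return 0 unless defined $filename && length $filename;

    # Normalise the admin entries: lowercase, trim whitespace, drop a leading
    # dot, and skip anything that is not a plain alphanumeric extension.
    my %allow;
    for my $entry (@{ $allowed || [] }) {
        next unless defined $entry;
        my $ext = lc $entry;
        $ext =~ s/\A\s*\.?//;
        $ext =~ s/\s+\z//;
        next unless $ext =~ /\A[a-z0-9]+\z/;
        $allow{$ext} = 1;
    }
    return 0 unless %allow;    # assumption: an empty list denies everything

    # Compare only the final extension. \z anchors at the true end of the
    # string, so a trailing newline after the extension does not match.
    my ($ext) = $filename =~ /\.([A-Za-z0-9]+)\z/ or return 0;
    return $allow{ lc $ext } ? 1 : 0;
}

# Constructed sample data: the post's four entries plus two malformed ones.
my @allowed = ('wav', 'jpeg', 'jpg', 'gif', '', 'j.g');
my @names   = ('photo.JPG', 'clip.wav', 'notes.jpg.exe', 'photo.jxg',
               'archive.', "pic.jpg\n", 'README');

for my $name (@names) {
    (my $shown = $name) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-16s %s\n", $shown,
        extension_allowed($name, \@allowed) ? 'allowed' : 'rejected';
}
```

An extension check says nothing about a file's contents, so it complements rather than replaces care in how uploaded files are stored and served.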