I have checked the forum and can't find anything that coincides with what my issue is. Even as I was typing the title I'd read the articles.
This can get a bit complicated so I'm going to break it down as easily as I can. Thanks to anyone who wants to take this on....
My goal is to be able to securely upload files and rename potentially dangerous files with a useless extension. What is happening is EVERY upload that passes as good is getting the $suffix added to it, even though this is the method that holds my conditional statement:
    $nameparts = pathinfo($nospaces);
    $extension = isset($nameparts['extension']) ? $nameparts['extension'] : '';
    if (!$this->typeCheckingOn && !empty($this->suffix)) {
        if (in_array($extension, $this->notTrusted) || empty($extention)) {
            $this->newName = $nospaces . $this->suffix;
        }
    }

    protected function moveFile($file)
    {
        $result = $file['name'] . ' was uploaded successfully';
        if (!is_null($this->newName)) {
            $result .= ', and was renamed ' . $this->newName;
        }
    }
But here is the complete breakdown of the code that matters (except for what it is I'm missing)
    protected $permittedTypes = array(
        'image/jpeg',
        'image/pjpeg',
        'image/gif',
        'image/png',
        'image/webp',
    );
    protected $newName;
    protected $typeCheckingOn = true;
    protected $notTrusted = array('bin', 'cgi', 'exe', 'js', 'pl', 'php', 'py', 'sh');
    protected $suffix = '.upload';
and the public methods:
    public function allowAllTypes($suffix = null)
    {
        $this->typeCheckingOn = false;
        if (!is_null($suffix)) {
            if (strpos($suffix, '.') === 0 || $suffix == '') {
                $this->suffix = $suffix;
            } else {
                $this->suffix = ".$suffix";
            }
        }
    }

    public function upload()
    {
        $uploaded = current($_FILES);
        if ($this->checkFile($uploaded)) {
            $this->moveFile($uploaded);
        }
    }

    public function getMessages()
    {
        return $this->messages;
    }

    protected function checkFile($file)
    {
        if ($file['error'] != 0) {
            $this->getErrorMessage($file);
            return false;
        }
        if (!$this->checkSize($file)) {
            return false;
        }
        if ($this->typeCheckingOn) {
            if (!$this->checkType($file)) {
                return false;
            }
        }
        $this->checkName($file);
        return true;
    }

    protected function checkType($file)
    {
        if (in_array($file['type'], $this->permittedTypes)) {
            return true;
        } else {
            $this->messages[] = $file['name'] . ' is not a permitted type of file.';
            return false;
        }
    }

    protected function checkName($file)
    {
        $this->newName = NULL;
        $nospaces = str_replace(' ', '_', $file['name']);
        if ($nospaces != $file['name']) {
            $this->newName = $nospaces;
        }
        $nameparts = pathinfo($nospaces);
        $extension = isset($nameparts['extension']) ? $nameparts['extension'] : '';
        if (!$this->typeCheckingOn && !empty($this->suffix)) {
            if (in_array($extension, $this->notTrusted) || empty($extention)) {
                $this->newName = $nospaces . $this->suffix;
            }
        }
    }

    protected function moveFile($file)
    {
        $result = $file['name'] . ' was uploaded successfully';
        if (!is_null($this->newName)) {
            $result .= ', and was renamed ' . $this->newName;
        }
        $result .= '.';
        $this->messages[] = $result;
    }
}
Like I said, all the files that pass the other checks will upload. It can recognize the wrong file and stop it if it's in the list, BUT IT RENAMES EVERY GOOD FILE with the $suffix.
The conditional looks good and states IF there is a pathinfo['extension'] AND typeChecking is off and the suffix is not empty, AND IF SO, THEN IF that suffix is in the non-trusted list OR empty - is the only time it should add the extension.
BUT IT ADDS THE SUFFIX ON EVERY GOOD UPLOAD.
Can someone please help guide me on what I may be doing wrong? I hope I've explained my issue w/out being confusing. I'll try to answer every question best I can.
Thanks to anyone taking the time to help.
Cheers!
empty($extention) <- extension is spelled differently
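
An added example, not part of the original posts: the suffix decision from checkName() as two stand-alone functions, one with the misspelled variable and one corrected, run over constructed file names. It assumes type checking is off and the suffix is non-empty; the function names are hypothetical, and the lower-casing step goes beyond what the answer covers.

```php
<?php
// Added example: stand-alone versions of the checkName() suffix logic.
// Function names and sample file names are constructed for illustration.

$notTrusted = ['bin', 'cgi', 'exe', 'js', 'pl', 'php', 'py', 'sh'];
$suffix = '.upload';

// Behaviour from the post: $extention is never defined, and empty() on an
// undefined variable returns true without raising a warning, so the
// condition is true for every file.
function renameAsPosted(string $name, array $notTrusted, string $suffix): ?string
{
    $nospaces = str_replace(' ', '_', $name);
    $newName = ($nospaces !== $name) ? $nospaces : null;
    $nameparts = pathinfo($nospaces);
    $extension = isset($nameparts['extension']) ? $nameparts['extension'] : '';
    if (in_array($extension, $notTrusted) || empty($extention)) { // typo kept
        $newName = $nospaces . $suffix;
    }
    return $newName;
}

// Corrected: test the variable that was actually assigned. Lower-casing the
// extension (an addition beyond the answer) keeps "shell.PHP" from slipping
// past the case-sensitive in_array() lookup.
function renameFixed(string $name, array $notTrusted, string $suffix): ?string
{
    $nospaces = str_replace(' ', '_', $name);
    $newName = ($nospaces !== $name) ? $nospaces : null;
    $extension = strtolower(pathinfo($nospaces, PATHINFO_EXTENSION));
    if ($extension === '' || in_array($extension, $notTrusted, true)) {
        $newName = $nospaces . $suffix;
    }
    return $newName;
}

// Constructed sample names: trusted, spaced, untrusted, upper-case, no extension.
foreach (['photo.png', 'my notes.txt', 'script.php', 'shell.PHP', 'README'] as $name) {
    printf("%-14s posted: %-22s fixed: %s\n",
        $name,
        renameAsPosted($name, $notTrusted, $suffix) ?? '(unchanged)',
        renameFixed($name, $notTrusted, $suffix) ?? '(unchanged)');
}
```

Comparing the variable directly (for example `$extention === ''`) instead of wrapping it in empty() would have made PHP report the undefined variable, which is why this kind of typo is easy to miss inside empty() or isset().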