Merge pull request #35 from jclariviere/whitelist

Add a whitelist mode, should work?
2018-03-16 16:21:05 +01:00 · 2018-03-16 16:21:05 +01:00 · 4e4aef01ce
parent a0a021be60 7bc98e8852
commit 4e4aef01ce
2 changed files with 26 additions and 18 deletions
--- a/includes/config.template.php
+++ b/includes/config.template.php
@ -15,7 +15,11 @@ define("CONFIG_MAX_RETENTION_TIME", "60");
 define("CONFIG_MAX_RETENTION_TEXT", "1 hour");
 //Length of the random chain appended to the filename
 define("CONFIG_RANDOM_LENGTH", "12");
-//This is the list of blocked extensions, you can remove extensions or add to this list as you like
-define ("CONFIG_BLOCKED_EXTENSIONS", serialize(array("exe", "scr", "rar", "zip", "com", "vbs", "bat", "cmd", "html", "htm", "msi", "php", "php5")));
+//Operate on a BLACKLIST or a WHITELIST when blocking file extensions
+define("CONFIG_EXTENSION_BLOCKING_MODE", "BLACKLIST");
+//This is the list of blocked extensions in BLACKLIST mode (default mode), you can remove extensions or add to this list as you like
+define("CONFIG_BLOCKED_EXTENSIONS", serialize(array("exe", "scr", "rar", "zip", "com", "vbs", "bat", "cmd", "html", "htm", "msi", "php", "php5")));
+//This is the list of allowed extensions in WHITELIST mode, you can remove extensions or add to this list as you like
+define("CONFIG_ALLOWED_EXTENSIONS", serialize(array("txt", "pdf")));
 //https://wiki.gentoo.org/wiki/Handbook to set this string correctly, or just ignore it
 define("VERYLO_NG_STRING_THATDOESNTREALLYD_O_ANYTHING", "ok");
--- a/includes/core.php
+++ b/includes/core.php
@ -9,14 +9,7 @@ function save_file ($file, $name, $arg, $type){
        case 'random':
            $ext = pathinfo($file.$name, PATHINFO_EXTENSION);
            $ext = strtolower($ext);
-            if(in_array($ext, unserialize(CONFIG_BLOCKED_EXTENSIONS))){
-              if($type==='normal'){
-                include_once(CONFIG_ROOT_PATH.'error_meow.php');
-                exit(0);
-              }else{
-                exit('File type not allowed.');
-              }
-            }
+            verify_extension($ext, $type);
            $file_name = gen_name('random', $ext);
            while(file_exists(CONFIG_FILES_PATH.$file_name)){
              $file_name = gen_name('random', $ext);
@ -28,14 +21,7 @@ function save_file ($file, $name, $arg, $type){
                $file_name = gen_name('custom_original', $name);
                $ext = pathinfo($file_name, PATHINFO_EXTENSION);
                $ext = strtolower($ext);
-                if(in_array($ext, unserialize(CONFIG_BLOCKED_EXTENSIONS))){
-                 if($type==='normal'){
-                   include_once(CONFIG_ROOT_PATH.'error_meow.php');
-                   exit(0);
-                 }else{
-                   exit('File type not allowed.');
-                 }
-                }
+                verify_extension($ext, $type);
            while(file_exists(CONFIG_FILES_PATH.$file_name)){
                $file_name = gen_name('custom_original', $name);
            }
@ -76,3 +62,21 @@ function gen_name($arg, $in){
            break;
    }
 }
+
+//Verify that the extension is allowed
+function verify_extension($ext, $type){
+    if(CONFIG_EXTENSION_BLOCKING_MODE === "WHITELIST") {
+        $allowed = in_array($ext, unserialize(CONFIG_ALLOWED_EXTENSIONS));
+    }else{
+        $allowed = !in_array($ext, unserialize(CONFIG_BLOCKED_EXTENSIONS));
+    }
+
+    if(!$allowed){
+        if($type==='normal'){
+            include_once(CONFIG_ROOT_PATH.'error_meow.php');
+            exit(0);
+        }else{
+            exit('File type not allowed.');
+        }
+    }
+}