/[drupal]/contributions/modules/attachment/attachment.module

Diff of /contributions/modules/attachment/attachment.module


revision 1.16, Wed Sep 27 18:31:25 2006 UTC revision 1.17, Thu Sep 28 09:59:31 2006 UTC
# Line 1  Line 1 
1  <?php  <?php
2  // $Id: attachment.module,v 1.15 2006/09/14 06:24:47 drewish Exp $  // $Id: attachment.module,v 1.16 2006/09/27 18:31:25 robertDouglass Exp $
3    
4  define(ATTACHMENT_EXTENSION_WHITELIST, variable_get('attachment_text_rename_whitelist', 'jpg jpeg gif png tiff txt html doc xls pdf ppt pps odt mp3 ogg wav wmv mpg'));  define(ATTACHMENT_EXTENSION_WHITELIST, variable_get('attachment_text_rename_whitelist', 'jpg jpeg gif png tiff txt html doc xls pdf ppt pps odt mp3 ogg wav wmv mpg'));
5    
# Line 256  function theme_attachment_form($form) { Line 256  function theme_attachment_form($form) {
256  }  }
257    
258  /**  /**
259     * Munge the filename as needed for security purposes. Protects site from having
260     * attacments executed as scripts.
261     *
262     * @param object $file
263     *   The $file object as obtained by file_check_upload('attachment_file');
264     */
265    function attachment_munge_file(&$file) {
266      $whitelist = array_unique(split(' +', ATTACHMENT_EXTENSION_WHITELIST));
267      $filename_parts = explode('.', $file->filename);
268      $new_filename = array_shift($filename_parts); // Remove file basename.
269      $final_extension = array_pop($filename_parts); // Remove final extension.
270    
271      foreach($filename_parts as $filename_part) {
272        $new_filename .= ".$filename_part";
273        if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
274          $new_filename .= '_';
275        }
276      }
277    
278      $file->filename = "$new_filename.$final_extension";
279      if ($final_extension == 'txt') {
280        $file->filemime = 'text/plain';
281      }
282    }
283    
284    /**
285   * Callback function to add an attachment to a node being edited.   * Callback function to add an attachment to a node being edited.
286   */   */
287  function attachment_add(&$node) {  function attachment_add(&$node) {
# Line 265  function attachment_add(&$node) { Line 291  function attachment_add(&$node) {
291      return $node;      return $node;
292    }    }
293    
294    // Rename possibly executable scripts to prevent accidental execution.    // protect from uploaded files being executed as scripts
295    // Uploaded files are attachments and should be shown in their original    attachment_munge_file($file);
296    // form, rather than run.  
   $rename_extentions = split(' +', ATTACHMENT_EXTENSION_WHITELIST);  
   $extension = substr(strrchr($file->filename, "."), 1);  
   if (!in_array($extension, $rename_extentions)) {  
     $file->filename .= '.txt';  
     $file->filemime = 'text/plain';  
   }  
297    $new_attachment['fid'] = FALSE;    $new_attachment['fid'] = FALSE;
298    $new_attachment['filename'] = $file->filename;    $new_attachment['filename'] = $file->filename;
299    $new_attachment['deleted'] = FALSE;    $new_attachment['deleted'] = FALSE;
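Review bot: The new `attachment_munge_file` never compares the final extension against the whitelist — after `$final_extension = array_pop($filename_parts)` it is reattached unchanged in `$file->filename = "$new_filename.$final_extension"`, so the removed fallback in `attachment_add` (old lines 295–300, appending `.txt` and setting `text/plain` when the last extension is not whitelisted) is lost, and a file whose last extension is a script extension keeps it unless that is validated somewhere outside these hunks. Since `$whitelist` is already built in the function, the fallback fits in one line after the `array_pop`: `if (!in_array($final_extension, $whitelist)) { $filename_parts[] = $final_extension; $final_extension = 'txt'; }`, which also routes through the existing `== 'txt'` branch for the MIME type. A filename without any dot leaves `$filename_parts` empty, so `array_pop()` returns null and the result gets a trailing dot; guard that case right after the `explode`, e.g. `if (!$filename_parts) { $file->filename .= '.txt'; $file->filemime = 'text/plain'; return; }`, which matches what the old code did for such names. The docblock has a typo, `attacments` → `attachments`. `attachment_munge_file` lies wholly inside the hunk; `attachment_add` continues past the hunk's last line.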
