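<?php

/**
 * @package     Joomla.Administrator
 * @subpackage  com_templates
 *
 * @copyright   (C) 2017 Open Source Matters, Inc. <https://www.joomla.org>
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */

namespace Joomla\Component\Templates\Administrator\Helper;

use Joomla\CMS\Component\ComponentHelper;
use Joomla\CMS\Factory;
use Joomla\CMS\Filesystem\File;
use Joomla\CMS\Language\Text;

// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects

/**
 * Template Helper class.
 *
 * @since  3.2
 */
abstract class TemplateHelper
{
    /**
     * Extensions that must never appear as any dot-separated part of an uploaded
     * file name that has more than one dot (e.g. "image.phtml.png"), regardless of
     * the formats configured for the component.
     *
     * @var    string[]
     * @since  __DEPLOY_VERSION__
     */
    private const EXECUTABLE_EXTENSIONS = [
        'exe', 'phtml', 'java', 'perl', 'py', 'asp', 'dll', 'go', 'jar',
        'ade', 'adp', 'bat', 'chm', 'cmd', 'com', 'cpl', 'hta', 'ins', 'isp',
        'jse', 'lib', 'mde', 'msc', 'msp', 'mst', 'pif', 'scr', 'sct', 'shb',
        'sys', 'vb', 'vbe', 'vbs', 'vxd', 'wsc', 'wsf', 'wsh',
    ];

    /**
     * HTML tag names looked for in the first bytes of an upload. A match rejects the
     * file. This is a fixed-list heuristic, not an HTML parser.
     *
     * @var    string[]
     * @since  __DEPLOY_VERSION__
     */
    private const HTML_TAGS = [
        'abbr', 'acronym', 'address', 'applet', 'area', 'audioscope', 'base', 'basefont', 'bdo', 'bgsound', 'big', 'blackface', 'blink', 'blockquote',
        'body', 'bq', 'br', 'button', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'comment', 'custom', 'dd', 'del', 'dfn', 'dir', 'div',
        'dl', 'dt', 'em', 'embed', 'fieldset', 'fn', 'font', 'form', 'frame', 'frameset', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'hr', 'html',
        'iframe', 'ilayer', 'img', 'input', 'ins', 'isindex', 'keygen', 'kbd', 'label', 'layer', 'legend', 'li', 'limittext', 'link', 'listing',
        'map', 'marquee', 'menu', 'meta', 'multicol', 'nobr', 'noembed', 'noframes', 'noscript', 'nosmartquotes', 'object', 'ol', 'optgroup', 'option',
        'param', 'plaintext', 'pre', 'rt', 'ruby', 's', 'samp', 'script', 'select', 'server', 'shadow', 'sidebar', 'small', 'spacer', 'span', 'strike',
        'strong', 'style', 'sub', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'title', 'tr', 'tt', 'ul', 'var', 'wbr', 'xml',
        'xmp', '!DOCTYPE', '!--',
    ];

    /**
     * Number of leading bytes of an upload that are scanned for HTML tags.
     *
     * @var    integer
     * @since  __DEPLOY_VERSION__
     */
    private const CONTENT_SNIFF_BYTES = 256;

    /**
     * Returns the lower-cased extension of a file name; used to pick a type icon.
     *
     * @param   string  $fileName  The file name
     *
     * @return  string  The extension without the dot, or an empty string when the name has no dot
     *
     * @since   3.2
     */
    public static function getTypeIcon($fileName): string
    {
        $dotPosition = strrpos((string) $fileName, '.');

        // strrpos() returns false when there is no dot; without this guard the
        // arithmetic below would yield the name minus its first character.
        if ($dotPosition === false) {
            return '';
        }

        return strtolower(substr((string) $fileName, $dotPosition + 1));
    }

    /**
     * Checks if the file can be uploaded.
     *
     * Validates, in order: that a name is present, that no executable extension is
     * buried in a multi-dot name, that the name is already "safe" and contains no
     * whitespace, that the final extension is one of the configured image/source/
     * font/archive formats, that every entry of an archive upload also has an allowed
     * extension, that the size is within the configured limit, and that the first
     * bytes of the file do not look like HTML. Each failure is reported to the
     * application as an error message and the method returns false.
     *
     * @param   array   $file  File information (name, tmp_name, size as in $_FILES)
     * @param   string  $err   Unused; retained for backward compatibility with existing callers
     *
     * @return  boolean  True when every check passes
     *
     * @since   3.2
     */
    public static function canUpload($file, $err = ''): bool
    {
        $params = ComponentHelper::getParams('com_templates');

        if (empty($file['name'])) {
            return self::reject('COM_TEMPLATES_ERROR_UPLOAD_INPUT');
        }

        $name    = (string) $file['name'];
        $tmpName = (string) ($file['tmp_name'] ?? '');

        // Media file names should never have executable extensions buried in them.
        // Only names with more than one dot are inspected here; a single-dot name is
        // covered by the allowed-format check further down. Parts are compared
        // lower-cased so the check agrees with the case-insensitive extension check.
        $nameParts = explode('.', $name);

        if (count($nameParts) > 2) {
            foreach ($nameParts as $part) {
                if (in_array(strtolower($part), self::EXECUTABLE_EXTENSIONS, true)) {
                    return self::reject('COM_TEMPLATES_ERROR_EXECUTABLE');
                }
            }
        }

        // The name must already be in its sanitised form and contain no whitespace.
        $safeName = File::makeSafe($name);

        if ($name !== $safeName || preg_match('/\s/', $safeName)) {
            return self::reject('COM_TEMPLATES_ERROR_WARNFILENAME');
        }

        $format = strtolower(File::getExt($name));

        $imageTypes   = self::normaliseFormats($params->get('image_formats'));
        $sourceTypes  = self::normaliseFormats($params->get('source_formats'));
        $fontTypes    = self::normaliseFormats($params->get('font_formats'));
        $archiveTypes = self::normaliseFormats($params->get('compressed_formats'));

        $allowable = array_merge($imageTypes, $sourceTypes, $fontTypes, $archiveTypes);

        if ($format === '' || !in_array($format, $allowable, true)) {
            return self::reject('COM_TEMPLATES_ERROR_WARNFILETYPE');
        }

        if (in_array($format, $archiveTypes, true)) {
            $zip = new \ZipArchive();

            if ($zip->open($tmpName) !== true) {
                return self::reject('COM_TEMPLATES_FILE_ARCHIVE_OPEN_FAIL');
            }

            try {
                for ($i = 0; $i < $zip->numFiles; $i++) {
                    // getNameIndex() returns false on failure; the cast turns that into
                    // an empty name, which has no allowed extension and is rejected.
                    $entry = (string) $zip->getNameIndex($i);

                    // Directory entries end in '/' inside a zip whatever the host OS;
                    // comparing against DIRECTORY_SEPARATOR would misclassify them on Windows.
                    if (substr($entry, -1) === '/') {
                        continue;
                    }

                    // Only the extension of each entry is validated here; entry paths are
                    // not inspected by this method.
                    $entryParts = explode('.', $entry);
                    $entryExt   = strtolower((string) end($entryParts));

                    if (!in_array($entryExt, $allowable, true)) {
                        return self::reject('COM_TEMPLATES_FILE_UNSUPPORTED_ARCHIVE');
                    }
                }
            } finally {
                $zip->close();
            }
        }

        // Upload limit is configured in megabytes; a value of 0 disables the size check.
        $maxSize = (int) ($params->get('upload_limit') * 1024 * 1024);

        if ($maxSize > 0 && (int) ($file['size'] ?? 0) > $maxSize) {
            return self::reject('COM_TEMPLATES_ERROR_WARNFILETOOLARGE');
        }

        // Sniff the leading bytes for HTML. The offset must be 0: since PHP 7.1 a
        // negative offset counts from the end of the file, so an offset of -1 would
        // inspect only the final byte.
        $head = file_get_contents($tmpName, false, null, 0, self::CONTENT_SNIFF_BYTES);

        if ($head === false) {
            // An unreadable temporary file is treated as a failed upload rather than
            // silently passing the content check. No dedicated language key exists
            // for this case, so the generic upload-input message is reused.
            return self::reject('COM_TEMPLATES_ERROR_UPLOAD_INPUT');
        }

        foreach (self::HTML_TAGS as $tag) {
            // A tag is '<tagname ' or '<tagname>'
            if (stristr($head, '<' . $tag . ' ') !== false || stristr($head, '<' . $tag . '>') !== false) {
                return self::reject('COM_TEMPLATES_ERROR_WARNIEXSS');
            }
        }

        return true;
    }

    /**
     * Splits a comma separated list of extensions from the component configuration
     * into lower-cased, trimmed, non-empty values. Dropping empty values matters:
     * an empty entry would otherwise make an archive entry with an empty extension
     * (e.g. "name.") pass the allowed-extension check.
     *
     * @param   mixed  $configured  Raw parameter value (comma separated string or null)
     *
     * @return  string[]
     *
     * @since   __DEPLOY_VERSION__
     */
    private static function normaliseFormats($configured): array
    {
        $formats = array_map(
            static function ($extension) {
                return strtolower(trim((string) $extension));
            },
            explode(',', (string) $configured)
        );

        return array_values(array_filter(
            $formats,
            static function ($extension) {
                return $extension !== '';
            }
        ));
    }

    /**
     * Enqueues a translated error message on the application and returns false.
     *
     * @param   string  $languageKey  Language constant of the message to enqueue
     *
     * @return  boolean  Always false, so callers can `return self::reject(...)`
     *
     * @since   __DEPLOY_VERSION__
     */
    private static function reject(string $languageKey): bool
    {
        Factory::getApplication()->enqueueMessage(Text::_($languageKey), 'error');

        return false;
    }
}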