@jcanning wrote:
I was not able to find a method inside OJS to block specific file types from being uploaded. OJS has the ability to upload any file type to an article, and we kept getting hacked as they were able to upload a .phtml file to the article and then use this file to overwrite the index.php file. I came up with the below solution to stop .phtml files from being uploaded. You can modify this to block any file type or more than one.
From the following file, the lines in red were added to block the .phtml file from being uploaded. This same script can be used in the future to block other file types if required.
/public_html/lib/pkp/classes/file/FileManager.inc.php
Find the section below and add the lines in red in the same spots or copy and replace the whole function:
```php
/**
 * Upload a file.
 * @param $fileName string the name of the file used in the POST form
 * @param $dest string the path where the file is to be saved
 * @return boolean returns true if successful
 */
function uploadFile($fileName, $destFileName) {
	$destDir = dirname($destFileName);

	// The $_FILES entry must exist before its name is read below
	if (!isset($_FILES[$fileName])) return false;

	// ADDED: get the file extension from the uploaded file's name
	// (end() needs a real variable; lower-cased so .PHTML is caught too)
	$name = $_FILES[$fileName]['name'];
	$parts = explode('.', $name);
	$ext = strtolower(end($parts));

	if (!$this->fileExists($destDir, 'dir')) {
		// Try to create the destination directory
		$this->mkdirtree($destDir);
	}

	// ADDED: block phtml files
	if ($ext == 'phtml') return false;
	// ADDED: to block more than one file type use
	// if ($ext == 'phtml' || $ext == 'php') return false;

	if (move_uploaded_file($_FILES[$fileName]['tmp_name'], $destFileName))
		return $this->setMode($destFileName, FILE_MODE_MASK);
	return false;
}
```
I also secured the root public_html to only allow read and execute, as there was no need to allow writes to the root of this folder.
I hope someone else finds this useful.
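A generalisation of the extension check in the post, added here as an illustration; it is not part of @jcanning's post or of OJS itself. It keeps the same idea (reject the upload based on the name in `$_FILES[...]['name']`) but also catches upper-case extensions, inner extensions such as `shell.phtml.jpg` (which Apache's mod_mime may still hand to a PHP handler), dotfiles and trailing dots. The function name, the constant and the sample filenames are assumptions made for this example.

```php
<?php
// Added example, not OJS code. Names, the denylist and the sample filenames
// below are assumptions for illustration.

// Extensions a web server may hand to a PHP interpreter (extend as needed).
const BLOCKED_UPLOAD_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'pht',
];

/**
 * Return true if $clientName (the value of $_FILES[...]['name']) should be rejected.
 *
 * Compared with a plain end(explode('.', $name)) == 'phtml' test this:
 *  - is case-insensitive, so "SHELL.PHTML" is caught;
 *  - checks every dot-separated segment after the first, so "shell.phtml.jpg"
 *    is caught as well;
 *  - works on the basename only, so "dir/../shell.php" is treated as "shell.php";
 *  - strips trailing dots/whitespace, so "shell.phtml." is caught.
 */
function isBlockedUploadName(string $clientName, array $blocked = BLOCKED_UPLOAD_EXTENSIONS): bool
{
    // Normalise: basename only (either separator), trailing dots/spaces removed, lower-case.
    $name = strtolower(rtrim(basename(str_replace('\\', '/', $clientName)), ". \t\r\n"));

    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return false; // no extension at all (e.g. "README")
    }

    // Every segment after the first is a candidate extension.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, $blocked, true)) {
            return true;
        }
    }
    return false;
}

// Constructed self-test with made-up filenames (not real upload data).
// Run with: php upload_filter.php
$cases = [
    'paper.pdf'         => false,
    'shell.phtml'       => true,
    'SHELL.PHTML'       => true,
    'shell.phtml.jpg'   => true,
    'shell.phtml.'      => true,
    'dir/../shell.php'  => true,
    '.phtml'            => true,
    'php.jpg'           => false,
    'notes.php.txt'     => true,
    'README'            => false,
];
foreach ($cases as $name => $expected) {
    $got = isBlockedUploadName($name);
    printf("%-20s %s\n", $name, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Inside `uploadFile()` the call would replace the `$ext == 'phtml'` line: `if (isBlockedUploadName($_FILES[$fileName]['name'])) return false;`. Note that this still inspects only the client-supplied name, so it is a complement to, not a substitute for, keeping the files directory outside the web root or configuring the web server not to execute scripts from it.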