
Upload files need some restrictions



Mohamed Alsemany (Member)

Posted 21 February 2012 - 23:40 PM

I think the upload field function needs some restrictions.
The user can upload any kind of file, so he can easily upload a PHP shell!!

I'm not sure if someone else knows that, but I would just like to find some extension restrictions in the next version.

My greetings

web-johnny (Administrator, 1,166 posts)

Posted 22 February 2012 - 00:16 AM

Yes, I already know this issue and I have already changed the uploader to a brand new one for the next version. You will also be able to choose which files the user will be able to upload.

Of course by default the user will not be able to upload php or other system files.

Mohamed Alsemany (Member)

Posted 22 February 2012 - 02:55 AM

Thanks Jonny
I appreciate your work

Eliel (Member)

Posted 29 February 2012 - 03:33 AM

[quote name='Mohamed Alsemany' timestamp='1329867649' post='566']
I think the upload field function needs some restrictions.
The user can upload any kind of file, so he can easily upload a PHP shell!!

I'm not sure if someone else knows that, but I would just like to find some extension restrictions in the next version.

My greetings
[/quote]

Hey, I was thinking the same and googled for a solution and found this thread. Not sure if you've figured it out already or not, but the current file uploader used (v1.1.8) has a built-in restriction based on file extension, albeit not the most secure, but it should be of use for the time being.

To achieve this you simply need to add the following to your configuration file:

allowedExtensions: ['jpg', 'jpeg', 'png', 'gif']


The file uploader configuration used is located at: assets/grocery_crud/js/other/fileuploader.config.js

So it should look similar to:

$(function(){
    $('.grocery-crud-uploader').each(function(){
        var uploader_id = $(this).attr('id');
        var unique_id   = $(this).attr('rel');
        var field_name  = $('#hidden_'+unique_id).attr('name');
        var upload_url  = $('#url_'+unique_id).attr('href');
        var delete_url  = $('#delete_url_'+unique_id).attr('href');

        var uploader = new qq.FileUploader({
            element: document.getElementById(uploader_id),
            action: upload_url,

            // Allowed extensions (checked in the browser before the upload starts)
            allowedExtensions: ['jpg', 'jpeg', 'png', 'gif'],

            onComplete: function(id, fileName, responseJSON){
                $('#file_'+unique_id).html(responseJSON.file_name);
                $('#file_'+unique_id).attr('href', responseJSON.full_url);
                $('#hidden_'+unique_id).val(responseJSON.file_name);
                $('#'+uploader_id).hide();
                $('#success_'+unique_id).fadeIn('slow');
                $('#delete_url_'+unique_id).attr('rel', responseJSON.file_name);
            },
            // etc
        });
    });
});


If for some reason it still doesn't work you might want to try replacing the fileuploader.js file with: https://raw.github.c...fileuploader.js

For more info on the file uploader: https://github.com/v...s/file-uploader

web-johnny (Administrator, 1,166 posts)

Posted 29 February 2012 - 07:26 AM

Thank you @Eliel for your post, because I think it is a workaround for the users till the new version.

Also I want to mention that this task (with both client-side [Javascript] and server-side [PHP] validation) is done. Whoever wants to download it, just download the latest trunk version from github (you can see how at: http://www.grocerycr...indpost__p__356 ).
Take a taste of how the config file of grocery CRUD looks right now:


...
$config['grocery_crud_file_upload_allow_file_types'] = 'gif|jpeg|jpg|png|tiff|doc|docx|txt|odt|xls|xlsx|pdf|ppt|pptx|pps|ppsx|mp3|m4a|ogg|wav|mp4|m4v|mov|wmv|avi|mpg|ogv|3gp|3g2';
$config['grocery_crud_file_upload_max_file_size'] = '20MB'; //ex. '10MB' (Mega Bytes), '1067KB' (Kilo Bytes), '5000B' (Bytes)
...


Thanks again
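As an added example (not grocery CRUD's own code), here is what the server side of that validation has to do with the two config values above: parse the pipe-delimited type list and the size string, then accept or reject an upload by its final extension and its size, so that a browser-side allowedExtensions list is not the only gate. The function names and the sample file names are constructed for this illustration.

```php
<?php
// Added example, not grocery CRUD's own code: server-side checks that mirror the
// two config values above. Function names and sample inputs are constructed.

// Same pipe-delimited format as $config['grocery_crud_file_upload_allow_file_types'].
function parse_allowed_types(string $list): array
{
    // Lowercase the whitelist so the comparison below is case-insensitive.
    return array_map('strtolower', array_filter(explode('|', $list)));
}

// Same format as $config['grocery_crud_file_upload_max_file_size']: '20MB', '1067KB', '5000B'.
function parse_max_size(string $limit): int
{
    if (!preg_match('/^(\d+)\s*(MB|KB|B)$/i', trim($limit), $m)) {
        throw new InvalidArgumentException("Unrecognised size limit: $limit");
    }
    $mult = ['B' => 1, 'KB' => 1024, 'MB' => 1024 * 1024];
    return (int) $m[1] * $mult[strtoupper($m[2])];
}

// Returns null when the upload is acceptable, otherwise the reason for rejecting it.
function validate_upload(string $client_name, int $size_bytes, array $allowed, int $max_bytes): ?string
{
    // Keep only the basename: a client-supplied name must never carry a path.
    $name = basename(str_replace('\\', '/', $client_name));
    if ($name === '' || strpos($name, "\0") !== false) {
        return 'invalid file name';
    }
    // Whitelist on the final extension, lowercased: 'Shell.PHP' and a name
    // with no extension at all are both rejected.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return "extension '$ext' is not in the allowed list";
    }
    if ($size_bytes <= 0 || $size_bytes > $max_bytes) {
        return 'file size is outside the configured limit';
    }
    return null;
}

// Constructed sample run using the values from the config above.
$allowed = parse_allowed_types('gif|jpeg|jpg|png|tiff|doc|docx|txt|odt|xls|xlsx|pdf');
$max = parse_max_size('20MB');
$samples = [['photo.JPG', 150000], ['shell.php', 2048], ['../notes.pdf', 900], ['big.png', 30 * 1024 * 1024]];
foreach ($samples as [$name, $size]) {
    echo $name, ': ', validate_upload($name, $size, $allowed, $max) ?? 'accepted', PHP_EOL;
}
```

The check runs on the name and size the server receives, independently of anything the uploader script enforced in the browser.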

Amit Shah (Member)

Posted 22 May 2013 - 23:26 PM

Well, that thing is way too generic for allowing users to configure in the config file. What if for a function I want a user to upload only images and for another, I want the user to upload only pdf files and so on? This will be an issue with the same.

I got a simpler and easier way to incorporate this feature: a tweak inside the grocery crud library itself.

In

    class grocery_CRUD extends grocery_CRUD_States {
        ......

add a new protected variable:

        protected $allowed_types = null;

then add a new function:

        function set_allowed_types($types) {
            $this->allowed_types = $types;
        }

This will allow the user to define at runtime which file types should be allowed and which not.

And in function _initialize_variables(), replace the following code:

        $this->config->file_upload_allow_file_types = $ci->config->item('grocery_crud_file_upload_allow_file_types');

with:

        if (is_null($this->allowed_types))
            $this->config->file_upload_allow_file_types = $ci->config->item('grocery_crud_file_upload_allow_file_types');
        else
            $this->config->file_upload_allow_file_types = $this->allowed_types;

This should do it. It worked out for me very well.

 

I think this should be added as part of the grocery crud library itself, so it will be very convenient and flexible for the developers to adopt this easy workaround.


davidoster (Member)

Posted 23 May 2013 - 03:46 AM

Well @amit shah,

This might be easier for you but it is not the recommended approach.

Why don't you post it under the /forum/8-extra-coding-plugins/

or make a pull request for the development version under https://github.com/scoumbourdis/grocery-crud ?

This way we will all benefit from it!

 

P.S. The only thing that troubles me is if it conflicts with the session variables somehow... @web-johnny will be able to enlighten us on this issue.