Allowed extensions
authorJakub Vrana <jakub@vrana.cz>
Mon, 10 Oct 2011 06:28:18 +0000 (23:28 -0700)
committerJakub Vrana <jakub@vrana.cz>
Mon, 10 Oct 2011 06:28:18 +0000 (23:28 -0700)
plugins/file-upload.php

index 831a343afcfce88b8bfe4e69bcdf13f9e8ad2451..b07cf2bf446decbbdcd1de44f932b66d0c34863b 100644 (file)
@@ -1,4 +1,5 @@
 <?php
+//! delete
 
 /** Edit fields ending with "_path" by <input type="file"> and link to the uploaded files from select
 * @author Jakub Vrana, http://www.vrana.cz/
@@ -7,15 +8,17 @@
 */
 class AdminerFileUpload {
        /** @access protected */
-       var $uploadPath, $displayPath;
+       var $uploadPath, $displayPath, $extensions;
        
        /**
        * @param string prefix for uploading data (create writable subdirectory for each table containing uploadable fields)
        * @param string prefix for displaying data, null stands for $uploadPath
+       * @param string regular expression with allowed file extensions
        */
-       function AdminerFileUpload($uploadPath = "../static/data/", $displayPath = null) {
+       function AdminerFileUpload($uploadPath = "../static/data/", $displayPath = null, $extensions = "[a-zA-Z0-9]+") {
                $this->uploadPath = $uploadPath;
                $this->displayPath = (isset($displayPath) ? $displayPath : $uploadPath);
+               $this->extensions = $extensions;
        }
        
        function editInput($table, $field, $attrs, $value) {
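Review bot: The default `$extensions = "[a-zA-Z0-9]+"` on the new constructor line still allows every alphanumeric extension, so the allowlist restricts nothing unless the caller passes one. Files are stored under `$uploadPath` (default `../static/data/`), which the class links to for display, so extensions the web server would execute are worth excluding. The added `@param` line should state this and show the expected form, for example `* @param string regular expression with allowed file extensions, e.g. "jpg|png|gif" (default accepts any alphanumeric extension)`. The value is interpolated unescaped into the pattern in the upload check, so it should also be documented as trusted configuration rather than request data. The class body continues outside the hunk.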
@@ -28,7 +31,7 @@ class AdminerFileUpload {
                if (ereg('(.*)_path$', $field["field"], $regs)) {
                        $table = ($_GET["edit"] != "" ? $_GET["edit"] : $_GET["select"]);
                        $name = "fields-$field[field]";
-                       if ($_FILES[$name]["error"] || !eregi('(\\.([a-z0-9]+))?$', $_FILES[$name]["name"], $regs2)) {
+                       if ($_FILES[$name]["error"] || !ereg("(\\.($this->extensions))?\$", $_FILES[$name]["name"], $regs2)) {
                                return false;
                        }
                        //! unlink old
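Review bot: The `ereg` test on the changed line can never reject a filename by extension, because the whole `(\\.(...))?` group is optional and an empty match at `$` always succeeds. `return false` is therefore reached only on an upload error, and a name whose extension is outside `$this->extensions` passes with an empty `$regs2[0]`. If rejection is intended, make the group mandatory (`"\\.($this->extensions)\$"`, which also refuses names with no extension) or check `$regs2[2]` explicitly after the match. If dropping the extension is the intended behaviour, a comment should say so, since the code that consumes `$regs2` lies after the hunk. The change from `eregi` to `ereg` also makes a custom list such as `jpg|png` case-sensitive, which the `@param` text should mention.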