From: Jakub Vrana
Date: Mon, 10 Oct 2011 06:28:18 +0000 (-0700)
Subject: Allowed extensions
X-Git-Tag: v3.3.4~32
X-Git-Url: https://git.joonet.de/?a=commitdiff_plain;h=468644e2d8af59beb928da07341e0ac733642c20;p=adminer.git
Allowed extensions
---
diff --git a/plugins/file-upload.php b/plugins/file-upload.php
index 831a343a..b07cf2bf 100644
--- a/plugins/file-upload.php
+++ b/plugins/file-upload.php
@@ -1,4 +1,5 @@ and link to the uploaded files from select * @author Jakub Vrana, http://www.vrana.cz/
@@ -7,15 +8,17 @@
 */
 class AdminerFileUpload {
 /** @access protected */
- var $uploadPath, $displayPath;
+ var $uploadPath, $displayPath, $extensions;
 
 /**
 * @param string prefix for uploading data (create writable subdirectory for each table containing uploadable fields)
 * @param string prefix for displaying data, null stands for $uploadPath
+ * @param string regular expression with allowed file extensions
 */
- function AdminerFileUpload($uploadPath = "../static/data/", $displayPath = null) {
+ function AdminerFileUpload($uploadPath = "../static/data/", $displayPath = null, $extensions = "[a-zA-Z0-9]+") {
 $this->uploadPath = $uploadPath;
 $this->displayPath = (isset($displayPath) ? $displayPath : $uploadPath);
+ $this->extensions = $extensions;
 }
 
 function editInput($table, $field, $attrs, $value) {
@@ -28,7 +31,7 @@ class AdminerFileUpload {
 if (ereg('(.*)_path$', $field["field"], $regs)) {
 $table = ($_GET["edit"] != "" ? $_GET["edit"] : $_GET["select"]);
 $name = "fields-$field[field]";
- if ($_FILES[$name]["error"] || !eregi('(\\.([a-z0-9]+))?$', $_FILES[$name]["name"], $regs2)) {
+ if ($_FILES[$name]["error"] || !ereg("(\\.($this->extensions))?\$", $_FILES[$name]["name"], $regs2)) {
 return false;
 }
 //! unlink old
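Review bot: The new `ereg` call in the third hunk cannot reject any filename, because the whole `(\.(...))?` group is optional and the pattern is only anchored at the end, so `$this->extensions` never acts as a filter; it only decides whether `$regs2[1]` captures the extension, and if the lines after the hunk build the stored name from `$regs2` a disallowed extension is silently dropped rather than refused. Whichever behaviour is intended should be stated on the `@param` added in the second hunk, e.g. `* @param string regular expression with allowed file extensions; a file whose extension does not match is stored without it, not rejected` (or the check should be changed to actually return false). The default `[a-zA-Z0-9]+` still admits `php` and other server-executable extensions into a directory that is later served back via `$displayPath`, so deployments should pass an explicit allow-list such as `"jpg|jpeg|png|gif|pdf"` rather than rely on the default. The value is also interpolated raw into the pattern, so it must be a trusted regex fragment — a stray `)` or `|` from the caller changes the match. The enclosing method of the third hunk starts and ends outside it.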