Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/download/file.php24
-rw-r--r--phpBB/includes/functions_download.php23
2 files changed, 32 insertions, 15 deletions
diff --git a/phpBB/download/file.php b/phpBB/download/file.php
index 8108b0dee1..6dfa1d7297 100644
--- a/phpBB/download/file.php
+++ b/phpBB/download/file.php
@@ -318,26 +318,20 @@ else
// disallowed?
$extensions = $cache->obtain_attach_extensions($row['forum_id']);
-
- if ($attachments)
+ if ($attachment)
{
- // Remove attachments with disallowed extensions
- $new_ary = array();
- foreach ($attachments as $attach)
- {
- if (isset($extensions['_allowed_'][$attach['extension']]))
- {
- $new_ary[] = $attach;
- }
- }
-
- $attachments = $new_ary;
+ $ary = array($attachment);
+ }
+ else
+ {
+ $ary = &$attachments;
}
- if (($attachments && empty($attachments)) || ($attachment && !isset($extensions['_allowed_'][$attachment['extension']])))
+ if (!phpbb_check_attach_extensions($extensions, $ary))
{
send_status_line(404, 'Forbidden');
- trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $attachment['extension']));
+ $ext = ($attachment) ? $attachment['extension'] : $attachments[0]['extension'];
+ trigger_error(sprintf($user->lang['EXTENSION_DISABLED_AFTER_POSTING'], $ext));
}
}
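Review bot: The `$attachments[0]['extension']` read in the error branch runs after `phpbb_check_attach_extensions()` has already replaced `$attachments` with the filtered list through the `$ary = &$attachments` reference. On a false return that array is empty, so the lookup raises an undefined-offset notice and the EXTENSION_DISABLED_AFTER_POSTING message is formatted with a blank extension. Capture the value before the check instead, e.g. `$ext = ($attachment) ? $attachment['extension'] : (isset($attachments[0]) ? $attachments[0]['extension'] : '');` placed above the `if (!phpbb_check_attach_extensions($extensions, $ary))` line. Separately, the unchanged context line sends status 404 with the reason text 'Forbidden'; if a denial is intended, 403 would match the text. The enclosing `else` block starts and ends outside the hunk, so whether `$attachments` is always a 0-indexed list at this point is not visible.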
diff --git a/phpBB/includes/functions_download.php b/phpBB/includes/functions_download.php
index b01712357d..7d21147ab5 100644
--- a/phpBB/includes/functions_download.php
+++ b/phpBB/includes/functions_download.php
@@ -613,3 +613,26 @@ function phpbb_increment_downloads($db, $ids)
WHERE ' . $db->sql_in_set('attach_id', $ids);
$db->sql_query($sql);
}
+
+/**
+* Checks every attachment to see if it has an allowed extension
+*
+* @param array $extensions As generated by phpbb_cache_service::obtain_attach_extensions
+* @param array &$attachments An array of attachments to check
+*
+* @return bool Whether any of the attachments had allowed extensions
+*/
+function phpbb_check_attach_extensions($extensions, &$attachments)
+{
+ $new_ary = array();
+ foreach ($attachments as $attach)
+ {
+ if (isset($extensions['_allowed_'][$attach['extension']]))
+ {
+ $new_ary[] = $attach;
+ }
+ }
+
+ $attachments = $new_ary;
+ return !empty($attachments);
+}
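Review bot: The docblock does not say that the function rewrites `$attachments` in place, which is what a caller of this extension check most needs to know: disallowed entries are dropped from the caller's array and a false return leaves it empty. I would add a line such as `* Attachments with disallowed extensions are removed from $attachments; on a false return the array is empty.` and reword the summary, since the function returns true as soon as one entry survives rather than requiring every attachment to pass. Callers that go on to serve the list have to use the filtered array, not a copy taken before the call. The lookup uses `$attach['extension']` as stored; whether it is already normalised to match the `_allowed_` keys is not visible in this hunk.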