add validate on file extensions

Author: callcenter-magnus

build/MagnusBilling-current.tar.gz

@@ -294,4 +294,20 @@ public static function calculation_price($buyrate, $duration, $initblock, $incre
         $ratecost = $ratecost;
         return $ratecost;
     }
+
+    public static function valid_extension($filename, $allowed = [])
+    {
+        $ext = strtolower(CFileHelper::getExtension($filename));
+
+        if ( ! in_array($ext, $allowed)) {
+            echo json_encode([
+                'success' => false,
+                'errors'  => 'File error',
+            ]);
+            exit;
+        }
+
+        return $ext;
+
+    }
 }

protected/components/Util.php

@@ -436,6 +436,7 @@ public function actionImportLogo()
             } else {
                 $uploadfile = $uploaddir . 'logo_custom.png';
             }
+            $typefile = Util::valid_extension($_FILES["logo"]["name"], ['png']);
 
             move_uploaded_file($_FILES["logo"]["tmp_name"], $uploadfile);
         }
@@ -450,9 +451,9 @@ public function actionImportWallpapers()
     {
         if (isset($_FILES['wallpaper']['tmp_name']) && strlen($_FILES['wallpaper']['tmp_name']) > 3) {
 
-            $uploaddir  = "resources/images/wallpapers/";
-            $data       = explode('.', $_FILES["wallpaper"]["name"]);
-            $typefile   = array_pop($data);
+            $uploaddir = "resources/images/wallpapers/";
+            $typefile  = Util::valid_extension($_FILES["wallpaper"]["name"], ['jpg']);
+
             $uploadfile = $uploaddir . 'Customization.jpg';
             move_uploaded_file($_FILES["wallpaper"]["tmp_name"], $uploadfile);
         }
@@ -480,6 +481,8 @@ public function actionImportLoginBackground()
 
         if (isset($_FILES['loginbackground']['tmp_name']) && strlen($_FILES['loginbackground']['tmp_name']) > 3) {
 
+            $typefile = Util::valid_extension($_FILES["loginbackground"]["name"], ['jpg']);
+
             $uploadfile = 'resources/images/lock-screen-background.jpg';
             try {
                 move_uploaded_file($_FILES["loginbackground"]["tmp_name"], $uploadfile);