strip some tags

[uguu.git] / static / php / includes / Upload.class.php

diff --git a/static/php/includes/Upload.class.php b/static/php/includes/Upload.class.php
index 31bb2d1ab628f581900006111735d6cdb990d6a5..9fb5e0fd5be58943bf71f47690b55e3170d16858 100644 (file)
--- a/static/php/includes/Upload.class.php
+++ b/static/php/includes/Upload.class.php
@@ -28,12 +28,12 @@ class Upload
 {
 
     public static string $FILE_NAME;
-    public static string $FILE_EXTENSION;
+    public static mixed $FILE_EXTENSION;
     public static string $FILE_MIME;
     public static string $SHA1;
     public static string $NEW_NAME;
     public static string $NEW_NAME_FULL;
-    public static string $IP;
+    public static mixed $IP;
 
     public static string $FILE_SIZE;
     public static string $TEMP_FILE;
@@ -45,7 +45,7 @@ class Upload
         $files = self::diverseArray($files);
 
         foreach ($files as $file) {
-            self::$FILE_NAME = $file['name'];
+            self::$FILE_NAME = strip_tags($file['name']);
             self::$FILE_SIZE = $file['size'];
             self::$TEMP_FILE = $file['tmp_name'];
             self::$SHA1 = sha1_file(self::$TEMP_FILE);
@@ -80,7 +80,9 @@ class Upload
 
         if (Settings::$FILTER_MODE) {
             self::checkMimeBlacklist();
-            self::checkExtensionBlacklist();
+            if(!is_null(self::$FILE_EXTENSION)){
+                self::checkExtensionBlacklist();
+            }
         }
 
         if (Settings::$ANTI_DUPE) {
@@ -119,19 +121,37 @@ class Upload
         ];
     }
 
+    public static function getIP()
+    {
+        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
+            self::$IP = $_SERVER['HTTP_CLIENT_IP'];
+        }
+        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+            self::$IP = $_SERVER['HTTP_X_FORWARDED_FOR'];
+        }
+        if (!isset(self::$IP)) {
+            self::$IP = $_SERVER['REMOTE_ADDR'];
+        }
+    }
+
     public static function fileInfo()
     {
         if (isset($_FILES['files'])) {
             $finfo = finfo_open(FILEINFO_MIME_TYPE);
             self::$FILE_MIME = finfo_file($finfo, self::$TEMP_FILE);
-            $extension = explode('.', self::$FILE_NAME, 2);
-            self::$FILE_EXTENSION = $extension['1'];
             finfo_close($finfo);
 
+            $extension = explode('.', self::$FILE_NAME);
+            if(substr_count(self::$FILE_NAME, '.') > 0) {
+                self::$FILE_EXTENSION = $extension[count($extension)-1];
+            } else {
+                self::$FILE_EXTENSION = null;
+            }
+
             if (Settings::$LOG_IP) {
-                self::$IP = $_SERVER['REMOTE_ADDR'];
+                self::getIP();
             } else {
-                self::$IP = '0';
+                self::$IP = null;
             }
         }
     }
@@ -174,10 +194,12 @@ class Upload
                 self::$NEW_NAME .= Settings::$ID_CHARSET[mt_rand(0, strlen(Settings::$ID_CHARSET))];
             }
 
-            if (isset(self::$FILE_EXTENSION)) {
-                self::$NEW_NAME_FULL = self::$NEW_NAME;
+            self::$NEW_NAME_FULL = self::$NEW_NAME;
+
+            if (!is_null(self::$FILE_EXTENSION)) {
                 self::$NEW_NAME_FULL .= '.' . self::$FILE_EXTENSION;
             }
+
         } while (Database::dbCheckNameExists() > 0);
     }
 }
\ No newline at end of file