Refs #5103. Upload any file type: *, *.* or */*

Refs #5103. Upload any file type: , .* or /
af589236 · Carsten Rose · 2632c4a2 · af589236 · af589236 · af589236
Commit af589236 authored Mar 29, 2019 by Carsten Rose
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -3676,16 +3676,16 @@ See also `downloadButton`_ to offer a download of an uploaded file.
  * *accept* = `<mime type>,image/*,video/*,audio/*,.doc,.docx,.pdf`

    * List of mime types (also known as 'media types'): http://www.iana.org/assignments/media-types/media-types.xhtml
-    * If none is specified, 'application/pdf' is set. This forces that always (!) one type is specified.
-    * To allow any type, specify ``*`` or ``*.*``
+    * If none mime type is specified, 'application/pdf' is set. This forces that always (!) one type is specified.
+    * To allow any type, specify ``*`` or ``*/*`` or ``*.*``.
    * One or more media types might be specified, separated by ','.
    * Different browser respect the given definitions in different ways. Typically the 'file choose' dialog offer:

      * the specified mime type (some browers only show 'custom', if more than one mime type is given),
-      * the option 'All files' (the user is always free to **try** to upload other filetypes) - but the server won't accept them,
+      * the option 'All files' (the user is always free to **try** to upload other file types) - but the server won't accept them,
      * the 'file choose' dialog only offers files of the selected (in the dialog) type.

-    * If for a specific filetype is no mime type available, the definition of file extension(s) is possible. This is **less
+    * If for a specific file type is no mime type available, the definition of file extension(s) is possible. This is **less
      secure**, cause there is no *content* check on the server after the upload.

  * *maxFileSize* = `<size>` - max filesize in bytes (no unit), kilobytes (k/K) or megabytes (m/M) for an uploaded file.

--- a/extension/Source/core/AbstractBuildForm.php
+++ b/extension/Source/core/AbstractBuildForm.php
@@ -697,7 +697,7 @@ abstract class AbstractBuildForm {
                    $storeUse = str_replace(STORE_TABLE_DEFAULT, '', $storeUse); // Remove STORE_DEFAULT
                }
                // Retrieve value via FSRVD
-                $sanitizeClass=($mode == FORM_UPDATE) ? SANITIZE_ALLOW_ALL : $formElement[FE_CHECK_TYPE];
+                $sanitizeClass = ($mode == FORM_UPDATE) ? SANITIZE_ALLOW_ALL : $formElement[FE_CHECK_TYPE];
                $value = $this->store->getVar($name, $storeUse, $sanitizeClass, $foundInStore);
            }

@@ -3033,7 +3033,7 @@ abstract class AbstractBuildForm {
            $formElement[FE_FILE_MIME_TYPE_ACCEPT] = 'image/*';
        }

-        if ($formElement[FE_FILE_MIME_TYPE_ACCEPT] == '*' || $formElement[FE_FILE_MIME_TYPE_ACCEPT] == '*.*') {
+        if ($formElement[FE_FILE_MIME_TYPE_ACCEPT] == '*' || $formElement[FE_FILE_MIME_TYPE_ACCEPT] == '*.*' || $formElement[FE_FILE_MIME_TYPE_ACCEPT] == '*/*') {
            $formElement[FE_FILE_MIME_TYPE_ACCEPT] = '';
        }

@@ -3047,14 +3047,16 @@ abstract class AbstractBuildForm {
        $arr[CLIENT_PAGE_ID] = 'fake';
        $arr[EXISTING_PATH_FILE_NAME] = $value;
        $arr[FE_FILE_MIME_TYPE_ACCEPT] = $formElement[FE_FILE_MIME_TYPE_ACCEPT];
+
        // Check Safari Bug #5578: in case Safari (Mac OS X or iOS) loads an 'upload element' with more than one file type, fall back to 'no preselection'.
+        // Still do the file type check on the server side!
        if (strpos($formElement[FE_FILE_MIME_TYPE_ACCEPT], ',') !== false) {
            $ua = $this->store->getVar('HTTP_USER_AGENT', STORE_CLIENT, SANITIZE_ALLOW_ALNUMX);
            // Look for " Version/11.0 Mobile/15A5370a Safari/" or  " Version/9.0.2 Safari/"
            $rc = preg_match('; Version/.*Safari/;', $ua, $matches);
            // But not like " Version/4.0 Chrome/52.0.2743.98 Safari/"
            if ($rc == 1 && false === strpos($matches[0], ' Chrome/')) {
-                $formElement[FE_FILE_MIME_TYPE_ACCEPT] = '';
+                $formElement[FE_FILE_MIME_TYPE_ACCEPT] = ''; // This only fakes the upload dialog. But the server file type check is still active due to $arr[FE_FILE_MIME_TYPE_ACCEPT]
            }
        }


--- a/extension/Source/core/File.php
+++ b/extension/Source/core/File.php
@@ -138,10 +138,8 @@ class File {
        $this->checkMaxFileSize($statusUpload['size']);

        $accept = $this->store->getVar(FE_FILE_MIME_TYPE_ACCEPT, STORE_SIP);
-        if (!($accept == '' || $accept == '*.*' || $accept == '*')) {
-            if (!HelperFile::checkFileType($statusUpload['tmp_name'], $statusUpload['name'], $accept)) {
-                throw new UserFormException('Filetype not allowed. Allowed: ' . $accept, ERROR_UPLOAD_FILE_TYPE);
-            }
+        if ($accept != '' && !HelperFile::checkFileType($statusUpload['tmp_name'], $statusUpload['name'], $accept)) {
+            throw new UserFormException('Filetype not allowed. Allowed: ' . $accept, ERROR_UPLOAD_FILE_TYPE);
        }

        // rename uploaded file: ?.cached