[KevinM]

These code changes use vb's attachment permissions (extensions only) before inserting attachments into the database - so no more .scr files :squareeyed:

If the file extension is not set up in the 'Attachment Manager' 'Extensions and Sizes' section of the control panel then the attachment is ignored.

I have tested it on version 2.1.0. All changes are to 'gateway.php'. There are 6 additions or changes to the script to be made to 'gateway.php'.

Find

PHP Code:

require_once("global.php"); 


CHANGE it to:

PHP Code:

$specialtemplates = array(
    'attachmentcache'
);
require_once("global.php");
$attachtypes = unserialize($datastore['attachmentcache']); 


Find:

PHP Code:

function process_attachments ($date, $postid, $threadid) {
    global $message, $DB_site; 


AFTER it put:

PHP Code:

global $attachtypes; 


Find:

PHP Code:

$attachcount = 0; 


AFTER it put:

PHP Code:

$attaches = 0; 


Find:

PHP Code:

for ($i = 1; $i <= $message['attachments']; $i++) { 


AFTER it put:

PHP Code:

// now we check the file extension against the vb settings to check that it exists, and if it does, check it is enabled.
        $attachment_name2 = strtolower($message['attachment' . $i]['headers']['filename']);
                $extension = file_extension($attachment_name2);
        
    if (!$attachtypes["$extension"] OR !$attachtypes["$extension"]['enabled'])
    {
        // invalid extension
        logging($extension . " extensions are not accepted, as currently set up in the control panel \n");
    }
    else { 


Find:

PHP Code:

fclose($handle);
        unlink($tempfile); 


CHANGE to:

PHP Code:

$attaches++;
        fclose($handle);
        unlink($tempfile);
        } 


Find:

PHP Code:

$DB_site->query("UPDATE " . TABLE_PREFIX . "post 
    SET attach = attach + " . $attachcount . " WHERE postid = $postid");
    $DB_site->query("UPDATE " . TABLE_PREFIX . "thread
    SET attach = attach + " . $attachcount . " WHERE threadid = $threadid");
    logging("Inserted " . $attachcount . " attachment(s).");
} 


CHANGE to:

PHP Code:

$DB_site->query("UPDATE " . TABLE_PREFIX . "post 
    SET attach = attach + " . $attaches . " WHERE postid = $postid");
    $DB_site->query("UPDATE " . TABLE_PREFIX . "thread
    SET attach = attach + " . $attaches . " WHERE threadid = $threadid");
    logging("Inserted " . $attaches . " attachment(s)."); 


And that is it :nervous:

This script doesn't check against the maximum file size or image dimensions permissions, but it would be fairly easy to add on however I'm not sure of how useful this would be, as people posting to newsgroups would be unaware of your boards limits.