The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Help with is_uploaded_file
I am trying to make a hack here, which requires inserting something into $_FILES array even though it was not really posted. Of course, is_uploaded_file gives me false and the script does not work. Here it is:
PHP Code:
#2
The point is is_uploaded_file() is to verify that the user really did upload a file. Without it, the user can access arbitrary files on the system. I suggest using some other method of faking a file upload.
#3
Like what? Plus, using preg_replace and preg_match I could check that the file is really remote..
Or can files that are not normally accessible be opened via fopen?
#4
You can ruin the end user's experience if the remote file fails as well. http://blog.unitedheroes.net/archives/p/1630/ http://us2.php.net/manual/en/ref.curl.php The other issues I guess are related to trying to hook into the vB API to create an attachment? I'm not sure with the little code snippet you posted.
#5
Yeah, I was trying to hook into vb API to pseudo post an attachment from an URL.
So, there is no safe way to upload a remote file?
#6
I would take the snippets from the API to post the attachment and do the checks on your end. I don't know enough about all of your code to suggest more ATM, but you are close.
#7
Hmm... I don't have much experience on the part of reading and managing files...
What kind of exploits could there be? Or is that curl snippet safe enough? The code I posted is a slight variation of the one you can find in the vBulletin process_image_upload() function, which is used for uploading URL avatars. However, it has no is_uploaded_file check in there, unlike in attachments.
#8
I would say the curl snippet is very safe in comparison. But that is subjective of course. Are you pulling images? Does your code ask for a url and fetch the object on demand as opposed to an upload form?
#9
No, not necessarily images.
I am trying to enhance the attachment form with a URL upload instead of just an upload form. So that would be any files that have an acceptable extension (defined in vb admincp).
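One way to do the URL fetch that posts #2 and #4 point at, as an added example that is neither from this thread nor from vBulletin's own code: the remote file is pulled with curl into a temp file under the script's control, so nothing user-chosen ever lands in a `tmp_name`. The function name, `$allowedExtensions` (standing in for the admincp list) and the size cap are assumptions.

```php
<?php
// Added example (not from the thread or vBulletin). Why not forge a $_FILES entry:
// once is_uploaded_file() is skipped, a caller-controlled 'tmp_name' is trusted as
// an upload, which is exactly the local-file access post #2 warns about.
// Instead, the server fetches the URL itself and validates what it fetched.

function fetch_remote_attachment(string $url, array $allowedExtensions, int $maxBytes = 2097152): ?array
{
    // Only http(s). curl also speaks file://, ftp:// and more; allowing those
    // would reopen the same hole through a different door.
    $parts = parse_url($url);
    if ($parts === false || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // Extension allowlist, mirroring the admincp setting (assumed list).
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExtensions, true)) {
        return null;
    }
    // Note: blocking URLs that resolve to internal hosts (SSRF) is a separate check not shown here.

    $tmp = tempnam(sys_get_temp_dir(), 'att');   // path chosen by us, never by the user
    $fh  = fopen($tmp, 'wb');
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE           => $fh,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect could point anywhere, incl. file://
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 20,             // don't let a slow remote hang the request
        CURLOPT_MAXFILESIZE    => $maxBytes,      // honoured only when Content-Length is sent
    ]);
    $ok   = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    fclose($fh);

    // Re-check the size on disk: MAXFILESIZE is not enforced for chunked responses.
    if ($ok === false || $code !== 200 || filesize($tmp) > $maxBytes) {
        unlink($tmp);                             // don't leave partial downloads behind
        return null;
    }
    // Same shape as a $_FILES entry so attachment code can consume it, but
    // it went through these checks rather than through is_uploaded_file().
    return ['name' => basename($parts['path']), 'tmp_name' => $tmp, 'size' => filesize($tmp), 'error' => 0];
}
```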