Commit 9823f9d2e4e9e24ef58e0b3cb37abe3099bcae3c
1 parent
85e77ffb
aprimoramento das validações nas ferramentas de upload
Showing
9 changed files
with
132 additions
and
9 deletions
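--- a/classesphp/funcoes_gerais.php
+++ b/classesphp/funcoes_gerais.php
@@ -3021,4 +3021,22 @@ function pegaProjecaoDefault($tipo=""){
 return $i3GeoProjDefault[$tipo];
 }
 }
+/**
+ * Verifica se uma string existe em um arquivo
+ */
+function fileContemString($arq,$s){
+if(!file_exists($arq)){
+return false;
+}
+$handle = fopen($arq, 'r');
+$valid = false; // init as false
+while (($buffer = fgets($handle)) !== false) {
+if (strpos($buffer, $s) !== false) {
+$valid = TRUE;
+break; // Once you find the string, you should break out the loop.
+}
+}
+fclose($handle);
+return $valid;
+}
 ?>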
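Review bot: `fileContemString` fails open when `fopen` returns false for a file that exists (permissions, a race with temp-file cleanup): `fgets(false)` yields false on the first iteration, `$valid` stays false, and every caller in this commit then proceeds to `move_uploaded_file` with the file unscanned. The needle the callers pass, `"<?"`, also matches the `<?xml` declaration that SLD, WMC, GPX and KML documents normally start with, so the check as wired rejects well-formed uploads of exactly the formats it is meant to protect; a pattern that excludes the declaration, `/<\?(?!xml\b)/i`, keeps the strict short-tag match. The rewrite below closes the fail-open path and adds a `fileContemPHP` helper the upload tools can call instead of the raw substring scan. The trailing `?>` can also be dropped, since this file holds only PHP.
```php
function fileContemString($arq,$s){
	if(!file_exists($arq)){
		return false;
	}
	$handle = fopen($arq, 'r');
	if($handle === false){
		// fail closed: a file we cannot read must not pass the scan
		return true;
	}
	$valid = false;
	while (($buffer = fgets($handle)) !== false) {
		if (strpos($buffer, $s) !== false) {
			$valid = true;
			break;
		}
	}
	fclose($handle);
	return $valid;
}
/**
 * Returns true when the file contains a PHP open tag ("<?php", "<?=" or a
 * short "<?"), ignoring the "<?xml" declaration of legitimate XML files.
 * Unreadable files are treated as a match so the caller rejects them.
 */
function fileContemPHP($arq){
	if(!file_exists($arq)){
		return false;
	}
	$handle = fopen($arq, 'r');
	if($handle === false){
		return true;
	}
	$achou = false;
	while (($buffer = fgets($handle)) !== false) {
		if (preg_match('/<\?(?!xml\b)/i', $buffer) === 1) {
			$achou = true;
			break;
		}
	}
	fclose($handle);
	return $achou;
}
```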
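--- a/ferramentas/aplicarsld/upload.php
+++ b/ferramentas/aplicarsld/upload.php
@@ -22,7 +22,7 @@ $tema = $_GET["tema"];
 <body bgcolor="white" style="background-color:white;text-align:left;">
 <p>
 <?php
-if (isset($_FILES['i3GEOaplicarsld']['name']))
+if (isset($_FILES['i3GEOaplicarsld']['name']) && strlen(basename($_FILES['i3GEOaplicarsld']['name'])) < 200 )
 {
 //$ndir = dirname($filen);
 require_once (dirname(__FILE__)."/../../ms_configura.php");
@@ -31,11 +31,23 @@ if (isset($_FILES['i3GEOaplicarsld']['name']))
 $dirmap = dirname($map_file);
 //verifica nomes
 $ArquivoDest = $_FILES['i3GEOaplicarsld']['name'];
+
+$ArquivoDest = strip_tags($ArquivoDest);
+$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
+
+$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
+
 $ArquivoDest = str_replace(".sld","",$ArquivoDest).".sld";
 verificaNome($ArquivoDest);
 
 //sobe arquivo
 $Arquivo = $_FILES['i3GEOaplicarsld']['tmp_name'];
+
+$checkphp = fileContemString($_FILES['i3GEOaplicarsld']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+
 $status = move_uploaded_file($Arquivo,$dirmap."/".$ArquivoDest);
 
 if($status != 1)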
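Review bot: An SLD document is XML and normally opens with `<?xml version="1.0" ...?>`, and the scan on new line 46 uses the bare needle `"<?"`, so standard SLD exports will be rejected by this tool while `<?php` is the only thing the check is meant to catch; scan with a pattern that excludes the declaration instead, `/<\?(?!xml\b)/i`. The `strip_tags`/`htmlspecialchars` pair on lines 35-36 is HTML output escaping applied to a name that is then written to disk, so a `'` or `&` in the upload name is stored as an entity like `&#039;` in the filename; escape at the point where the name is echoed, and restrict the stored name to a safe character set, e.g. `$ArquivoDest = preg_replace('/[^A-Za-z0-9_.-]/', '_', $ArquivoDest);`. The bare `exit` on line 48 also ends the request with no message in the frame. `verificaNome` and the remainder of the handler are outside this hunk.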
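--- a/ferramentas/carregamapa/upload.php
+++ b/ferramentas/carregamapa/upload.php
@@ -21,12 +21,15 @@ require_once (dirname(__FILE__)."/../../ms_configura.php");
 <body bgcolor="white" style="background-color:white">
 <p>
 <?php
-if (isset($_FILES['i3GEOcarregamapafilemap']['name']))
+if (isset($_FILES['i3GEOcarregamapafilemap']['name']) && strlen(basename($_FILES['i3GEOcarregamapafilemap']['name'])) < 200)
 {
 echo "<p class='paragrafo' >Carregando o arquivo...</p>";
 $dirmap = $dir_tmp;
 $Arquivo = $_FILES['i3GEOcarregamapafilemap']['name'];
-$Arquivo = str_replace(".map","",$Arquivo)."_up.map";
+$Arquivo = str_replace(".map","",$Arquivo) . md5(uniqid(rand(), true)) . "_up.map";
+
+$Arquivo = strip_tags($Arquivo);
+$Arquivo = htmlspecialchars($Arquivo, ENT_QUOTES);
 
 verificaNome($Arquivo);
 /*
@@ -36,6 +39,12 @@ if (isset($_FILES['i3GEOcarregamapafilemap']['name']))
 if($statusNome != 1)
 {echo "<p class='paragrafo' >Arquivo inválido.!";paraAguarde();exit;}
 */
+
+$checkphp = fileContemString($_FILES['i3GEOcarregamapafilemap']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+
 $nome = basename($Arquivo);
 $arqtemp = $dirmap."/".$Arquivo;
 $status = move_uploaded_file($_FILES['i3GEOcarregamapafilemap']['tmp_name'],$dirmap."/".$Arquivo);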
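Review bot: The new `exit` on line 45 runs after `Carregando o arquivo...` has already been echoed on line 26, so a rejected mapfile leaves the frame stuck on the loading message with no explanation, while the commented block directly above shows the rejection convention this file already uses: `{echo "<p class='paragrafo' >Arquivo inválido.!";paraAguarde();exit;}`. Reuse that line for the `<?` check. Separately, `$nome = basename($Arquivo)` is computed on line 48 but `$arqtemp` and the `move_uploaded_file` target on lines 49-50 still use `$Arquivo`; building both from `$nome` keeps the stored path and the name used afterwards identical. The escaping on lines 31-32 is also applied after `_up.map` is appended, the reverse of the sibling tools, which is harmless here but makes the copies harder to keep in sync.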
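--- a/ferramentas/importarwmc/upload.php
+++ b/ferramentas/importarwmc/upload.php
@@ -22,14 +22,25 @@ error_reporting(0);
 require_once (dirname(__FILE__)."/../../ms_configura.php");
 $dirmap = dirname($map_file);
 $arquivo = "";
-if(isset($_FILES['i3GEOimportarwmc']['name']) && !($_POST["i3GEOimportarwmcurl"]))
+if(isset($_FILES['i3GEOimportarwmc']['name']) && !($_POST["i3GEOimportarwmcurl"]) && strlen(basename($_FILES['i3GEOimportarwmc']['name'])) < 200)
 {
 echo "<p class='paragrafo' >Carregando o arquivo...</p>";
 //verifica nomes
 $ArquivoDest = $_FILES['i3GEOimportarwmc']['name'];
+$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
 $ArquivoDest = str_replace(".xml","",$ArquivoDest).".xml";
+
+$ArquivoDest = strip_tags($ArquivoDest);
+$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
+
 verificaNome($ArquivoDest);
 //sobe arquivo
+
+$checkphp = fileContemString($_FILES['i3GEOimportarwmc']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+
 $Arquivo = $_FILES['i3GEOimportarwmc']['tmp_name'];
 $status = move_uploaded_file($Arquivo,$dirmap."/".$ArquivoDest);
 $arquivo = $dirmap."/".$_FILES['i3GEOimportarwmc']['name'];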
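Review bot: Line 46 still builds `$arquivo` from `$_FILES['i3GEOimportarwmc']['name']`, but with this commit the upload is moved to `$ArquivoDest`, which now carries a 32-character md5 suffix, so `$arquivo` points at a path that does not exist and is the raw user-supplied name rather than the checked one. It should read `$arquivo = $dirmap."/".$ArquivoDest;` (whatever consumes `$arquivo` afterwards is outside this hunk). The `"<?"` needle on line 39 will also match the `<?xml` declaration a Web Map Context document starts with, so valid WMC uploads are refused; use a pattern that excludes it, `/<\?(?!xml\b)/i`. The `exit` on line 41 leaves the `Carregando o arquivo...` message from line 27 as the only output.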
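--- a/ferramentas/upload/upload.php
+++ b/ferramentas/upload/upload.php
@@ -54,12 +54,36 @@ if (isset($_FILES['i3GEOuploadshp']['name']))
 verificaNome($_FILES['i3GEOuploadshp']['name']);
 verificaNome($_FILES['i3GEOuploadshx']['name']);
 verificaNome($_FILES['i3GEOuploaddbf']['name']);
+
 if($_FILES['i3GEOuploadprj']['name'] != ""){
 verificaNome($_FILES['i3GEOuploadprj']['name']);
 }
+
+$checkphp = fileContemString($_FILES['i3GEOuploadprj']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+$checkphp = fileContemString($_FILES['i3GEOuploadshx']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+$checkphp = fileContemString($_FILES['i3GEOuploaddbf']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+$checkphp = fileContemString($_FILES['i3GEOuploadshp']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+
+
 //remove acentos
 $nomePrefixo = str_replace(" ","_",removeAcentos(str_replace(".shp","",$_FILES['i3GEOuploadshp']['name'])));
-//$nomePrefixo = $nomePrefixo."_".(nomeRandomico(4));
+
+$nomePrefixo = strip_tags($nomePrefixo);
+$nomePrefixo = htmlspecialchars($nomePrefixo, ENT_QUOTES);
+
+$nomePrefixo = $nomePrefixo . md5(uniqid(rand(), true));
 
 //sobe arquivo
 $Arquivo = $_FILES['i3GEOuploadshp']['tmp_name'];
@@ -189,6 +213,9 @@ function paraAguarde(){
 echo "<script>try{window.scrollTo(0,10000);window.parent.i3GEOF.upload.aguarde.visibility='hidden';}catch(e){};</script>";
 }
 function verificaNome($nome){
+if(strlen(basename($nome)) > 200){
+exit;
+}
 $nome = strtolower($nome);
 $lista = explode(".",$nome);
 $extensao = $lista[count($lista) - 1];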
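Review bot: Lines 62-77 repeat the same scan-and-`exit` block four times, and each bare `exit` (like the one added to `verificaNome` on line 217) ends the request with no output, although this file already has `paraAguarde()` to reset the parent frame. A loop over the four field names with the file's usual rejection message handles all of them in one place and tells the user why the upload stopped. Note that `.shp`, `.shx` and `.dbf` are binary formats, so scanning them for the two bytes `<?` can in principle refuse a legitimate shapefile whose attribute data happens to contain that sequence; an extension allowlist plus an upload directory the web server does not execute is the stronger control, and `verificaNome`, which continues past this hunk and already extracts `$extensao`, looks like the place for it.
```php
foreach (array('i3GEOuploadprj','i3GEOuploadshx','i3GEOuploaddbf','i3GEOuploadshp') as $campo) {
	if (fileContemString($_FILES[$campo]['tmp_name'], "<?")) {
		echo "<p class='paragrafo' >Arquivo inválido.</p>";
		paraAguarde();
		exit;
	}
}
```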
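--- a/ferramentas/uploaddbf/upload.php
+++ b/ferramentas/uploaddbf/upload.php
@@ -20,8 +20,13 @@ if (ob_get_level() == 0) ob_start();
 <body bgcolor="white" style="background-color:white;text-align:left;">
 <p>
 <?php
-if (isset($_FILES['i3GEOuploaddbffile']['name']))
+if (isset($_FILES['i3GEOuploaddbffile']['name']) && strlen(basename($_FILES['i3GEOuploaddbffile']['name'])) < 200 )
 {
+$checkphp = fileContemString($_FILES['i3GEOuploaddbffile']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+
 //$ndir = dirname($filen);
 require_once (dirname(__FILE__)."/../../ms_configura.php");
 $mapa = ms_newMapObj($map_file);
@@ -32,12 +37,19 @@ if (isset($_FILES['i3GEOuploaddbffile']['name']))
 $dirmap = dirname($map_file);
 //verifica nomes
 $ArquivoDest = $_FILES['i3GEOuploaddbffile']['name'];
+
+$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
+
 if($i3GEOuploaddbftipoarquivo != "dbf"){
 $ArquivoDest = str_replace(".csv","",$ArquivoDest).".csv";
 }
 else{
 $ArquivoDest = str_replace(".dbf","",$ArquivoDest).".dbf";
 }
+
+$ArquivoDest = strip_tags($ArquivoDest);
+$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
+
 verificaNome($ArquivoDest);
 verificaNome($_FILES['i3GEOuploaddbffile']['name']);
 //sobe arquivo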
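Review bot: The name-building sequence on lines 41-51 (append an md5 suffix, normalize the extension, then `strip_tags`/`htmlspecialchars`) is copy-pasted into every upload tool in this commit in a different order each time — `aplicarsld` escapes before the suffix, `carregamapa` escapes after the extension, `uploadsimbolo` appends the suffix after the extension — so the "same" sanitization behaves differently per tool. Factor it into one helper next to `fileContemString` in `classesphp/funcoes_gerais.php` and call it from every tool; a character allowlist also avoids what `htmlspecialchars` does here, which is storing HTML entities such as `&#039;` in a filename. The scan on line 25 runs before `ms_configura.php` is required, so whether `fileContemString` is already loaded at that point depends on includes above this hunk. The bare `exit` on line 27 gives the user no message.
```php
/**
 * Builds a unique, filesystem-safe name for an uploaded file: keeps only
 * [A-Za-z0-9_.-] from the basename, drops a pre-existing $ext and appends
 * a random suffix followed by $ext.
 */
function nomeArquivoUpload($nome, $ext){
	$base = preg_replace('/[^A-Za-z0-9_.-]/', '_', basename($nome));
	$base = str_replace($ext, "", $base);
	return $base . md5(uniqid(rand(), true)) . $ext;
}
// in this tool, replacing lines 41-51:
$ArquivoDest = nomeArquivoUpload($_FILES['i3GEOuploaddbffile']['name'], ($i3GEOuploaddbftipoarquivo != "dbf") ? ".csv" : ".dbf");
```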
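--- a/ferramentas/uploadgpx/upload.php
+++ b/ferramentas/uploadgpx/upload.php
@@ -21,8 +21,12 @@ if (ob_get_level() == 0) ob_start();
 <body bgcolor="white" style="background-color:white;text-align:left;">
 <p>
 <?php
-if (isset($_FILES['i3GEOuploadgpx']['name']))
+if (isset($_FILES['i3GEOuploadgpx']['name']) && strlen(basename($_FILES['i3GEOuploadgpx']['name'])) < 200 )
 {
+$checkphp = fileContemString($_FILES['i3GEOuploadgpx']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
 //$ndir = dirname($filen);
 require_once (dirname(__FILE__)."/../../ms_configura.php");
 $mapa = ms_newMapObj($map_file);
@@ -33,7 +37,12 @@ if (isset($_FILES['i3GEOuploadgpx']['name']))
 $dirmap = dirname($map_file);
 //verifica nomes
 $ArquivoDest = $_FILES['i3GEOuploadgpx']['name'];
+$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
 $ArquivoDest = str_replace(".gpx","",$ArquivoDest).".gpx";
+
+$ArquivoDest = strip_tags($ArquivoDest);
+$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
+
 verificaNome($ArquivoDest);
 
 //sobe arquivo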
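Review bot: GPX is XML and, like other XML documents, a GPX file normally begins with `<?xml version="1.0" ...?>`, yet the scan on new line 26 looks for the bare substring `"<?"`, so this check will refuse the ordinary case and only admit GPX files that omit the declaration. Until `fileContemString` accepts a pattern, the call here can apply one directly: `if(preg_match('/<\?(?!xml\b)/i', file_get_contents($_FILES['i3GEOuploadgpx']['tmp_name'])) === 1){ exit; }` — the upload size is already bounded by `upload_max_filesize`, so reading it whole is acceptable. The `exit` runs before anything is echoed, so the user gets an empty frame rather than a message. `verificaNome` and the rest of the handler are outside this hunk.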
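--- a/ferramentas/uploadkml/upload.php
+++ b/ferramentas/uploadkml/upload.php
@@ -23,8 +23,12 @@ if (ob_get_level() == 0) ob_start();
 <body bgcolor="white" style="background-color:white;text-align:left;">
 <p>
 <?php
-if (isset($_FILES['i3GEOuploadkml']['name']))
+if (isset($_FILES['i3GEOuploadkml']['name']) && strlen(basename($_FILES['i3GEOuploadkml']['name'])) < 200 )
 {
+$checkphp = fileContemString($_FILES['i3GEOuploadkml']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
 //$ndir = dirname($filen);
 require_once (dirname(__FILE__)."/../../ms_configura.php");
 $mapa = ms_newMapObj($map_file);
@@ -35,7 +39,12 @@ if (isset($_FILES['i3GEOuploadkml']['name']))
 $dirmap = dirname($map_file);
 //verifica nomes
 $ArquivoDest = $_FILES['i3GEOuploadkml']['name'];
+$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
 $ArquivoDest = str_replace(".kml","",$ArquivoDest).".kml";
+
+$ArquivoDest = strip_tags($ArquivoDest);
+$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
+
 verificaNome($ArquivoDest);
 
 //sobe arquivo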
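Review bot: The `"<?"` needle on line 28 matches the `<?xml` declaration that KML documents normally carry as their first line, so well-formed KML exports will be refused by this check; the pattern should exclude the declaration (`/<\?(?!xml\b)/i`), and because the `exit` on line 30 precedes both the `Carregando` message and `ms_configura.php`, a refused upload produces an empty frame with no explanation. The md5 suffix on line 42 is appended before the `.kml` normalization, which is the right order, but the `strip_tags`/`htmlspecialchars` pair on lines 44-45 then turns characters such as `'` or `&` in the stored filename into HTML entities; `$ArquivoDest = preg_replace('/[^A-Za-z0-9_.-]/', '_', $ArquivoDest);` keeps the name filesystem-safe without entity-encoding it, and escaping belongs where the name is echoed.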
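--- a/ferramentas/uploadsimbolo/upload.php
+++ b/ferramentas/uploadsimbolo/upload.php
@@ -18,7 +18,13 @@ if (ob_get_level() == 0) ob_start();
 <body bgcolor="white" style="background-color:white;text-align:left;">
 <p>
 <?php
-if (isset($_FILES['i3GEOuploadsimboloarq']['name'])){
+if (isset($_FILES['i3GEOuploadsimboloarq']['name']) && strlen(basename($_FILES['i3GEOuploadsimboloarq']['name'])) < 200){
+
+$checkphp = fileContemString($_FILES['i3GEOuploadkml']['tmp_name'],"<?");
+if($checkphp == true){
+exit;
+}
+
 require_once (dirname(__FILE__)."/../../ms_configura.php");
 echo "<p class='paragrafo' >Carregando o arquivo...</p>";
 ob_flush();
@@ -43,11 +49,21 @@ if (isset($_FILES['i3GEOuploadsimboloarq']['name'])){
 
 $nome = str_replace(".png","",$nome).".png";
 
+$nome = strip_tags($nome);
+$nome = htmlspecialchars($nome, ENT_QUOTES);
+
+$nome = $nome . md5(uniqid(rand(), true));
+
 verificaNome($nome);
 //sobe arquivo
 $Arquivo = $_FILES['i3GEOuploadsimboloarq']['tmp_name'];
 $destino = $dirDestino."/".$nome;
 
+$check = getimagesize($Arquivo);
+if($check === false) {
+exit;
+}
+
 if(file_exists($destino))
 {echo "<p class='paragrafo' >Já existe um arquivo com o nome ".$destino;paraAguarde();exit;}
 $status = move_uploaded_file($Arquivo,$destino);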
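Review bot: Line 23 scans `$_FILES['i3GEOuploadkml']['tmp_name']` — the KML tool's field name — instead of `i3GEOuploadsimboloarq`, so in this handler that index is undefined, `file_exists` receives an empty value, `fileContemString` returns false and the PHP-tag check never runs; the symbol is then accepted on `getimagesize` alone, which only validates the image header. It should be `$checkphp = fileContemString($_FILES['i3GEOuploadsimboloarq']['tmp_name'],"<?");`. Line 55 also appends the md5 suffix after line 50 has already normalized the name to end in `.png`, so the stored file becomes `name.png<32 hex>` with no real extension, unlike the sibling tools, which add the suffix first; fold the suffix into the normalization, `$nome = str_replace(".png","",$nome . md5(uniqid(rand(), true))).".png";`, and drop line 55. `verificaNome` is defined outside this hunk, so whether it accepts the current suffixed name cannot be told from here.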