author | emkael <emkael@tlen.pl> | 2016-04-06 10:48:28 +0200 |
---|---|---|
committer | emkael <emkael@tlen.pl> | 2016-04-06 10:48:28 +0200 |
commit | eb4b028469dc10ee4fd37a161606ccb11b880225 (patch) | |
tree | bb3b28a6b3b96c4ad5b12df8586fd82d6511ae59 /app | |
parent | 6355c02d7595082a4ea6bf0e151ddfb517a0f25e (diff) |
* T*FileUpload controls with server-side MIME check
Diffstat (limited to 'app')
-rw-r--r-- | app/php/components/SafeActiveFileUpload.php | 12 | ||||
-rw-r--r-- | app/php/components/SafeFileUpload.php | 34 |
2 files changed, 46 insertions, 0 deletions
diff --git a/app/php/components/SafeActiveFileUpload.php b/app/php/components/SafeActiveFileUpload.php
new file mode 100644
index 0000000..9b8e2a8
--- /dev/null
+++ b/app/php/components/SafeActiveFileUpload.php
@@ -0,0 +1,12 @@
+<?php
+
+Prado::using('System.Web.UI.ActiveControls.TActiveFileUpload');
+Prado::using('Application.components.SafeFileUpload');
+
+class SafeActiveFileUpload extends TActiveFileUpload {
+
+ use MimeTypeCheckForFileUpload;
+
+}
+
+?>
diff --git a/app/php/components/SafeFileUpload.php b/app/php/components/SafeFileUpload.php
new file mode 100644
index 0000000..98e120a
--- /dev/null
+++ b/app/php/components/SafeFileUpload.php
@@ -0,0 +1,34 @@
+<?php
+
+class SafeFileUpload extends TFileUpload {
+
+ use MimeTypeCheckForFileUpload;
+
+}
+
+trait MimeTypeCheckForFileUpload {
+
+ protected $_isSecure = TRUE;
+
+ public function getIsSecure() {
+ return $this->_isSecure;
+ }
+
+ public function setIsSecure($bool) {
+ $this->_isSecure = $bool;
+ }
+
+ public function getFileType() {
+ $type = parent::getFileType();
+ if ($this->getIsSecure()) {
+ $fileInfo = new finfo(FILEINFO_MIME_TYPE);
+ return $fileInfo->file($this->getLocalName());
+ }
+ else {
+ return $type;
+ }
+ }
+
+}
+
+?> |
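Review bot: SafeActiveFileUpload gets `MimeTypeCheckForFileUpload` only because `Prado::using('Application.components.SafeFileUpload')` happens to load the file where the trait is declared next to a different class. Moving the trait into its own file, imported by both controls, would make the dependency explicit and keep the two upload controls from drifting apart if SafeFileUpload.php is later reorganised. A one-line class comment such as `// TActiveFileUpload whose FileType is detected server-side, not taken from the client` would also tell template authors why this control exists.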
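Review bot: With IsSecure on, `getFileType()` passes `getLocalName()` to finfo without checking that an upload actually succeeded, so a missing or failed upload produces a warning and a `false` return instead of a MIME string; it also calls `parent::getFileType()` even though that result is discarded on the secure path. Guard on `getHasFile()` and turn a failed detection into an empty string, so that an allow-list comparison fails closed rather than depending on how the caller treats `false`. `setIsSecure()` stores the raw value, so a template attribute like `IsSecure="false"` would presumably arrive as a non-empty string and leave the check enabled; `$this->_isSecure = TPropertyValue::ensureBoolean($bool);` makes the property behave as named. Content sniffing only describes what the file's bytes look like, so callers should still restrict the stored extension and keep uploads out of any directory the server will execute.

```php
public function getFileType() {
    if (!$this->getIsSecure()) {
        // Opt-out path: the client-declared type, which must not be trusted for access decisions.
        return parent::getFileType();
    }
    if (!$this->getHasFile()) {
        // No successful upload, so there is nothing on disk to inspect.
        return '';
    }
    $fileInfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $fileInfo->file($this->getLocalName());
    // Never fall back to the client-declared type when detection fails.
    return $detected === FALSE ? '' : $detected;
}
```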