How can i remove or accept special characters from filename on uploading

Question

i have this code in a file called uploader.php. I call this file from another file to upload images, this works fine. Exept in the photogallery i can't see the thumbnails (they are blank if i upload images containing e.g () and [] characters. I want to remove characters like this on upload or allow them to be viwed.

$maindir = "../alla_bilder/images/";
$maindir_th = "../alla_bilder/images/thumbs/";
$uploaddir = "images/";
$uploaddir_th = "images/thumbs/";
$allowed = array('jpg','jpeg','gif','png');
$max_size = 5048 * 1024;
while (list ($key, $val) = each ($_FILES))
{
if ($_FILES[$key]['size'] <= $max_size) 
{
  $file_ext  = pathinfo($_FILES[$key]['name'],PATHINFO_EXTENSION);
  $file_name = basename($_FILES[$key]['name'],'.'.$file_ext);
  if (in_array(strtolower($file_ext),$allowed)) 
  {
     $name = $_FILES[$key]['name'];
     $x = 1;
     while (file_exists($uploaddir.'/'.$name)) 
     {
        $name = $file_name.'['.$x.'].'.$file_ext;
        $x++;
     }
     if (move_uploaded_file($_FILES[$key]['tmp_name'],$uploaddir.'/'.$name))
     {
        chmod($uploaddir.'/'.$name, 0644);
     }
     else
     {
        die(error_get_last());
     }
  }
  else
  {
     die("Invalid file type");
  }
}
else
{
  die("File size too big");
}
copy($uploaddir.'/'.$name, $maindir.'/'.$name);

  $images = glob("images/thumbs/*.*");  
  foreach($images as $image)  
  {  
       $output .= '<div class="col-md-2" align="center" ><img src="' . $image .'" width="200px" height="140px" style="border:1px solid #ccc;" /></div>';  
  }  


    $modwidth = 200;
    $modheight = 140;

    list($width, $height) = getimagesize($uploaddir.'/'.$name);               
    $ratio_orig = $width/$height;                 
    if ($width/$height > $ratio_orig)
    {         
    $width = $height*$ratio_orig;         
    } else {         
    $height = $width/$ratio_orig;         
    }          
    $tn = imagecreatetruecolor($modwidth, $modheight);
    //$image = imagecreatefromjpeg($uploaddir.'/'.$name);
    $image = imagecreatefromstring(file_get_contents($uploaddir.'/'.$name));
    imagecopyresampled($tn, $image, 0, 0, 0, 0, $modwidth, $modheight, $width, $height);
    imagejpeg($tn, $uploaddir_th.'/'.$name); 
    imagejpeg($tn, $maindir_th.'/'.$name); 

}

//Code to view the thumbnails:

$directory = 'images/';
$thumbsdir = 'images/thumbs';
$allowed_types = array('jpg', 'JPG', 'JPEG', 'jpeg', 'gif', 'PNG', 'png');
$fileNames = $files = $file_parts = array();
$ext = '';
/* $title = ''; */
$i = 0;

$toMatch = "{$directory}*.{".implode(',', $allowed_types).'}';
$fileNames = glob($toMatch, GLOB_NOSORT | GLOB_BRACE);  

foreach($fileNames as $file) {
    $f = explode('/', $file);
    $fileName = end($f);
    $files[$fileName] = filemtime($file);
}

arsort($files);

foreach(array_keys($files) as $file)
{
    $file_parts = explode('.',$file);
    $ext = strtolower(array_pop($file_parts));

    /* $title = implode('.',$file_parts);
    $title = htmlspecialchars($title); */

    echo '
    <div class="pic " style="background:url('.$thumbsdir.'/'.$file.') no-repeat 50% 50%;">
    <a href="'.$directory.'/'.$file.'" title="'.$title.'">'.$title.'</a>
    </div>';

    $i++;
}

Hello, i'm gessing this is some kind of security risk?, Can you explain how to fix it please? — Patrik Idén, Nov 08 '18 at 10:43
It is not sufficient to filter only by extension. I can easily rename my `.php` file to something else, but it still is a php script. If you web server is not properly configured, you have a remote code execution, because it will run your script whenever you open that "image". First: Don't rely on the extension Second: Generate a random name for the uploaded file, so attacker cannot guess the file name. — hellow, Nov 08 '18 at 11:35
Thank you. How can i change this code to generate a random name? — Patrik Idén, Nov 08 '18 at 11:38
https://stackoverflow.com/questions/19083175/generate-random-string-in-php-for-file-name And of course the linked duplicate — hellow, Nov 08 '18 at 12:10
Well i did this:$name = rand(0,9999999). '.' .$file_ext; if (move_uploaded_file($_FILES[$key]['tmp_name'],$uploaddir.'/'.$name)) and i also have .htacces with this: php_flag engine off SetHandler application/x-httpd-php — Patrik Idén, Nov 08 '18 at 13:45

How can i remove or accept special characters from filename on uploading

0 Answers0