Php remove directories not called x?

[joeybab3]

Here is my code which i use to recieve uploaded files.

$filepath = $_SERVER['DOCUMENT_ROOT'] . "file/";
$fileunzippath = $filepath."unzipped/";
$exclude_list = array(".", "..", "...", "index.php", ".php", ".htaccess");
if($_FILES["zip_file"]["name"]) {
	$filename = $_FILES["zip_file"]["name"];
	$source = $_FILES["zip_file"]["tmp_name"];
	$type = $_FILES["zip_file"]["type"];
	
	$name = explode(".", $filename);
	$accepted_types = array('application/zip', 'application/x-zip-compressed', 'multipart/x-zip', 'application/x-compressed');
	foreach($accepted_types as $mime_type) {
		if($mime_type == $type) {
			$okay = true;
			break;
		} 
	}
	
	$continue = strtolower($name[1]) == 'zip' ? true : false;
	if(!$continue) {
		$message = "The file you are trying to upload is not a .zip file. Please try again.";
	}
	$string = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), $filename);
    $clean_name = strtr($string, array('Š' => 'S','Ž' => 'Z','š' => 's','ž' => 'z','Ÿ' => 'Y','À' => 'A','Á' => 'A','Â' => 'A','Ã' => 'A','Ä' => 'A','Å' => 'A','Ç' => 'C','È' => 'E','É' => 'E','Ê' => 'E','Ë' => 'E','Ì' => 'I','Í' => 'I','Î' => 'I','Ï' => 'I','Ñ' => 'N','Ò' => 'O','Ó' => 'O','Ô' => 'O','Õ' => 'O','Ö' => 'O','Ø' => 'O','Ù' => 'U','Ú' => 'U','Û' => 'U','Ü' => 'U','Ý' => 'Y','à' => 'a','á' => 'a','â' => 'a','ã' => 'a','ä' => 'a','å' => 'a','ç' => 'c','è' => 'e','é' => 'e','ê' => 'e','ë' => 'e','ì' => 'i','í' => 'i','î' => 'i','ï' => 'i','ñ' => 'n','ò' => 'o','ó' => 'o','ô' => 'o','õ' => 'o','ö' => 'o','ø' => 'o','ù' => 'u','ú' => 'u','û' => 'u','ü' => 'u','ý' => 'y','ÿ' => 'y'));
$clean_name = strtr($clean_name, array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));

$clean_name = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), $clean_name);
	$target_path = $filepath.$clean_name;  // change this to the correct site path
	if(move_uploaded_file($source, $target_path)) {
		echo "Source: ".$source."<br/>";
		echo "Type: ".$type."<br/>";
		echo "Filename: ".$filename."<br/>";
		
		$zip = new ZipArchive();
		$x = $zip->open($target_path);
		if ($x === true) {
			$zip->extractTo($fileunzippath.$clean_name); // change this to the correct site path
			$zip->close();
			
  $exclude_list;
  $dir_path = $_SERVER['DOCUMENT_ROOT'];
  $dir_path .= "/file/unzipped/";
  $directories = array_diff(scandir($fileunzippath.$clean_name), $exclude_list);
  foreach($directories as $entry) {
    if(is_dir($dir_path.$entry)) {
		if($entry != 'part0' || $entry !='part1')
		{
			 rmdir($entry);
		}
    }
  }
		}
		$message = "Your .zip file was uploaded and unpacked.";
	} else {	
		$message = "There was a problem with the upload. Please try again.";
	}
}

Specifically i want to highlight this part:

$exclude_list;
  $dir_path = $_SERVER['DOCUMENT_ROOT'];
  $dir_path .= "/file/unzipped/";
  $directories = array_diff(scandir($fileunzippath.$clean_name), $exclude_list);
  foreach($directories as $entry) {
    if(is_dir($dir_path.$entry)) {
		if($entry != 'part0' || $entry !='part1')
		{
			 rmdir($entry);
		}
    }
  }

When I upload a zip file containing 2 directories(one called 'part0', and one called 'bad'), they get unzipped correctly and it gives no errors, however the fake directories(not called part0 or part1) I put in there are still there. Any Help?

[Psycho]

Per the manual rmdir()

Attempts to remove the directory named by dirname. The directory must be empty, and the relevant permissions must permit this. A E_WARNING level error will be generated on failure.

Have you turned on error reporting?

[QuickOldCar]

Are you letting users upload and extract zip files?

 

That's something I would never trust.

I'd run them through a virus scanner and also be looking for malicious code if I was to even attempt that.

 

rmdir() is a scary function.

Be sure to have a failsafe directory name...even if will never exist...so never has an empty folder value.

You don't want to lose more than you want to.

[joeybab3]

Per the manual rmdir()

Have you turned on error reporting?

Yes, no errors are returned.

Are you letting users upload and extract zip files?

 

That's something I would never trust.

I'd run them through a virus scanner and also be looking for malicious code if I was to even attempt that.

 

rmdir() is a scary function.

Be sure to have a failsafe directory name...even if will never exist...so never has an empty folder value.

You don't want to lose more than you want to.

It's fine its only on my localhost, im the only one that uses it. Though I may one day release it, first i will have to write a lot of failsafe code.

[mac_gyver]

there's two problems with your logic.

 

1) the - if($entry != 'part0' || $entry !='part1') should be - if($entry != 'part0' && $entry !='part1')  using negative logic requires that you negate the || too. i.e. if($entry == 'part0' || $entry =='part1') {do something if either one} becomes if($entry != 'part0' && $entry !='part1') {do something if NOT either one} OR you could just use (not)in_array - if(!in_array($entry, array('part0','part1')) {do something if NOT either one}

 

2) the rmdir() statement needs the $dir_path in it too, unless the directory being removed is relative to the current script. if php's error_reporting/display_errors are actually on, you should be getting errors from the current code when it tires to remove a directory that it cannot find due to no knowing the path.