Jump to content

Php remove directories not called x?


joeybab3

Recommended Posts

Here is my code which i use to recieve uploaded files.

$filepath = $_SERVER['DOCUMENT_ROOT'] . "file/";
$fileunzippath = $filepath."unzipped/";
$exclude_list = array(".", "..", "...", "index.php", ".php", ".htaccess");
if($_FILES["zip_file"]["name"]) {
	$filename = $_FILES["zip_file"]["name"];
	$source = $_FILES["zip_file"]["tmp_name"];
	$type = $_FILES["zip_file"]["type"];
	
	$name = explode(".", $filename);
	$accepted_types = array('application/zip', 'application/x-zip-compressed', 'multipart/x-zip', 'application/x-compressed');
	foreach($accepted_types as $mime_type) {
		if($mime_type == $type) {
			$okay = true;
			break;
		} 
	}
	
	$continue = strtolower($name[1]) == 'zip' ? true : false;
	if(!$continue) {
		$message = "The file you are trying to upload is not a .zip file. Please try again.";
	}
	$string = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), $filename);
    $clean_name = strtr($string, array('Š' => 'S','Ž' => 'Z','š' => 's','ž' => 'z','Ÿ' => 'Y','À' => 'A','Á' => 'A','Â' => 'A','Ã' => 'A','Ä' => 'A','Å' => 'A','Ç' => 'C','È' => 'E','É' => 'E','Ê' => 'E','Ë' => 'E','Ì' => 'I','Í' => 'I','Î' => 'I','Ï' => 'I','Ñ' => 'N','Ò' => 'O','Ó' => 'O','Ô' => 'O','Õ' => 'O','Ö' => 'O','Ø' => 'O','Ù' => 'U','Ú' => 'U','Û' => 'U','Ü' => 'U','Ý' => 'Y','à' => 'a','á' => 'a','â' => 'a','ã' => 'a','ä' => 'a','å' => 'a','ç' => 'c','è' => 'e','é' => 'e','ê' => 'e','ë' => 'e','ì' => 'i','í' => 'i','î' => 'i','ï' => 'i','ñ' => 'n','ò' => 'o','ó' => 'o','ô' => 'o','õ' => 'o','ö' => 'o','ø' => 'o','ù' => 'u','ú' => 'u','û' => 'u','ü' => 'u','ý' => 'y','ÿ' => 'y'));
$clean_name = strtr($clean_name, array('Þ' => 'TH', 'þ' => 'th', 'Ð' => 'DH', 'ð' => 'dh', 'ß' => 'ss', 'Œ' => 'OE', 'œ' => 'oe', 'Æ' => 'AE', 'æ' => 'ae', 'µ' => 'u'));

$clean_name = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), $clean_name);
	$target_path = $filepath.$clean_name;  // change this to the correct site path
	if(move_uploaded_file($source, $target_path)) {
		echo "Source: ".$source."<br/>";
		echo "Type: ".$type."<br/>";
		echo "Filename: ".$filename."<br/>";
		
		$zip = new ZipArchive();
		$x = $zip->open($target_path);
		if ($x === true) {
			$zip->extractTo($fileunzippath.$clean_name); // change this to the correct site path
			$zip->close();
			
  $exclude_list;
  $dir_path = $_SERVER['DOCUMENT_ROOT'];
  $dir_path .= "/file/unzipped/";
  $directories = array_diff(scandir($fileunzippath.$clean_name), $exclude_list);
  foreach($directories as $entry) {
    if(is_dir($dir_path.$entry)) {
		if($entry != 'part0' || $entry !='part1')
		{
			 rmdir($entry);
		}
    }
  }
		}
		$message = "Your .zip file was uploaded and unpacked.";
	} else {	
		$message = "There was a problem with the upload. Please try again.";
	}
}

Specifically i want to highlight this part:

$exclude_list;
  $dir_path = $_SERVER['DOCUMENT_ROOT'];
  $dir_path .= "/file/unzipped/";
  $directories = array_diff(scandir($fileunzippath.$clean_name), $exclude_list);
  foreach($directories as $entry) {
    if(is_dir($dir_path.$entry)) {
		if($entry != 'part0' || $entry !='part1')
		{
			 rmdir($entry);
		}
    }
  }

When I upload a zip file containing 2 directories(one called 'part0', and one called 'bad'), they get unzipped correctly and it gives no errors, however the fake directories(not called part0 or part1) I put in there are still there. Any Help?

Link to comment
Share on other sites

Are you letting users upload and extract zip files?

 

That's something I would never trust.

I'd run them through a virus scanner and also be looking for malicious code if I was to even attempt that.

 

rmdir() is a scary function.

Be sure to have a failsafe directory name...even if will never exist...so never has an empty folder value.

You don't want to lose more than you want to.

Link to comment
Share on other sites

Per the manual rmdir()

Have you turned on error reporting?

Yes, no errors are returned.

Are you letting users upload and extract zip files?

 

That's something I would never trust.

I'd run them through a virus scanner and also be looking for malicious code if I was to even attempt that.

 

rmdir() is a scary function.

Be sure to have a failsafe directory name...even if will never exist...so never has an empty folder value.

You don't want to lose more than you want to.

It's fine its only on my localhost, im the only one that uses it. Though I may one day release it, first i will have to write a lot of failsafe code.

Link to comment
Share on other sites

there's two problems with your logic.

 

1) the - if($entry != 'part0' || $entry !='part1') should be - if($entry != 'part0' && $entry !='part1')  using negative logic requires that you negate the || too. i.e. if($entry == 'part0' || $entry =='part1') {do something if either one} becomes if($entry != 'part0' && $entry !='part1') {do something if NOT either one} OR you could just use (not)in_array - if(!in_array($entry, array('part0','part1')) {do something if NOT either one}

 

2) the rmdir() statement needs the $dir_path in it too, unless the directory being removed is relative to the current script. if php's error_reporting/display_errors are actually on, you should be getting errors from the current code when it tires to remove a directory that it cannot find due to no knowing the path.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.