
Changeset 3134865


Timestamp:
08/13/2024 11:16:46 AM (20 months ago)
Author:
spreadsheetconverter
Message:

version 10.1.5 with a fix to prevent upload of disallowed file types

Location:
import-spreadsheets-from-microsoft-excel/trunk
Files:
3 edited

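--- a/import-spreadsheets-from-microsoft-excel/trunk/changelog.txt
+++ b/import-spreadsheets-from-microsoft-excel/trunk/changelog.txt
@@ -1,3 +1,7 @@
 == Changelog ==
+
+= 10.1.5 =
+
+* Fixed security vulnerability with zip containing disallowed file types
 
 = 10.1.4 =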
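--- a/import-spreadsheets-from-microsoft-excel/trunk/import-spreadsheets-from-microsoft-excel.php
+++ b/import-spreadsheets-from-microsoft-excel/trunk/import-spreadsheets-from-microsoft-excel.php
@@ -5,5 +5,5 @@
 Plugin URI: https://www.spreadsheetconverter.com/support/online-help/help-wordpress-plugin-to-import-spreadsheets-from-microsoft-excel
 Description: Import Spreadsheets from Microsoft Excel
-Version: 10.1.4
+Version: 10.1.5
 Author: SpreadsheetConverter
 Author URI: http://www.spreadsheetconverter.com
@@ -16,5 +16,5 @@
  *
 
-Copyright (C) 2019-2020  SpreadsheetConverter, http://www.spreadsheetconverter.com
+Copyright (C) 2019-2024  SpreadsheetConverter, http://www.spreadsheetconverter.com
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -446,4 +446,5 @@
 // Setup the array of supported file types. In this case, it's just PDF.
 $supported_types = array( 'application/zip' );
+$allowed_file_extenstions = array( 'htm', 'html', 'appcache', 'js', 'css', 'png', 'jpg', 'jpeg','gif','svg', 'bmp', 'woff', 'woff2', 'ttf', 'eot');
 
 // Get the file type of the upload
@@ -488,5 +489,6 @@
 
             $zip = new ZipArchive();
-            $x = $zip->open($target_path);                         
+            $x = $zip->open($target_path);
+            $disallowed_files = array();                         
            
             if ( $x === true ) {
@@ -497,4 +499,8 @@
                     while ( ($zip_entry = zip_read($zipall)) ):
                         $pathall = zip_entry_name($zip_entry);
+                        $extension = pathinfo($pathall, PATHINFO_EXTENSION);
+                        if(!empty($extension) && !in_array(strtolower($extension), $allowed_file_extenstions)){
+                            $disallowed_files[] = $extension;
+                        }
                     endwhile;
                 }
@@ -505,4 +511,8 @@
                     { 
                        $pathall = $zip->getNameIndex( $i );
+                       $extension = pathinfo($pathall, PATHINFO_EXTENSION);
+                       if(!empty($extension) && !in_array(strtolower($extension), $allowed_file_extenstions)){
+                        $disallowed_files[] = $extension;
+                       }
                     }
                 }
@@ -519,4 +529,19 @@
 
                 }
+               
+                if(count($disallowed_files) > 0){
+                    ims_fme_ssc_errorLog('The zip contains disallowed file types:' . implode(", ", array_unique($disallowed_files)));
+                    set_transient( 'ims-fme-ssc-admin-notice-disallowed-file-error', implode(", ", array_unique($disallowed_files)), 5 );                                                   
+                   
+                    remove_action( 'save_post', 'ims_fme_ssc_save_custom_meta_data' );                               
+                    wp_update_post( array('ID' => intval( $id ), 'post_status' => 'draft') );
+                    add_action( 'save_post', 'ims_fme_ssc_save_custom_meta_data' );
+               
+                    $zip->close();
+                    unlink($target_path);   
+
+                    return;               
+                }
+
                 // change this to the correct site path
                 $zip->extractTo( $pub_dir.'/');
@@ -538,5 +563,5 @@
                 $zip->close();
                 unlink($target_path);
-            }   
+            }
                    
     if ( file_exists( $path ) ){
@@ -679,4 +704,9 @@
     <?php
         delete_transient( 'ims-fme-ssc-admin-notice-zip-error' );
+
+    } elseif( get_transient( 'ims-fme-ssc-admin-notice-disallowed-file-error' ) ) { ?>
+        <div class="updated" style="color:red"><p>The zip contains disallowed file types: <?php echo get_transient( 'ims-fme-ssc-admin-notice-disallowed-file-error' ); ?> </p></div>
+    <?php
+        delete_transient( 'ims-fme-ssc-admin-notice-disallowed-file-error' );
    
     }/*elseif( get_transient( 'ims-fme-ssc-admin-notice-plug-special-char' ) ) { ?>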
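Review bot: The new admin notice at new line 708 echoes the `ims-fme-ssc-admin-notice-disallowed-file-error` transient without escaping, and that value is built at new lines 503 and 515 from the raw `$extension` that `pathinfo()` returns for each zip entry name, so text chosen by whoever built the archive is written into the admin page as HTML. Escape it on output, `<?php echo esc_html( get_transient( 'ims-fme-ssc-admin-notice-disallowed-file-error' ) ); ?>`, and consider storing the lower-cased extension so the log line and the notice show the value that was actually compared. Separately, the `!empty($extension)` guard at new lines 502 and 514 lets entries with no final extension reach `extractTo()` unchecked; it is worth confirming that this is intended. The functions enclosing these hunks start and end outside the visible lines.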
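--- a/import-spreadsheets-from-microsoft-excel/trunk/readme.txt
+++ b/import-spreadsheets-from-microsoft-excel/trunk/readme.txt
@@ -5,7 +5,7 @@
 Tags: excel, spreadsheet, xls, xlsx, embed, import, upload, form, calculator, viewer, chart, graph
 Requires at least: 4.5
-Tested up to: 6.1.1
+Tested up to: 6.6.1
 Requires PHP: 5.2.4
-Stable tag: 10.1.4
+Stable tag: 10.1.5
 
 Import live, calculating spreadsheets from Microsoft Excel to WordPress. The uploaded online spreadsheet is live, and looks and feels like in Excel.
@@ -357,4 +357,8 @@
 == Changelog ==
 
+= 10.1.5 =
+
+* Fixed security vulnerability with zip containing disallowed file types
+
 = 10.1.4 =
 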