Fix upload file function filter by extension. Fix mib uploader only upload .mib file

pandora_console/include/functions_filemanager.php

@@ -128,19 +128,18 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
             $extension = pathinfo($filename, PATHINFO_EXTENSION);
 
             $umask          = io_safe_output((string) get_parameter('umask'));
-            $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
-            $parse_sec2_query = explode('=', $parse_all_queries[1]);
-            $check_extension = true;
-            if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
-                if ((strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) {
-                    $check_extension = false;
-                } else {
-                    $check_extension = true;
-                }
-            }
-
+            // $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
+            // $parse_sec2_query = explode('=', $parse_all_queries[1]);
+            // $check_extension = true;
+            // if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
+            // if ((strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) {
+            // $check_extension = false;
+            // } else {
+            // $check_extension = true;
+            // }
+            // }
             // (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')
-            if (strpos($real_directory, $default_real_directory) !== 0 || $check_extension === false) {
+            if (strpos($real_directory, $default_real_directory) !== 0) {
                 // Perform security check to determine whether received upload
                 // directory is part of the default path for caller uploader and
                 // user is not trying to access an external path (avoid
@@ -152,12 +151,12 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
                 // Copy file to directory and change name.
                 $nombre_archivo = sprintf('%s/%s', $real_directory, $filename);
                 try {
-                    $mimeContentType = mime_content_type($_FILES['file']['tmp_name']);
-
-                    if (empty($filterFilesType) === true || in_array($mimeContentType, $filterFilesType) === true) {
+                    $ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
+                    if (empty($filterFilesType) === true || in_array($ext, $filterFilesType) === true) {
                         $result = copy($_FILES['file']['tmp_name'], $nombre_archivo);
                     } else {
-                        $error_message = 'The uploaded file is not allowed. Only gif, png or jpg files can be uploaded.';
+                        $types_allowed = implode(', ', $filterFilesType);
+                        $error_message = 'The uploaded file is not allowed. Only '.$types_allowed.' files can be uploaded.';
                         throw new Exception(__($error_message));
                     }
                 } catch (Exception $ex) {
@@ -199,20 +198,30 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
             $filepath = $_FILES['file']['tmp_name'];
             $real_directory = filemanager_safe_directory($destination_directory);
             $secure = true;
-            if ($parse_sec2_query[1] === 'operation/snmpconsole/snmp_mib_uploader') {
+            try {
+                $ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
+                if (empty($filterFilesType) === true || in_array($ext, $filterFilesType) === true) {
                     // Security control structure.
                     $zip = new \ZipArchive;
                     if ($zip->open($filepath) === true) {
                         for ($i = 0; $i < $zip->numFiles; $i++) {
                             $unzip_filename = $zip->getNameIndex($i);
                             $extension = pathinfo($unzip_filename, PATHINFO_EXTENSION);
-                        if (strtolower($extension) !== 'mib') {
+                            if (in_array(strtolower($extension), $filterFilesType) === false) {
+                                $error_message = 'The uploaded file is not allowed. Only '.$types_allowed.' files can be uploaded.';
                                 $secure = false;
-                            break;
+                                throw new Exception(__($error_message));
                             }
                         }
                     }
                 }
+            } catch (Exception $ex) {
+                db_pandora_audit(
+                    AUDIT_LOG_FILE_MANAGER,
+                    'Error Uploading files: '.$ex->getMessage()
+                );
+                $config['filemanager']['message'] = ui_print_error_message(__('Upload error').': '.$ex->getMessage());
+            }
 
             if (strpos($real_directory, $default_real_directory) !== 0 || $secure === false) {
                 // Perform security check to determine whether received upload

pandora_console/operation/snmpconsole/snmp_mib_uploader.php

@@ -91,7 +91,7 @@ $create_text_file = (bool) get_parameter('create_text_file');
 $default_real_directory = realpath($config['homedir'].'/'.$fallback_directory);
 
 if ($upload_file_or_zip === true) {
-    upload_file($upload_file_or_zip, $default_real_directory, $real_directory);
+    upload_file($upload_file_or_zip, $default_real_directory, $real_directory, ['mib', 'zip']);
 }
 
 if ($create_text_file === true) {