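/**
 * Validate a file or folder path before a file-manager operation is carried out.
 *
 * The checks run in this order: insecure-path check on the file and on the
 * parent folder (request parameter "pid"); extension whitelist check for
 * existing files (only when $this->arrValidFileTypes is non-empty); check that
 * the file and the parent folder are located inside the configured upload
 * directory; refusal of edit/paste/delete on a non-admin user's file mount root.
 *
 * @param string $strFile The file or folder path relative to TL_ROOT
 *
 * @return boolean True if every check passes
 *
 * @throws AccessDeniedException If any of the checks fails
 */
protected function isValid($strFile)
{
    $strFolder = \Input::get('pid', true);

    // Check the path
    if (\Validator::isInsecurePath($strFile)) {
        throw new AccessDeniedException('Invalid file name "' . $strFile . '" (hacking attempt).');
    } elseif (\Validator::isInsecurePath($strFolder)) {
        throw new AccessDeniedException('Invalid folder name "' . $strFolder . '" (hacking attempt).');
    }

    // Check for valid file types (existing files only, and only if a whitelist is configured)
    if (!empty($this->arrValidFileTypes) && is_file(TL_ROOT . '/' . $strFile)) {
        // Everything after the last dot; a name without a dot yields the whole name
        $strExtension = preg_replace('/.*\\.(.*)$/ui', '$1', $strFile);

        // Strict comparison: the whitelist is a list of extension strings
        if (!in_array(strtolower($strExtension), $this->arrValidFileTypes, true)) {
            throw new AccessDeniedException('File "' . $strFile . '" is not an allowed file type.');
        }
    }

    // Build the upload-path prefix pattern once. The prefix has to be followed by a
    // directory separator or the end of the string; a bare prefix match would also
    // accept a sibling directory that merely starts with the same name (e.g. "<uploadPath>_old/").
    $strUploadPath = rtrim(\Config::get('uploadPath'), '/');
    $strPattern = '/^' . preg_quote($strUploadPath, '/') . '(\/|$)/i';

    // Check whether the file is within the files directory
    if (!preg_match($strPattern, $strFile)) {
        throw new AccessDeniedException('File or folder "' . $strFile . '" is not within the files directory.');
    }

    // Check whether the parent folder is within the files directory
    if ($strFolder && !preg_match($strPattern, $strFolder)) {
        throw new AccessDeniedException('Parent folder "' . $strFolder . '" is not within the files directory.');
    }

    // Do not allow file operations on root folders (file mounts) of non-admin users
    if (in_array(\Input::get('act'), ['edit', 'paste', 'delete'], true)) {
        $this->import('BackendUser', 'User');

        if (!$this->User->isAdmin && in_array($strFile, $this->User->filemounts, true)) {
            throw new AccessDeniedException('Attempt to edit, copy, move or delete the root folder "' . $strFile . '".');
        }
    }

    return true;
}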