Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Bad Word Filter for File Names, Title, Keyword and Caption  (Read 11235 times)

0 Members and 1 Guest are viewing this topic.

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1503
  • aka 'i-imagine'
    • Home Page

Filter Bad Words from User's Filename, Title, etc.

This mod. will filter bad words from the user input when they upload files. Bad words are replaced with an underscore. The code snip is borrowed from db_input.php, Coppermine's bad word list in the language file is also used, as is the case with bad word filtering for comments. This is for HTTP uploads, when the users uploads from their own computer. It has not been tested yet with url/uri uploads.

Modify file upload.php
    Sections
    • File name filtering
    • Text input - Title, Caption, etc filtering

Quote
In file upload.php find this:[/list]
Code: [Select]
$picture_name = replace_forbidden($_FILES['file_upload_array']['name'][$counter]);

Quote
Add below it this:
Code: [Select]
// Filter input for bad words. Replace with underscore
if ($CONFIG['filter_bad_words']) {
        $ercp = array();
        foreach($lang_bad_words as $word) {
            $ercp[] = '/' . ($word[0] == '*' ? '': '\b') . str_replace('*', '', $word) . ($word[(strlen($word)-1)] ==

'*' ? '': '\b') . '/i';
        }
        $picture_name = preg_replace($ercp, '_', $picture_name);
    }
//
Quote
In file upload.php find:
Code: [Select]
$title = addslashes($_POST['title']);

Quote
Add below it this:
Code: [Select]
// Filter input for bad words. Replace with underscore
if ($CONFIG['filter_bad_words']) {
        $ercp = array();
        foreach($lang_bad_words as $word) {
            $ercp[] = '/' . ($word[0] == '*' ? '': '\b') . str_replace('*', '', $word) . ($word[(strlen($word)-1)] ==

'*' ? '': '\b') . '/i';
        }
        $title = preg_replace($ercp, '_', $title);
    }
//

For each additional field that you want filitered.

Quote
In file upload.php
Code: [Select]
        $caption = addslashes($_POST['caption']);
        $keywords = addslashes($_POST['keywords']);
        $user1 = addslashes($_POST['user1']);
        $user2 = addslashes($_POST['user2']);
        $user3 = addslashes($_POST['user3']);
        $user4 = addslashes($_POST['user4']);

Quote
Select the field names
Code: [Select]
$caption - $keywords - $user1 - $user2 - $user2 - $user4 -

Quote
Insert filter code as shown above - Replace $VARIABLE with the field you want filtered
Code: [Select]
        $VARIABLE = preg_replace($ercp, '_', $VARIABLE);

The mod. was hastily applied to my user's gallery after I found a .jpg named "f  _off" in one of their albums. After a gentle reminder to the artist I realized that this would not be the first time and that maybe a mod. would be less painful than a battle over perceived freedoms of expression.

There might be more efficient ways to apply/code this, the author is an amateur and was rushing to apply a working mod.. Comments and change suggestions are very welcome.

And yes, there are more places that users can be "creative" with their wording, but I wanted for visitors to not turn away when seeing the title of a file.
« Last Edit: May 13, 2009, 05:47:41 pm by i-imagine »
Logged
Pages: [1]   Go Up
 

Page created in 0.018 seconds with 22 queries.