
fixed issue allowing non images to be uploaded

CauseFX 4 anos atrás
pai
commit
513aecbe4d

+ 25 - 9
api/classes/organizr.class.php

@@ -1962,15 +1962,31 @@ class Organizr
 	public function uploadImage()
 	{
 		$filesCheck = array_filter($_FILES);
-		if (!empty($filesCheck) && $this->approvedFileExtension($_FILES['file']['name'], 'image') && strpos($_FILES['file']['type'], 'image/') !== false) {
-			ini_set('upload_max_filesize', '10M');
-			ini_set('post_max_size', '10M');
-			$tempFile = $_FILES['file']['tmp_name'];
-			$targetPath = $this->root . DIRECTORY_SEPARATOR . 'data' . DIRECTORY_SEPARATOR . 'userTabs' . DIRECTORY_SEPARATOR;
-			$this->makeDir($targetPath);
-			$targetFile = $targetPath . $this->sanitizeUserString($_FILES['file']['name']);
-			$this->setAPIResponse(null, pathinfo($_FILES['file']['name'], PATHINFO_BASENAME) . ' has been uploaded', null);
-			return move_uploaded_file($tempFile, $targetFile);
+		if (!empty($filesCheck)) {
+			if (strpos($_FILES['file']['type'], 'image/') === false) {
+				$this->setResponse(403, 'File Type not approved', $_FILES['file']['type']);
+				return false;
+			}
+			if (!$this->approvedFileType($_FILES['file']['tmp_name'])) {
+				$this->setResponse(403, 'File Type not approved', $_FILES['file']['tmp_name']);
+				return false;
+			}
+			if ($this->approvedFileExtension($_FILES['file']['name'])) {
+				ini_set('upload_max_filesize', '10M');
+				ini_set('post_max_size', '10M');
+				$tempFile = $_FILES['file']['tmp_name'];
+				$targetPath = $this->root . DIRECTORY_SEPARATOR . 'data' . DIRECTORY_SEPARATOR . 'userTabs' . DIRECTORY_SEPARATOR;
+				$this->makeDir($targetPath);
+				$targetFile = $targetPath . $this->sanitizeUserString($_FILES['file']['name']);
+				$this->setAPIResponse(null, pathinfo($_FILES['file']['name'], PATHINFO_BASENAME) . ' has been uploaded', null);
+				return move_uploaded_file($tempFile, $targetFile);
+			} else {
+				$this->setResponse(403, 'File Extension not approved');
+				return false;
+			}
+		} else {
+			$this->setResponse(500, 'No File was uploaded');
+			return false;
 		}
 	}
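Review bot: The `ini_set('upload_max_filesize', '10M')` and `ini_set('post_max_size', '10M')` calls inside the extension branch have no effect: both directives are PHP_INI_PERDIR and cannot be changed at runtime, and the upload has already been received by the time uploadImage() runs, so they should be removed or configured in php.ini/.htaccess instead. The server-side `finfo` check via approvedFileType() is the control that actually matters here; the preceding `$_FILES['file']['type']` comparison only inspects the client-declared type and is at best a fast-fail. The call to `approvedFileExtension($_FILES['file']['name'])` dropped the `'image'` second argument the removed line passed; if that parameter selects the allowed extension list, the stored filename is now validated against whatever the default list is — worth confirming, since the stored extension may influence how the web server treats the file later. The branch also never checks `$_FILES['file']['error'] === UPLOAD_ERR_OK` before trusting `tmp_name`, and the `'No File was uploaded'` case is a client-side omission that would be better reported as 400 than 500.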
 

+ 20 - 2
api/functions/organizr-functions.php

@@ -230,6 +230,24 @@ trait OrganizrFunctions
 		}
 	}
 
+	public function approvedFileType($file, $type = 'image')
+	{
+		$finfo = new finfo(FILEINFO_MIME_TYPE);
+		$ext = $finfo->file($file);
+		if ($type == 'image') {
+			switch ($ext) {
+				case 'image/gif':
+				case 'image/png':
+				case 'image/jpeg':
+				case 'image/pjpeg':
+					return true;
+				default:
+					return false;
+			}
+		}
+		return false;
+	}
+
 	public function getImages()
 	{
 		$allIconsPrep = array();
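Review bot: `$finfo->file($file)` returns `false` when the path cannot be read (a missing or unreadable tmp file), which the `switch` then handles only by accident, and the variable holding the result is named `$ext` although it holds a MIME type, not an extension. The `$type == 'image'` test and the `switch` both use loose comparison where a strict `in_array(..., true)` expresses the same allow-list more directly; `'image/pjpeg'` is a legacy browser-declared type that libmagic does not emit, so that case is dead but harmless. A magic-byte check validates only the file header, so if stronger assurance is wanted the stored image could additionally be re-encoded through GD/Imagick — a mitigation beyond this commit, not a defect in it. A compact strict form:
```php
public function approvedFileType($file, $type = 'image')
{
	$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file);
	if ($mime === false || $type !== 'image') {
		return false;
	}
	return in_array($mime, ['image/gif', 'image/png', 'image/jpeg', 'image/pjpeg'], true);
}
```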
@@ -545,11 +563,11 @@ trait OrganizrFunctions
 		$cacheTime = 604800;
 		$ctx = stream_context_create(array(
 			'http' => array(
-				'timeout' =>5 ,
+				'timeout' => 5,
 				'protocol_version' => 1.1,
 				'header' => 'Connection: close'
 			)
-			));
+		));
 		if ((file_exists($cacheFile) && (time() - $cacheTime) > filemtime($cacheFile)) || !file_exists($cacheFile)) {
 			@copy($url, $cacheFile, $ctx);
 		}

+ 6 - 2
api/pages/settings-image-manager.php

@@ -19,8 +19,12 @@ function get_page_settings_image_manager($Organizr)
       headers:{ "formKey": local("g","formKey") },
       init: function() {
         this.on("complete", function(file) {
-            buildImageManagerView();
-            //$.magnificPopup.close();
+            if(file["status"] === "success"){
+                buildImageManagerView();
+            }else{
+                let response = JSON.parse(file.xhr.responseText);
+            	message("Upload Error", response.response.message,activeInfo.settings.notifications.position,"#FFF","error","5000");
+            }
         });
       }
     });
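Review bot: `JSON.parse(file.xhr.responseText)` on the error path will throw when the response body is not JSON — for example a web-server-generated 413 or 502 page when the upload exceeds a size limit — which leaves the user with no message at all, and `response.response.message` assumes the parsed shape without checking it. Guard the parse and fall back to a generic message: `let response = null; try { response = JSON.parse(file.xhr.responseText); } catch (e) {}` followed by `message("Upload Error", (response && response.response && response.response.message) || "Upload failed", activeInfo.settings.notifications.position, "#FFF", "error", "5000");`. The `message(...)` line also mixes a tab into an otherwise space-indented block. get_page_settings_image_manager() starts and ends outside the hunk.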