the code base is not compromised
Definitely good news – sorry, I misread your earlier post.
we want to limit what files can be uploaded
OK, gotcha. In OJS 3.x there is a plugin for this called the “Allowed Uploads” plugin; once you get there I’d recommend installing it. (You’ll still need to ensure that your files_dir is outside the web root or otherwise protected – just using the Allowed Uploads plugin isn’t enough to run a secure OJS install.)
For OJS 2.x, it’s been a little while since I worked with this, so your mileage may vary – but I think the operative check on file uploads is in lib/pkp/classes/file/FileManager.inc.php in the parseFileExtension function. It checks for .php files but not .phtml, which is sometimes configured to execute server-side. You can extend that function to add additional checks, or change the current behavior when a check fails (currently it adds a .txt to the end of the filename when the check is triggered).
I just need to understand your first suggestion regarding the Full Package. Are you saying that from 2.3.6 we can upgrade simply by preserving the config, public and files_dir against a full install of the latest package with no impact from a DB perspective?
Yes – but after you upgrade the code and point it at your old database etc., you’ll have to run the upgrade script (also described in the “Full Package” documentation) to upgrade the database. Of course, take a good backup of everything before you do this.
Public Knowledge Project Team
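The extension check discussed in the reply above, as an added example that is not PKP/OJS code and does not reproduce FileManager.inc.php: it keeps the behaviour the reply describes (append ".txt" when a server-executable extension is found) and extends the check to .phtml. Only .php and .phtml come from the thread; the other denied extensions, the allowed-extension list, and the function names are assumptions for illustration, and the double-extension check goes beyond the thread.

```php
<?php
// Added example (not OJS code). Demonstrates an upload extension check that
// appends ".txt" to a filename when a server-executable extension is found,
// covering .phtml in addition to .php, plus an allow-list variant.

// Extensions the web server may execute. ".php" and ".phtml" come from the
// discussion; the rest are ASSUMED and must be matched against whatever your
// own web server configuration actually hands to the PHP interpreter.
const DENIED_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar'];

// Extensions this installation is willing to accept (hypothetical list).
const ALLOWED_EXTENSIONS = ['pdf', 'doc', 'docx', 'odt', 'rtf', 'txt', 'png', 'jpg', 'jpeg'];

/**
 * Lower-cased final extension of $filename without the dot, or '' if none.
 */
function parseExtension(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

/**
 * Deny-list check. Every dot-separated segment after the base name is
 * inspected, not just the last one, so "shell.php.bak" is also neutralised:
 * some web server setups map a handler onto any ".php" segment in a name
 * (ASSUMED; verify against your own server configuration). When a denied
 * segment is found, ".txt" is appended, mirroring the behaviour described
 * in the reply above.
 */
function sanitizeByDenylist(string $filename): string
{
    $segments = explode('.', $filename);
    array_shift($segments); // drop the base name, keep only extension segments
    foreach ($segments as $segment) {
        if (in_array(strtolower($segment), DENIED_EXTENSIONS, true)) {
            return $filename . '.txt';
        }
    }
    return $filename;
}

/**
 * Allow-list check, the safer default: anything whose final extension is not
 * explicitly permitted gets ".txt" appended, and the deny-list pass still runs
 * so that an executable segment hidden before an allowed extension is caught.
 */
function sanitizeByAllowlist(string $filename): string
{
    $ext = parseExtension($filename);
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return $filename . '.txt';
    }
    return sanitizeByDenylist($filename);
}

// Constructed sample filenames, not taken from any real submission.
$samples = [
    'manuscript.pdf',
    'figure1.PNG',
    'backdoor.php',
    'backdoor.phtml',     // the case the reply says the 2.x check misses
    'backdoor.php.jpg',   // double extension, final segment looks harmless
    'README',             // no extension at all
];

foreach ($samples as $name) {
    printf("%-20s denylist=%-24s allowlist=%s\n",
        $name, sanitizeByDenylist($name), sanitizeByAllowlist($name));
}
```

Appending ".txt" is what the reply says the 2.x code does; it keeps the upload but stops the server treating it as a script. If you change that behaviour to reject the upload outright, make sure the rejection is reported to the user rather than silently dropped, and remember that none of this replaces keeping files_dir outside the web root.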