From 4ec7c686c37e079260eb8988e340e933cab5257f Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Wed, 23 Aug 2023 15:59:10 -0400
Subject: [PATCH] Updated the checkFileUpload fucntion to use SHA256 instead of MD5 for file reference and check file ext before checking size, also adding some error returns
---
 functions.php | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/functions.php b/functions.php
index dfbf5aa0..1607338f 100644
--- a/functions.php
+++ b/functions.php
@@ -620,23 +620,27 @@ function checkFileUpload($file, $allowed_extensions) {
 $extension = strtolower(end($extarr));
 // Check a file is actually attached/uploaded
- if ($tmp == '') {
- return false;
- }
-
- // Check the size is under 500 MB
- if ($size > 500 * 1024 * 1024) {
- return false;
+ if ($tmp === '') {
+ return "No file was uploaded.";
 }
 // Check the extension is allowed
- if (in_array($extension, $allowed_extensions) === false){
- return false;
+ if (!in_array($extension, $allowed_extensions)) {
+ return "File extension not allowed.";
 }
- // Sanitize & return name
- return md5(time() . $name) . '.' . $extension;
+ // Check the size is under 500 MB
+ $maxSizeBytes = 500 * 1024 * 1024; // 500 MB
+ if ($size > $maxSizeBytes) {
+ return "File size exceeds the limit.";
+ }
+ // Perform additional content-based validation here, if needed
+
+ // Generate a secure filename using SHA-256
+ $secureFilename = hash('sha256', time() . $name) . '.' . $extension;
+
+ return $secureFilename;
 }
 function sanitizeInput($input) {
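Review bot: The three rejection branches now return non-empty strings ("No file was uploaded.", "File extension not allowed.", "File size exceeds the limit.") from the same function that returns the generated filename on success, so a caller can no longer tell a rejected upload from an accepted one. The diffstat shows only functions.php changed, so any existing caller that tests the result against `false` or for truthiness (callers are not visible here) would presumably treat the error text as a filename and go on to store the file, turning the extension and size checks into no-ops. Keep `return false;` on the rejection branches and surface the message separately, or update every caller in the same commit to check an explicit success shape. Separately, `hash('sha256', time() . $name)` is as guessable as the MD5 version because both inputs are predictable, and two same-named uploads within one second collide; if the stored name is meant to be unguessable, `$secureFilename = bin2hex(random_bytes(16)) . '.' . $extension;` would be the change. The body of checkFileUpload starts above this hunk, so how `$tmp`, `$size` and `$extarr` are derived could not be checked.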