[phorkie.git] / src / phorkie / Repository / Post.php
index a982c7fd04a6bade3fe217657b3342576b965f3a..fa356ee3cb0fcfa5ac266fc2898fa69e52f8d462 100644 (file)
@@ -39,12 +39,12 @@ class Repository_Post
                 continue;
             }
 
-            $orignalName = $this->sanitizeFilename($arFile['original_name']);
-            $name        = $this->sanitizeFilename($arFile['name']);
+            $orignalName = Tools::sanitizeFilename($arFile['original_name']);
+            $name        = Tools::sanitizeFilename($arFile['name']);
 
             if ($name == '') {
                 if ($bUpload) {
-                    $name = $this->sanitizeFilename($_FILES['files']['name'][$num]['upload']);
+                    $name = Tools::sanitizeFilename($_FILES['files']['name'][$num]['upload']);
                 } else {
                     $name = $this->getNextNumberedFile('phork')
                         . '.' . $arFile['type'];
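Review bot: The three `Tools::sanitizeFilename` calls introduced here are the only filter between the client-supplied `$arFile['original_name']`, `$arFile['name']` and `$_FILES['files']['name'][$num]['upload']` and the `mv`, `getFileByName` and `file_put_contents` calls later in this method, yet the moved implementation is not part of this diff, so its strength cannot be confirmed from the page. The in-class version deleted in the last hunk strips `/../` in a single left-to-right pass and a leading `../` only once, and its `substr($file, 0, 1) == '../'` test compares a one-character string to a three-character one and can never be true, so inputs like `a/../../b` or a leading `/` pass through it; if `Tools` kept that logic, `$name` can still resolve outside the repository's work tree. I would add a defence-in-depth rejection right after the sanitize calls that does not depend on the helper, e.g. `if ($name !== '' && ($name[0] === '/' || preg_match('#(^|/)\.\.(/|$)#', $name))) { $name = ''; }` so such entries fall into the auto-naming path, with the comment `// never accept absolute paths or .. segments, whatever Tools::sanitizeFilename does`. The enclosing loop and method begin outside this hunk, so the exact place to report the rejected name to the user is not visible here.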
@@ -67,12 +67,17 @@ class Repository_Post
             } else if (isset($arFile['delete']) && $arFile['delete'] == 1) {
                 $bDelete = true;
             } else if ($orignalName != $name) {
-                //FIXME: what to do with overwrites?
-                $vc->getCommand('mv')
-                    ->addArgument($orignalName)
-                    ->addArgument($name)
-                    ->execute();
-                $bChanged = true;
+                if (strpos($name, '/') === false) {
+                    //ignore names with a slash in it, would be new directory
+                    //FIXME: what to do with overwrites?
+                    $vc->getCommand('mv')
+                        ->addArgument($orignalName)
+                        ->addArgument($name)
+                        ->execute();
+                    $bChanged = true;
+                } else {
+                    $name = $orignalName;
+                }
             }
 
             $file = $this->repo->getFileByName($name, false);
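Review bot: The new `strpos($name, '/') === false` guard only protects the rename branch, so a `$name` containing `/` still reaches `getFileByName($name, false)` on the last line of this hunk when the entry is new or when `$orignalName` already equals `$name`, and `$orignalName`, which is also client-supplied, is handed to `mv` as the source without confirming it names a file this repository tracks. The rejected rename is also dropped silently by `$name = $orignalName;` with no feedback to the user, and `$bChanged = true` is set regardless of whether `mv` succeeded, although `git mv` refuses to overwrite an existing target unless forced, which is exactly the overwrite case the FIXME leaves open. I would hoist the slash check to just after the sanitize calls so it covers every branch, verify the source exists before moving (something like `if ($this->repo->getFileByName($orignalName, false) === null) { /* unknown source */ }`, adjusting to whatever `getFileByName` actually returns for a missing file, which is not visible here), and check the `mv` result before setting `$bChanged`. The surrounding `foreach` and the method itself start outside this hunk.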
@@ -83,14 +88,14 @@ class Repository_Post
                 $bChanged = true;
             } else if ($bUpload) {
                 move_uploaded_file(
-                    $_FILES['files']['tmp_name'][$num]['upload'], $file->getPath()
+                    $_FILES['files']['tmp_name'][$num]['upload'], $file->getFullPath()
                 );
                 $command = $vc->getCommand('add')
                     ->addArgument($file->getFilename())
                     ->execute();
                 $bChanged = true;
-            } else if ($bNew || $file->getContent() != $arFile['content']) {
-                file_put_contents($file->getPath(), $arFile['content']);
+            } else if ($bNew || (isset($arFile['content']) && $file->getContent() != $arFile['content'])) {
+                file_put_contents($file->getFullPath(), $arFile['content']);
                 $command = $vc->getCommand('add')
                     ->addArgument($file->getFilename())
                     ->execute();
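Review bot: The `isset($arFile['content'])` check added to the comparison does not protect the write that follows it: when `$bNew` is true the `||` short-circuits, and if the client omitted `content` the call `file_put_contents($file->getFullPath(), $arFile['content'])` runs with an undefined index, raising a notice and committing an empty file. Reading the value once avoids that, e.g. `$content = isset($arFile['content']) ? $arFile['content'] : null;` before the chain, then `} else if ($content !== null && ($bNew || $file->getContent() != $content)) {` and `file_put_contents($file->getFullPath(), $content);`. Neither `move_uploaded_file` nor `file_put_contents` has its return value checked, so a failed write (permissions, disk full, a `$name` whose parent directory does not exist) still triggers `git add` and `$bChanged = true`; testing `=== false` and skipping the add on failure would keep the repository consistent. The method continues past this hunk, so where a write failure should be reported is not visible here.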
@@ -140,28 +145,6 @@ class Repository_Post
 
         return $prefix . $num;
     }
-
-    /**
-     * Removes malicious parts from a file name
-     *
-     * @param string $file File name from the user
-     *
-     * @return string Fixed and probably secure filename
-     */
-    public function sanitizeFilename($file)
-    {
-        $file = trim($file);
-        $file = str_replace(array('\\', '//'), '/', $file);
-        $file = str_replace('/../', '/', $file);
-        if (substr($file, 0, 3) == '../') {
-            $file = substr($file, 3);
-        }
-        if (substr($file, 0, 1) == '../') {
-            $file = substr($file, 1);
-        }
-
-        return $file;
-    }
 }
 
 ?>