continue;
}
- $orignalName = $this->sanitizeFilename($arFile['original_name']);
- $name = $this->sanitizeFilename($arFile['name']);
+ $orignalName = Tools::sanitizeFilename($arFile['original_name']);
+ $name = Tools::sanitizeFilename($arFile['name']);
if ($name == '') {
if ($bUpload) {
- $name = $this->sanitizeFilename($_FILES['files']['name'][$num]['upload']);
+ $name = Tools::sanitizeFilename($_FILES['files']['name'][$num]['upload']);
} else {
$name = $this->getNextNumberedFile('phork')
. '.' . $arFile['type'];
} else if (isset($arFile['delete']) && $arFile['delete'] == 1) {
$bDelete = true;
} else if ($orignalName != $name) {
- //FIXME: what to do with overwrites?
- $vc->getCommand('mv')
- ->addArgument($orignalName)
- ->addArgument($name)
- ->execute();
- $bChanged = true;
+ if (strpos($name, '/') === false) {
+ //ignore names with a slash in it, would be new directory
+ //FIXME: what to do with overwrites?
+ $vc->getCommand('mv')
+ ->addArgument($orignalName)
+ ->addArgument($name)
+ ->execute();
+ $bChanged = true;
+ } else {
+ $name = $orignalName;
+ }
}
$file = $this->repo->getFileByName($name, false);
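Review bot: The new `strpos($name, '/') === false` guard covers only the rename target; `$orignalName` also comes from the submitted form and is passed to `mv` as the source without the same check, so I would test both, e.g. `if (strpos($name, '/') === false && strpos($orignalName, '/') === false) {`. The guard is also local to this branch: a `$name` taken from `$_FILES['files']['name'][$num]['upload']` in the earlier hunk reaches `getFileByName($name, false)` protected only by `Tools::sanitizeFilename`, whose body is not visible here, so it may be safer to reject directory separators once, right after sanitizing, rather than per branch. The `else` arm silently falls back to the old name; a comment such as `// rename refused: target contains a directory separator` (or a notice to the user) would make that intentional. The enclosing `if`/`else if` chain starts outside this hunk.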
$bChanged = true;
} else if ($bUpload) {
move_uploaded_file(
- $_FILES['files']['tmp_name'][$num]['upload'], $file->getPath()
+ $_FILES['files']['tmp_name'][$num]['upload'], $file->getFullPath()
);
$command = $vc->getCommand('add')
->addArgument($file->getFilename())
->execute();
$bChanged = true;
- } else if ($bNew || $file->getContent() != $arFile['content']) {
- file_put_contents($file->getPath(), $arFile['content']);
+ } else if ($bNew || (isset($arFile['content']) && $file->getContent() != $arFile['content'])) {
+ file_put_contents($file->getFullPath(), $arFile['content']);
$command = $vc->getCommand('add')
->addArgument($file->getFilename())
->execute();
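Review bot: The added `isset($arFile['content'])` only protects the comparison; when `$bNew` is true the condition short-circuits and `file_put_contents($file->getFullPath(), $arFile['content'])` still reads the index unguarded, so a new file submitted without a content field would raise a notice and most likely be written empty. Consider `$content = isset($arFile['content']) ? $arFile['content'] : '';` before the write, or skipping the entry altogether. Separately, the return values of `move_uploaded_file` and `file_put_contents` are ignored, so `add` still runs (and, in the upload branch, `$bChanged = true` is set) even if the write failed; checking for `false` and skipping the `add` would keep a failed or rejected upload from being recorded as a change. The `if`/`else if` chain these branches belong to begins outside the hunk.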
return $prefix . $num;
}
-
- /**
- * Removes malicious parts from a file name
- *
- * @param string $file File name from the user
- *
- * @return string Fixed and probably secure filename
- */
- public function sanitizeFilename($file)
- {
- $file = trim($file);
- $file = str_replace(array('\\', '//'), '/', $file);
- $file = str_replace('/../', '/', $file);
- if (substr($file, 0, 3) == '../') {
- $file = substr($file, 3);
- }
- if (substr($file, 0, 1) == '../') {
- $file = substr($file, 1);
- }
-
- return $file;
- }
}
?>