From 2e7d58b3ac99d26bc63f2fbef66aac365613dfb5 Mon Sep 17 00:00:00 2001 From: Julio Date: Mon, 4 Jul 2016 14:02:44 +0200 Subject: [PATCH] only clean filename, not all path clean_up_files_in_zip --- composer.json | 2 +- main/inc/lib/fileUpload.lib.php | 19 ++++++++++++------- main/work/upload_corrections.php | 4 ++-- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/composer.json b/composer.json index a08177d8ba..af615fd5ca 100755 --- a/composer.json +++ b/composer.json @@ -121,7 +121,7 @@ "aferrandini/phpqrcode": "1.0.1", "mpdf/mpdf": "6.1.*", "barryvdh/elfinder-builds": "2.1.0.3", - "jbroadway/urlify": "1.0.3-stable", + "jbroadway/urlify": "1.0.7-stable", "monolog/monolog": "~1.0", "ircmaxell/password-compat": "~1.0.4", diff --git a/main/inc/lib/fileUpload.lib.php b/main/inc/lib/fileUpload.lib.php index 1a3b6b5dd1..b1906e3771 100755 --- a/main/inc/lib/fileUpload.lib.php +++ b/main/inc/lib/fileUpload.lib.php @@ -1099,8 +1099,12 @@ function unzip_uploaded_document( */ function clean_up_files_in_zip($p_event, &$p_header) { - $res = clean_up_path($p_header['filename']); - return $res; + $originalFilePath = $p_header['filename']; + $originalFileName = basename($p_header['filename']); + $modifiedFileName = clean_up_path($originalFileName); + $p_header['filename'] = str_replace($originalFileName, $modifiedFileName, $originalFilePath); + + return 1; } /** @@ -1108,11 +1112,11 @@ function clean_up_files_in_zip($p_event, &$p_header) * by eliminating dangerous file names and cleaning them * * @param string $path - * @return int + * @return string * @see disable_dangerous_file() * @see api_replace_dangerous_char() */ -function clean_up_path(&$path) +function clean_up_path($path) { // Split the path in folders and files $path_array = explode('/', $path); 
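Review bot: The new `clean_up_files_in_zip` ends with `return 1;`, so the pre-extract callback can no longer tell the archive library to skip an entry. The removed code returned the value of `filter_extension()` (passed up through `clean_up_path`), and the later hunk at `@@ -1126,7 +1130,8 @@` now leaves that value unused in `$res`. If that value is the allow/deny decision for the file extension, as the old `return $res` suggests, a blocked file type inside an uploaded zip is now extracted; consider ending the callback with `return filter_extension($modifiedFileName);` or otherwise passing the decision back. Separately, `str_replace($originalFileName, $modifiedFileName, $originalFilePath)` rewrites every occurrence of the basename, including a directory segment that contains the same text, whereas `dirname($originalFilePath).'/'.$modifiedFileName` would change only the last segment.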
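Review bot: `clean_up_path($path)` no longer takes its argument by reference and now returns a string instead of the filter result, which changes the contract for every other caller. A caller outside this patch that relied on in-place cleaning or on the integer result would keep using the uncleaned path without any error; none are visible here, so this needs a search of the tree. The docblock could state the new contract, for example `@return string The cleaned path (the argument itself is not modified)`. The function body continues past the end of this hunk.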
@@ -1126,7 +1130,8 @@ function clean_up_path(&$path) // Join the "cleaned" path (modified in-place as passed by reference) $path = implode('/', $path_array); $res = filter_extension($path); - return $res; + + return $path; } /** @@ -1199,7 +1204,7 @@ function filter_extension(&$filename) * @param int $group_id * @param int $session_id Session ID, if any * @param int $userId creator id - * + * * @return int id if inserted document */ function add_document( @@ -1545,7 +1550,7 @@ function create_unexisting_directory( $rs = Database::query($sql); if (Database::num_rows($rs) == 0) { - + $document_id = add_document( $_course, $systemFolderName, diff --git a/main/work/upload_corrections.php b/main/work/upload_corrections.php index ae77402a4f..61120d7f53 100644 --- a/main/work/upload_corrections.php +++ b/main/work/upload_corrections.php @@ -96,7 +96,7 @@ if ($form->validate()) { /* Uncompress zip file*/ // We extract using a callback function that "cleans" the path - $zip->extract( + $result = $zip->extract( PCLZIP_OPT_PATH, $destinationDir, PCLZIP_CB_PRE_EXTRACT, @@ -128,7 +128,6 @@ if ($form->validate()) { $finder = new Finder(); $finder->files()->in($destinationDir); - $table = Database:: get_course_table(TABLE_STUDENT_PUBLICATION); /** @var SplFileInfo $file */ @@ -137,6 +136,7 @@ if ($form->validate()) { $fileName = substr($fileName, 20, strlen($fileName)); $pos = strpos($fileName, '-') + 1; $fileName = substr($fileName, $pos, strlen($fileName)); + if (isset($finalResult[$fileName])) { $workStudentId = $finalResult[$fileName]; $workStudent = get_work_data_by_id($workStudentId);
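Review bot: The context comment `// Join the "cleaned" path (modified in-place as passed by reference)` is no longer true now that `$path` is passed by value and returned. Something like `// Join the cleaned segments; the result is returned, the caller's variable is untouched` would match the new code. `$res` is also never read after `filter_extension($path)`; because that function takes its argument by reference it may still alter `$path`, so either drop the assignment or add a comment saying the return value is ignored on purpose. The start of the function is outside this hunk.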
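Review bot: `$result = $zip->extract(` stores the return value, but neither this hunk nor the next one in this file reads it. PclZip's `extract()` returns 0 on failure, so without a check such as `if ($result === 0) { /* report the error and stop */ }` the code goes on to scan `$destinationDir` after a failed extraction. The call's argument list continues outside the hunk, so a check may exist further down; worth confirming.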