Fix clean_up_files_in_zip function

10 years ago · 5809e1bd5e
parent 415ca7c7aa
commit 5809e1bd5e
2 changed files with 17 additions and 46 deletions
--- a/main/inc/lib/api.lib.php
+++ b/main/inc/lib/api.lib.php
@ -5698,42 +5698,6 @@ function api_is_element_in_the_session($tool, $element_id, $session_id = null) {
 function api_replace_dangerous_char($filename)
 {
    return URLify::filter($filename, 250, '', true);
-
-    /*
-    // Safe replacements for some non-letter characters.
-    static $search  = array(',', "\0", ' ', "\t", "\n", "\r", "\x0B", '/', "\\", '"', "'", '?', '*', '>', '<', '|', ':', '$', '(', ')', '^', '[', ']', '#', '+', '&', '%');
-    static $replace = array('_', '', '_', '_', '_', '_', '_', '-', '-', '-', '_', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-');
-
-    // Encoding detection.
-    $encoding = api_detect_encoding($filename);
-    // Converting html-entities into encoded characters.
-    $filename = api_html_entity_decode($filename, ENT_QUOTES, $encoding);
-    // Transliteration to ASCII letters, they are not dangerous for filesystems.
-    $filename = api_transliterate($filename, 'x', $encoding);
-
-    // Trimming leading/trailing whitespace.
-    $filename = trim($filename);
-    // Trimming any leading/trailing dots.
-    $filename = trim($filename, '.');
-    $filename = trim($filename);
-
-    // Replacing remaining dangerous non-letter characters.
-    $filename = str_replace($search, $replace, $filename);
-    if ($strict == 'strict') {
-        //$filename = str_replace('-', '_', $filename); // See task #1848.
-        //$filename = preg_replace('/[^0-9A-Za-z_.\-]/', '', $filename);
-        //Removing "_" character see BT#3628
-        $filename = preg_replace('/[^0-9A-Za-z.\-_]/', '', $filename);
-    }
-
-    // Length is to be limited, so the file name to be acceptable by some operating systems.
-    $extension = (string)strrchr($filename, '.');
-    $extension_len = strlen($extension);
-    if ($extension_len > 0 && $extension_len < 250) {
-        $filename = substr($filename, 0, -$extension_len);
-        return substr($filename, 0, 250 - $extension_len).$extension;
-    }
-    return substr($filename, 0, 250);*/
 }

 /**
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@ -42,7 +42,8 @@ function htaccess2txt($filename) {
 * @see php2phps()
 * @see htaccess2txt()
 */
-function disable_dangerous_file($filename) {
+function disable_dangerous_file($filename)
+{
    return htaccess2txt(php2phps($filename));
 }

@ -1121,14 +1122,17 @@ function unzip_uploaded_document(
 * This function is a callback function that is used while extracting a zipfile
 * http://www.phpconcept.net/pclzip/man/en/index.php?options-pclzip_cb_pre_extract
 *
- * @param object $p_event
- * @param object $p_header
+ * @param array $p_event
+ * @param array $p_header
 * @return int (If the function returns 1, then the extraction is resumed, if 0 the path was skipped)
 */
 function clean_up_files_in_zip($p_event, &$p_header)
 {
-    $res = clean_up_path($p_header['filename']);
-    return $res;
+    $originalStoredFileName = $p_header['stored_filename'];
+    $modifiedStoredFileName = clean_up_path($originalStoredFileName);
+    $p_header['filename'] = str_replace($originalStoredFileName, $modifiedStoredFileName, $p_header['filename']);
+
+    return 1;
 }

 /**
@ -1136,15 +1140,17 @@ function clean_up_files_in_zip($p_event, &$p_header)
 * by eliminating dangerous file names and cleaning them
 *
 * @param string $path
- * @return $path
+ *
+ * @return string
+ *
 * @see disable_dangerous_file()
 * @see api_replace_dangerous_char()
 */
-function clean_up_path(&$path)
+function clean_up_path($path)
 {
    // Split the path in folders and files
    $path_array = explode('/', $path);
-    // Clean up every foler and filename in the path
+    // Clean up every folder and filename in the path
    foreach ($path_array as $key => & $val) {
        // We don't want to lose the dots in ././folder/file (cfr. zipfile)
        if ($val != '.') {
@ -1153,8 +1159,9 @@ function clean_up_path(&$path)
    }
    // Join the "cleaned" path (modified in-place as passed by reference)
    $path = implode('/', $path_array);
-    $res = filter_extension($path);
-    return $res;
+    filter_extension($path);
+
+    return $path;
 }

 /**