From 5809e1bd5e344e36b42974024fcdebde741830a8 Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Tue, 19 Jul 2016 09:43:01 +0200
Subject: [PATCH] Fix clean_up_files_in_zip function
---
 main/inc/lib/api.lib.php | 36 ---------------------------------
 main/inc/lib/fileUpload.lib.php | 27 ++++++++++++++++---------
 2 files changed, 17 insertions(+), 46 deletions(-)
diff --git a/main/inc/lib/api.lib.php b/main/inc/lib/api.lib.php
index ff3e4b4ff7..81c4069ec1 100644
--- a/main/inc/lib/api.lib.php
+++ b/main/inc/lib/api.lib.php
@@ -5698,42 +5698,6 @@ function api_is_element_in_the_session($tool, $element_id, $session_id = null) { function api_replace_dangerous_char($filename) { return URLify::filter($filename, 250, '', true); - - /* - // Safe replacements for some non-letter characters. - static $search = array(',', "\0", ' ', "\t", "\n", "\r", "\x0B", '/', "\\", '"', "'", '?', '*', '>', '<', '|', ':', '$', '(', ')', '^', '[', ']', '#', '+', '&', '%'); - static $replace = array('_', '', '_', '_', '_', '_', '_', '-', '-', '-', '_', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-'); - - // Encoding detection. - $encoding = api_detect_encoding($filename); - // Converting html-entities into encoded characters. - $filename = api_html_entity_decode($filename, ENT_QUOTES, $encoding); - // Transliteration to ASCII letters, they are not dangerous for filesystems. - $filename = api_transliterate($filename, 'x', $encoding); - - // Trimming leading/trailing whitespace. - $filename = trim($filename); - // Trimming any leading/trailing dots. - $filename = trim($filename, '.'); - $filename = trim($filename); - - // Replacing remaining dangerous non-letter characters. - $filename = str_replace($search, $replace, $filename); - if ($strict == 'strict') { - //$filename = str_replace('-', '_', $filename); // See task #1848. - //$filename = preg_replace('/[^0-9A-Za-z_.\-]/', '', $filename); - //Removing "_" character see BT#3628 - $filename = preg_replace('/[^0-9A-Za-z.\-_]/', '', $filename); - } - - // Length is to be limited, so the file name to be acceptable by some operating systems. - $extension = (string)strrchr($filename, '.'); - $extension_len = strlen($extension); - if ($extension_len > 0 && $extension_len < 250) { - $filename = substr($filename, 0, -$extension_len); - return substr($filename, 0, 250 - $extension_len).$extension; - } - return substr($filename, 0, 250);*/ } /** 
diff --git a/main/inc/lib/fileUpload.lib.php b/main/inc/lib/fileUpload.lib.php
index 631973956d..50c4731af9 100755
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@@ -42,7 +42,8 @@ function htaccess2txt($filename) {
 * @see php2phps()
 * @see htaccess2txt()
 */
-function disable_dangerous_file($filename) {
+function disable_dangerous_file($filename)
+{
 return htaccess2txt(php2phps($filename));
 }
@@ -1121,14 +1122,17 @@ function unzip_uploaded_document(
 * This function is a callback function that is used while extracting a zipfile
 * http://www.phpconcept.net/pclzip/man/en/index.php?options-pclzip_cb_pre_extract
 *
- * @param object $p_event
- * @param object $p_header
+ * @param array $p_event
+ * @param array $p_header
 * @return int (If the function returns 1, then the extraction is resumed, if 0 the path was skipped)
 */
 function clean_up_files_in_zip($p_event, &$p_header)
 {
- $res = clean_up_path($p_header['filename']);
- return $res;
+ $originalStoredFileName = $p_header['stored_filename'];
+ $modifiedStoredFileName = clean_up_path($originalStoredFileName);
+ $p_header['filename'] = str_replace($originalStoredFileName, $modifiedStoredFileName, $p_header['filename']);
+
+ return 1;
 }
 /**
@@ -1136,15 +1140,17 @@ function clean_up_files_in_zip($p_event, &$p_header)
 * by eliminating dangerous file names and cleaning them
 *
 * @param string $path
- * @return $path
+ *
+ * @return string
+ *
 * @see disable_dangerous_file()
 * @see api_replace_dangerous_char()
 */
-function clean_up_path(&$path)
+function clean_up_path($path)
 {
 // Split the path in folders and files
 $path_array = explode('/', $path);
- // Clean up every foler and filename in the path
+ // Clean up every folder and filename in the path
 foreach ($path_array as $key => & $val) {
 // We don't want to lose the dots in ././folder/file (cfr. zipfile)
 if ($val != '.') {
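Review bot: `clean_up_files_in_zip()` now returns 1 unconditionally, so the allow/skip verdict the old code passed through from `filter_extension()` (via `clean_up_path()`) no longer reaches PclZip, although the docblock still says a 0 return skips the path. The same result is dropped in the `@@ -1153` hunk, where `filter_extension($path);` is called as a bare statement. `filter_extension()` is not visible in this patch, but if it can return 0 for a disallowed extension, archive entries that used to be skipped will now be extracted; consider keeping the verdict, e.g. `$allowed = filter_extension($modifiedStoredFileName);` before the rewrite and `return $allowed ? 1 : 0;`. Separately, `str_replace()` rewrites every occurrence of the stored name inside `$p_header['filename']`, including a match in the destination directory prefix. Anchoring the replacement to the end of the path, after checking that the path actually ends with the stored name, would be more exact.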
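Review bot: `clean_up_path()` changes its contract in this hunk and the `@@ -1153` one: the argument is no longer taken by reference, and the return value changes from the `filter_extension()` result to the cleaned string. Any caller outside this patch that relies on in-place cleaning, or tests the return as 1/0, would silently keep an uncleaned path or see an always-truthy string, so the remaining call sites are worth checking. The docblock could state the new behaviour explicitly, for example `@return string The cleaned path; the caller's variable is not modified`. The function body continues past the end of this hunk.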
@@ -1153,8 +1159,9 @@ function clean_up_path(&$path)
 }
 // Join the "cleaned" path (modified in-place as passed by reference)
 $path = implode('/', $path_array);
- $res = filter_extension($path);
- return $res;
+ filter_extension($path);
+
+ return $path;
 }
 /**
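Review bot: The context comment `(modified in-place as passed by reference)` is stale now that `clean_up_path()` takes `$path` by value and returns it. The returned string reflects extension filtering only if `filter_extension()` rewrites its argument by reference, which cannot be confirmed from this hunk. A comment on the call would make that dependency visible, e.g. `// filter_extension() is expected to rewrite $path by reference; its return value is not used here`. The function starts outside this hunk.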