[svn r13804] Filter files by extensions in documents, work (student publications) and dropbox (linked with FS#1420)

18 years ago · 5ded415095
parent 59c371f7ee
commit 5ded415095
4 changed files with 284 additions and 254 deletions
--- a/main/dropbox/dropbox_functions.inc.php
+++ b/main/dropbox/dropbox_functions.inc.php
@ -800,7 +800,6 @@ function store_add_dropbox()
 	global $dropbox_cnf;
 	global $_user;
 	global $_course;
 	require_once(api_get_path(LIBRARY_PATH) . "/fileUpload.lib.php");
 	// ----------------------------------------------------------
 	// Validating the form data
@ -899,6 +898,12 @@ function store_add_dropbox()
 	$dropbox_filename = replace_dangerous_char( $dropbox_filename);
 	// Transform any .php file in .phps fo security
 	$dropbox_filename = php2phps ( $dropbox_filename);
 	//filter extension
    if(!filter_extension($dropbox_filename))
    {
    	return get_lang('UplUnableToSaveFileFilteredExtension');
    }
 	// set title
 	$dropbox_title = $dropbox_filename;
 	// set author
@ -911,7 +916,7 @@ function store_add_dropbox()
 	if ( $dropbox_overwrite)  // RH: Mailing: adapted
 	{
-		$dropbox_person = new Dropbox_Person( $_user['user_id'], $is_courseAdmin, $is_courseTutor);
+		$dropbox_person = new Dropbox_Person( $_user['user_id'], api_is_course_admin(), api_is_course_tutor());
 		foreach($dropbox_person->sentWork as $w)
 		{
@ -949,7 +954,7 @@ function store_add_dropbox()
 			$userList = GroupManager::get_subscribed_users(substr($rec, strlen('group_') ));
 			foreach ($userList as $usr)
 			{
-				if (! in_array($usr['user_id'], $newWorkRecipients) && $usr['user_id'] != $_user['user_id'])
+				if (! in_array($usr['user_id'], $new_work_recipients) && $usr['user_id'] != $_user['user_id'])
 				{
 					$new_work_recipients[] = $usr['user_id'];
 				}
--- a/main/dropbox/dropbox_submit.php
+++ b/main/dropbox/dropbox_submit.php
@ -88,7 +88,7 @@ if ( isset( $_POST["submitWork"]))
    /**
     * --------------------------------------
-     *      FORM SUBMIT : VALIDATE POSTED DATA
+     * <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>FORM SUBMIT : VALIDATE POSTED DATA
     * --------------------------------------
     */
    // the author or description field is empty
@ -162,7 +162,7 @@ if ( isset( $_POST["submitWork"]))
    /**
     * --------------------------------------
-     *     FORM SUBMIT : UPLOAD NEW FILE
+     * <EFBFBD><EFBFBD><EFBFBD><EFBFBD>FORM SUBMIT : UPLOAD NEW FILE
     * --------------------------------------
     */
    if ( !$error)
@ -193,7 +193,13 @@ if ( isset( $_POST["submitWork"]))
            $dropbox_filename = replace_dangerous_char( $dropbox_filename);
            // Transform any .php file in .phps fo security
            $dropbox_filename = php2phps ( $dropbox_filename);
-
+            if(!filter_extension($dropbox_filename))
            {
            	$error = true;
            	$errormsg = get_lang('UplUnableToSaveFileFilteredExtension');
            }
            else
            {
 	            // set title
 	            $dropbox_title = $dropbox_filename;
@ -293,6 +299,7 @@ if ( isset( $_POST["submitWork"]))
 		            new Dropbox_SentWork( $_user['user_id'], $dropbox_title, $_POST['description'], strip_tags($_POST['authors']), $dropbox_filename, $dropbox_filesize, $newWorkRecipients);
 	        	}
            }
        }
    } //end if(!$error)
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@ -309,6 +309,14 @@ function handle_uploaded_document($_course,$uploaded_file,$base_work_dir,$upload
 	$clean_name = replace_dangerous_char($uploaded_file['name']);
 	//no "dangerous" files
 	$clean_name = disable_dangerous_file($clean_name);
 	if(!filter_extension($clean_name))
 	{
 		Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
 		return false;
 	}
 	else
 	{
 		//extension is good
 		//echo "<br/>clean name = ".$clean_name;
 		//echo "<br/>upload_path = ".$upload_path;
 		//if the upload path differs from / (= root) it will need a slash at the end
@ -456,6 +464,7 @@ function handle_uploaded_document($_course,$uploaded_file,$base_work_dir,$upload
 					break;
 				}
 		}
 	}
 }
 //------------------------------------------------------------------------------
--- a/main/work/work.php
+++ b/main/work/work.php
@ -23,7 +23,7 @@
 * 	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
 * 	@author Roan Embrechts, code refactoring and virtual course support
 * 	@author Frederic Vauthier, directories management
-*  	@version $Id: work.php 13756 2007-11-23 16:30:17Z elixir_inter $
+*  	@version $Id: work.php 13804 2007-11-28 06:08:00Z yannoo $
 *
 * 	@todo refactor more code into functions, use quickforms, coding standards, ...
 */
@ -631,6 +631,14 @@ if($_POST['submitWork'] && $is_course_member && $check)
 		// Transform any .php file in .phps fo security
 		$new_file_name = php2phps($new_file_name);
 		//filter extension
 	    if(!filter_extension($new_file_name))
 	    {
 	    	Display::display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
 	    	$succeed = false;
 	    }
 	    else
 		{
 			if( ! $title )
 			{
@ -682,6 +690,7 @@ if($_POST['submitWork'] && $is_course_member && $check)
 	        api_item_property_update($_course,'work',$Id,get_lang('DocumentAdded'),$user_id);
 			$succeed = true;
 		}
 	}
 	/*
 	 * SPECIAL CASE ! For a work coming from another area (i.e. groups)