From 6e2d05f854f06533a82385cd8f49bbfb6cfdd74a Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Fri, 15 Apr 2011 14:07:06 +0200
Subject: [PATCH] Adding validation in the work and document tool when uploading a file with size 0 see #3260
---
 main/inc/ajax/document.ajax.php | 4 +--
 main/inc/lib/document.lib.php | 4 +--
 main/inc/lib/fileUpload.lib.php | 37 ++++++++++++++++---
 main/work/work.lib.php | 40 +++++++++++++++++++++
 main/work/work.php | 63 ++++++++-------------------
 5 files changed, 90 insertions(+), 58 deletions(-)
diff --git a/main/inc/ajax/document.ajax.php b/main/inc/ajax/document.ajax.php
index 790a32e0f0..257bf8fae9 100644
--- a/main/inc/ajax/document.ajax.php
+++ b/main/inc/ajax/document.ajax.php
@@ -4,13 +4,13 @@
 * Responses to AJAX calls for the document upload
 */
 require_once '../global.inc.php';
-if (api_is_anonymous()){
+if (api_is_anonymous()) {
 exit;
 }
 if(!empty($_FILES)) {
 require_once api_get_path(LIBRARY_PATH).'document.lib.php';
 require_once api_get_path(LIBRARY_PATH).'fileDisplay.lib.php';
- $result = DocumentManager::upload_document($_FILES, $_POST['curdirpath'], '', '', 0, 'overwrite');
+ $result = DocumentManager::upload_document($_FILES, $_POST['curdirpath'], '', '', 0, 'overwrite', false, false);
 $file = $_FILES['file'];
 $json = array();
 $json['name'] = Display::url(api_htmlentities($file['name']), $result['url'], array('target'=>'_blank'));
diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php
index c68f8a21a0..6690bed5f5 100755
--- a/main/inc/lib/document.lib.php
+++ b/main/inc/lib/document.lib.php
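Review bot: Passing `false` for the new `$show_output` argument means a rejected upload (zero-length file, missing temp file, filtered extension) now produces no message at all, yet the next line still builds `$json['name']` from `$result['url']` as if the upload had succeeded, so the browser receives a link to nothing. Presumably upload_document returns something non-array on failure; test it before building the response, e.g. `if (empty($result)) { echo json_encode(array('error' => get_lang('UplUploadFailed'))); exit; }` right after the `$result = ...` line. The `if(!empty($_FILES))` block continues past the end of the hunk.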
@@ -1831,12 +1831,12 @@ class DocumentManager {
 }
 $max_filled_space = self::get_course_quota();
 $course_info = api_get_course_info();
- $course_dir = $course_info['path'].'/document';
+ $course_dir = $course_info['path'].'/document';
 $sys_course_path = api_get_path(SYS_COURSE_PATH);
 $base_work_dir = $sys_course_path.$course_dir;
 if (isset($files['file'])) {
- $upload_ok = process_uploaded_file($files['file']);
+ $upload_ok = process_uploaded_file($files['file'], $show_output);
 if ($upload_ok) {
 // File got on the server without problems, now process it
diff --git a/main/inc/lib/fileUpload.lib.php b/main/inc/lib/fileUpload.lib.php
index 144dba7d49..e380828ba9 100755
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
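Review bot: `$show_output` is forwarded to process_uploaded_file here, but nothing in this hunk declares it and the diffstat for this file (2 insertions, 2 deletions) shows no signature change; if upload_document does not already take a `$show_output` parameter, this reads an undefined variable that evaluates to null and silently suppresses every upload error message for all callers. Worth confirming the signature above the hunk, and if the parameter is missing, adding `$show_output = true` to it so existing callers keep their messages. The enclosing upload_document method starts and ends outside the hunk.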
@@ -86,27 +86,54 @@ function get_document_title($name) {
 * @param array $uploaded_file ($_FILES)
 * @return true if upload succeeded
 */
-function process_uploaded_file($uploaded_file) {
+function process_uploaded_file($uploaded_file, $show_output = true) {
 // Checking the error code sent with the file upload.
 switch ($uploaded_file['error']) {
 case 1:
 // The uploaded file exceeds the upload_max_filesize directive in php.ini.
- Display::display_error_message(get_lang('UplExceedMaxServerUpload').ini_get('upload_max_filesize'));
+ if ($show_output)
+ Display::display_error_message(get_lang('UplExceedMaxServerUpload').ini_get('upload_max_filesize'));
 return false;
 case 2:
 // The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.
 // Not used at the moment, but could be handy if we want to limit the size of an upload (e.g. image upload in html editor).
- Display::display_error_message(get_lang('UplExceedMaxPostSize'). round($_POST['MAX_FILE_SIZE']/1024) .' KB');
+ $max_file_size = intval($_POST['MAX_FILE_SIZE']);
+ if ($show_output) {
+ Display::display_error_message(get_lang('UplExceedMaxPostSize'). round($max_file_size/1024) .' KB');
+ }
 return false;
 case 3:
 // The uploaded file was only partially uploaded.
- Display::display_error_message(get_lang('UplPartialUpload').' '.get_lang('PleaseTryAgain'));
+ if ($show_output) {
+ Display::display_error_message(get_lang('UplPartialUpload').' '.get_lang('PleaseTryAgain'));
+ }
 return false;
 case 4:
 // No file was uploaded.
- Display::display_error_message(get_lang('UplNoFileUploaded').' '. get_lang('UplSelectFileFirst'));
+ if ($show_output) {
+ Display::display_error_message(get_lang('UplNoFileUploaded').' '. get_lang('UplSelectFileFirst'));
+ }
 return false;
 }
+
+ if (!file_exists($uploaded_file['tmp_name'])) {
+ // No file was uploaded.
+ if ($show_output) {
+ Display::display_error_message(get_lang('UplUploadFailed'));
+ }
+ return false;
+ }
+ if (file_exists($uploaded_file['tmp_name'])) {
+ $filesize = filesize($uploaded_file['tmp_name']);
+ if (empty($filesize)) {
+ // No file was uploaded.
+ if ($show_output) {
+ Display::display_error_message(get_lang('UplUploadFailed'));
+ }
+ return false;
+ }
+ }
+
 // case 0: default: We assume there is no error, the file uploaded with success.
 return true;
 }
diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index 106b4dda6e..320e8c1227 100755
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
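Review bot: The second `if (file_exists($uploaded_file['tmp_name']))` near the end of the hunk is always true, because the block just before it already returned when the temp file is missing, so the nesting only hides that both branches emit the same 'UplUploadFailed' message; the two checks collapse into one guard. That guard should call `is_uploaded_file()` rather than `file_exists()`: it is also false for a missing temp file, and in addition refuses a `tmp_name` that PHP did not itself receive through the upload mechanism, which is the documented check to make before trusting that path (if some caller builds the array by hand instead of from `$_FILES`, that caller would start to fail, so confirm). `filesize()` returns false on error, so `!filesize(...)` covers both the zero-length and the unreadable case in one expression. The `case 1` branch is the only one whose `if ($show_output)` has no braces; make it match the other three. The docblock above the function still documents only `$uploaded_file`; add `@param bool $show_output Whether to print error messages via Display (default true)`.
```php
function process_uploaded_file($uploaded_file, $show_output = true) {
    // … unchanged: switch ($uploaded_file['error']) { case 1 … case 4 } …

    // PHP reported no error; now make sure the temp file is a real upload and not empty.
    // is_uploaded_file() is false for a missing temp file and for a path PHP did not receive
    // as an upload; filesize() is false on failure, so the negation also covers zero length.
    if (!is_uploaded_file($uploaded_file['tmp_name']) || !filesize($uploaded_file['tmp_name'])) {
        if ($show_output) {
            Display::display_error_message(get_lang('UplUploadFailed'));
        }
        return false;
    }
    return true;
```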
@@ -1638,3 +1638,43 @@ function is_work_exist_by_url($url) { return false; } } + + + + +function make_select($name, $values, $checked = '') { + $output = ''; + return $output; +} + +function make_checkbox($name, $checked = '') { + return ''; +} + +function draw_date_picker($prefix, $default = '') { + //$default = 2008-10-01 10:00:00 + if (empty($default)) { + //$default = date('Y-m-d H:i:s'); + $default = api_get_local_time(); + } + $parts = split(' ', $default); + list($d_year, $d_month, $d_day) = split('-', $parts[0]); + list($d_hour, $d_minute) = split(':', $parts[1]); + + $minute = range(10, 59); + array_unshift($minute, '00', '01', '02', '03', '04', '05', '06', '07', '08', '09'); + $date_form = make_select($prefix.'_day', array_combine(range(1, 31), range(1, 31)), $d_day); + $date_form .= make_select($prefix.'_month', array_combine(range(1, 12), api_get_months_long()), $d_month); + $date_form .= make_select($prefix.'_year', array($d_year => $d_year, $d_year + 1 => $d_year + 1), $d_year).'    '; + $date_form .= make_select($prefix.'_hour', array_combine(range(0, 23), range(0, 23)), $d_hour).' : '; + $date_form .= make_select($prefix.'_minute', $minute, $d_minute); + return $date_form; +} + +function get_date_from_select($prefix) { + return $_POST[$prefix.'_year'].'-'.two_digits($_POST[$prefix.'_month']).'-'.two_digits($_POST[$prefix.'_day']).' '.two_digits($_POST[$prefix.'_hour']).':'.two_digits($_POST[$prefix.'_minute']).':00'; +} \ No newline at end of file diff --git a/main/work/work.php b/main/work/work.php index a2d6d1e932..fe18ffe7da 100755 --- a/main/work/work.php +++ b/main/work/work.php @@ -58,7 +58,7 @@ /* INIT SECTION */ -$language_file = array('exercice', 'work', 'document', 'admin' ); +$language_file = array('exercice', 'work', 'document', 'admin'); require_once '../inc/global.inc.php'; @@ -88,10 +88,10 @@ $stok = Security::get_token(); $htmlHeadXtra[] = to_javascript_work(); $htmlHeadXtra[] = ''; 
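Review bot: `draw_date_picker` splits the date with `split()`, a POSIX-regex function deprecated since PHP 5.3 that raises E_DEPRECATED on every call; the three lines should read `$parts = explode(' ', $default);`, `list($d_year, $d_month, $d_day) = explode('-', $parts[0]);` and `list($d_hour, $d_minute) = explode(':', $parts[1]);`. `get_date_from_select` assembles a date string straight from five `$_POST` fields with no validation, so any non-numeric input flows to whoever consumes the result; casting each part with `intval()` and returning nothing unless `checkdate($month, $day, $year)` holds would keep the helper's output well-formed for its callers. The bodies of `make_select` and `make_checkbox` appear truncated in this rendering (an empty string is assigned and returned), presumably because the embedded HTML was stripped, so I have not reviewed them. Otherwise these functions look like a verbatim move from work.php.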
@@ -504,11 +504,7 @@ if (!empty($_REQUEST['new_dir'])) {
 if (api_get_session_id() != 0 && !api_is_allowed_to_session_edit(false, true)) {
 api_not_allowed();
 }
-
- function get_date_from_select($prefix) {
- return $_POST[$prefix.'_year'].'-'.two_digits($_POST[$prefix.'_month']).'-'.two_digits($_POST[$prefix.'_day']).' '.two_digits($_POST[$prefix.'_hour']).':'.two_digits($_POST[$prefix.'_minute']).':00';
- }
-
+
 $fexpire = get_date_from_select('expires');
 $fend = get_date_from_select('ends');
@@ -875,8 +871,14 @@ if ($ctok == $_POST['sec_token']) { //check the token inserted into the form
 // Transform any .php file in .phps fo security
 $new_file_name = php2phps($new_file_name);
- //filter extension
- if (!filter_extension($new_file_name)) {
+
+ $filesize = filesize($_FILES['file']['tmp_name']);
+
+ if (empty($filesize)) {
+ Display :: display_error_message(get_lang('UplUploadFailed'));
+ $succeed = false;
+ } elseif (!filter_extension($new_file_name)) {
+ //filter extension
 Display :: display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
 $succeed = false;
 } else {
@@ -1207,7 +1209,7 @@ if ($is_course_member) {
 }
 //require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
- require_once (api_get_path(LIBRARY_PATH).'fileDisplay.lib.php');
+ require_once api_get_path(LIBRARY_PATH).'fileDisplay.lib.php';
 $form = new FormValidator('form', 'POST', api_get_self() . "?curdirpath=" . rtrim(Security :: remove_XSS($cur_dir_path),'/') . "&gradebook=".Security::remove_XSS($_GET['gradebook'])."&origin=$origin", '', 'enctype="multipart/form-data"');
@@ -1308,7 +1310,6 @@ if ($is_course_member) {
 $form->setDefaults($defaults);
 //$form->addRule('file', '
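Review bot: In the `@@ -875` hunk, `filesize($_FILES['file']['tmp_name'])` runs before anything checks that an upload actually arrived, so when the browser sent no file (empty `tmp_name`, error code 4) it emits a filesize() warning on a non-existent path and only then lands in the `empty($filesize)` branch; the same zero-length rule also now lives in two places, since this commit adds it to process_uploaded_file in fileUpload.lib.php. As work.php already uses `php2phps` and `filter_extension` from that library, this check can delegate to it: replace the `$filesize` assignment and `if (empty($filesize)) {` with `if (!process_uploaded_file($_FILES['file'])) {` and drop the `Display :: display_error_message(get_lang('UplUploadFailed'));` line, because process_uploaded_file prints that message itself and also rejects the other `$_FILES['error']` codes this branch ignores. If calling the library here is not wanted, at minimum guard with `is_uploaded_file()` before calling filesize. The enclosing `if ($ctok == $_POST['sec_token'])` block starts and ends outside the hunk.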
'.get_lang('ThisFieldIsRequired'), 'required'); $form->display(); - } @@ -1487,40 +1488,4 @@ if (!$display_upload_form && !$display_tool_options) { if ($origin != 'learnpath') { //we are not in the learning path tool Display :: display_footer(); -} - - -/* Some functions */ - -function make_select($name, $values, $checked = '') { - $output = ''; - return $output; -} - -function make_checkbox($name, $checked = '') { - return ''; -} - -function draw_date_picker($prefix, $default = '') { - //$default = 2008-10-01 10:00:00 - if (empty($default)) { - //$default = date('Y-m-d H:i:s'); - $default = api_get_local_time(); - } - $parts = split(' ', $default); - list($d_year, $d_month, $d_day) = split('-', $parts[0]); - list($d_hour, $d_minute) = split(':', $parts[1]); - - $minute = range(10, 59); - array_unshift($minute, '00', '01', '02', '03', '04', '05', '06', '07', '08', '09'); - $date_form = make_select($prefix.'_day', array_combine(range(1, 31), range(1, 31)), $d_day); - $date_form .= make_select($prefix.'_month', array_combine(range(1, 12), api_get_months_long()), $d_month); - $date_form .= make_select($prefix.'_year', array($d_year => $d_year, $d_year + 1 => $d_year + 1), $d_year).'    '; - $date_form .= make_select($prefix.'_hour', array_combine(range(0, 23), range(0, 23)), $d_hour).' : '; - $date_form .= make_select($prefix.'_minute', $minute, $d_minute); - return $date_form; -} +} \ No newline at end of file