Feature #3257 improv encode decode and security

14 years ago · d8ad26bf6a
parent 6b44756797
commit d8ad26bf6a
2 changed files with 8 additions and 6 deletions
--- a/main/document/record_audio.php
+++ b/main/document/record_audio.php
@ -144,7 +144,7 @@ function submitVoice() {
 	//path, url and filename
 	var filename = document.getElementById("audio_title").value+".wav";	
 	var filename = filename.replace(/\s/g, "_");//replace spaces by _
-	//var filename =encodeURIComponent(filename);//TODO:implement encode here and decode into receiver.php	
+	var filename = encodeURIComponent(filename);//TODO:implement a good encode into receiver.php	
 	var filepath="<?php echo urlencode($filepath); ?>";
 	var dir="<?php echo urlencode($dir); ?>";	
 	var urlnanogong="../inc/lib/nanogong/receiver.php?filename="+filename+"&filepath="+filepath+"&dir="+dir;	
--- a/main/inc/lib/nanogong/receiver.php
+++ b/main/inc/lib/nanogong/receiver.php
@ -21,14 +21,16 @@ if (!isset($_GET['filename']) || !isset($_GET['filepath']) || !isset($_GET['dir'
 if (!is_uploaded_file($_FILES['voicefile']['tmp_name'])) exit;

 //clean
-$filename=$_GET['filename'];//TODO: decode when encode the source url 
+$filename=$_GET['filename'];
+$filename=urldecode($filename);//TODO: implement a good for record_audio.php encodeURIComponent
 $filepath=urldecode($_GET['filepath']);
 $dir=urldecode($_GET['dir']);

-$filename=trim($_GET['filename']);
-$filename=Security::remove_XSS($filename);
-$filename=Database::escape_string($filename);
-replace_dangerous_char($filename, $strict = 'loose');// or strict
+$filename = trim($_GET['filename']);
+$filename = Security::remove_XSS($filename);
+$filename = Database::escape_string($filename);
+$filename = replace_dangerous_char($filename, $strict = 'loose');// or strict
+$filename = disable_dangerous_file($filename);

 //
 $documentPath = $filepath.$filename;