dolibarr-dev

Re: [Dolibarr-dev] Pb with file upload


From: Régis Houssin
Subject: Re: [Dolibarr-dev] Pb with file upload
Date: Fri, 01 Jun 2012 21:04:51 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

yes

but your comment:

"Note also that stripslashes should never be used anywhere in the code,
because stripslashes is neither an HTML escape, nor a JavaScript escape, nor a
shell or PHP escape function. If stripslashes is used somewhere, this
means there is a bug somewhere else."

well you use it precisely in the main.inc.php :-)

return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));




On 01/06/12 20:54, Laurent Destailleur (eldy) wrote:
> I think I found the bug.
> I tried a fix in the dev branch. Regis, does it work for you?
> 
> 
> On 01/06/2012 20:43, Régis Houssin wrote:
>> yes but I added this in the function dol_unescape_file
>>
>> return trim(basename(stripslashes($filename)), ".\x00..\x20");
>>
>> did you try just making a "return $filename"?
>>
>> which version of PHP do you have?
>>
>>
>>
>>
>>> On 01/06/12 20:23, Laurent Destailleur (eldy) wrote:
>>> Hum, strange.
>>> If I use  Capture d'ecran.docx
>>> I get into $_FILES
>>> Capture d'ecran.docx
>>>
>>> and not
>>> Capture d'ecran.docx
>>>
>>> A cake will be offered to people who can explain this difference!
>>> Well, we must find the criterion that makes this difference and use
>>> it to put an if inside dol_unescape_file to have upload working in
>>> all situations.
>>>
>>> Can you send me your php.ini? I will compare it with mine.
>>>
>>>
>>>
>>>> On 01/06/2012 11:13, Régis Houssin wrote:
>>>> I use this file name: Capture d'ecran.docx
>>>> my function:
>>>>
>>>> trim(basename(stripslashes($filename)), ".\x00..\x20");
>>>>
>>>> a common function found around the internet that can clean the file
>>>> name in $_FILES
>>>>
>>>>
>>>> print $_FILES : Capture d\'ecran.docx
>>>>
>>>>
>>>> with my function:
>>>> file is recorded with name: Capture d'ecran.docx
>>>> source code in link: Capture+d%27ecran.docx
>>>>
>>>> without my function:
>>>> file is recorded with name: Capture d\'ecran.docx
>>>> source code in link: Capture+d%5C%27ecran.docx
>>>> the file is not deleted when I click on the trash
>>>>
>>>>
>>>>
>>>>> On 01/06/12 10:42, Laurent Destailleur (eldy) wrote:
>>>>> I made a fix in the dol_unescapefile file because file upload was broken
>>>>> on linux and windows.
>>>>> I had to remove the stripslashes. I don't see a reason to have it. Maybe
>>>>> there is a difference between mac and linux when uploading a file?
>>>>>
>>>>> If you upload a file called
>>>>> a'b
>>>>> the $_FILES['userfile']['name']; exit;
>>>>> a'b
>>>>>
>>>>> Regis, can you confirm that submitting a file called
>>>>> a'b
>>>>> is still
>>>>> a'b
>>>>> if you make:
>>>>>
>>>>> print $_FILES['userfile']['name']; exit;
>>>>>
>>>>> just after the main.inc.php of a submitted document.php page (you must
>>>>> make show source of html page to see real content, for example with
>>>>> htdocs/societe/documents.php) ?
>>>>>
>>>>>
>>>> Regards,
>> Regards,
> 

Regards,
-- 
Régis Houssin
---------------------------------------------------------
Cap-Networks
Cidex 1130
34, route de Gigny
71240 MARNAY
FRANCE
VoIP: +33 1 83 62 40 03
GSM: +33 6 33 02 07 97
Web: http://www.cap-networks.com/
Email: address@hidden

Dolibarr developer: address@hidden
Web Portal: http://www.dolibarr.fr/
SaaS offers: http://www.dolibox.fr/
Shop: http://www.dolistore.com/
Development platform: https://doliforge.org/
---------------------------------------------------------
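
The file-name normalisation discussed in this thread, as an added example that is not part of the original messages and is not Dolibarr code. `clean_upload_name()` and its `$quotesAdded` flag are hypothetical: the flag stands in for the assumption that the two setups differ in whether the PHP runtime had already backslash-escaped the name (as magic_quotes_gpc did on PHP of that era), and the helper also treats a backslash as a path separator, which the one-liner in the thread does not.

```php
<?php
// Added example, not Dolibarr code. clean_upload_name() is a hypothetical helper.

/**
 * Normalise a client-supplied upload name before storing or linking it.
 * $quotesAdded (assumption): true only when the runtime has already
 * backslash-escaped request data, as magic_quotes_gpc did on old PHP.
 */
function clean_upload_name(string $name, bool $quotesAdded): string
{
    if ($quotesAdded) {
        $name = stripslashes($name);   // undo the escaping exactly once
    }
    // Keep the last path component whichever separator the client sent,
    // then trim dots and bytes 0x00..0x20 (the character list from the thread).
    $name = basename(str_replace('\\', '/', $name));
    return trim($name, ".\x00..\x20");
}

// Constructed sample inputs: [value as seen in $_FILES, escaped by the runtime?]
$samples = [
    ["Capture d\\'ecran.docx", true],    // escaped quote, as printed in the thread
    ["Capture d'ecran.docx", false],     // same file on a setup that adds no backslash
    ["../../conf/conf.php ", false],     // traversal prefix and trailing space
    ["..\\..\\conf\\conf.php", false],   // Windows-style separators
];

foreach ($samples as [$raw, $escaped]) {
    $clean = clean_upload_name($raw, $escaped);
    // urlencode() shows what ends up in the document link for each stored name.
    printf("%-26s -> %-22s link: %s\n", $raw, $clean, urlencode($clean));
}
```

The stored name and the name placed in the link have to come from the same normalised value, otherwise the lookup behind the delete link cannot match the file on disk.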


