
Re: [Dolibarr-dev] Pb with file upload


From: Laurent Destailleur (eldy)
Subject: Re: [Dolibarr-dev] Pb with file upload
Date: Sat, 02 Jun 2012 13:46:09 +0200
User-agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

Yes. The initial sentence should be read like this:

"Note also that, IF YOU USE THE RECOMMENDED PHP SETUP, stripslashes should never..."
instead of
"Note also that stripslashes should never..."

If using an old PHP setup (magic_quotes_gpc), PHP makes some undesired escaping that is not HTML, shell, PHP, nor database escaping. stripslashes was provided to solve this problem. So it can be used in main (to solve the PHP bug) but not in core business code. It could be removed completely when everybody uses a recent PHP version that does not contain this feature (considered as a bug by the PHP team now, which is why this feature is now completely removed in the latest PHP 5.4.0 version).


On 01/06/2012 21:04, Régis Houssin wrote:
yes

but your comment:

"Note also that stripslashes should never be used anywhere in the code,
because stripslashes is neither an HTML escape, nor a JavaScript escape, nor a
shell or PHP escape function. If stripslashes is used somewhere, this
means there is a bug somewhere else."

well you use it precisely in main.inc.php :-)

return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));




On 01/06/12 20:54, Laurent Destailleur (eldy) wrote:
I think I found the bug.
I tried a fix in the dev branch. Regis, does it work for you?


On 01/06/2012 20:43, Régis Houssin wrote:
yes, but I added this in the function dol_unescape_file:

return trim(basename(stripslashes($filename)), ".\x00..\x20");

did you try just making a "return $filename"?

which version of PHP do you use?




On 01/06/12 20:23, Laurent Destailleur (eldy) wrote:
Hum, strange.
If I use Capture d'ecran.docx
i get into $_FILES
Capture d'ecran.docx

and not
Capture d'ecran.docx

A cake will be offered to people who can explain this difference!
Well, we must find the criterion that makes this difference and use
it to put an if inside dol_unescape_file to have upload working in
all situations.

Can you send me your php.ini? I will compare it with mine.



On 01/06/2012 11:13, Régis Houssin wrote:
I use this file name: Capture d'ecran.docx
my function:

trim(basename(stripslashes($filename)), ".\x00..\x20");

a common function found around the internet that can clean the file
name in $_FILES


print $_FILES : Capture d\'ecran.docx


with my function:
the file is recorded with name: Capture d'ecran.docx
source code in link: Capture+d%27ecran.docx

without my function:
the file is recorded with name: Capture d\'ecran.docx
source code in link: Capture+d%5C%27ecran.docx
the file is not deleted when I click on the trash



On 01/06/12 10:42, Laurent Destailleur (eldy) wrote:
I made a fix in dol_unescapefile because file upload was broken
on Linux and Windows.
I had to remove the stripslashes. I don't see a reason to have it. Maybe
there is a difference between Mac and Linux when uploading a file?

If you upload a file called
a'b
the $_FILES['userfile']['name']; exit;
a'b

Regis, can you confirm that submitting a file called
a'b
is still
a'b
if you make:

print $_FILES['userfile']['name']; exit;

just after the main.inc.php of a submitted document.php page (you must
view the HTML page source to see the real content, for example with
htdocs/societe/documents.php)?


Cordialement,

--
Eldy (Laurent Destailleur).
---------------------------------------------------------------
EMail: address@hidden
Web: http://www.destailleur.fr

Dolibarr (Project leader): http://www.dolibarr.org
To make a donation for Dolibarr project via Paypal: address@hidden
AWStats (Author) : http://awstats.sourceforge.net
To make a donation for AWStats project via Paypal: address@hidden
AWBot (Author) : http://awbot.sourceforge.net
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
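As an added illustration of the setup discussed in this thread (example code written for this page, not Dolibarr's main.inc.php or dol_unescapefile): the backslashes added by magic_quotes_gpc are undone once, at bootstrap, and only when that setting is actually on, so that business code never needs stripslashes; the upload name is then reduced to a safe basename with the same trim list quoted above. The function names with the `_example` suffix and the `$magic_quotes_on` flag are hypothetical; the flag stands in for the now-removed get_magic_quotes_gpc(), and the sample file names are constructed.

```php
<?php
// Added example, not Dolibarr code. Assumes PHP 7+ syntax.

// Recursively remove the backslashes magic_quotes_gpc added to request data.
// This is a repair for a PHP configuration quirk, not an escaping function.
function stripslashes_deep_example($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep_example', $value)
        : stripslashes($value);
}

// Bootstrap step: normalize request data only if magic quotes were on.
// $magic_quotes_on is a hypothetical flag standing in for get_magic_quotes_gpc().
function normalize_request_example(array $files, bool $magic_quotes_on): array
{
    return $magic_quotes_on ? stripslashes_deep_example($files) : $files;
}

// Business-code step: keep only the basename and strip leading/trailing dots,
// NUL bytes and control characters (the "." plus \x00..\x20 range from the thread).
// No stripslashes here: if a backslash survives to this point, the bootstrap
// did not match the PHP setup, which is the bug to fix instead.
function clean_upload_name_example(string $name): string
{
    return trim(basename($name), ".\x00..\x20");
}

// Constructed samples: the same upload as it arrives with magic quotes off and on,
// plus a name with a directory part and trailing junk that the sanitizer removes.
$samples = [
    ['files' => ['userfile' => ['name' => "Capture d'ecran.docx"]],        'magic' => false],
    ['files' => ['userfile' => ['name' => "Capture d\\'ecran.docx"]],      'magic' => true],
    ['files' => ['userfile' => ['name' => "../../other/report.docx. "]],   'magic' => false],
];

foreach ($samples as $s) {
    $files = normalize_request_example($s['files'], $s['magic']);
    $clean = clean_upload_name_example($files['userfile']['name']);
    printf("magic_quotes=%-3s raw=%-28s clean=%s\n",
        $s['magic'] ? 'on' : 'off',
        $s['files']['userfile']['name'],
        $clean);
}
```

With the flag set correctly, the first two samples both end up as `Capture d'ecran.docx`, which is the behaviour the thread wants on every setup; the third becomes `report.docx`, showing that the trim/basename step is about path and control-character hygiene, not about the magic-quotes backslash. Running stripslashes in clean_upload_name_example as well would silently hide a mismatch between the bootstrap and the PHP configuration, which is exactly the "bug somewhere else" the quoted comment warns about.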



