[media] Special characters issue #7386
Conversation
|
The test suite seems to be failing when running make checkstatic however on my VM the command runs without errors. |
pierre-p-s
added
the
"Help! I don't understand Travis!"
pierre-p-s
added
State: Blocked
|
Blocked by #7390 |
|
After discussion with Rida: Remove encoding when inserting into SQL table, line 186 of fileUpload use unsafe insert and fix issues in the database |
ridz1208
added
the
State: Needs work
|
@ridz1208 Let me know if this is a better fix please. |
modules/media/ajax/FileUpload.php
Outdated
| @@ -130,6 +130,7 @@ function uploadFile() | |||
| checkDateTaken($dateTaken); | |||
|
|
|||
| $fileName = preg_replace('/\s/', '_', $_FILES["file"]["name"]); | |||
| $fileName = str_replace("%22", "\"", $fileName); | |||
There was a problem hiding this comment.
does this mean you are accepting quotes in the name of the file ? also its a bit clearer if you use '"' in the second argument
There was a problem hiding this comment.
Well I wanted to include the double quotes because right now we can add a file with it in the name. However we need this check fo it to work. Otherwise I could also send an error through swal refusing the quotes, but in that case what else are we not allowing?
There was a problem hiding this comment.
%22 is URI encoding, your $filename is never coming from the URI... I'm not clear on why its being "decoded" (and BTW decoding should be done with urldecode() https://www.php.net/manual/en/function.urldecode.php not manually like this)
There was a problem hiding this comment.
I changed it to urldecode but I cant find where the fileName is being encoded...
pierre-p-s
removed
State: Blocked
|
This PR still needs a script to change the file names in the sql table as well as in /data/uploads |
pierre-p-s
added
the
State: Needs work
pierre-p-s
removed
the
State: Needs work
Co-authored-by: Rida Abou-Haidar <[email protected]>
jesscall
added
the
Passed manual tests
|
Looks good! |
| ); | ||
|
|
||
| // update name in file system | ||
| shell_exec("mv " . escapeshellarg($media_path . $fileNameURLencoded) . " " . escapeshellarg($media_path . $fileName)); |
There was a problem hiding this comment.
Why isn't this just using rename?
There was a problem hiding this comment.
I missed it while reviewing the document_repository PR, but can you change it in that script too?
There was a problem hiding this comment.
I changed it to rename and I will create a new PR for the document repository script and link it here
There was a problem hiding this comment.
changed the doc repo script in this PR: #7428
There was a problem hiding this comment.
@driusan let me know if it needs more changes
| @@ -0,0 +1,54 @@ | |||
| <?php | |||
Brief summary of changes
Solves an issue when if using special characters (&, <, >, ") the file download fails and the name of the file appears incorrectly in the browse tab of the media module.
The script removes the special characters from the sql data table media as well as from the file system.
Testing instructions (if applicable)