// protect against directory traversal
if ($Mode == 'UPDATE_ITEM')
{
- $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+ $row = get_attachment($selected_id);
+ if ($row['filename'] == "")
+ exit();
+ $unique_name = $row['unique_name'];
if ($filename && file_exists($dir."/".$unique_name))
unlink($dir."/".$unique_name);
}
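Review bot: The new `$row['filename'] == ""` guard indexes `$row` before confirming `get_attachment()` returned a row at all, and it trusts `unique_name` straight from the database without the whitelist the removed line applied to the POST value. If `get_attachment()` can return `false`/`null` for an unknown `$selected_id` (not visible here), the offset access emits a warning before the `exit()` fires; and any rows written by older code with an unfiltered `unique_name` would still reach `unlink()` unchecked. A defensive rewrite is `if (!$row || $row['filename'] === '') exit();` followed by `$unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $row['unique_name']);`, which keeps the database lookup but re-applies the filename whitelist as defence in depth. Where `$selected_id` and `$filename` are set is outside this hunk, so I cannot confirm they are validated.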
$filename .= "/".clean_file_name($_FILES['pic']['name']);
//But check for the worst
- if (!in_array( substr($filename,-3), array('jpg','JPG','png','PNG')))
+ if (!in_array( substr($filename,-4), array('.jpg','.JPG','.png','.PNG')))
{
display_error(_('Only jpg and png files are supported - a file extension of .jpg or .png is expected'));
$input_error = 1;
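Review bot: The tightened check on `substr($filename,-4)` still validates only the file name suffix, never the uploaded bytes, so any file renamed to `.jpg` or `.png` is accepted into the image directory. Since the upload's content is what gets served later, add a content check next to the extension test, e.g. `$info = getimagesize($_FILES['pic']['tmp_name']);` and `if (!$info || !in_array($info[2], array(IMAGETYPE_JPEG, IMAGETYPE_PNG), true))` → same `display_error`/`$input_error = 1` path. A bare upload name of `.jpg` also passes the suffix test and yields a dot-file named `/.jpg`, which `clean_file_name()` does not prevent. The `if` opened at the extension check and the rest of the upload handling continue outside this hunk.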
if (is_uploaded_file($_FILES['uploadfile']['tmp_name']))
{
$file1 = $_FILES['uploadfile']['tmp_name'];
- $file2 = $directory . "/LC_MESSAGES/".$_POST['code'].".po";
+ $code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);
+ $file2 = $directory . "/LC_MESSAGES/$code.po";
if (file_exists($file2))
unlink($file2);
move_uploaded_file($file1, $file2);
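Review bot: The new `$code` whitelist can reduce `$_POST['code']` to the empty string (or a notice-emitting undefined index), in which case `$file2` becomes `$directory . "/LC_MESSAGES/.po"` and the following `unlink()`/`move_uploaded_file()` operate on a dot-file rather than a language catalog. Reject that case before building the path: `if ($code === '') { display_error(_('Invalid language code')); } else { … }`, or at least `if ($code === '') exit();`. The return value of `move_uploaded_file()` is also not checked, so a failed write is reported as success. The `if (is_uploaded_file(...))` block opened at the top of this hunk closes outside it.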
if (is_uploaded_file($_FILES['uploadfile2']['tmp_name']))
{
$file1 = $_FILES['uploadfile2']['tmp_name'];
- $file2 = $directory . "/LC_MESSAGES/".$_POST['code'].".mo";
+ $code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);
+ $file2 = $directory . "/LC_MESSAGES/$code.mo";
if (file_exists($file2))
unlink($file2);
move_uploaded_file($file1, $file2);
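Review bot: The `.mo` branch overwrites an existing compiled catalog with whatever was uploaded, with no check that the file is a gettext catalog and no check of the `move_uploaded_file()` result. If these are GNU gettext `.mo` files, a cheap sanity check is the 4-byte magic: `$magic = file_get_contents($file1, false, null, 0, 4);` and `if ($magic !== "\xde\x12\x04\x95" && $magic !== "\x95\x04\x12\xde")` → `display_error(...)` and skip the move. The `preg_replace` on `$_POST['code']` is also duplicated from the `.po` branch; computing `$code` once above both blocks (and rejecting an empty result there) avoids the two copies drifting apart. The enclosing `if` closes outside this hunk.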
//---------------------------------------------------------------------------------------------
end_page();
-?>
\ No newline at end of file
+?>
Changes all not POSIX compatible chars to underscore.
*/
function clean_file_name($filename) {
+ $filename = str_replace(chr(0), '', $filename);
return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
}
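Review bot: The whitelist in `clean_file_name()` keeps `.` unconditionally, so the names `.` and `..` pass through unchanged and a caller that joins the result onto a directory (as `items.php` does with `$dir . "/" . ...`) can still be pointed at the parent directory when no further suffix check applies. Since the function is documented as the filename sanitiser, handle that case here: `if ($filename === '.' || $filename === '..') return '_';` before the `preg_replace`, or strip leading dots with `ltrim($filename, '.')` if dot-files are not wanted either. The added `str_replace(chr(0), ...)` is otherwise redundant with the regex (a NUL would already become `_`), which is fine if the intent is to drop rather than replace it — a one-line comment saying so would help: `// drop NUL outright so "a\0.jpg" stays "a.jpg" rather than "a_.jpg"`. The doc-comment this function belongs to starts outside the hunk.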
function item_img_name($stock_id)
{
- return strtr($stock_id, "><\\/:|*?", '________');
+ $stock_id = strtr($stock_id, "><\\/:|*?", '________');
+ return clean_file_name($stock_id);
}
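Review bot: The retained `strtr()` in `item_img_name()` is now a no-op in effect: every character it maps to `_` (`><\/:|*?`) is outside the `[a-zA-Z0-9.\-_]` class and would be turned into `_` by `clean_file_name()` anyway, so the two calls produce the same string as `clean_file_name()` alone. Simplify the body to `return clean_file_name($stock_id);` so there is a single place that defines what an item image name may contain. Note for the changelog that the new behaviour differs from the old one for characters such as spaces, which were previously preserved and are now underscored — existing image files named from such stock ids will no longer be found.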
-?>
\ No newline at end of file
+?>