Upload Class File


mcmannehan

I'm wondering why the check for illegal characters doesn't exist!!! Neither in the Frozen nor in the Bootstrap 4 version. So I recommend changing the function parse completely to this:

Start at about line 35 of catalog/admin/includes/classes/upload.php

function parse() {
      global $messageStack;

      $file = array();

      if (isset($_FILES[$this->file])) {
        $file = array('name' => $_FILES[$this->file]['name'],
                      'type' => $_FILES[$this->file]['type'],
                      'size' => $_FILES[$this->file]['size'],
                      'tmp_name' => $_FILES[$this->file]['tmp_name']);
      } elseif (isset($_FILES[$this->file])) {
        $file = array('name' => $_FILES[$this->file]['name'],
                      'type' => $_FILES[$this->file]['type'],
                      'size' => $_FILES[$this->file]['size'],
                      'tmp_name' => $_FILES[$this->file]['tmp_name']);
      }

      if ( tep_not_null($file['tmp_name']) && ($file['tmp_name'] != 'none') && is_uploaded_file($file['tmp_name']) ) {
        if (sizeof($this->extensions) > 0) {
          if (!in_array(strtolower(substr($file['name'], strrpos($file['name'], '.')+1)), $this->extensions)) {
            if ($this->message_location == 'direct') {
              $messageStack->add(ERROR_FILETYPE_NOT_ALLOWED, 'error');
            } else {
              $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
            }

            return false;
          }
        }
        //BOC by mcmannehan
        if (preg_match('/^([-\.\w]+)$/', $file['name']) !== true) {
          $message = sprintf(ERROR_FILE_ILLEGAL_CHAR, $file['name']);
          if ($this->message_location == 'direct') {
            $messageStack->add($message, 'error');
          } else {
            $messageStack->add_session($message, 'error');
          }
          return false;
        }
        //EOC
        $this->set_file($file);
        $this->set_filename($file['name']);
        $this->set_tmp_filename($file['tmp_name']);

        return $this->check_destination();
      } else {
        if ($this->message_location == 'direct') {
          $messageStack->add(WARNING_NO_FILE_UPLOADED, 'warning');
        } else {
          $messageStack->add_session(WARNING_NO_FILE_UPLOADED, 'warning');
        }

        return false;
      }
    }

And add this to catalog/admin/includes/languages/english.php:

const ERROR_FILE_ILLEGAL_CHAR = 'Invalid character in the file name! <strong>%s</strong>. Spaces and special characters are not allowed in Internet filenames. Allowed are: a-z A-Z 0-9 - _';

"const" has some restrictions, but it's much better and faster than define.

  • The clever one learns from everything and from everybody
  • The normal one learns from his experience
  • The silly one knows everything better

[Socrates, 412 BC]

Computers help us with the problems we wouldn't have without them!
99.9% of the bugs sit in front of the computer!
My programmed add-ons: WDW EasyTabs 1.0.3, WDW Facebook Like 1.0.0

if(isset($this) || !isset($this)){ // that's the question...


The changes in the regex are wrong. To allow only a-z A-Z 0-9 - _ . the regex must be:

if (preg_match('/^[-A-Za-z0-9._]+$/i', $file['name']) == false) {
  $message = sprintf(ERROR_FILE_ILLEGAL_CHAR, $file['name']);
  if ($this->message_location == 'direct') {
    $messageStack->add($message, 'error');
  } else {
    $messageStack->add_session($message, 'error');
  }
  return false;
}

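A stand-alone version of the two checks the thread discusses (character whitelist, then extension whitelist), as an added example that is not the osCommerce upload class itself; the function name and the sample filenames are made up for the demonstration, and the comment on preg_match() explains why the first post's "!== true" comparison never passes:

```php
<?php
// Added example, not code from the osCommerce upload class.
// Function name and sample inputs are hypothetical.

function is_safe_upload_filename(string $name, array $allowed_extensions): bool {
    // 1. Character whitelist, as in the corrected regex from the thread.
    //    preg_match() returns 1, 0 or false, never true, so compare with === 1;
    //    the first post's "!== true" comparison would reject every filename.
    if (preg_match('/^[-A-Za-z0-9._]+$/', $name) !== 1) {
        return false;
    }
    // 2. Extension whitelist (text after the last dot), as the class does.
    $dot = strrpos($name, '.');
    if ($dot === false) {
        return false;          // no extension at all
    }
    $ext = strtolower(substr($name, $dot + 1));
    return in_array($ext, $allowed_extensions, true);
}

$allowed = ['jpg', 'jpeg', 'png', 'gif'];

// Constructed sample names with the expected result of the check.
$samples = [
    'product-1_small.png' => true,   // plain name, allowed extension
    'Photo 2.JPG'         => false,  // space is not in the character whitelist
    '../photo.jpg'        => false,  // '/' is rejected by the regex
    'photo.php'           => false,  // extension not whitelisted
    '.htaccess'           => false,  // extension 'htaccess' not whitelisted
    'ünïcode.png'         => false,  // non-ASCII letters are not in the whitelist
];

foreach ($samples as $name => $expected) {
    $ok = is_safe_upload_filename($name, $allowed);
    printf("%-22s %s\n", $name, $ok ? 'accepted' : 'rejected');
    assert($ok === $expected);
}
```

Run it with `php example.php`; each line shows whether the sample name would be accepted, and the assertions fail if the checks drift from the expected behaviour.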
