Fix: clear file name send by php

2012-06-01 07:14:29 +02:00 · 2012-06-01 07:14:29 +02:00 · 9c42cdc7d3
commit 9c42cdc7d3
parent d79b65ce49
1 changed files with 6 additions and 5 deletions
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@ -486,16 +486,17 @@ function dol_move($srcfile, $destfile, $newmask=0, $overwriteifexists=1)
 }

 /**
- *	Unescape a file submitted by upload. PHP escape char " and only char " into $FILES with %22
- *  This is a bug because when file contains %22, it is not escape, so there is no way to retrieve original value.
- *  So best solution is to keep " as %22 into uploaded filename.
+ *	Unescape a file submitted by upload. PHP escape char " (%22) and char ' (%27) into $FILES
+ *	Before= Capture d\'écran.doc  After= Capture d'écran.doc
 *
 *	@param	string	$filename		Filename
 */
 function dol_unescapefile($filename)
 {
-    //return stripslashes($filename);    // FIXME
-    return $filename;
+	// Remove path information and dots around the filename, to prevent uploading
+	// into different directories or replacing hidden system files.
+	// Also remove control characters and spaces (\x00..\x20) around the filename:
+	return trim(basename(stripslashes($filename)), ".\x00..\x20");
 }

 /**