diff --git a/lib/sanitize.inc b/lib/sanitize.inc
index e042003..ae283f3 100644
--- a/lib/sanitize.inc
+++ b/lib/sanitize.inc
@@ -44,7 +44,9 @@ function sanitize($string) {
}
// This might be a little too aggressive
- $pattern = "([^[:alpha:]|^_\.\ \:-])";
+ //$pattern = "([^[:alpha:]|^_\.\ \:-])";
+ // Allow numeric characters
+ $pattern = "([^[:alnum:]|^_\.\ \:-])";
return ereg_replace($pattern, '', $string);
}
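Review bot: The bracket expression on the new `$pattern` line admits more than the comment suggests: inside a POSIX bracket expression (which `ereg_replace` uses) `|`, a non-leading `^` and `\` are literal, so pipe, caret and backslash survive the strip alongside the intended `_ . space : -` — a backslash getting through matters wherever the result later reaches a SQL string or a shell. If the whitelist is meant to be alnum plus those five, write it explicitly: `$pattern = "[^[:alnum:]_. :-]";`. `[:alnum:]` is also locale-dependent, so accented letters are kept or stripped depending on LC_CTYPE, and `ereg_replace` is deprecated from PHP 5.3 onward; `preg_replace('/[^\p{L}\p{N}_. :-]/u', '', $string)` avoids both problems. The commented-out old pattern can be dropped rather than kept; version control holds it.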
diff --git a/lib/util/sanitize.inc b/lib/util/sanitize.inc
index e042003..ae283f3 100644
--- a/lib/util/sanitize.inc
+++ b/lib/util/sanitize.inc
@@ -44,7 +44,9 @@ function sanitize($string) {
}
// This might be a little too aggressive
- $pattern = "([^[:alpha:]|^_\.\ \:-])";
+ //$pattern = "([^[:alpha:]|^_\.\ \:-])";
+ // Allow numeric characters
+ $pattern = "([^[:alnum:]|^_\.\ \:-])";
return ereg_replace($pattern, '', $string);
}
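Review bot: This is a byte-identical second copy of `sanitize()` — lib/sanitize.inc carries the same function and the same change, while the callers in this commit `require_once` lib/util/sanitize.inc — and since PHP has no function overloading, any request that ends up including both files dies with a "Cannot redeclare sanitize()" fatal. Keep a single definition and have the other file `require_once` it (or delete the duplicate), so the whitelist cannot drift between the two copies. The same bracket-expression caveat applies here: `|`, `^` and `\` are literal inside the POSIX bracket and pass through the filter.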
diff --git a/plugins/ktcore/document/edit.php b/plugins/ktcore/document/edit.php
index a5de966..8731825 100644
--- a/plugins/ktcore/document/edit.php
+++ b/plugins/ktcore/document/edit.php
@@ -40,9 +40,9 @@ require_once(KT_LIB_DIR . '/documentmanagement/documentutil.inc.php');
require_once(KT_LIB_DIR . '/triggers/triggerregistry.inc.php');
require_once(KT_LIB_DIR . '/permissions/permission.inc.php');
require_once(KT_LIB_DIR . '/permissions/permissionutil.inc.php');
-
require_once(KT_LIB_DIR . "/widgets/forms.inc.php");
require_once(KT_LIB_DIR . "/metadata/fieldsetregistry.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
// {{{ KTDocumentEditAction
class KTDocumentEditAction extends KTDocumentAction {
@@ -191,7 +191,7 @@ class KTDocumentEditAction extends KTDocumentAction {
if ($this->oDocument->getDocumentTypeId() != $doctypeid) {
$this->oDocument->setDocumentTypeId($doctypeid);
}
- $this->oDocument->setName($data['document_title']);
+ $this->oDocument->setName(sanitize($data['document_title']));
$res = $this->oDocument->update();
if (PEAR::isError($res)) {
$oForm->handleError(sprintf(_kt("Unexpected failure to update document title: %s"), $res->getMessage()));
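Review bot: The new `setName(sanitize(...))` line silently rewrites the title the user typed — `Q&A (draft) #3` is stored as `QA draft 3` — and nothing tells the user, because `$data['document_title']` has already passed form validation by this point. Input stripping is the wrong layer for an XSS control: keep the title intact and escape it at render time with `htmlspecialchars($title, ENT_QUOTES)`; if the whitelist is a deliberate naming policy instead, compare `sanitize($data['document_title']) !== $data['document_title']` and surface a validation error through the form rather than storing an altered value. The enclosing method starts before the hunk.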
diff --git a/plugins/ktcore/folder/Rename.php b/plugins/ktcore/folder/Rename.php
index eb21e43..12ca085 100644
--- a/plugins/ktcore/folder/Rename.php
+++ b/plugins/ktcore/folder/Rename.php
@@ -30,13 +30,12 @@
*/
require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
-
require_once(KT_LIB_DIR . "/widgets/fieldsetDisplay.inc.php");
require_once(KT_LIB_DIR . "/widgets/FieldsetDisplayRegistry.inc.php");
require_once(KT_LIB_DIR . "/foldermanagement/folderutil.inc.php");
require_once(KT_LIB_DIR . "/documentmanagement/observers.inc.php");
-
require_once(KT_LIB_DIR . "/documentmanagement/documentutil.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
class KTFolderRenameAction extends KTFolderAction {
var $sName = 'ktcore.actions.folder.rename';
@@ -88,8 +87,7 @@ class KTFolderRenameAction extends KTFolderAction {
}
}
- $res = KTFolderUtil::rename($this->oFolder, $sFolderName, $this->oUser);
-
+ $res = KTDocumentUtil::rename($this->oDocument, sanitize($sFilename), $this->oUser);
if (PEAR::isError($res)) {
$_SESSION['KTErrorMessage'][] = $res->getMessage();
redirect(KTBrowseUtil::getUrlForFolder($this->oFolder));
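Review bot: The new line breaks folder rename: this is `KTFolderRenameAction`, yet the replacement calls `KTDocumentUtil::rename($this->oDocument, sanitize($sFilename), ...)`, and neither `$this->oDocument` nor `$sFilename` appears in the visible hunk — the removed line used `$this->oFolder` and `$sFolderName`, and the redirect two lines below still uses `$this->oFolder` — so this looks like a paste from the document rename action and will rename the wrong thing or fail on an undefined object. The intended change is one line: `$res = KTFolderUtil::rename($this->oFolder, sanitize($sFolderName), $this->oUser);`. The enclosing method starts before the hunk.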
diff --git a/plugins/ktcore/folder/addDocument.php b/plugins/ktcore/folder/addDocument.php
index a9f6020..04e1817 100644
--- a/plugins/ktcore/folder/addDocument.php
+++ b/plugins/ktcore/folder/addDocument.php
@@ -30,15 +30,13 @@
*/
require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
-
require_once(KT_LIB_DIR . "/widgets/fieldsetDisplay.inc.php");
require_once(KT_LIB_DIR . "/widgets/FieldsetDisplayRegistry.inc.php");
require_once(KT_LIB_DIR . "/foldermanagement/folderutil.inc.php");
require_once(KT_LIB_DIR . "/documentmanagement/observers.inc.php");
-
require_once(KT_LIB_DIR . "/documentmanagement/documentutil.inc.php");
-
require_once(KT_LIB_DIR . "/metadata/fieldsetregistry.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
class KTFolderAddDocumentAction extends KTFolderAction {
var $sName = 'ktcore.actions.folder.addDocument';
@@ -282,8 +280,8 @@ class KTFolderAddDocumentAction extends KTFolderAction {
);
$aFile = $this->oValidator->validateFile($extra_d['file'], $aErrorOptions);
- $sTitle = $extra_d['document_name'];
-
+ $sTitle = sanitize($extra_d['document_name']);
+
$iFolderId = $this->oFolder->getId();
$aOptions = array(
'contents' => new KTFSFileLike($aFile['tmp_name']),
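Review bot: After the new `$sTitle = sanitize(...)` line the title is never re-checked, so a name made only of characters outside the whitelist (e.g. `???`, or a non-Latin title under the C locale) becomes `''` and an untitled document is created — the uploaded file is validated on the line above, the name is not. Add a check after the strip, e.g. `$this->oValidator->notEmpty($sTitle, array('message' => _kt("Please provide a document title")));`, or better, validate the raw value and reject it rather than silently rewriting it, since the user gets no indication that `Report (final)` was stored as `Report final`. The enclosing method starts before the hunk.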
diff --git a/plugins/ktstandard/KTDiscussion.php b/plugins/ktstandard/KTDiscussion.php
index db5ff52..3e69b53 100644
--- a/plugins/ktstandard/KTDiscussion.php
+++ b/plugins/ktstandard/KTDiscussion.php
@@ -32,7 +32,7 @@
require_once(KT_LIB_DIR . '/widgets/fieldWidgets.php');
require_once(KT_LIB_DIR . '/discussions/DiscussionThread.inc');
require_once(KT_LIB_DIR . '/discussions/DiscussionComment.inc');
-
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
define('DISCUSSION_OPEN', 0);
define('DISCUSSION_CONCLUSION', 1);
@@ -177,8 +177,8 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
$oComment = DiscussionComment::createFromArray(array(
'threadid' => $oThread->getId(),
'userid' => $this->oUser->getId(),
- 'subject' => $sSubject,
- 'body' => KTUtil::formatPlainText($sBody),
+ 'subject' => sanitize($sSubject),
+ 'body' => sanitize(KTUtil::formatPlainText($sBody)),
));
$aErrorOptions['message'] = _kt("There was an error adding the comment to the thread");
$this->oValidator->notError($oComment, $aErrorOptions);
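Review bot: Running `sanitize()` over a free-text comment body strips every apostrophe, comma, question mark, quote and parenthesis, so `Don't merge, it's broken!` is stored as `Dont merge its broken` — and because it is applied to the output of `KTUtil::formatPlainText()`, any markup that helper emits (not visible here) is destroyed as well. The XSS control for comment text belongs at render time (`htmlspecialchars($body, ENT_QUOTES)` in the template) with the stored body left intact; if escaping must happen on input, `'body' => KTUtil::formatPlainText(htmlspecialchars($sBody, ENT_QUOTES))` keeps the text readable, and the same applies to `'subject'`. The enclosing method starts before the hunk.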
@@ -306,8 +306,8 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
$oComment = DiscussionComment::createFromArray(array(
'threadid' => $oThread->getId(),
'userid' => $this->oUser->getId(),
- 'subject' => $sSubject,
- 'body' => KTUtil::formatPlainText($sBody),
+ 'subject' => sanitize($sSubject),
+ 'body' => sanitize(KTUtil::formatPlainText($sBody)),
));
$aErrorOptions['message'] = _kt("There was an error adding the comment to the thread");
$this->oValidator->notError($oComment, $aErrorOptions);
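Review bot: This `DiscussionComment::createFromArray` call is now the second identical copy of the one in the earlier hunk — same keys, same `sanitize(...)` and `sanitize(KTUtil::formatPlainText(...))` wrapping — so the escaping policy for comments lives in two places and the next change to it (for instance moving to output escaping) has to be made twice. Factor it into one private helper, e.g. `function _createComment($oThread, $sSubject, $sBody)` returning the comment, and call it from both paths. The same lossy-strip concern applies here: `sanitize()` removes apostrophes, commas and quotes from the stored body. The enclosing method starts before the hunk.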
@@ -387,7 +387,7 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
}
$aErrorOptions['message'] = _kt("No reason provided");
- $sReason = $this->oValidator->validateString(KTUtil::arrayGet($_REQUEST, 'reason'), $aErrorOptions);
+ $sReason = sanitize($this->oValidator->validateString(KTUtil::arrayGet($_REQUEST, 'reason'), $aErrorOptions));
if($iStateId > $oThread->getState()) {
$sTransactionNamespace = 'ktcore.transactions.collaboration_step_approve';
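Review bot: The new line validates first and strips second, so `validateString()` (whose `_kt("No reason provided")` message suggests an emptiness check) sees the raw value while the stored `$sReason` is the stripped one; a reason of `!!!` or `???` passes validation and is recorded as an empty string. Swap the order so the check runs on what is actually kept: `$sReason = $this->oValidator->validateString(sanitize(KTUtil::arrayGet($_REQUEST, 'reason')), $aErrorOptions);`. Note that the strip also removes apostrophes and commas from the reason text the user wrote. The enclosing method starts before the hunk.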
diff --git a/search/simpleSearch.php b/search/simpleSearch.php
index a500e3a..6e19389 100644
--- a/search/simpleSearch.php
+++ b/search/simpleSearch.php
@@ -37,11 +37,10 @@ require_once(KT_LIB_DIR . "/util/ktutil.inc");
require_once(KT_LIB_DIR . "/browse/DocumentCollection.inc.php");
require_once(KT_LIB_DIR . "/browse/BrowseColumns.inc.php");
require_once(KT_LIB_DIR . "/browse/PartialQuery.inc.php");
-
require_once(KT_LIB_DIR . "/foldermanagement/Folder.inc");
-
require_once(KT_LIB_DIR . '/browse/columnregistry.inc.php');
require_once(KT_LIB_DIR . '/actions/bulkaction.php');
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
class SimpleSearchTitleColumn extends TitleColumn {
function setSearch($sSearch) {
@@ -143,7 +142,7 @@ class SimpleSearchDispatcher extends KTStandardDispatcher {
$aErrorOptions = array(
"message" => _kt("Please provide a search term"),
);
- $searchable_text = KTUtil::arrayGet($_REQUEST, "fSearchableText");
+ $searchable_text = sanitize(KTUtil::arrayGet($_REQUEST, "fSearchableText"));
$this->oValidator->notEmpty($searchable_text, $aErrorOptions);
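Review bot: Stripping before `notEmpty` is the right order, but `sanitize()` removes the characters search syntax is built from — `"`, `*`, `?`, `+`, `(`, `)`, `&` — so a phrase search `"annual report"` or a wildcard `rep*` runs as a plain word search with no feedback, and accented or non-Latin terms may vanish entirely under a C locale. If the intent is to stop SQL injection in the search backend (not visible here), the fix is a parameterised query or the backend's own escaping, not a character whitelist; at minimum, show the user the effective query when it differs from what they typed. The enclosing method starts before the hunk.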
diff --git a/view.php b/view.php
index 26a6adc..e5c9283 100755
--- a/view.php
+++ b/view.php
@@ -35,6 +35,7 @@ require_once(KT_LIB_DIR . "/templating/kt3template.inc.php");
require_once(KT_LIB_DIR . "/dispatcher.inc.php");
require_once(KT_LIB_DIR . "/util/ktutil.inc");
require_once(KT_LIB_DIR . "/database/dbutil.inc");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
// document related includes
require_once(KT_LIB_DIR . "/documentmanagement/Document.inc");
@@ -94,12 +95,12 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
function do_main() {
// fix legacy, broken items.
if (KTUtil::arrayGet($_REQUEST, "fDocumentID", true) !== true) {
- $_REQUEST["fDocumentId"] = KTUtil::arrayGet($_REQUEST, "fDocumentID");
+ $_REQUEST["fDocumentId"] = sanitize(KTUtil::arrayGet($_REQUEST, "fDocumentID"));
unset($_REQUEST["fDocumentID"]);
}
$document_data = array();
- $document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');
+ $document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'));
if ($document_id === null) {
$this->oPage->addError(sprintf(_kt("No document was requested. Please browse for one."), KTBrowseUtil::getBrowseBaseUrl()));
return $this->do_error();
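Review bot: The `=== null` check on `$document_id` is now dead: when `fDocumentId` is absent, `arrayGet()` returns null, `sanitize()` runs `ereg_replace()` over it and returns the string `''`, and `'' === null` is false, so the "No document was requested" branch is skipped and the request proceeds with an empty ID. Document IDs are integers, and the whitelist is not an integer check anyway (letters and spaces pass, so `1 OR 1` survives intact); keep the null check on the raw value and then coerce: `$document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');` / `if ($document_id === null) { ... }` / `$document_id = (int)$document_id;`. The same applies to the `$_REQUEST["fDocumentId"]` assignment in the legacy branch above. `do_main` continues past the hunk.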
@@ -250,7 +251,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
function do_viewComparison() {
$document_data = array();
- $document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');
+ $document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'));
if ($document_id === null) {
$this->oPage->addError(sprintf(_kt("No document was requested. Please browse for one."), KTBrowseUtil::getBrowseBaseUrl()));
return $this->do_error();
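Review bot: Same dead check as in `do_main`: `sanitize()` turns a missing `fDocumentId` (null from `arrayGet`) into `''` via `ereg_replace()`, so `$document_id === null` on the next line can no longer be true and the error page for a missing ID is unreachable. Apply the strip — or better, an integer cast — after the null check rather than before: `$document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId'); if ($document_id === null) { ... } $document_id = (int)$document_id;`. `do_viewComparison` continues past the hunk.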
@@ -258,7 +259,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
$document_data["document_id"] = $document_id;
- $base_version = KTUtil::arrayGet($_REQUEST, 'fBaseVersion');
+ $base_version = sanitize(KTUtil::arrayGet($_REQUEST, 'fBaseVersion'));
// try get the document.
$oDocument =& Document::get($document_id, $base_version);
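Review bot: `sanitize()` changes an absent `fBaseVersion` from null to `''` (`ereg_replace` always returns a string), so `Document::get($document_id, $base_version)` now receives `''` instead of null when no base version is given; whether `Document::get` treats the two the same (null commonly meaning "current version") is not visible here and should be confirmed. Keep null as null: `$base_version = KTUtil::arrayGet($_REQUEST, 'fBaseVersion'); if ($base_version !== null) { $base_version = sanitize($base_version); }`, or cast to int if version identifiers are numeric. The enclosing method starts and ends outside the hunk.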
@@ -283,7 +284,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
$this->aBreadcrumbs = array_merge($this->aBreadcrumbs, KTBrowseUtil::breadcrumbsForDocument($oDocument, $aOptions));
$this->oPage->setBreadcrumbDetails(_kt("compare versions"));
- $comparison_version = KTUtil::arrayGet($_REQUEST, 'fComparisonVersion');
+ $comparison_version = sanitize(KTUtil::arrayGet($_REQUEST, 'fComparisonVersion'));
if ($comparison_version=== null) {
$this->oPage->addError(sprintf(_kt("No comparison version was requested. Please select a version."), KTUtil::addQueryStringSelf('action=history&fDocumentId=' . $document_id)));
return $this->do_error();
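Review bot: As with `$document_id` above, the `=== null` test on the next line is unreachable now that `sanitize()` has converted a missing `fComparisonVersion` to `''`, so the "No comparison version was requested" error is never shown and an empty version string flows on to whatever follows. Check the raw value first: `$comparison_version = KTUtil::arrayGet($_REQUEST, 'fComparisonVersion'); if ($comparison_version === null) { ... } $comparison_version = sanitize($comparison_version);`. The enclosing method starts and ends outside the hunk.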