Commit ad25279a2e44d426e2dbf99fda8a176aa5a31c12

Authored by Conrad Vermeulen
1 parent 61adf64a

WSA-87

"Comparison of folders when validating upload path does not work on windows correctly"
Fixed. Refactored some functionality and made the path separator consistent.

Committed By: Conrad Vermeulen
Reviewed By: Isaac Lundal

git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@7782 c91229c3-7414-0410-bfa2-8a42b809f60b
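--- a/ktapi/KTAPIDocument.inc.php
+++ b/ktapi/KTAPIDocument.inc.php
@@ -35,6 +35,8 @@
 *
 */
 
+//require_once(KT_DIR . '/ktwebservice/KTUploadManager.inc.php');
+
 class KTAPI_Document extends KTAPI_FolderItem
 {
 /**
@@ -175,14 +177,7 @@ class KTAPI_Document extends KTAPI_FolderItem
 }
 DBUtil::commit();
 
-$tempfilename=addslashes($tempfilename);
-$sql = "DELETE FROM uploaded_files WHERE tempfilename='$tempfilename'";
-$result = DBUtil::runQuery($sql);
-if (PEAR::isError($result))
-{
-return $result;
-}
-
+KTUploadManager::temporary_file_imported($tempfilename);
 }
 
 /**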
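Review bot: The `require_once` of KTUploadManager.inc.php is added commented out, yet the replacement line calls `KTUploadManager::temporary_file_imported($tempfilename)`, so this file now relies on some earlier include having loaded the class; ktapi/KTAPIFolder.inc.php in the same commit keeps its `require_once` live, and the two files should agree. `temporary_file_imported` is also declared as a plain instance method in KTUploadManager, so calling it statically appears to work only while the method stays free of `$this` (it does in the visible lines), which deserves a comment at the call site: `// static call: temporary_file_imported() must not use $this`. The enclosing method starts outside the hunk.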
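--- a/ktapi/KTAPIFolder.inc.php
+++ b/ktapi/KTAPIFolder.inc.php
@@ -35,6 +35,8 @@
 *
 */
 
+require_once(KT_DIR . '/ktwebservice/KTUploadManager.inc.php');
+
 class KTAPI_Folder extends KTAPI_FolderItem
 {
 /**
@@ -603,13 +605,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 }
 DBUtil::commit();
 
-$tempfilename=addslashes($tempfilename);
-$sql = "DELETE FROM uploaded_files WHERE tempfilename='$tempfilename'";
-$result = DBUtil::runQuery($sql);
-if (PEAR::isError($result))
-{
-return $result;
-}
+KTUploadManager::temporary_file_imported($tempfilename);
 
 return new KTAPI_Document($this->ktapi, $this, $document);
 }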
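Review bot: The result of `KTUploadManager::temporary_file_imported($tempfilename)` is discarded, whereas the removed lines returned the PEAR error when the DELETE on `uploaded_files` failed; `temporary_file_imported` visibly returns `false` on a query error, so a failed cleanup is now silent and the method still hands back a KTAPI_Document. The same pattern appears in ktapi/KTAPIDocument.inc.php in this commit. At minimum check the result: `if (!KTUploadManager::temporary_file_imported($tempfilename)) { return new PEAR_Error("Could not remove upload record for $tempfilename"); }`. The enclosing method starts outside the hunk.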
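--- a/ktwebservice/KTUploadManager.inc.php
+++ b/ktwebservice/KTUploadManager.inc.php
@@ -52,7 +52,8 @@ class KTUploadManager
 $config = KTConfig::getSingleton();
 
 $this->age = $config->get('webservice/uploadExpiry',60);
-$this->temp_dir= $config->get('webservice/uploadDirectory');
+$this->temp_dir = $config->get('webservice/uploadDirectory');
+$this->temp_dir = str_replace('\\','/', $this->temp_dir);
 }
 
 /**
@@ -67,6 +68,44 @@ class KTUploadManager
 $this->session = $session->get_session();
 }
 
+function get_temp_filename($prefix)
+{
+$tempfilename = tempnam($this->temp_dir,$prefix);
+
+return $tempfilename;
+}
+
+function is_valid_temporary_file($tempfilename)
+{
+$tempdir = substr($tempfilename,0,strlen($this->temp_dir));
+$tempdir = str_replace('\\','/', $tempdir);
+return ($tempdir == $this->temp_dir);
+}
+
+function store_base64_file($base64, $prefix= 'sa_')
+{
+$tempfilename = $this->get_temp_filename($prefix);
+if (!is_writable($tempfilename))
+{
+return new PEAR_Error("Cannot write to file: $tempfilename");
+}
+
+if (!$this->is_valid_temporary_file($tempfilename))
+{
+return new PEAR_Error("Invalid temporary file: $tempfilename. There is a problem with the temporary storage path: $this->temp_dir.");
+}
+
+$fp=fopen($tempfilename, 'wb');
+if ($fp === false)
+{
+return new PEAR_Error("Cannot write content to temporary file: $tempfilename.");
+}
+fwrite($fp, base64_decode($base64));
+fclose($fp);
+
+return $tempfilename;
+}
+
 /**
 * This tells the manager to manage a file that has been uploaded.
 *
@@ -81,7 +120,8 @@ class KTUploadManager
 $now_str=date('YmdHis');
 
 $newtempfile = realpath($this->temp_dir) . '/' . $this->userid . '-'. $now_str;
-if (DIRECTORY_SEPARATOR == '\\') {
+if (OS_WINDOWS)
+{
 $tempfile = str_replace('/','\\',$tempfile);
 $newtempfile = str_replace('\\','/',$newtempfile);
 }
@@ -110,7 +150,6 @@ class KTUploadManager
 
 if ($result == false)
 {
-
 DBUtil::rollback();
 return new PEAR_Error($tmp);
 }
@@ -136,11 +175,10 @@ class KTUploadManager
 return $result;
 }
 
-function imported_file($action, $filename, $documentid)
+function temporary_file_imported($tempfilename)
 {
-DBUtil::startTransaction();
-$filename=basename($filename);
-$sql = "DELETE FROM uploaded_files WHERE action='$action' AND filename='$filename'";
+$tempfilename = addslashes(str_replace('\\','/',$tempfilename));
+$sql = "DELETE FROM uploaded_files WHERE tempfilename='$tempfilename'";
 $rs = DBUtil::runQuery($sql);
 if (PEAR::isError($rs))
 {
@@ -148,15 +186,7 @@ class KTUploadManager
 return false;
 }
 
-$sql = "INSERT INTO index_files(document_id, user_id) VALUES($documentid, $this->userid)";
-DBUtil::runQuery($sql);
-if (PEAR::isError($rs))
-{
-DBUtil::rollback();
-return false;
-}
 
-DBUtil::commit();
 return true;
 }
 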
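Review bot: `is_valid_temporary_file` (second hunk) only checks that the first `strlen($this->temp_dir)` bytes of `$tempfilename` equal the configured directory after backslash normalisation, and it now guards a client-supplied value: `add_document` and `checkin_document` in webservice.php pass `$tempfilename` straight from the request, as the "frig the checkin process" comments there acknowledge. A raw prefix test never canonicalises the path, so `..` segments or symlinks after the prefix are accepted, a sibling directory that shares the prefix (`/tmp/upload` vs `/tmp/uploads`) passes because no trailing separator is required, and on Windows the comparison is case-sensitive while the filesystem is not — the very platform this commit is fixing. Resolving both sides with `realpath()` (the file must already exist, which holds after `tempnam`), appending a separator to the directory and folding case under `OS_WINDOWS` (already used in the `uploaded` hunk) closes those gaps; if a temporary file is always a direct child of `temp_dir`, comparing `dirname()` of the resolved path is stricter still. Separately, `temporary_file_imported` (fifth hunk) drops `DBUtil::startTransaction()` while the hidden lines before `return false;` in the last hunk likely still call `DBUtil::rollback()`, and the rewritten SQL still interpolates an `addslashes()`-escaped value instead of binding a parameter.
```php
function is_valid_temporary_file($tempfilename)
{
    // resolve both sides so '..' segments and symlinks cannot slip past a prefix test
    $dir = realpath($this->temp_dir);
    $file = realpath($tempfilename);
    if ($dir === false || $file === false)
    {
        return false;
    }
    $dir = rtrim(str_replace('\\', '/', $dir), '/') . '/';
    $file = str_replace('\\', '/', $file);
    if (OS_WINDOWS)
    {
        // Windows paths are case-insensitive; compare them that way
        $dir = strtolower($dir);
        $file = strtolower($file);
    }
    // the file must lie inside the directory, separator included
    return (strpos($file, $dir) === 0);
}
```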
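--- a/ktwebservice/webservice.php
+++ b/ktwebservice/webservice.php
@@ -1916,15 +1916,14 @@ class KTWebService
 // we need to add some security to ensure that people don't frig the checkin process to access restricted files.
 // possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
 $upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ($tempdir != $upload_manager->temp_dir)
+if (!$upload_manager->is_valid_temporary_file($tempfilename))
 {
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Invalid temporary file.'
+$response=array(
+'status_code'=>KTWS_ERR_INVALID_DOCUMENT,
+'message'=>"Invalid temporary file: $tempfilename. Not compatible with $upload_manager->temp_dir."
 );
 
-$this->debug("add_document - $upload_manager->temp_dir != $tempdir", $session_id);
+$this->debug("add_document - Invalid temporary file: $tempfilename. Not compatible with $upload_manager->temp_dir.", $session_id);
 
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
 }
@@ -2052,38 +2051,6 @@ class KTWebService
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $kt);
 }
 
-// create a temporary file
-$oConfig = KTConfig::getSingleton();
-$tmp_dir = $oConfig->get('webservice/uploadDirectory');
-
-$tempfilename = tempnam($tmp_dir,'sa_');
-if (!is_writable($tempfilename))
-{
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Cannot write to temp folder: ' + $tempfilename
-);
-$this->debug("add_small_document - cannot write $tempfilename", $session_id);
-
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
-// we need to add some security to ensure that people don't frig the checkin process to access restricted files.
-// possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
-$upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ( $tempdir != $upload_manager->temp_dir)
-{
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Invalid temporary file.'
-);
-
-$this->debug("add_small_document - $upload_manager->temp_dir != $tempdir ", $session_id);
-
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
 $folder = &$kt->get_folder_by_id($folder_id);
 if (PEAR::isError($folder))
 {
@@ -2095,19 +2062,19 @@ class KTWebService
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
 }
 
-// write to the temporary file
-$fp=fopen($tempfilename, 'wb');
-if ($fp === false)
-{
-$response=array(
+$upload_manager = new KTUploadManager();
+$tempfilename = $upload_manager->store_base64_file($base64);
+if (PEAR::isError($tempfilename))
+{
+$reason = $tempfilename->getMessage();
+$response=array(
 'status_code'=>KTWS_ERR_INVALID_DOCUMENT,
-'message'=>'Cannot write to temp file: ' + $tempfilename
+'message'=>'Cannot write to temp file: ' + $tempfilename . ". Reason: $reason"
 );
-$this->debug("add_small_document - cannot get folderid $folder_id" , $session_id);
+$this->debug("add_small_document - cannot write $tempfilename. Reason: $reason", $session_id);
+
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-fwrite($fp, base64_decode($base64));
-fclose($fp);
+}
 
 // simulate the upload
 $upload_manager->uploaded($filename,$tempfilename, 'A');
@@ -2159,8 +2126,7 @@ class KTWebService
 // we need to add some security to ensure that people don't frig the checkin process to access restricted files.
 // possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
 $upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ($tempdir != $upload_manager->temp_dir)
+if (!$upload_manager->is_valid_temporary_file($tempfilename))
 {
 $response['message'] = 'Invalid temporary file';
 $this->debug("checkin_document - $upload_manager->temp_dir != $tempdir", $session_id);
@@ -2282,47 +2248,19 @@ class KTWebService
 'message'=>'',
 );
 
-// create a temporary file
-$oConfig = KTConfig::getSingleton();
-$tmp_dir = $oConfig->get('webservice/uploadDirectory');
-
-$tempfilename = tempnam($tmp_dir,'su_');
-if (!is_writable($tempfilename))
-{
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Cannot write to temp folder: ' + $tempfilename
-);
-
-$this->debug("checkin_small_document - $tempfilename is not writable", $session_id);
-
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
-// we need to add some security to ensure that people don't frig the checkin process to access restricted files.
-// possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
 $upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ($tempdir != $upload_manager->temp_dir)
+$tempfilename = $upload_manager->store_base64_file($base64, 'su_');
+if (PEAR::isError($tempfilename))
 {
-$response['message'] = 'Invalid temporary file';
-$this->debug("checkin_small_document - $upload_manager->temp_dir != $tempdir", $session_id);
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
-// write to the temporary file
-$fp=fopen($tempfilename, 'wb');
-if ($fp === false)
-{
-$response=array(
+$reason = $tempfilename->getMessage();
+$response=array(
 'status_code'=>KTWS_ERR_INVALID_DOCUMENT,
-'message'=>'Cannot write to temp file: ' + $tempfilename
+'message'=>'Cannot write to temp file: ' + $tempfilename . ". Reason: $reason"
 );
-$this->debug("checkin_small_document - cannot write $tempfilename", $session_id);
+$this->debug("checkin_small_document - cannot write $tempfilename. Reason: $reason", $session_id);
+
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-fwrite($fp, base64_decode($base64));
-fclose($fp);
+}
 
 // simulate the upload
 $upload_manager->uploaded($filename,$tempfilename, 'C');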
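Review bot: In the error branch added to `add_small_document` (third hunk) `$tempfilename` holds the PEAR_Error returned by `store_base64_file`, yet it is interpolated into the debug string and combined with `+` in the response message; PEAR_Error does not appear to define `__toString`, so the debug call fails on object-to-string conversion before the SOAP response is built, and `+` on strings is arithmetic rather than concatenation — the `checkin_small_document` hunk repeats both. Build the text from `$reason` alone: `'message'=>"Cannot write to temp file. Reason: $reason"` and `$this->debug("add_small_document - cannot write temporary file. Reason: $reason", $session_id);`. In the `checkin_document` hunk the surviving line `$this->debug("checkin_document - $upload_manager->temp_dir != $tempdir", $session_id);` still references `$tempdir`, whose assignment the hunk removed, while the matching line in `add_document` was updated. Each of these hunks lies inside a method whose start and end are outside the view.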