Commit ad25279a2e44d426e2dbf99fda8a176aa5a31c12

Authored by Conrad Vermeulen
1 parent 61adf64a

WSA-87

"Comparison of folders when validating upload path does not work on windows correctly"
Fixed. Refactored some functionality and made the path separator consistent.

Committed By: Conrad Vermeulen
Reviewed By: Isaac Lundal

git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@7782 c91229c3-7414-0410-bfa2-8a42b809f60b
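--- a/ktapi/KTAPIDocument.inc.php
+++ b/ktapi/KTAPIDocument.inc.php
@@ -35,6 +35,8 @@
 *
 */
 
+//require_once(KT_DIR . '/ktwebservice/KTUploadManager.inc.php');
+
 class KTAPI_Document extends KTAPI_FolderItem
 {
 /**
@@ -175,14 +177,7 @@ class KTAPI_Document extends KTAPI_FolderItem
 }
 DBUtil::commit();
 
-$tempfilename=addslashes($tempfilename);
-$sql = "DELETE FROM uploaded_files WHERE tempfilename='$tempfilename'";
-$result = DBUtil::runQuery($sql);
-if (PEAR::isError($result))
-{
-return $result;
-}
-
+KTUploadManager::temporary_file_imported($tempfilename);
 }
 
 /**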
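Review bot: The new call `KTUploadManager::temporary_file_imported($tempfilename);` at line 180 discards the method's return value, whereas the removed block returned the `DBUtil::runQuery` error to the caller, so a failed DELETE is now silent and the stale `uploaded_files` row is left behind. The method returns `false` on failure (see ktwebservice/KTUploadManager.inc.php in this commit), so the caller can check it: `if (!KTUploadManager::temporary_file_imported($tempfilename)) { return new PEAR_Error('Could not clear temporary upload record'); }`; the same unchecked call appears at line 608 of ktapi/KTAPIFolder.inc.php. Note also that `temporary_file_imported` is declared as a plain instance method and is invoked statically here, and this file's first hunk leaves the `require_once` of KTUploadManager commented out, so the class must already be loaded by another include before this code runs. The enclosing function starts and ends outside the hunk.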
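--- a/ktapi/KTAPIFolder.inc.php
+++ b/ktapi/KTAPIFolder.inc.php
@@ -35,6 +35,8 @@
 *
 */
 
+require_once(KT_DIR . '/ktwebservice/KTUploadManager.inc.php');
+
 class KTAPI_Folder extends KTAPI_FolderItem
 {
 /**
@@ -603,13 +605,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 }
 DBUtil::commit();
 
-$tempfilename=addslashes($tempfilename);
-$sql = "DELETE FROM uploaded_files WHERE tempfilename='$tempfilename'";
-$result = DBUtil::runQuery($sql);
-if (PEAR::isError($result))
-{
-return $result;
-}
+KTUploadManager::temporary_file_imported($tempfilename);
 
 return new KTAPI_Document($this->ktapi, $this, $document);
 }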
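--- a/ktwebservice/KTUploadManager.inc.php
+++ b/ktwebservice/KTUploadManager.inc.php
@@ -52,7 +52,8 @@ class KTUploadManager
 $config = KTConfig::getSingleton();
 
 $this->age = $config->get('webservice/uploadExpiry',60);
-$this->temp_dir= $config->get('webservice/uploadDirectory');
+$this->temp_dir = $config->get('webservice/uploadDirectory');
+$this->temp_dir = str_replace('\\','/', $this->temp_dir);
 }
 
 /**
@@ -67,6 +68,44 @@ class KTUploadManager
 $this->session = $session->get_session();
 }
 
+function get_temp_filename($prefix)
+{
+$tempfilename = tempnam($this->temp_dir,$prefix);
+
+return $tempfilename;
+}
+
+function is_valid_temporary_file($tempfilename)
+{
+$tempdir = substr($tempfilename,0,strlen($this->temp_dir));
+$tempdir = str_replace('\\','/', $tempdir);
+return ($tempdir == $this->temp_dir);
+}
+
+function store_base64_file($base64, $prefix= 'sa_')
+{
+$tempfilename = $this->get_temp_filename($prefix);
+if (!is_writable($tempfilename))
+{
+return new PEAR_Error("Cannot write to file: $tempfilename");
+}
+
+if (!$this->is_valid_temporary_file($tempfilename))
+{
+return new PEAR_Error("Invalid temporary file: $tempfilename. There is a problem with the temporary storage path: $this->temp_dir.");
+}
+
+$fp=fopen($tempfilename, 'wb');
+if ($fp === false)
+{
+return new PEAR_Error("Cannot write content to temporary file: $tempfilename.");
+}
+fwrite($fp, base64_decode($base64));
+fclose($fp);
+
+return $tempfilename;
+}
+
 /**
 * This tells the manager to manage a file that has been uploaded.
 *
@@ -81,7 +120,8 @@ class KTUploadManager
 $now_str=date('YmdHis');
 
 $newtempfile = realpath($this->temp_dir) . '/' . $this->userid . '-'. $now_str;
-if (DIRECTORY_SEPARATOR == '\\') {
+if (OS_WINDOWS)
+{
 $tempfile = str_replace('/','\\',$tempfile);
 $newtempfile = str_replace('\\','/',$newtempfile);
 }
@@ -110,7 +150,6 @@ class KTUploadManager
 
 if ($result == false)
 {
-
 DBUtil::rollback();
 return new PEAR_Error($tmp);
 }
@@ -136,11 +175,10 @@ class KTUploadManager
 return $result;
 }
 
-function imported_file($action, $filename, $documentid)
+function temporary_file_imported($tempfilename)
 {
-DBUtil::startTransaction();
-$filename=basename($filename);
-$sql = "DELETE FROM uploaded_files WHERE action='$action' AND filename='$filename'";
+$tempfilename = addslashes(str_replace('\\','/',$tempfilename));
+$sql = "DELETE FROM uploaded_files WHERE tempfilename='$tempfilename'";
 $rs = DBUtil::runQuery($sql);
 if (PEAR::isError($rs))
 {
@@ -148,15 +186,7 @@ class KTUploadManager
 return false;
 }
 
-$sql = "INSERT INTO index_files(document_id, user_id) VALUES($documentid, $this->userid)";
-DBUtil::runQuery($sql);
-if (PEAR::isError($rs))
-{
-DBUtil::rollback();
-return false;
-}
 
-DBUtil::commit();
 return true;
 }
 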
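Review bot: `is_valid_temporary_file` (new lines 78-83) only compares a raw string prefix of `$tempfilename` against `$this->temp_dir`, so a path with `..` segments below the upload directory, or a sibling directory whose name merely starts with the same characters, passes the check, and the comparison is a loose `==` with no trailing separator. Because webservice.php passes the caller-supplied tempfilename straight into this method for add_document and checkin_document, resolve both sides with `realpath()` and compare against the directory plus a separator, as below; `realpath()` returns false for a missing file, which should count as invalid. `store_base64_file` also leaves the file created by `tempnam()` behind when the writable or validity check fails and never inspects `fwrite()`'s return, so a short write is reported as success — consider `unlink($tempfilename)` on those error paths and `if (fwrite($fp, base64_decode($base64)) === false) { fclose($fp); return new PEAR_Error("Cannot write content to temporary file: $tempfilename."); }`. In `temporary_file_imported` the `DBUtil::startTransaction()` call is removed but the line between its two hunks is not visible; if it is still `DBUtil::rollback()`, that now runs outside any transaction.
```php
function is_valid_temporary_file($tempfilename)
{
    // Resolve both paths so '..' segments and symlinks are canonicalised before the
    // containment check; realpath() returns false for a non-existent path, treated as invalid.
    $dir = realpath($this->temp_dir);
    $file = realpath($tempfilename);
    if ($dir === false || $file === false)
    {
        return false;
    }
    $dir = rtrim(str_replace('\\', '/', $dir), '/') . '/';
    $file = str_replace('\\', '/', $file);
    return strncmp($file, $dir, strlen($dir)) === 0;
}
```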
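--- a/ktwebservice/webservice.php
+++ b/ktwebservice/webservice.php
@@ -1916,15 +1916,14 @@ class KTWebService
 // we need to add some security to ensure that people don't frig the checkin process to access restricted files.
 // possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
 $upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ($tempdir != $upload_manager->temp_dir)
+if (!$upload_manager->is_valid_temporary_file($tempfilename))
 {
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Invalid temporary file.'
+$response=array(
+'status_code'=>KTWS_ERR_INVALID_DOCUMENT,
+'message'=>"Invalid temporary file: $tempfilename. Not compatible with $upload_manager->temp_dir."
 );
 
-$this->debug("add_document - $upload_manager->temp_dir != $tempdir", $session_id);
+$this->debug("add_document - Invalid temporary file: $tempfilename. Not compatible with $upload_manager->temp_dir.", $session_id);
 
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
 }
@@ -2052,38 +2051,6 @@ class KTWebService
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $kt);
 }
 
-// create a temporary file
-$oConfig = KTConfig::getSingleton();
-$tmp_dir = $oConfig->get('webservice/uploadDirectory');
-
-$tempfilename = tempnam($tmp_dir,'sa_');
-if (!is_writable($tempfilename))
-{
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Cannot write to temp folder: ' + $tempfilename
-);
-$this->debug("add_small_document - cannot write $tempfilename", $session_id);
-
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
-// we need to add some security to ensure that people don't frig the checkin process to access restricted files.
-// possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
-$upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ( $tempdir != $upload_manager->temp_dir)
-{
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Invalid temporary file.'
-);
-
-$this->debug("add_small_document - $upload_manager->temp_dir != $tempdir ", $session_id);
-
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
 $folder = &$kt->get_folder_by_id($folder_id);
 if (PEAR::isError($folder))
 {
@@ -2095,19 +2062,19 @@ class KTWebService
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
 }
 
-// write to the temporary file
-$fp=fopen($tempfilename, 'wb');
-if ($fp === false)
-{
-$response=array(
+$upload_manager = new KTUploadManager();
+$tempfilename = $upload_manager->store_base64_file($base64);
+if (PEAR::isError($tempfilename))
+{
+$reason = $tempfilename->getMessage();
+$response=array(
 'status_code'=>KTWS_ERR_INVALID_DOCUMENT,
-'message'=>'Cannot write to temp file: ' + $tempfilename
+'message'=>'Cannot write to temp file: ' + $tempfilename . ". Reason: $reason"
 );
-$this->debug("add_small_document - cannot get folderid $folder_id" , $session_id);
+$this->debug("add_small_document - cannot write $tempfilename. Reason: $reason", $session_id);
+
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-fwrite($fp, base64_decode($base64));
-fclose($fp);
+}
 
 // simulate the upload
 $upload_manager->uploaded($filename,$tempfilename, 'A');
@@ -2159,8 +2126,7 @@ class KTWebService
 // we need to add some security to ensure that people don't frig the checkin process to access restricted files.
 // possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
 $upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ($tempdir != $upload_manager->temp_dir)
+if (!$upload_manager->is_valid_temporary_file($tempfilename))
 {
 $response['message'] = 'Invalid temporary file';
 $this->debug("checkin_document - $upload_manager->temp_dir != $tempdir", $session_id);
@@ -2282,47 +2248,19 @@ class KTWebService
 'message'=>'',
 );
 
-// create a temporary file
-$oConfig = KTConfig::getSingleton();
-$tmp_dir = $oConfig->get('webservice/uploadDirectory');
-
-$tempfilename = tempnam($tmp_dir,'su_');
-if (!is_writable($tempfilename))
-{
-$response=array(
-'status_code'=>KTWS_ERR_INVALID_FOLDER,
-'message'=>'Cannot write to temp folder: ' + $tempfilename
-);
-
-$this->debug("checkin_small_document - $tempfilename is not writable", $session_id);
-
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
-// we need to add some security to ensure that people don't frig the checkin process to access restricted files.
-// possibly should change 'tempfilename' to be a hash or id of some sort if this is troublesome.
 $upload_manager = new KTUploadManager();
-$tempdir = substr($tempfilename,0,strlen($upload_manager->temp_dir));
-if ($tempdir != $upload_manager->temp_dir)
+$tempfilename = $upload_manager->store_base64_file($base64, 'su_');
+if (PEAR::isError($tempfilename))
 {
-$response['message'] = 'Invalid temporary file';
-$this->debug("checkin_small_document - $upload_manager->temp_dir != $tempdir", $session_id);
-return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-
-// write to the temporary file
-$fp=fopen($tempfilename, 'wb');
-if ($fp === false)
-{
-$response=array(
+$reason = $tempfilename->getMessage();
+$response=array(
 'status_code'=>KTWS_ERR_INVALID_DOCUMENT,
-'message'=>'Cannot write to temp file: ' + $tempfilename
+'message'=>'Cannot write to temp file: ' + $tempfilename . ". Reason: $reason"
 );
-$this->debug("checkin_small_document - cannot write $tempfilename", $session_id);
+$this->debug("checkin_small_document - cannot write $tempfilename. Reason: $reason", $session_id);
+
 return new SOAP_Value('return',"{urn:$this->namespace}kt_document_detail", $response);
-}
-fwrite($fp, base64_decode($base64));
-fclose($fp);
+}
 
 // simulate the upload
 $upload_manager->uploaded($filename,$tempfilename, 'C');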
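Review bot: In the two new error branches at lines 2072 and 2258, `'Cannot write to temp file: ' + $tempfilename . ". Reason: $reason"` uses `+` where `.` is meant, and at that point `$tempfilename` holds the `PEAR_Error` object returned by `store_base64_file`, not a path; the same object is interpolated into the `debug()` strings at 2074 and 2260, so the error branch itself fails or produces garbage (numeric add on an object, then object-to-string conversion) instead of reporting the problem. Since no filename is known when `store_base64_file` fails, drop it: `'message'=>"Cannot write to temp file. Reason: $reason"` and `$this->debug("add_small_document - cannot write temp file. Reason: $reason", $session_id);` (likewise for checkin_small_document). The checkin_document hunk at line 2129 removes the `$tempdir` assignment, but the unchanged line 2132 still interpolates `$tempdir` in its debug message, which is now an undefined variable. The new client-facing messages at line 1923 and, via `$reason`, 2072/2258 also echo the server's `temp_dir` path back to the SOAP caller; keep the path in the `debug()` log only and return a generic message such as `'message'=>'Invalid temporary file.'`. The enclosing methods start and end outside these hunks.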