Commit b517ab57cdd411eadfd4e9d0b23dea84d8aeba8b

Authored by conradverm
1 parent 02e4b1bb

WSA-51

"Check that folder and name lookup are sanitized when performing lookup so there are no database errors"
Fixed.

WSA-50
"KTAPIFolder::_get_folder_by_name should be called as a static method"
Fixed.

Committed By: Conrad Vermeulen
Reviewed By: Kevin Fourie


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@7649 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing 1 changed file with 53 additions and 36 deletions
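--- a/ktapi/KTAPIFolder.inc.php
+++ b/ktapi/KTAPIFolder.inc.php
@@ -5,32 +5,32 @@
 * KnowledgeTree Open Source Edition
 * Document Management Made Simple
 * Copyright (C) 2004 - 2007 The Jam Warehouse Software (Pty) Limited
- *
+ *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation.
- *
+ *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
- *
+ *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
 * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place,
 * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com.
- *
+ *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU General Public License version 3.
- *
+ *
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
- * KnowledgeTree" logo and retain the original copyright notice. If the display of the
+ * KnowledgeTree" logo and retain the original copyright notice. If the display of the
 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
- * must display the words "Powered by KnowledgeTree" and retain the original
- * copyright notice.
+ * must display the words "Powered by KnowledgeTree" and retain the original
+ * copyright notice.
 * Contributor( s): ______________________________________
 *
 */
@@ -61,7 +61,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param int $folderid
 * @return KTAPI_Folder
 */
-function &get(&$ktapi, $folderid)
+public static function &get(&$ktapi, $folderid)
 {
 assert(!is_null($ktapi));
 assert(is_a($ktapi, 'KTAPI'));
@@ -93,7 +93,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param Folder $folder
 * @return KTAPI_Folder
 */
-function KTAPI_Folder(&$ktapi, &$folder)
+public function KTAPI_Folder(&$ktapi, &$folder)
 {
 $this->ktapi = &$ktapi;
 $this->folder = &$folder;
@@ -106,7 +106,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @access protected
 * @return Folder
 */
-function &get_folder()
+public function &get_folder()
 {
 return $this->folder;
 }
@@ -117,7 +117,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 *
 * @return array
 */
-function get_detail()
+public function get_detail()
 {
 $detail = array(
 'id'=>(int) $this->folderid,
@@ -129,12 +129,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
 return $detail;
 }
 
-function get_parent_folder_id()
+public function get_parent_folder_id()
 {
 return (int) $this->folder->getParentID();
 }
 
-function get_folder_name()
+public function get_folder_name()
 {
 return $this->folder->getFolderName($this->folderid);
 }
@@ -145,12 +145,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
 *
 * @return int
 */
-function get_folderid()
+public function get_folderid()
 {
 return (int) $this->folderid;
 }
 
-function &_get_folder_by_name($foldername, $folderid)
+public static function &_get_folder_by_name($ktapi, $foldername, $folderid)
 {
 $foldername=trim($foldername);
 if (empty($foldername))
@@ -166,7 +166,10 @@ class KTAPI_Folder extends KTAPI_FolderItem
 {
 continue;
 }
-$sql = "SELECT id FROM folders WHERE name='$foldername' and parent_id=$folderid";
+$foldername = sanitizeForSQL($foldername);
+$sql = "SELECT id FROM folders WHERE
+(name='$foldername' and parent_id=$folderid) OR
+(name='$foldername' and parent_id is null and $folderid=1)";
 $row = DBUtil::getOneResult($sql);
 if (is_null($row) || PEAR::isError($row))
 {
@@ -175,7 +178,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 $folderid = $row['id'];
 }
 
-return KTAPI_Folder::get($this->ktapi, $folderid);
+return KTAPI_Folder::get($ktapi, $folderid);
 }
 
 
@@ -186,12 +189,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param string $foldername
 * @return KTAPI_Folder
 */
-function &get_folder_by_name($foldername)
+public function &get_folder_by_name($foldername)
 {
-return KTAPI_Folder::_get_folder_by_name($foldername, $this->folderid);
+return KTAPI_Folder::_get_folder_by_name($this->ktapi, $foldername, $this->folderid);
 }
 
-function get_full_path()
+public function get_full_path()
 {
 $path = $this->folder->getFullPath() . '/' . $this->folder->getName();
 
@@ -206,7 +209,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param string $function
 * @return KTAPI_Document
 */
-function &_get_document_by_name($documentname, $function='getByNameAndFolder')
+public function &_get_document_by_name($documentname, $function='getByNameAndFolder')
 {
 $documentname=trim($documentname);
 if (empty($documentname))
@@ -224,6 +227,21 @@ class KTAPI_Folder extends KTAPI_FolderItem
 $ktapi_folder = $this->get_folder_by_name($foldername);
 }
 
+$currentFolderName = $this->get_folder_name();
+
+if (PEAR::isError($ktapi_folder) && substr($foldername, 0, strlen($currentFolderName)) == $currentFolderName)
+{
+if ($currentFolderName == $foldername)
+{
+$ktapi_folder = $this;
+}
+else
+{
+$foldername = substr($foldername, strlen($currentFolderName)+1);
+$ktapi_folder = $this->get_folder_by_name($foldername);
+}
+}
+
 if (is_null($ktapi_folder) || PEAR::isError($ktapi_folder))
 {
 return new KTAPI_Error(KTAPI_ERROR_FOLDER_INVALID, $ktapi_folder);
@@ -254,7 +272,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param string $documentname
 * @return KTAPI_Document
 */
-function &get_document_by_name($documentname)
+public function &get_document_by_name($documentname)
 {
 return $this->_get_document_by_name($documentname,'getByNameAndFolder');
 }
@@ -266,12 +284,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param string $documentname
 * @return KTAPI_Document
 */
-function &get_document_by_filename($documentname)
+public function &get_document_by_filename($documentname)
 {
 return $this->_get_document_by_name($documentname,'getByFilenameAndFolder');
 }
 
-function _resolve_user($userid)
+public function _resolve_user($userid)
 {
 $user=null;
 
@@ -286,8 +304,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 return $user;
 }
 
-
-function get_listing($depth=1, $what='DF')
+public function get_listing($depth=1, $what='DF')
 {
 if ($depth < 1)
 {
@@ -439,7 +456,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param string $tempfilename This is a reference to the file that is accessible locally on the file system.
 * @return KTAPI_Document
 */
-function &add_document($title, $filename, $documenttype, $tempfilename)
+public function &add_document($title, $filename, $documenttype, $tempfilename)
 {
 if (!is_file($tempfilename))
 {
@@ -497,7 +514,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param string $foldername
 * @return KTAPI_Folder
 */
-function &add_folder($foldername)
+public function &add_folder($foldername)
 {
 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_ADD_FOLDER);
 
@@ -525,7 +542,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 *
 * @param string $reason
 */
-function delete($reason)
+public function delete($reason)
 {
 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_DELETE);
 if (PEAR::isError($user))
@@ -554,7 +571,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 *
 * @param string $newname
 */
-function rename($newname)
+public function rename($newname)
 {
 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_RENAME_FOLDER);
 if (PEAR::isError($user))
@@ -579,7 +596,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param KTAPI_Folder $ktapi_target_folder
 * @param string $reason
 */
-function move($ktapi_target_folder, $reason='')
+public function move($ktapi_target_folder, $reason='')
 {
 assert(!is_null($ktapi_target_folder));
 assert(is_a($ktapi_target_folder,'KTAPI_Folder'));
@@ -611,7 +628,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @param KTAPI_Folder $ktapi_target_folder
 * @param string $reason
 */
-function copy($ktapi_target_folder, $reason='')
+public function copy($ktapi_target_folder, $reason='')
 {
 assert(!is_null($ktapi_target_folder));
 assert(is_a($ktapi_target_folder,'KTAPI_Folder'));
@@ -644,7 +661,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @access public
 * @return array
 */
-function get_permissions()
+public function get_permissions()
 {
 return new PEAR_Error('TODO');
 }
@@ -655,7 +672,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
 * @access public
 * @return array
 */
-function get_transaction_history()
+public function get_transaction_history()
 {
 return new PEAR_Error('TODO');
 }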
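Review bot: The folder id is still interpolated into the query unescaped in the `_get_folder_by_name` hunk (`parent_id=$folderid` and `$folderid=1` in the new SELECT); only `$foldername` passes through sanitizeForSQL, so the WSA-51 change covers the name half of the lookup but not the id half. Now that the method is public static, the first `$folderid` is whatever the caller supplies, and on later loop iterations it is `$row['id']` straight from the result set, so a non-numeric value would still reach the database and produce exactly the error class the ticket describes. Coercing it before the statement is built, `$folderid = (int) $folderid;` placed next to the sanitizeForSQL call, closes that gap; if DBUtil exposes a placeholder-parameter form, passing both values as parameters would be the better long-term shape. The loop enclosing this hunk begins before it, so where each `$foldername` segment is assigned is not visible here.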