From c4003cea016ddec3fc85d8ee858914d961a55e76 Mon Sep 17 00:00:00 2001
From: kevin_fourie
Date: Wed, 6 Jun 2007 16:31:45 +0000
Subject: [PATCH] Merged in from STABLE trunk...

---
 lib/sanitize.inc | 4 +++-
 lib/util/sanitize.inc | 4 +++-
 plugins/ktcore/document/edit.php | 4 ++--
 plugins/ktcore/folder/Rename.php | 6 ++----
 plugins/ktcore/folder/addDocument.php | 8 +++-----
 plugins/ktstandard/KTDiscussion.php | 12 ++++++------
 search/simpleSearch.php | 5 ++---
 view.php | 11 ++++++-----
 8 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/lib/sanitize.inc b/lib/sanitize.inc
index e042003..ae283f3 100644
--- a/lib/sanitize.inc
+++ b/lib/sanitize.inc
@@ -44,7 +44,9 @@ function sanitize($string) {
 }
 // This might be a little too aggressive
- $pattern = "([^[:alpha:]|^_\.\ \:-])";
+ //$pattern = "([^[:alpha:]|^_\.\ \:-])";
+ // Allow numeric characters
+ $pattern = "([^[:alnum:]|^_\.\ \:-])";
 return ereg_replace($pattern, '', $string);
 }
diff --git a/lib/util/sanitize.inc b/lib/util/sanitize.inc
index e042003..ae283f3 100644
--- a/lib/util/sanitize.inc
+++ b/lib/util/sanitize.inc
@@ -44,7 +44,9 @@ function sanitize($string) {
 }
 // This might be a little too aggressive
- $pattern = "([^[:alpha:]|^_\.\ \:-])";
+ //$pattern = "([^[:alpha:]|^_\.\ \:-])";
+ // Allow numeric characters
+ $pattern = "([^[:alnum:]|^_\.\ \:-])";
 return ereg_replace($pattern, '', $string);
 }
diff --git a/plugins/ktcore/document/edit.php b/plugins/ktcore/document/edit.php
index a5de966..8731825 100644
--- a/plugins/ktcore/document/edit.php
+++ b/plugins/ktcore/document/edit.php
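Review bot: The new `$pattern` still lets `|`, `^` and `\` through, because inside a POSIX bracket expression `|` and a non-leading `^` are literal characters and backslash is not an escape, so the class admits those three alongside `_`, `.`, space, `:` and `-`. If the intent is alphanumerics plus filename punctuation only, the line would read `$pattern = "([^[:alnum:]_. :-])";`, and the commented-out `//$pattern` line above it should be removed rather than kept as dead code. `[:alnum:]` under ereg_replace() is byte-oriented and locale-dependent, so non-ASCII letters are generally stripped, which matters now that this function is applied to document titles and comment bodies rather than filenames. lib/util/sanitize.inc carries the identical hunk, and since both files define a global `sanitize()`, any request that includes both copies fails with a redeclare error; keep one definition and have the other file require it.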
@@ -40,9 +40,9 @@ require_once(KT_LIB_DIR . '/documentmanagement/documentutil.inc.php');
 require_once(KT_LIB_DIR . '/triggers/triggerregistry.inc.php');
 require_once(KT_LIB_DIR . '/permissions/permission.inc.php');
 require_once(KT_LIB_DIR . '/permissions/permissionutil.inc.php');
-
 require_once(KT_LIB_DIR . "/widgets/forms.inc.php");
 require_once(KT_LIB_DIR . "/metadata/fieldsetregistry.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 // {{{ KTDocumentEditAction
 class KTDocumentEditAction extends KTDocumentAction {
@@ -191,7 +191,7 @@ class KTDocumentEditAction extends KTDocumentAction {
 if ($this->oDocument->getDocumentTypeId() != $doctypeid) {
 $this->oDocument->setDocumentTypeId($doctypeid);
 }
- $this->oDocument->setName($data['document_title']);
+ $this->oDocument->setName(sanitize($data['document_title']));
 $res = $this->oDocument->update();
 if (PEAR::isError($res)) {
 $oForm->handleError(sprintf(_kt("Unexpected failure to update document title: %s"), $res->getMessage()));
diff --git a/plugins/ktcore/folder/Rename.php b/plugins/ktcore/folder/Rename.php
index eb21e43..12ca085 100644
--- a/plugins/ktcore/folder/Rename.php
+++ b/plugins/ktcore/folder/Rename.php
@@ -30,13 +30,12 @@
 */
 require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
-
 require_once(KT_LIB_DIR . "/widgets/fieldsetDisplay.inc.php");
 require_once(KT_LIB_DIR . "/widgets/FieldsetDisplayRegistry.inc.php");
 require_once(KT_LIB_DIR . "/foldermanagement/folderutil.inc.php");
 require_once(KT_LIB_DIR . "/documentmanagement/observers.inc.php");
-
 require_once(KT_LIB_DIR . "/documentmanagement/documentutil.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 class KTFolderRenameAction extends KTFolderAction {
 var $sName = 'ktcore.actions.folder.rename';
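Review bot: `setName(sanitize($data['document_title']))` stores whatever survives the whitelist without checking that anything did; a title consisting only of non-ASCII letters or punctuation becomes an empty name and nothing in this hunk rejects it. Check the stripped value before using it, e.g. `$sTitle = sanitize($data['document_title']);` followed by `if ($sTitle === '') { $oForm->handleError(_kt("Document title cannot be empty")); }` and then `setName($sTitle)`. addDocument.php has the same gap at `$sTitle = sanitize($extra_d['document_name'])`, where the file is validated but the title is not. More broadly, stripping characters at input to protect rendering loses data permanently, whereas escaping with htmlspecialchars() at the HTML output point keeps the title intact with the same protection. The enclosing method starts and ends outside the hunk.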
@@ -88,8 +87,7 @@ class KTFolderRenameAction extends KTFolderAction {
 }
 }
- $res = KTFolderUtil::rename($this->oFolder, $sFolderName, $this->oUser);
-
+ $res = KTDocumentUtil::rename($this->oDocument, sanitize($sFilename), $this->oUser);
 if (PEAR::isError($res)) {
 $_SESSION['KTErrorMessage'][] = $res->getMessage();
 redirect(KTBrowseUtil::getUrlForFolder($this->oFolder));
diff --git a/plugins/ktcore/folder/addDocument.php b/plugins/ktcore/folder/addDocument.php
index a9f6020..04e1817 100644
--- a/plugins/ktcore/folder/addDocument.php
+++ b/plugins/ktcore/folder/addDocument.php
@@ -30,15 +30,13 @@
 */
 require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
-
 require_once(KT_LIB_DIR . "/widgets/fieldsetDisplay.inc.php");
 require_once(KT_LIB_DIR . "/widgets/FieldsetDisplayRegistry.inc.php");
 require_once(KT_LIB_DIR . "/foldermanagement/folderutil.inc.php");
 require_once(KT_LIB_DIR . "/documentmanagement/observers.inc.php");
-
 require_once(KT_LIB_DIR . "/documentmanagement/documentutil.inc.php");
-
 require_once(KT_LIB_DIR . "/metadata/fieldsetregistry.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 class KTFolderAddDocumentAction extends KTFolderAction {
 var $sName = 'ktcore.actions.folder.addDocument';
@@ -282,8 +280,8 @@ class KTFolderAddDocumentAction extends KTFolderAction {
 );
 $aFile = $this->oValidator->validateFile($extra_d['file'], $aErrorOptions);
- $sTitle = $extra_d['document_name'];
-
+ $sTitle = sanitize($extra_d['document_name']);
+
 $iFolderId = $this->oFolder->getId();
 $aOptions = array(
 'contents' => new KTFSFileLike($aFile['tmp_name']),
diff --git a/plugins/ktstandard/KTDiscussion.php b/plugins/ktstandard/KTDiscussion.php
index db5ff52..3e69b53 100644
--- a/plugins/ktstandard/KTDiscussion.php
+++ b/plugins/ktstandard/KTDiscussion.php
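Review bot: The replaced line renames the wrong object: this is `KTFolderRenameAction extends KTFolderAction` and the surrounding code works on `$this->oFolder`, yet the new call is `KTDocumentUtil::rename($this->oDocument, sanitize($sFilename), $this->oUser)`, using `$this->oDocument` and `$sFilename`, neither of which appears anywhere in this file's visible code, while `$sFolderName` computed above the hunk is left unused. Unless KTFolderAction defines those names, this looks like a line pasted from the document rename action, and the intended change is `$res = KTFolderUtil::rename($this->oFolder, sanitize($sFolderName), $this->oUser);`. As committed, a folder rename either fails on the undefined property/variable or hands nulls to the document utility, and the error branch below then redirects to the folder as though a rename had been attempted. The enclosing method begins before the hunk.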
@@ -32,7 +32,7 @@ require_once(KT_LIB_DIR . '/widgets/fieldWidgets.php');
 require_once(KT_LIB_DIR . '/discussions/DiscussionThread.inc');
 require_once(KT_LIB_DIR . '/discussions/DiscussionComment.inc');
-
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 define('DISCUSSION_OPEN', 0);
 define('DISCUSSION_CONCLUSION', 1);
@@ -177,8 +177,8 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
 $oComment = DiscussionComment::createFromArray(array(
 'threadid' => $oThread->getId(),
 'userid' => $this->oUser->getId(),
- 'subject' => $sSubject,
- 'body' => KTUtil::formatPlainText($sBody),
+ 'subject' => sanitize($sSubject),
+ 'body' => sanitize(KTUtil::formatPlainText($sBody)),
 ));
 $aErrorOptions['message'] = _kt("There was an error adding the comment to the thread");
 $this->oValidator->notError($oComment, $aErrorOptions);
@@ -306,8 +306,8 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
 $oComment = DiscussionComment::createFromArray(array(
 'threadid' => $oThread->getId(),
 'userid' => $this->oUser->getId(),
- 'subject' => $sSubject,
- 'body' => KTUtil::formatPlainText($sBody),
+ 'subject' => sanitize($sSubject),
+ 'body' => sanitize(KTUtil::formatPlainText($sBody)),
 ));
 $aErrorOptions['message'] = _kt("There was an error adding the comment to the thread");
 $this->oValidator->notError($oComment, $aErrorOptions);
@@ -387,7 +387,7 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
 }
 $aErrorOptions['message'] = _kt("No reason provided");
- $sReason = $this->oValidator->validateString(KTUtil::arrayGet($_REQUEST, 'reason'), $aErrorOptions);
+ $sReason = sanitize($this->oValidator->validateString(KTUtil::arrayGet($_REQUEST, 'reason'), $aErrorOptions));
 if($iStateId > $oThread->getState()) {
 $sTransactionNamespace = 'ktcore.transactions.collaboration_step_approve';
diff --git a/search/simpleSearch.php b/search/simpleSearch.php
index a500e3a..6e19389 100644
--- a/search/simpleSearch.php
+++ b/search/simpleSearch.php
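Review bot: Running the comment body through `sanitize()` after `KTUtil::formatPlainText()` applies a filename-style character whitelist to free text, so newlines, commas, quotes, question marks and non-ASCII letters are silently dropped from every comment, and whatever markup formatPlainText() emits (its output is not visible here, but line-break tags would be the usual case) is stripped along with them. The hunk at line 306 makes the identical change. For free-form text the safer pattern is to store the body as submitted and escape it with htmlspecialchars() at the point where it is rendered; if input filtering is wanted in this hunk, confine it to `'subject' => sanitize($sSubject),` and restore `'body' => KTUtil::formatPlainText($sBody),`. The enclosing method starts and ends outside the hunk.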
@@ -37,11 +37,10 @@ require_once(KT_LIB_DIR . "/util/ktutil.inc");
 require_once(KT_LIB_DIR . "/browse/DocumentCollection.inc.php");
 require_once(KT_LIB_DIR . "/browse/BrowseColumns.inc.php");
 require_once(KT_LIB_DIR . "/browse/PartialQuery.inc.php");
-
 require_once(KT_LIB_DIR . "/foldermanagement/Folder.inc");
-
 require_once(KT_LIB_DIR . '/browse/columnregistry.inc.php');
 require_once(KT_LIB_DIR . '/actions/bulkaction.php');
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 class SimpleSearchTitleColumn extends TitleColumn {
 function setSearch($sSearch) {
@@ -143,7 +142,7 @@ class SimpleSearchDispatcher extends KTStandardDispatcher {
 $aErrorOptions = array(
 "message" => _kt("Please provide a search term"),
 );
- $searchable_text = KTUtil::arrayGet($_REQUEST, "fSearchableText");
+ $searchable_text = sanitize(KTUtil::arrayGet($_REQUEST, "fSearchableText"));
 $this->oValidator->notEmpty($searchable_text, $aErrorOptions);
diff --git a/view.php b/view.php
index 26a6adc..e5c9283 100755
--- a/view.php
+++ b/view.php
@@ -35,6 +35,7 @@ require_once(KT_LIB_DIR . "/templating/kt3template.inc.php");
 require_once(KT_LIB_DIR . "/dispatcher.inc.php");
 require_once(KT_LIB_DIR . "/util/ktutil.inc");
 require_once(KT_LIB_DIR . "/database/dbutil.inc");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 // document related includes
 require_once(KT_LIB_DIR . "/documentmanagement/Document.inc");
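Review bot: Wrapping the search term in `sanitize()` silently rewrites the query before anything sees it: apostrophes, quotes, wildcards and non-ASCII letters are removed, so a search for `O'Brien` or a quoted phrase runs against a different string with no feedback, and a term made entirely of stripped characters now fails `notEmpty()` with "Please provide a search term" although the user typed something. If the concern is query injection, the protection belongs where the query is built (escaping or parameter binding in the search layer, which is outside this hunk), not in a character whitelist designed for names. If the whitelist is kept here, the error message should at least reflect that the term was rejected rather than missing, e.g. `"message" => _kt("Please provide a search term containing letters or numbers"),`. The enclosing method continues past the hunk.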
@@ -94,12 +95,12 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 function do_main() {
 // fix legacy, broken items.
 if (KTUtil::arrayGet($_REQUEST, "fDocumentID", true) !== true) {
- $_REQUEST["fDocumentId"] = KTUtil::arrayGet($_REQUEST, "fDocumentID");
+ $_REQUEST["fDocumentId"] = sanitize(KTUtil::arrayGet($_REQUEST, "fDocumentID"));
 unset($_REQUEST["fDocumentID"]);
 }
 $document_data = array();
- $document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');
+ $document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'));
 if ($document_id === null) {
 $this->oPage->addError(sprintf(_kt("No document was requested. Please browse for one."), KTBrowseUtil::getBrowseBaseUrl()));
 return $this->do_error();
@@ -250,7 +251,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 function do_viewComparison() {
 $document_data = array();
- $document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');
+ $document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'));
 if ($document_id === null) {
 $this->oPage->addError(sprintf(_kt("No document was requested. Please browse for one."), KTBrowseUtil::getBrowseBaseUrl()));
 return $this->do_error();
@@ -258,7 +259,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 $document_data["document_id"] = $document_id;
- $base_version = KTUtil::arrayGet($_REQUEST, 'fBaseVersion');
+ $base_version = sanitize(KTUtil::arrayGet($_REQUEST, 'fBaseVersion'));
 // try get the document.
 $oDocument =& Document::get($document_id, $base_version);
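Review bot: `$document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'))` most likely makes the `=== null` test two lines below unreachable: when the parameter is absent arrayGet returns null, `ereg_replace()` on null yields the empty string, and the "No document was requested" branch never runs unless the part of sanitize() above its line 44 returns null input unchanged, which is not visible here. Read first, test for null, then filter — keep `$document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');` as it was and add `$document_id = sanitize($document_id);` after the null check — or, if the id is always numeric, cast it with `(int)` instead of a character whitelist. The do_viewComparison hunk at line 250 and the `$comparison_version` hunk at line 283 have the same ordering problem. The legacy branch also sanitizes `$_REQUEST["fDocumentId"]` on write and the value is sanitized again on read, which is harmless but redundant.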
@@ -283,7 +284,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 $this->aBreadcrumbs = array_merge($this->aBreadcrumbs, KTBrowseUtil::breadcrumbsForDocument($oDocument, $aOptions));
 $this->oPage->setBreadcrumbDetails(_kt("compare versions"));
- $comparison_version = KTUtil::arrayGet($_REQUEST, 'fComparisonVersion');
+ $comparison_version = sanitize(KTUtil::arrayGet($_REQUEST, 'fComparisonVersion'));
 if ($comparison_version=== null) {
 $this->oPage->addError(sprintf(_kt("No comparison version was requested. Please select a version."), KTUtil::addQueryStringSelf('action=history&fDocumentId=' . $document_id)));
 return $this->do_error();
-- 
libgit2 0.21.4