dolibarr-dev

Re: [Dolibarr-dev] Pb with file upload


From: Régis Houssin
Subject: Re: [Dolibarr-dev] Pb with file upload
Date: Sat, 02 Jun 2012 21:22:16 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

OK, sorry: the "php.ini" of MAMP does not contain the variable
"magic_quotes_gpc", apparently an oversight on their part, so it is set
to "on" by default!!



On 02/06/12 21:01, Destailleur Laurent wrote:
> And does the fix I added work?
> Very, very strange. Fix is enabled only if magic_quotes is on?
> What is the return of the function
> print file_exists("magic_quotes_gpc")
> and
> print magic_quotes_gpc();
> 
> 
> 2012/6/2 Régis Houssin <address@hidden>
> 
>     yes but my php is 5.3.6 with no magic_quote ! strange !
> 
> 
>     On 02/06/12 13:46, Laurent Destailleur (eldy) wrote:
>     > Yes. The initial sentence should be read like this:
>     >
>     > "Note also that, IF YOU USE RECOMMENDED PHP SETUP, stripslashes should
>     > never..."
>     > instead of
>     > "Note also that stripslashes should never..."
>     >
>     > If using an old php setup (magic_quotes_gpc), php makes some undesired
>     > escaping that is not HTML, Shell, nor PHP, nor database escaping.
>     > stripslashes was provided to solve this problem. So it can be used in
>     > main (to solve the PHP bug) but not in core business code. It could be
>     > removed completely when everybody uses a recent php version that
>     > does not contain this feature (considered as a bug by the php team now,
>     > that's why this feature is now completely removed in the last php 5.4.0
>     > version).
>     >
>     >
>     > On 01/06/2012 21:04, Régis Houssin wrote:
>     >> yes
>     >>
>     >> but your comment:
>     >>
>     >> "Note also that stripslashes should never be used anywhere in the code,
>     >> because stripslashes is neither an HTML escape, nor a javascript escape,
>     >> nor a shell or PHP escape function. If stripslashes is used somewhere,
>     >> this means there is a bug somewhere else."
>     >>
>     >> well you use it precisely in the main.inc.php :-)
>     >>
>     >> return (is_array($value) ? array_map('stripslashes_deep', $value) :
>     >> stripslashes($value));
>     >>
>     >>
>     >>
>     >>
>     >> On 01/06/12 20:54, Laurent Destailleur (eldy) wrote:
>     >>> I think I found the bug.
>     >>> I tried a fix in the dev branch. Regis, does it work for you?
>     >>>
>     >>>
>     >>> On 01/06/2012 20:43, Régis Houssin wrote:
>     >>>> yes but I added this in the function dol_unescape_file
>     >>>>
>     >>>> return trim(basename(stripslashes($filename)), ".\x00..\x20");
>     >>>>
>     >>>> did you try just doing a "return $filename"?
>     >>>>
>     >>>> which version of php do you have?
>     >>>>
>     >>>>
>     >>>>
>     >>>>
>     >>>> On 01/06/12 20:23, Laurent Destailleur (eldy) wrote:
>     >>>>> Hum, strange.
>     >>>>> If I use  Capture d'ecran.docx
>     >>>>> I get into $_FILES
>     >>>>> Capture d'ecran.docx
>     >>>>>
>     >>>>> and not
>     >>>>> Capture d'ecran.docx
>     >>>>>
>     >>>>> A cake will be offered to people who can explain this difference!
>     >>>>> Well, we must find the criterion that makes this difference and use
>     >>>>> it to put an if inside dol_unescape_file to have upload working in
>     >>>>> all situations.
>     >>>>>
>     >>>>> Can you send me your php.ini? I will compare it with mine.
>     >>>>>
>     >>>>>
>     >>>>>
>     >>>>> On 01/06/2012 11:13, Régis Houssin wrote:
>     >>>>>> I use this file name: Capture d'ecran.docx
>     >>>>>> my function:
>     >>>>>>
>     >>>>>> trim(basename(stripslashes($filename)), ".\x00..\x20");
>     >>>>>>
>     >>>>>> a common function found around the internet that can clean the
>     >>>>>> file name in $_FILES
>     >>>>>>
>     >>>>>>
>     >>>>>> print $_FILES : Capture d\'ecran.docx
>     >>>>>>
>     >>>>>>
>     >>>>>> with my function:
>     >>>>>> file is recorded with name : Capture d'ecran.docx
>     >>>>>> source code in link: Capture+d%27ecran.docx
>     >>>>>>
>     >>>>>> without my function:
>     >>>>>> file is recorded with name : Capture d\'ecran.docx
>     >>>>>> source code in link : Capture+d%5C%27ecran.docx
>     >>>>>> the file is not deleted when I click on the trash
>     >>>>>>
>     >>>>>>
>     >>>>>>
>     >>>>>> On 01/06/12 10:42, Laurent Destailleur (eldy) wrote:
>     >>>>>>> I made a fix in the dol_unescapefile file because file upload was
>     >>>>>>> broken on linux and windows.
>     >>>>>>> I had to remove the stripslashes. I don't see a reason to have
>     >>>>>>> it. Maybe there is a diff between mac and linux when uploading
>     >>>>>>> a file?
>     >>>>>>>
>     >>>>>>> If you upload a file called
>     >>>>>>> a'b
>     >>>>>>> the $_FILES['userfile']['name']; exit;
>     >>>>>>> a'b
>     >>>>>>>
>     >>>>>>> Regis, can you confirm that submitting a file called
>     >>>>>>> a'b
>     >>>>>>> is still
>     >>>>>>> a'b
>     >>>>>>> if you make:
>     >>>>>>>
>     >>>>>>> print $_FILES['userfile']['name']; exit;
>     >>>>>>>
>     >>>>>>> just after the main.inc.php of a submitted document.php page (you
>     >>>>>>> must make show source of html page to see real content, for
>     >>>>>>> example with htdocs/societe/documents.php) ?
>     >>>>>>>
>     >>>>>>>
>     >>>>>> Regards,
>     >>>> Regards,
>     >> Regards,
>     >
> 
>     Regards,
>     --
>     Régis Houssin
>     ---------------------------------------------------------
>     Cap-Networks
>     Cidex 1130
>     34, route de Gigny
>     71240 MARNAY
>     FRANCE
>     VoIP: +33 1 83 62 40 03
>     GSM: +33 6 33 02 07 97
>     Web: http://www.cap-networks.com/
>     Email: address@hidden
> 
>     Dolibarr developer: address@hidden
>     Web Portal: http://www.dolibarr.fr/
>     SaaS offers: http://www.dolibox.fr/
>     Shop: http://www.dolistore.com/
>     Development platform: https://doliforge.org/
>     ---------------------------------------------------------
> 
> 

Regards,
-- 
Régis Houssin
---------------------------------------------------------
Cap-Networks
Cidex 1130
34, route de Gigny
71240 MARNAY
FRANCE
VoIP: +33 1 83 62 40 03
GSM: +33 6 33 02 07 97
Web: http://www.cap-networks.com/
Email: address@hidden

Dolibarr developer: address@hidden
Web Portal: http://www.dolibarr.fr/
SaaS offers: http://www.dolibox.fr/
Shop: http://www.dolistore.com/
Development platform: https://doliforge.org/
---------------------------------------------------------
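
The behaviour discussed in this thread, as an added example that is not part of the original messages or of Dolibarr's code: a filename cleaner that calls stripslashes() only when magic_quotes_gpc actually escaped the input, compared with the two failure cases the participants ran into. The function names and the sample file names are hypothetical and constructed for illustration.

```php
<?php
// Added example. clean_upload_name() and runtime_magic_quotes() are
// hypothetical names, not Dolibarr functions; sample names are constructed.

function runtime_magic_quotes()
{
    // The getter was removed in PHP 8.0 and always returns false from 5.4 on.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

function clean_upload_name($rawName, $magicQuotesOn)
{
    // Remove backslashes only when PHP itself added them.
    if ($magicQuotesOn) {
        $rawName = stripslashes($rawName);
    }
    // Drop any directory part, then trim dots, control characters and
    // spaces from both ends (same character list as quoted in the thread).
    // On Windows basename() also treats the backslash as a separator.
    return trim(basename($rawName), ".\x00..\x20");
}

$cases = array(
    // label => array(name as received in $_FILES, whether slashes get stripped)
    'quotes on, detected'         => array(addslashes("Capture d'ecran.docx"), true),
    'quotes on, not stripped'     => array(addslashes("Capture d'ecran.docx"), false),
    'quotes off, not stripped'    => array("Capture d'ecran.docx", false),
    // Unconditional stripslashes() on a server without magic quotes
    // silently alters a name that legitimately contains a backslash.
    'quotes off, stripped anyway' => array('report\\2012.txt', true),
);

foreach ($cases as $label => $case) {
    list($received, $strip) = $case;
    $stored = clean_upload_name($received, $strip);
    // urlencode() shows what ends up in the document link, which is
    // where the %5C%27 seen in the thread comes from.
    printf("%-28s stored=%-24s link=%s\n", $label, $stored, urlencode($stored));
}

printf("this runtime reports magic quotes: %s\n",
    runtime_magic_quotes() ? 'on' : 'off');
```

In real code the second argument would come from runtime_magic_quotes() rather than a hard-coded flag; it is passed explicitly here so both server setups can be compared on one machine.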


