Re: [Dolibarr-dev] Pb with file upload
From: Régis Houssin
Subject: Re: [Dolibarr-dev] Pb with file upload
Date: Sat, 02 Jun 2012 21:22:16 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

OK, sorry: the "php.ini" of MAMP does not contain the variable
"magic_quotes_gpc", apparently an oversight on their part, so it was set
to "on" by default !!

On 02/06/12 21:01, Destailleur Laurent wrote:
> And does the fix I added work?
> Very very strange. Fix is enabled only if magic_quotes is on?
> What is the return of function
> print file_exists("magic_quotes_gpc")
> and
> print magic_quotes_gpc();
>
>
> 2012/6/2 Régis Houssin <address@hidden>
>
> yes but my php is 5.3.6 with no magic_quote ! strange !
>
>
> On 02/06/12 13:46, Laurent Destailleur (eldy) wrote:
> > Yes. The initial sentence should be read like this:
> >
> > "Note also that, IF YOU USE RECOMMENDED PHP SETUP, stripslashes should
> > never..."
> > instead of
> > "Note also that stripslashes should never..."
> >
> > If using old php setup (magic_quotes_gpc), php makes some undesired
> > escaping that is not HTML, Shell, nor PHP, nor database escaping.
> > stripslashes was provided to solve this problem. So it can be used in
> > main (to solve the PHP bug) but not in core business code. It could be
> > removed completely when everybody uses a recent php version that
> > does not contain this feature (considered as a bug by php team now,
> > that's why this feature is now completely removed in last php 5.4.0 version).
> >
> >
> > On 01/06/2012 21:04, Régis Houssin wrote:
> >> yes
> >>
> >> but your comment:
> >>
> >> "Note also that stripslashes should never be used anywhere in the code,
> >> because stripslashes is neither an HTML escape, nor a javascript escape, nor a
> >> shell or PHP escape function. If stripslashes is used somewhere, this
> >> means there is a bug somewhere else."
> >>
> >> well you use it precisely in the main.inc.php :-)
> >>
> >> return (is_array($value) ? array_map('stripslashes_deep', $value) :
> >> stripslashes($value));
> >>
> >>
> >>
> >>
> >> On 01/06/12 20:54, Laurent Destailleur (eldy) wrote:
> >>> I think I found the bug.
> >>> I tried a fix in the dev branch. Regis, does it work for you?
> >>>
> >>>
> >>> On 01/06/2012 20:43, Régis Houssin wrote:
> >>>> yes but I added this in the function dol_unescape_file
> >>>>
> >>>> return trim(basename(stripslashes($filename)), ".\x00..\x20");
> >>>>
> >>>> did you try just making a "return $filename"?
> >>>>
> >>>> which version of php do you have?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 01/06/12 20:23, Laurent Destailleur (eldy) wrote:
> >>>>> Hum, strange.
> >>>>> If I use Capture d'ecran.docx
> >>>>> I get into $_FILES
> >>>>> Capture d'ecran.docx
> >>>>>
> >>>>> and not
> >>>>> Capture d'ecran.docx
> >>>>>
> >>>>> A cake will be offered to people who can explain this difference!
> >>>>> Well, we must find what is the criterion that makes this difference and use
> >>>>> it to put an if inside dol_unescape_file to have upload working in
> >>>>> all situations.
> >>>>>
> >>>>> Can you send me your php.ini? I will compare with mine.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 01/06/2012 11:13, Régis Houssin wrote:
> >>>>>> I use this file name: Capture d'ecran.docx
> >>>>>> my function:
> >>>>>>
> >>>>>> trim(basename(stripslashes($filename)), ".\x00..\x20");
> >>>>>>
> >>>>>> a common function found around the internet that can clean the file name in
> >>>>>> $_FILES
> >>>>>>
> >>>>>>
> >>>>>> print $_FILES : Capture d\'ecran.docx
> >>>>>>
> >>>>>>
> >>>>>> with my function:
> >>>>>> file is recorded with name: Capture d'ecran.docx
> >>>>>> source code in link: Capture+d%27ecran.docx
> >>>>>>
> >>>>>> without my function:
> >>>>>> file is recorded with name: Capture d\'ecran.docx
> >>>>>> source code in link: Capture+d%5C%27ecran.docx
> >>>>>> the file is not deleted when I click on the trash
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 01/06/12 10:42, Laurent Destailleur (eldy) wrote:
> >>>>>>> I made a fix into dol_unescapefile file because file upload was broken
> >>>>>>> on linux and windows.
> >>>>>>> I had to remove the stripslashes. I don't see a reason to have it. Maybe
> >>>>>>> there is a diff between mac and linux when uploading a file?
> >>>>>>>
> >>>>>>> If you upload a file called
> >>>>>>> a'b
> >>>>>>> the $_FILES['userfile']['name']; exit;
> >>>>>>> a'b
> >>>>>>>
> >>>>>>> Regis, can you confirm that submitting a file called
> >>>>>>> a'b
> >>>>>>> is still
> >>>>>>> a'b
> >>>>>>> if you make:
> >>>>>>>
> >>>>>>> print $_FILES['userfile']['name']; exit;
> >>>>>>>
> >>>>>>> just after the main.inc.php of a submitted document.php page (you must
> >>>>>>> make show source of html page to see real content, for example with
> >>>>>>> htdocs/societe/documents.php) ?
> >>>>>>>
> >>>>>>>
> >>>>>> Regards,
> >>>> Regards,
> >> Regards,
> >
>
> Regards,
Regards,
--
Régis Houssin
---------------------------------------------------------
Cap-Networks
Cidex 1130
34, route de Gigny
71240 MARNAY
FRANCE
VoIP: +33 1 83 62 40 03
GSM: +33 6 33 02 07 97
Web: http://www.cap-networks.com/
Email: address@hidden
Dolibarr developer: address@hidden
Web Portal: http://www.dolibarr.fr/
SaaS offers: http://www.dolibox.fr/
Shop: http://www.dolistore.com/
Development platform: https://doliforge.org/
---------------------------------------------------------
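
Added example, not part of the original messages and not Dolibarr's code: one way to write the conditional the thread is looking for, undoing the backslash escaping on an uploaded file name only when magic_quotes_gpc actually applied it. `magic_quotes_active()` and `normalize_upload_name()` are hypothetical names, and the inputs are constructed from the file names quoted in the thread.

```php
<?php
// Added example (hypothetical helpers, not Dolibarr's dol_unescape_file).

// True only on a legacy PHP (< 5.4) where magic_quotes_gpc is switched on.
// The version check short-circuits first, so the deprecated/removed
// get_magic_quotes_gpc() is never called on a modern PHP.
function magic_quotes_active()
{
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Clean a client-supplied upload name.
// $magicQuotesOn is passed in so both configurations can be exercised here;
// real code would call:
//   normalize_upload_name($_FILES['userfile']['name'], magic_quotes_active())
function normalize_upload_name($rawName, $magicQuotesOn)
{
    // Undo addslashes()-style escaping only when PHP applied it. Stripping
    // unconditionally would also eat backslashes the name really contains.
    $name = $magicQuotesOn ? stripslashes($rawName) : $rawName;

    // Keep the last path component, then trim dots and bytes 0x00-0x20
    // from both ends (same character list as the function in the thread).
    return trim(basename($name), ".\x00..\x20");
}

// Constructed inputs, as $_FILES would carry them under each setting.
$cases = array(
    array('Capture d\\\'ecran.docx', true),  // magic quotes on: d\'ecran
    array('Capture d\'ecran.docx', false),   // magic quotes off: d'ecran
    array('a\\b.txt', false),                // literal backslash in the name
);

foreach ($cases as $case) {
    list($raw, $mq) = $case;
    $clean = normalize_upload_name($raw, $mq);
    // urlencode() shows what ends up in the document link (%27 vs %5C%27).
    printf("%-24s mq=%-3s -> %-22s link=%s\n",
        $raw, $mq ? 'on' : 'off', $clean, urlencode($clean));
}
```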