Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix: Better error management in upload files

Browse Source
This commit is contained in:
Laurent Destailleur
2010-05-01 14:28:48 +00:00
parent 9e887c8980
commit 968addfad3
36 changed files with 739 additions and 591 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
htdocs/lib/functions.lib.php
View File

@@ -1958,95 +1958,6 @@ function dol_print_error_email()
}
/**
* \brief Move an uploaded file after some controls.
* If there is errors (virus found, antivir in error, bad filename), file is not moved.
* \param src_file Source filename
* \param dest_file Target filename
* \param allowoverwrite Overwrite if exists
* \param disablevirusscan Disable virus scan
* \return int >0 if OK, <0 if KO (an array with virus or errors if virus found or errors)
*/
function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan=0)
{
global $conf;
$file_name = $dest_file;
// If we need to make a virus scan
if (empty($disablevirusscan) && file_exists($src_file) && $conf->global->MAIN_ANTIVIRUS_COMMAND)
{
require_once(DOL_DOCUMENT_ROOT.'/lib/security.lib.php');
require_once(DOL_DOCUMENT_ROOT.'/lib/antivir.class.php');
$antivir=new AntiVir($db);
$result = $antivir->dol_avscan_file($src_file);
if ($result < 0) // If virus or error, we stop here
{
$reterrors=$antivir->errors;
dol_syslog("Functions.lib::dol_move_uploaded_file File ".$file_name." KO with antivir", LOG_WARNING);
//return $reterrors;
return -99;
}
}
// Security:
// Disallow file with some extensions. We renamed them.
// Car si on a mis le rep documents dans un rep de la racine web (pas bien), cela permet d'executer du code a la demande.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$file_name))
{
$file_name.= '.noexe';
}
// Security:
// On interdit fichiers caches, remontees de repertoire ainsi que les pipes dans les noms de fichiers.
if (preg_match('/^\./',$src_file) || preg_match('/\.\./',$src_file) || preg_match('/[<>|]/',$src_file))
{
dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING);
return -1;
}
// Security:
// On interdit fichiers caches, remontees de repertoire ainsi que les pipe dans
// les noms de fichiers.
if (preg_match('/^\./',$dest_file) || preg_match('/\.\./',$dest_file) || preg_match('/[<>|]/',$dest_file))
{
dol_syslog("Refused to deliver file ".$dest_file, LOG_WARNING);
return -2;
}
// The file functions must be in OS filesystem encoding.
$src_file_osencoded=dol_osencode($src_file);
$file_name_osencoded=dol_osencode($file_name);
// Check if destination file already exists
if (! $allowoverwrite)
{
if (file_exists($file_name_osencoded))
{
dol_syslog("Functions.lib::dol_move_uploaded_file File ".$file_name." already exists", LOG_WARNING);
return -3;
}
}
// Move file
$return=move_uploaded_file($src_file_osencoded, $file_name_osencoded);
if ($return)
{
if (! empty($conf->global->MAIN_UMASK)) @chmod($file_name_osencoded, octdec($conf->global->MAIN_UMASK));
dol_syslog("Functions.lib::dol_move_uploaded_file Success to move ".$src_file." to ".$file_name." - Umask=".$conf->global->MAIN_UMASK, LOG_DEBUG);
return 1;
}
else
{
dol_syslog("Functions.lib::dol_move_uploaded_file Failed to move ".$src_file." to ".$file_name, LOG_ERR);
return -4;
}
return 1;
}
/**
* \brief Show title line of an array
* \param name libelle champ