Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/browser/default/frmupload.html
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/browser/default/frmupload.html	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/browser/default/frmupload.html	(revision 292)
@@ -24,4 +24,6 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
 	<head>
+		<title>File Upload</title>
+		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" >
 		<link href="browser.css" type="text/css" rel="stylesheet" />
 		<script type="text/javascript" src="js/common.js"></script>
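Review bot: The added `<meta http-equiv="Content-Type" ...>` is not self-closed, although the page declares the XHTML namespace and the neighbouring `<link ... />` is. Write it as `<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />` so the file stays well-formed if it is ever parsed as XML. The stray space before `>` suggests the slash was simply dropped.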
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/commands.asp
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/commands.asp	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/commands.asp	(revision 292)
@@ -97,4 +97,5 @@
 	Dim sNewFolderName
 	sNewFolderName = Request.QueryString( "NewFolderName" )
+	sNewFolderName = SanitizeFolderName( sNewFolderName )
 
 	If ( sNewFolderName = "" OR InStr( 1, sNewFolderName, ".." ) > 0  ) Then
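Review bot: Now that `SanitizeFolderName` replaces every `.` before the test on the last line, the `InStr( 1, sNewFolderName, ".." )` branch can no longer fire for this value, and nothing says whether it is kept on purpose. I would keep it and add a comment above the `If`, e.g. `' Defence in depth: SanitizeFolderName already replaces "." with "_"; keep the ".." test in case the sanitizer changes.` The same applies to the `strpos( $sNewFolderName, '..' )` check in the first php/commands.php hunk. A name made up only of replaced characters now becomes a run of underscores instead of failing the `= ""` test, so the caller gets a folder it did not ask for; if that is intended, the comment should say so. The enclosing routine starts and ends outside the hunk.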
@@ -103,5 +104,5 @@
 		' Map the virtual path to the local server path of the current folder.
 		Dim sServerDir
-		sServerDir = ServerMapFolder( resourceType, currentFolder & "/" & sNewFolderName )
+		sServerDir = ServerMapFolder( resourceType, CombinePaths(currentFolder, sNewFolderName) )
 
 		On Error Resume Next
@@ -162,4 +163,5 @@
 			sFileName	= oUploader.File( "NewFile" ).Name
 			sExtension	= oUploader.File( "NewFile" ).Ext
+			sFileName = SanitizeFileName( sFileName )
 			sOriginalFileName = sFileName
 
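Review bot: `sExtension` is still read from the raw upload name (`oUploader.File( "NewFile" ).Ext`) while `sFileName` is sanitized on the added line, so any extension check that follows outside this hunk may be judging a different string from the one written to disk. Deriving the extension from the sanitized name keeps the two in step, for example `sExtension = Mid( sFileName, InStrRev( sFileName, "." ) + 1 )` after the new line, with a guard for names that contain no dot. I cannot see the allow/deny test from here, so please confirm which value it uses.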
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/config.asp
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/config.asp	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/config.asp	(revision 292)
@@ -31,10 +31,15 @@
 ConfigIsEnabled = true
 
+' Due to security issues with Apache modules, it is reccomended to leave the
+' following setting enabled.
+Dim ConfigForceSingleExtension
+ConfigForceSingleExtension = true 
+
 ' What the user can do with this connector
-dim ConfigAllowedCommands
+Dim ConfigAllowedCommands
 ConfigAllowedCommands = "FileUpload|GetFolders|GetFoldersAndFiles|CreateFolder"
 
 ' Allowed Resource Types
-dim ConfigAllowedTypes
+Dim ConfigAllowedTypes
 ConfigAllowedTypes = "File|Image|Flash|Media"
 
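Review bot: The new comment explains the setting by reference to Apache modules, yet this file configures the ASP connector, and it does not say what the flag actually does; "reccomended" is also misspelled. Suggested wording: `' When true, every dot in an uploaded file name except the last is replaced by "_", so the stored file has a single extension.` followed by `' Recommended: some web servers pick a handler from any extension in the name, not only the last one.` The trailing space after `ConfigForceSingleExtension = true` can go as well.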
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/io.asp
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/io.asp	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/asp/io.asp	(revision 292)
@@ -157,4 +157,35 @@
 end function
 
+' Do a cleanup of the folder name to avoid possible problems
+function SanitizeFolderName( sNewFolderName )
+	Dim oRegex
+	Set oRegex = New RegExp
+	oRegex.Global		= True
+
+' remove . \ / | : ? *
+	oRegex.Pattern = "(\.|\\|\/|\||:|\?|\*)"
+	SanitizeFolderName = oRegex.Replace( sNewFolderName, "_" )
+
+	Set oRegex = Nothing
+end function
+
+' Do a cleanup of the file name to avoid possible problems
+function SanitizeFileName( sNewFileName )
+	Dim oRegex
+	Set oRegex = New RegExp
+	oRegex.Global		= True
+
+	if ( ConfigForceSingleExtension = True ) then
+		oRegex.Pattern = "\.(?![^.]*$)"
+		sNewFileName = oRegex.Replace( sNewFileName, "_" )
+	end if
+
+' remove \ / | : ? *
+	oRegex.Pattern = "(\\|\/|\||:|\?|\*)"
+	SanitizeFileName = oRegex.Replace( sNewFileName, "_" )
+
+	Set oRegex = Nothing
+end function
+
 ' This is the function that sends the results of the uploading process.
 Sub SendUploadResults( errorNumber, fileUrl, fileName, customMsg )
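Review bot: The replaced set in both new functions (`\ / | : ? *`, plus `.` for folders) leaves out `<`, `>`, `"` and control characters, which Windows also refuses in names, so such a name passes the sanitizer and only fails later at the file-system call. A character class is easier to read and extend: `oRegex.Pattern = "[\\/|:?*""<>\x00-\x1f]"` in `SanitizeFileName`, with `.` added for `SanitizeFolderName`; the PHP copies in php/io.php have the same gap. Separately, `SanitizeFileName` assigns to its own parameter, and VBScript passes arguments by reference unless told otherwise, so the caller's variable is rewritten as a side effect. Declaring it `ByVal sNewFileName` makes the intent explicit.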
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/php/commands.php
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/php/commands.php	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/php/commands.php	(revision 292)
@@ -110,4 +110,5 @@
 	{
 		$sNewFolderName = $_GET['NewFolderName'] ;
+		$sNewFolderName = SanitizeFolderName( $sNewFolderName ) ;
 
 		if ( strpos( $sNewFolderName, '..' ) !== FALSE )
@@ -165,8 +166,5 @@
 		// Get the uploaded file name.
 		$sFileName = $oFile['name'] ;
-
-		// Replace dots in the name with underscores (only one dot can be there... security issue).
-		if ( $Config['ForceSingleExtension'] )
-			$sFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sFileName ) ;
+		$sFileName = SanitizeFileName( $sFileName ) ;
 
 		$sOriginalFileName = $sFileName ;
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/php/io.php
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/php/io.php	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/php/io.php	(revision 292)
@@ -181,4 +181,33 @@
 }
 
+// Do a cleanup of the folder name to avoid possible problems
+function SanitizeFolderName( $sNewFolderName )
+{
+	$sNewFolderName = stripslashes( $sNewFolderName ) ;
+
+	// Remove . \ / | : ? *
+//	$sNewFolderName = preg_replace( '(\.|\\|\/|\||:|\?|\*)', '_', $sNewFolderName ) ;
+	$sNewFolderName = preg_replace( '/\\.|\\\\|\\/|\\||\\:|\\?|\\*/', '_', $sNewFolderName ) ;
+
+	return $sNewFolderName ;
+}
+
+// Do a cleanup of the file name to avoid possible problems
+function SanitizeFileName( $sNewFileName )
+{
+	global $Config ;
+
+	$sNewFileName = stripslashes( $sNewFileName ) ;
+
+	// Replace dots in the name with underscores (only one dot can be there... security issue).
+	if ( $Config['ForceSingleExtension'] )
+		$sNewFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sNewFileName ) ;
+
+	// Remove \ / | : ? *
+	$sNewFileName = preg_replace( '/\\\\|\\/|\\||\\:|\\?|\\*/', '_', $sNewFileName ) ;
+
+	return $sNewFileName ;
+}
+
 // This is the function that sends the results of the uploading process.
 function SendUploadResults( $errorNumber, $fileUrl = '', $fileName = '', $customMsg = '' )
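Review bot: `stripslashes()` runs unconditionally at the top of both new functions, so on a server where magic quotes are off it deletes backslashes that were really in the name instead of letting the `preg_replace` below turn them into `_`. Guard it, e.g. `if ( get_magic_quotes_gpc() ) $sNewFolderName = stripslashes( $sNewFolderName ) ;`, and likewise in `SanitizeFileName`. The commented-out `preg_replace` line in `SanitizeFolderName` is a dead earlier attempt and should be dropped rather than committed. `SanitizeFileName` also reads `$Config['ForceSingleExtension']` without checking that the key is set, which is worth an `isset()` if older config files may lack it.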
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/test.html
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/test.html	(revision 291)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/test.html	(revision 292)
@@ -33,5 +33,5 @@
 		'?Command=' + command +
 		'&Type=' + document.getElementById('cmbType').value +
-		'&CurrentFolder=' + document.getElementById('txtFolder').value ;
+		'&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;
 
 	return sUrl ;
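Review bot: Only `CurrentFolder` is passed through `encodeURIComponent`; `command` and the `cmbType` value on the two lines above are still concatenated raw into the query string. For consistency, and so that a value containing `&` or `#` cannot change the shape of the request, encode them the same way: `'?Command=' + encodeURIComponent( command ) +` and `'&Type=' + encodeURIComponent( document.getElementById('cmbType').value ) +`. The function that builds `sUrl` starts outside the hunk.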
Index: /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/uploadtest.html
===================================================================
--- /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/uploadtest.html	(revision 292)
+++ /FCKeditor/branches/developers/alfonsoml/editor/filemanager/connectors/uploadtest.html	(revision 292)
@@ -0,0 +1,133 @@
+<!--
+ * FCKeditor - The text editor for Internet - http://www.fckeditor.net
+ * Copyright (C) 2003-2007 Frederico Caldeira Knabben
+ *
+ * == BEGIN LICENSE ==
+ *
+ * Licensed under the terms of any of the following licenses at your
+ * choice:
+ *
+ *  - GNU General Public License Version 2 or later (the "GPL")
+ *    http://www.gnu.org/licenses/gpl.html
+ *
+ *  - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
+ *    http://www.gnu.org/licenses/lgpl.html
+ *
+ *  - Mozilla Public License Version 1.1 or later (the "MPL")
+ *    http://www.mozilla.org/MPL/MPL-1.1.html
+ *
+ * == END LICENSE ==
+ *
+ * Test page for the "File Uploaders".
+-->
+<html>
+	<head>
+		<title>FCKeditor - Uploaders Tests</title>
+		<script language="javascript">
+
+function SendFile()
+{
+	var sUploaderUrl = cmbUploaderUrl.value ;
+
+	if ( sUploaderUrl.length == 0 )
+		sUploaderUrl = txtCustomUrl.value ;
+
+	if ( sUploaderUrl.length == 0 )
+	{
+		alert( 'Please provide your custom URL or select a default one' ) ;
+		return ;
+	}
+
+	eURL.innerHTML = sUploaderUrl ;
+	txtUrl.value = '' ;
+
+	frmUpload.action = sUploaderUrl ;
+	frmUpload.submit() ;
+}
+
+function OnUploadCompleted( errorNumber, fileUrl, fileName, customMsg )
+{
+	switch ( errorNumber )
+	{
+		case 0 :	// No errors
+			txtUrl.value = fileUrl ;
+			alert( 'File uploaded with no errors' ) ;
+			break ;
+		case 1 :	// Custom error
+			alert( customMsg ) ;
+			break ;
+		case 10 :	// Custom warning
+			txtUrl.value = fileUrl ;
+			alert( customMsg ) ;
+			break ;
+		case 201 :
+			txtUrl.value = fileUrl ;
+			alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
+			break ;
+		case 202 :
+			alert( 'Invalid file' ) ;
+			break ;
+		case 203 :
+			alert( "Security error. You probably don't have enough permissions to upload. Please check your server." ) ;
+			break ;
+		default :
+			alert( 'Error on file upload. Error number: ' + errorNumber ) ;
+			break ;
+	}
+}
+
+		</script>
+	</head>
+	<body>
+		<table cellSpacing="0" cellPadding="0" width="100%" border="0" height="100%">
+			<tr>
+				<td>
+					<table cellSpacing="0" cellPadding="0" width="100%" border="0">
+						<tr>
+							<td nowrap>
+								Select the "File Uploader" to use:<br>
+								<select id="cmbUploaderUrl">
+									<option selected value="asp/upload.asp">ASP</option>
+									<option value="aspx/upload.aspx">ASP.Net</option>
+									<option value="cfm/upload.cfm">ColdFusion</option>
+									<option value="lasso/upload.lasso">Lasso</option>
+									<option value="php/upload.php">PHP</option>
+									<option value="">(Custom)</option>
+								</select>
+							</td>
+							<td nowrap>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
+							<td width="100%">
+								Custom Uploader URL:<BR>
+								<input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc" disabled type="text">
+							</td>
+						</tr>
+					</table>
+					<br>
+					<table cellSpacing="0" cellPadding="0" width="100%" border="0">
+						<tr>
+							<td noWrap>
+								<form id="frmUpload" target="UploadWindow" enctype="multipart/form-data" action="" method="post">
+									Upload a new file:<br>
+									<input type="file" name="NewFile"><br>
+									<input type="button" value="Send it to the Server" onclick="SendFile();">
+								</form>
+							</td>
+							<td style="WIDTH: 16px">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
+							<td vAlign="top" width="100%">
+								Uploaded File URL:<br>
+								<INPUT id="txtUrl" style="WIDTH: 100%" readonly type="text">
+							</td>
+						</tr>
+					</table>
+					<br>
+					Post URL: <span id="eURL">&nbsp;</span>
+				</td>
+			</tr>
+			<tr>
+				<td height="100%">
+					<iframe name="UploadWindow" width="100%" height="100%" src="javascript:void(0)"></iframe>
+				</td>
+			</tr>
+		</table>
+	</body>
+</html>
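Review bot: In `SendFile()`, `eURL.innerHTML = sUploaderUrl` writes a typed-in URL into the page as markup although it is only meant to be displayed; set it as text instead, e.g. `eURL.innerHTML = '' ; eURL.appendChild( document.createTextNode( sUploaderUrl ) ) ;`. The script also reaches elements through bare ids (`cmbUploaderUrl`, `txtCustomUrl`, `frmUpload`, `txtUrl`), which is not portable across browsers; `document.getElementById(...)` would be. `txtCustomUrl` is rendered `disabled` and nothing in this file enables it when "(Custom)" is selected, so that option always ends in the alert. Since the page posts straight to the upload connectors, the header comment should also say that it is a test aid and should not be deployed on a production site.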
