PHP connector in filemanager should have better error checking

[Kyle]

The PHP connector DetectHTML function does no error checking to make sure that the file was opened or read correctly. This causes a cascade of errors on systems with the PHP open_basedir set to disallow opening of files in the temporary file-upload directory. See the forums post ​http://www.fckeditor.net/forums/viewtopic.php?f=6&t=8619.

In the file 'editor/filemanager/connectors/php/util.php' starting on line 87 is the DetectHTML function.

Original:

function DetectHtml( $filePath )
{
	$fp = fopen( $filePath, 'rb' ) ;
	$chunk = fread( $fp, 1024 ) ;
	fclose( $fp ) ;

With improved error checking, it should be something like this...

function DetectHtml( $filePath )
{
	$fp = fopen( $filePath, 'rb' ) ;
        if ( $fp !== false )
        {
         	$chunk = fread( $fp, 1024 ) ;
             if ( $chunk === false )
             {
                     $chunk = '';
             }
	       fclose( $fp ) ;
        }
        else
        {
             $chunk = '';
        }

I'm not sure whether it would be better to return TRUE or FALSE in the case of being unable to open and/or read the file. I leave it to the security experts to debate that.

[Wiktor Walc]

Thanks Kyle for posting this here. I'm targeting it to 2.6 because it should be fixed as soon as possible.

If DetectHtml() fail to open the uploaded file, it will be checked once again after moving it to the final directory. If the file is invalid, FCKeditor will make an attempt do delete it.

[Frederico Caldeira Knabben]

I haven't tested it throughly, but the implementation seems ok.

I would just change line 240: "if" => "else if".

Then, if you have tested it well Wiktor, go ahead committing it. Please include a changelog entry for it.

[Wiktor Walc]

Fixed with [1615].