--- loncom/publisher/loncfile.pm 2004/06/10 18:20:16 1.57 +++ loncom/publisher/loncfile.pm 2005/05/30 16:56:46 1.69 @@ -9,7 +9,7 @@ # and displays a page showing the results of the action. # # -# $Id: loncfile.pm,v 1.57 2004/06/10 18:20:16 albertel Exp $ +# $Id: loncfile.pm,v 1.69 2005/05/30 16:56:46 www Exp $ # # Copyright Michigan State University Board of Trustees # @@ -289,11 +289,27 @@ sub checksuffix { } sub cleanDest { - my ($request,$dest)=@_; + my ($request,$dest,$subdir,$fn,$uname)=@_; #remove bad characters + my $foundbad=0; + if ($subdir && $dest =~/\./) { + $foundbad=1; + $dest=~s/\.//g; + } if ($dest=~/[\#\?&%\"]/) { + $foundbad=1; + $dest=~s/[\#\?&%\"]//g; + } + if ($dest=~m|/|) { + my ($newpath)=($dest=~m|(.*)/|); + $newpath=&relativeDest($fn,$newpath,$uname); + if (! -d "$newpath") { + $request->print("

".&mt('You have requested to create file in directory [_1] which doesn\'t exist. The requested directory path has been removed from the requested file name.','"'.$newpath.'"')."

"); + $dest=~s|.*/||; + } + } + if ($foundbad) { $request->print("

".&mt('Invalid characters in requested name have been removed.')."

"); - $dest=~s/[\#\?&%]//g; } return $dest; } @@ -688,13 +704,19 @@ button which returns you to the driector sub NewFile1 { my ($request, $user, $domain, $fn, $newfilename) = @_; - if ($ENV{'form.action'} =~ /new(.+)file/) { + if ($env{'form.action'} =~ /new(.+)file/) { my $extension=$1; ##Informs User (name).(number).(extension) not allowed if($newfilename =~ /\.(\d+)\.(\w+)$/){ $r->print(''.$newfilename. - ' - '.&mt('Bad Filename').'
('.&mt('name').').('.&mt('number').').('.&mt('extension').')'. + ' - '.&mt('Bad Filename').'
('.&mt('name').').('.&mt('number').').('.&mt('extension').') '. + ' '.&mt('Not Allowed').''); + return; + } + if($newfilename =~ /(\:\:\:|\&\&\&|\_\_\_)/){ + $r->print(''.$newfilename. + ' - '.&mt('Bad Filename').'
('.&mt('Must not include').' '.$1.') '. ' '.&mt('Not Allowed').''); return; } @@ -750,42 +772,46 @@ performed and reported to the user. sub phaseone { my ($r,$fn,$uname,$udom)=@_; - my $newfilename=&cleanDest($r,$ENV{'form.newfilename'}); + my $doingdir=0; + if ($env{'form.action'} eq 'newdir') { $doingdir=1; } + my $newfilename=&cleanDest($r,$env{'form.newfilename'},$doingdir,$fn,$uname); $newfilename=&relativeDest($fn,$newfilename,$uname); $r->print('
'. ''. ''. - ''); + ''); - if ($ENV{'form.action'} eq 'rename') { + if ($env{'form.action'} eq 'rename') { &Rename1($r, $uname, $udom, $fn, $newfilename, 'rename'); - } elsif ($ENV{'form.action'} eq 'move') { + } elsif ($env{'form.action'} eq 'move') { &Rename1($r, $uname, $udom, $fn, $newfilename, 'move'); - } elsif ($ENV{'form.action'} eq 'delete') { + } elsif ($env{'form.action'} eq 'delete') { &Delete1($r, $uname, $udom, $fn); - } elsif ($ENV{'form.action'} eq 'decompress') { + } elsif ($env{'form.action'} eq 'decompress') { &Decompress1($r, $uname, $udom, $fn); - } elsif ($ENV{'form.action'} eq 'copy') { + } elsif ($env{'form.action'} eq 'copy') { if($newfilename) { &Copy1($r, $uname, $udom, $fn, $newfilename); } else { $r->print('

'.&mt('No new filename specified.').'

'); } - } elsif ($ENV{'form.action'} eq 'newdir') { + } elsif ($env{'form.action'} eq 'newdir') { my $mode = ''; - if (exists($ENV{'form.callingmode'}) ) { - $mode = $ENV{'form.callingmode'}; + if (exists($env{'form.callingmode'}) ) { + $mode = $env{'form.callingmode'}; } &NewDir1($r, $uname, $udom, $fn, $newfilename, $mode); - } elsif ($ENV{'form.action'} eq 'newfile' || - $ENV{'form.action'} eq 'newhtmlfile' || - $ENV{'form.action'} eq 'newproblemfile' || - $ENV{'form.action'} eq 'newpagefile' || - $ENV{'form.action'} eq 'newsequencefile' || - $ENV{'form.action'} eq 'newrightsfile' || - $ENV{'form.action'} eq 'newstyfile' || - $ENV{'form.action'} eq 'Select Action') { - if ($newfilename) { + } elsif ($env{'form.action'} eq 'newfile' || + $env{'form.action'} eq 'newhtmlfile' || + $env{'form.action'} eq 'newproblemfile' || + $env{'form.action'} eq 'newpagefile' || + $env{'form.action'} eq 'newsequencefile' || + $env{'form.action'} eq 'newrightsfile' || + $env{'form.action'} eq 'newstyfile' || + $env{'form.action'} eq 'newlibraryfile' || + $env{'form.action'} eq 'Select Action') { + my $empty=&mt('Type Name Here'); + if (($newfilename!~/\/$/) && ($newfilename!~/$empty$/)) { &NewFile1($r, $uname, $udom, $fn, $newfilename); } else { $r->print('

'.&mt('No new filename specified.').'

'); @@ -978,11 +1004,16 @@ sub Copy2 { unless (copy($oldfile, $newfile)) { $request->print(' '.&mt('copy Error').': '.$!.''); return 0; + } elsif (!chmod(0660, $newfile)) { + $request->print(' '.&mt('chmod error').': '.$!.''); + return 0; + } elsif (-e $oldfile.'.meta' && + !copy($oldfile.'.meta', $newfile.'.meta') && + !chmod(0660, $newfile.'.meta')) { + $request->print(' '.&mt('copy metadata error'). + ': '.$!.''); + return 0; } else { - unless (chmod(0660, $newfile)) { - $request->print(' '.&mt('chmod error').': '.$!.''); - return 0; - } return 1; } } else { @@ -1086,66 +1117,66 @@ sub phasetwo { $main=$2; # Filename. } if($main=~m:\.(\w+)$:){ # Fixes problems with filenames with no extensions - $main=$`; #This is what is before the match (.) so it's just the main filename, yea it's nasty $suffix=$1; #This is the actually filename extension if it exists + $main=~s/\.\w+$//; #strip the extension } my $dest; # On success this is where we'll go. &Debug($r,"loncfile::phase2 dir = $dir main = $main suffix = $suffix"); - &Debug($r," newfilename = ".$ENV{'form.newfilename'}); + &Debug($r," newfilename = ".$env{'form.newfilename'}); my $conspace=$fn; &Debug($r,"loncfile::phase2 Full construction space name: $conspace"); - &Debug($r,"loncfie::phase2 action is $ENV{'form.action'}"); + &Debug($r,"loncfie::phase2 action is $env{'form.action'}"); # Select the appropriate processing sub. - if ($ENV{'form.action'} eq 'decompress') { - $main .= '.'; - $main .= $suffix; + if ($env{'form.action'} eq 'decompress') { + $main .= '.'.$suffix; if(!&decompress2($r, $uname, $dir, $main)) { return ; } $dest = $dir."/."; - } elsif ($ENV{'form.action'} eq 'rename') { # Rename. - if($ENV{'form.newfilename'}) { + } elsif ($env{'form.action'} eq 'rename' || + $env{'form.action'} eq 'move') { + if($env{'form.newfilename'}) { if (!defined($dir)) { $fn=~m:^(.*)/:; $dir=$1; } - if(!&Rename2($r, $uname, $dir, $fn, $ENV{'form.newfilename'})) { + if(!&Rename2($r, $uname, $dir, $fn, $env{'form.newfilename'})) { return; } - $dest = $ENV{'form.newfilename'}; + $dest = $env{'form.newfilename'}; } - } elsif ($ENV{'form.action'} eq 'delete') { - if(!&Delete2($r, $uname, $ENV{'form.newfilename'})) { + } elsif ($env{'form.action'} eq 'delete') { + if(!&Delete2($r, $uname, $env{'form.newfilename'})) { return ; } # Once a resource is deleted, we just list the directory that # previously held it. # $dest = $dir."/."; # Parent dir. - } elsif ($ENV{'form.action'} eq 'copy') { - if($ENV{'form.newfilename'}) { - if(!&Copy2($r, $uname, $dir, $fn, $ENV{'form.newfilename'})) { + } elsif ($env{'form.action'} eq 'copy') { + if($env{'form.newfilename'}) { + if(!&Copy2($r, $uname, $dir, $fn, $env{'form.newfilename'})) { return ; } - $dest = $ENV{'form.newfilename'}; + $dest = $env{'form.newfilename'}; } else { $r->print('

'.&mt('No New filename specified').'

'); return; } - } elsif ($ENV{'form.action'} eq 'newdir') { - my $newdir= $ENV{'form.newfilename'}; + } elsif ($env{'form.action'} eq 'newdir') { + my $newdir= $env{'form.newfilename'}; if(!&NewDir2($r, $uname, $newdir)) { return; } $dest = $newdir."/"; } - if ( ($ENV{'form.action'} eq 'newdir') && ($ENV{'form.phase'} eq 'two') && ( ($ENV{'form.callingmode'} eq 'testbank') || ($ENV{'form.callingmode'} eq 'imsimport') ) ) { + if ( ($env{'form.action'} eq 'newdir') && ($env{'form.phase'} eq 'two') && ( ($env{'form.callingmode'} eq 'testbank') || ($env{'form.callingmode'} eq 'imsimport') ) ) { $r->print('

'.&mt('Done').'

'); } else { $r->print('

'.&mt('Done').'

'); @@ -1156,10 +1187,11 @@ sub handler { $r=shift; + &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['decompress','action','filename','newfilename']); &Debug($r, "loncfile.pm - handler entered"); - &Debug($r, " filename: ".$ENV{'form.filename'}); - &Debug($r, " newfilename: ".$ENV{'form.newfilename'}); + &Debug($r, " filename: ".$env{'form.filename'}); + &Debug($r, " newfilename: ".$env{'form.newfilename'}); # # Determine the root filename # This could come in as "filename", which actually is a URL, or @@ -1167,29 +1199,28 @@ sub handler { # my $fn; - if ($ENV{'form.filename'}) { - &Debug($r, "test: $ENV{'form.filename'}"); - $fn=&Apache::lonnet::unescape($ENV{'form.filename'}); + if ($env{'form.filename'}) { + &Debug($r, "test: $env{'form.filename'}"); + $fn=&Apache::lonnet::unescape($env{'form.filename'}); $fn=&URLToPath($fn); - } elsif($ENV{'QUERY_STRING'} && $ENV{'form.phase'} ne 'two') { + } elsif($ENV{'QUERY_STRING'} && $env{'form.phase'} ne 'two') { #Just hijack the script only the first time around to inject the #correct information for further processing - &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['decompress']); - $fn=&Apache::lonnet::unescape($ENV{'form.decompress'}); + $fn=&Apache::lonnet::unescape($env{'form.decompress'}); $fn=&URLToPath($fn); - $ENV{'form.action'}="decompress"; - } elsif ($ENV{'form.qualifiedfilename'}) { - $fn=$ENV{'form.qualifiedfilename'}; + $env{'form.action'}="decompress"; + } elsif ($env{'form.qualifiedfilename'}) { + $fn=$env{'form.qualifiedfilename'}; } else { &Debug($r, "loncfile::handler - no form.filename"); - $r->log_reason($ENV{'user.name'}.' at '.$ENV{'user.domain'}. + $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. ' unspecified filename for cfile', $r->filename); return HTTP_NOT_FOUND; } unless ($fn) { &Debug($r, "loncfile::handler - doctored url is empty"); - $r->log_reason($ENV{'user.name'}.' at '.$ENV{'user.domain'}. + $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. ' trying to cfile non-existing file', $r->filename); return HTTP_NOT_FOUND; } @@ -1204,7 +1235,7 @@ sub handler { "loncfile::handler constructaccess uname = $uname domain = $udom"); unless (($uname) && ($udom)) { $r->log_reason($uname.' at '.$udom. - ' trying to manipulate file '.$ENV{'form.filename'}. + ' trying to manipulate file '.$env{'form.filename'}. ' ('.$fn.') - not authorized', $r->filename); return HTTP_NOT_ACCEPTABLE; @@ -1214,8 +1245,8 @@ sub handler { &Apache::loncommon::content_type($r,'text/html'); $r->send_http_header; - if ( ($ENV{'form.action'} eq 'newdir') && ($ENV{'form.phase'} eq 'two') && ( ($ENV{'form.callingmode'} eq 'testbank') || ($ENV{'form.callingmode'} eq 'imsimport') ) ) { - my $newdirname = $ENV{'form.newfilename'}; + if ( ($env{'form.action'} eq 'newdir') && ($env{'form.phase'} eq 'two') && ( ($env{'form.callingmode'} eq 'testbank') || ($env{'form.callingmode'} eq 'imsimport') ) ) { + my $newdirname = $env{'form.newfilename'}; $r->print('LON-CAPA Construction Space