--- loncom/publisher/lonupload.pm 2017/11/12 23:01:00 1.68 +++ loncom/publisher/lonupload.pm 2019/03/04 19:54:35 1.69 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Handler to upload files into construction space # -# $Id: lonupload.pm,v 1.68 2017/11/12 23:01:00 raeburn Exp $ +# $Id: lonupload.pm,v 1.69 2019/03/04 19:54:35 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -176,6 +176,7 @@ sub phaseone { # Check for file to be uploaded $env{'form.upfile.filename'}=~s/\\/\//g; $env{'form.upfile.filename'}=~s/^.*\/([^\/]+)$/$1/; + $env{'form.upfile.filename'}=~s/(\s+$|^\s+)//g; if (!$env{'form.upfile.filename'}) { $r->print('
'.&mt('No upload file specified.').'
'. &earlyout($fn,$uname,$udom)); @@ -214,6 +215,14 @@ sub phaseone { # Split part that I can change from the part that I cannot change my ($fn1,$fn2)=($fn=~/^(\/priv\/[^\/]+\/[^\/]+\/)(.*)$/); +# Check for pattern: .number.extension which is reserved for LON-CAPA versioning. +# Check for disallowed characters: #?&%:<>`|, and remove + if ($fn2 ne '') { + ($fn2,my $warning) = &check_filename($fn2); + if ($warning ne '') { + $r->print($warning); + } + } # Display additional options for upload # and upload button $r->print( @@ -281,7 +290,7 @@ sub phasetwo { my $base = &File::Basename::basename($fn); my $path = &File::Basename::dirname($fn); $base = &HTML::Entities::encode($base,'<>&"'); - my $url = $path."/".$base; + my $url = $path."/".$base; &Debug($r, "URL is now ".$url); my $datatoken; if ($env{'form.datatoken'} =~ /^$match_username\_$match_domain\_upload_\w*_\d+_\d+$/) { @@ -421,6 +430,47 @@ sub check_extension { return ($result,$returnflag); } +sub check_filename { + my ($fname) = @_; + my $warning; + if ($fname =~/[#\?&%":<>`|]/) { + $fname =~s/[#\?&%":<>`|]//g; + $warning .= '' + .&mt('Removed one or more disallowed characters from filename') + .'
'; + } + if ($fname=~ /\.(\d+)\.(\w+)$/) { + my $num = $1; + $warning .= ''
+ .&mt('Bad filename [_1]',''.$fname.'')
+ .'
'
+ .&mt('[_1](name).(number).(extension)[_2] not allowed.','','')
+ .'
'
+ .&mt('Replacing the [_1].number.[_2] with [_1]_letter.[_2] in requested filename.','','')
+ .'
' + .&mt('Changed ___ to a single _ in filename') + .'
'; + } + return ($fname,$warning); +} + sub phasethree { my ($r,$fn,$uname,$udom,$mode) = @_; @@ -503,10 +553,18 @@ sub handler { my $r=shift; my $javascript = ''; - my $fn=$env{'form.filename'}; + my $fn; + my $warning; if ($env{'form.filename1'}) { - $fn=$env{'form.filename1'}.$env{'form.filename2'}; + my $fn1 = $env{'form.filename1'}; + my $fn2 = $env{'form.filename2'}; + $fn2 =~ s/(\s+$|^\s+)//g; + $fn2 =~ s/\/+/\//g; + ($fn2,$warning) = &check_filename($fn2); + $fn = $fn1.$fn2; + } else { + $fn = $env{'form.filename'}; } $fn=~s/\/+/\//g; @@ -519,8 +577,8 @@ sub handler { my ($uname,$udom)=&Apache::lonnet::constructaccess($fn); unless (($uname) && ($udom)) { - $r->log_reason($uname.' at '.$udom. - ' trying to publish file '.$env{'form.filename'}. + $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. + ' trying to upload file '.$fn. ' - not authorized', $r->filename); return HTTP_NOT_ACCEPTABLE; @@ -575,6 +633,9 @@ ENDJS .'' ); } + if ($warning) { + $r->print($warning); + } if ($env{'form.phase'} eq 'four') { my $output = &phasefour($r,$fn,$uname,$udom,'author'); $r->print($output); @@ -589,7 +650,7 @@ ENDJS } $r->print(&Apache::loncommon::end_page()); - return OK; + return OK; } 1;