--- loncom/publisher/lonupload.pm 2012/10/29 17:38:55 1.61 +++ loncom/publisher/lonupload.pm 2019/03/06 03:39:54 1.70 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Handler to upload files into construction space # -# $Id: lonupload.pm,v 1.61 2012/10/29 17:38:55 raeburn Exp $ +# $Id: lonupload.pm,v 1.70 2019/03/06 03:39:54 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -130,7 +130,7 @@ use Apache::lonnet; use HTML::Entities(); use Apache::lonlocal; use Apache::lonnet; -use LONCAPA(); +use LONCAPA qw(:DEFAULT :match); my $DEBUG=0; @@ -150,8 +150,12 @@ sub upfile_store { chomp($env{'form.upfile'}); - my $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}. - '_upload_'.$fname.'_'.time.'_'.$$; + my $datatoken; + if (($env{'user.name'} =~ /^$match_username$/) && ($env{'user.domain'} =~ /^$match_domain$/)) { + $datatoken=$env{'user.name'}.'_'.$env{'user.domain'}. + '_upload_'.$fname.'_'.time.'_'.$$; + } + return if ($datatoken eq ''); { my $fh=Apache::File->new('>'.$r->dir_config('lonDaemons'). '/tmp/'.$datatoken.'.tmp'); @@ -161,7 +165,7 @@ sub upfile_store { } sub phaseone { - my ($r,$fn,$mode)=@_; + my ($r,$fn,$mode,$uname,$udom)=@_; my $action = '/adm/upload'; if ($mode eq 'testbank') { $action = '/adm/testbank'; @@ -172,8 +176,10 @@ sub phaseone { # Check for file to be uploaded $env{'form.upfile.filename'}=~s/\\/\//g; $env{'form.upfile.filename'}=~s/^.*\/([^\/]+)$/$1/; + $env{'form.upfile.filename'}=~s/(\s+$|^\s+)//g; if (!$env{'form.upfile.filename'}) { - $r->print('
'.&mt('No upload file specified.').'
'); + $r->print(''.&mt('No upload file specified.').'
'. + &earlyout($fn,$uname,$udom)); return; } @@ -187,8 +193,36 @@ sub phaseone { $r->print(''.&mt('Illegal filename.').'
'); return; } + # Check if quota exceeded + my $filesize = length($env{'form.upfile'}); + if (!$filesize) { + $r->print(''.
+ &mt('Unable to upload [_1]. (size = [_2] bytes)',
+ ''.$env{'form.upfile.filename'}.'',
+ $filesize).'
'.
+ &mt('Either the file you attempted to upload was empty, or your web browser was unable to read its contents.').'
'.
+ '
'.&mt('Or [_1]continue[_2] the testbank import without modifying the references(s).','','').'
'; + $result .= ''.&mt('Or [_1]continue[_2] the testbank import without modifying the reference(s).','','').'
'; } } } @@ -393,6 +430,47 @@ sub check_extension { return ($result,$returnflag); } +sub check_filename { + my ($fname) = @_; + my $warning; + if ($fname =~/[#\?&%":<>`|]/) { + $fname =~s/[#\?&%":<>`|]//g; + $warning .= '' + .&mt('Removed one or more disallowed characters from filename') + .'
'; + } + if ($fname=~ /\.(\d+)\.(\w+)$/) { + my $num = $1; + $warning .= ''
+ .&mt('Bad filename [_1]',''.$fname.'')
+ .'
'
+ .&mt('[_1](name).(number).(extension)[_2] not allowed.','','')
+ .'
'
+ .&mt('Replacing the [_1].number.[_2] with [_1]_letter.[_2] in requested filename.','','')
+ .'
' + .&mt('Changed ___ to a single _ in filename') + .'
'; + } + return ($fname,$warning); +} + sub phasethree { my ($r,$fn,$uname,$udom,$mode) = @_; @@ -406,6 +484,8 @@ sub phasethree { my $dir_root = $r->dir_config('lonDocRoot').$url_root; my $path = &File::Basename::dirname($fn); $path =~ s{^\Q$url_root\E}{}; + my $dirpath = $url_root.$path.'/'; + $dirpath=~s{/+}{/}g; my $filename = &HTML::Entities::encode($env{'form.filename'},'<>&"'); my $state = &embedded_form_elems('modify_orightml',$filename,$mode). ''; @@ -416,7 +496,7 @@ sub phasethree { if ($mode ne 'imsimport' && $mode ne 'testbank') { $result .= '' + .&mt('Path modified as a result of one or more instances of /../') + .'
'; + while ($fn =~ m{/\.\./}) { + $fn =~ s{/[^/]+/\.\./}{/}g; + } + } unless ($fn) { $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. @@ -478,8 +585,8 @@ sub handler { my ($uname,$udom)=&Apache::lonnet::constructaccess($fn); unless (($uname) && ($udom)) { - $r->log_reason($uname.' at '.$udom. - ' trying to publish file '.$env{'form.filename'}. + $r->log_reason($env{'user.name'}.' at '.$env{'user.domain'}. + ' trying to upload file '.$fn. ' - not authorized', $r->filename); return HTTP_NOT_ACCEPTABLE; @@ -518,10 +625,10 @@ ENDJS # Breadcrumbs my $brcrum = [{'href' => &Apache::loncommon::authorspace($fn), - 'text' => 'Construction Space'}, + 'text' => 'Authoring Space'}, {'href' => '/adm/upload', - 'text' => 'Upload file to Construction Space'}]; - $r->print(&Apache::loncommon::start_page('Upload file to Construction Space', + 'text' => 'Upload file to Authoring Space'}]; + $r->print(&Apache::loncommon::start_page('Upload file to Authoring Space', $javascript, {'bread_crumbs' => $brcrum,}) .&Apache::loncommon::head_subbox( @@ -534,6 +641,9 @@ ENDJS .'' ); } + if ($warning) { + $r->print($warning); + } if ($env{'form.phase'} eq 'four') { my $output = &phasefour($r,$fn,$uname,$udom,'author'); $r->print($output); @@ -544,11 +654,11 @@ ENDJS my ($output,$returnflag) = &phasetwo($r,$fn); $r->print($output); } else { - &phaseone($r,$fn); + &phaseone($r,$fn,undef,$uname,$udom); } $r->print(&Apache::loncommon::end_page()); - return OK; + return OK; } 1;