mcmannehan, posted April 22, 2019:

I'm wondering why the check for illegal characters doesn't exist!!! In the Frozen and in the Bootstrap 4 version. So I recommend completely changing the function parse to this:

Starting at about line 35 of catalog/admin/includes/classes/upload.php

```php
function parse() {
  global $messageStack;

  $file = array();

  if (isset($_FILES[$this->file])) {
    $file = array('name' => $_FILES[$this->file]['name'],
                  'type' => $_FILES[$this->file]['type'],
                  'size' => $_FILES[$this->file]['size'],
                  'tmp_name' => $_FILES[$this->file]['tmp_name']);
  } elseif (isset($_FILES[$this->file])) {
    $file = array('name' => $_FILES[$this->file]['name'],
                  'type' => $_FILES[$this->file]['type'],
                  'size' => $_FILES[$this->file]['size'],
                  'tmp_name' => $_FILES[$this->file]['tmp_name']);
  }

  if ( tep_not_null($file['tmp_name']) && ($file['tmp_name'] != 'none') && is_uploaded_file($file['tmp_name']) ) {
    if (sizeof($this->extensions) > 0) {
      if (!in_array(strtolower(substr($file['name'], strrpos($file['name'], '.')+1)), $this->extensions)) {
        if ($this->message_location == 'direct') {
          $messageStack->add(ERROR_FILETYPE_NOT_ALLOWED, 'error');
        } else {
          $messageStack->add_session(ERROR_FILETYPE_NOT_ALLOWED, 'error');
        }

        return false;
      }
    }

    //BOC by mcmannehan
    if (preg_match('/^([-\.\w]+)$/', $file['name']) !== true) {
      $message = sprintf(ERROR_FILE_ILLEGAL_CHAR, $file['name']);
      if ($this->message_location == 'direct') {
        $messageStack->add($message, 'error');
      } else {
        $messageStack->add_session($message, 'error');
      }
      return false;
    }
    //EOC

    $this->set_file($file);
    $this->set_filename($file['name']);
    $this->set_tmp_filename($file['tmp_name']);

    return $this->check_destination();
  } else {
    if ($this->message_location == 'direct') {
      $messageStack->add(WARNING_NO_FILE_UPLOADED, 'warning');
    } else {
      $messageStack->add_session(WARNING_NO_FILE_UPLOADED, 'warning');
    }

    return false;
  }
}
```

And add to catalog/admin/includes/languages/english.php:

```php
const ERROR_FILE_ILLEGAL_CHAR = 'Invalid character in the file name! <strong>%s</strong>. Spaces and special characters are not allowed in Internet filenames. Allowed are: a-z A-Z 0-9 - _';
```

"const" has some restrictions, but it's much better and faster than define.

The clever one learn from everything and from everybody
The normal one learn from his experience
The silly one knows everything better
[socrates, 412 before Christ]

Computers help us with the problems we wouldn't have without them!
99.9% of the bugs sit in front of the computer!

My programmed add-ons: WDW EasyTabs 1.0.3, WDW Facebook Like 1.0.0

if(isset($this) || !isset($this)){ // that's the question...

mcmannehan (author), posted April 22, 2019:

The changes in the regex are wrong. To allow only a-z A-Z 0-9 - _ . the regex must be:

```php
if (preg_match('/^[-A-Za-z0-9._]+$/i', $file['name']) == false) {
  $message = sprintf(ERROR_FILE_ILLEGAL_CHAR, $file['name']);
  if ($this->message_location == 'direct') {
    $messageStack->add($message, 'error');
  } else {
    $messageStack->add_session($message, 'error');
  }
  return false;
}
```

ruden, posted April 23, 2019:

Verification is the wrong approach. Special characters must be removed. Ideally SEO Friendly Images
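
The two approaches debated in this thread, rejecting a bad file name versus rewriting it, side by side as an added example (not osCommerce code and not written by either poster). The function names, the lowercase/hyphen convention, the `file` fallback and the sample names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not part of osCommerce's upload class.

/** Validation (reject): true only if $name consists of a-z A-Z 0-9 - _ . */
function upload_name_is_valid(string $name): bool
{
    // preg_match() returns 1 (match), 0 (no match) or false (error), never true,
    // so a "!== true" comparison rejects every name; compare with 1 instead.
    // \z anchors at the very end of the string; "$" also matches before a
    // trailing newline, so it would accept "photo.jpg\n".
    return preg_match('/^[-A-Za-z0-9._]+\z/', $name) === 1;
}

/** Sanitizing (rewrite): map any name to one that passes upload_name_is_valid(). */
function upload_name_sanitize(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));   // drop any client-side path
    $dot  = strrpos($name, '.');
    $stem = ($dot === false) ? $name : substr($name, 0, $dot);
    $ext  = ($dot === false) ? ''    : substr($name, $dot + 1);

    // Collapse each run of disallowed characters in the stem into one hyphen.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '-', $stem), '-');
    // Keep only letters and digits in the extension.
    $ext  = preg_replace('/[^A-Za-z0-9]+/', '', $ext);
    if ($stem === '') {
        $stem = 'file';                                 // assumption: fallback stem
    }
    // Assumption: lowercase output, as an "SEO friendly" convention.
    return strtolower($ext === '' ? $stem : $stem . '.' . $ext);
}

// Constructed sample names, printed with both results for comparison.
$samples = ['photo.jpg', "photo.jpg\n", 'my holiday (1).JPG', '../../etc/x.png', 'Üeber größe.png'];
foreach ($samples as $name) {
    printf("%-28s valid=%-3s sanitized=%s\n",
        json_encode($name, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE),
        upload_name_is_valid($name) ? 'yes' : 'no',
        upload_name_sanitize($name));
}
```

If the name is rewritten rather than rejected, the extension allow-list check in parse() still has to run against the final, sanitized name.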
This topic is now archived and is closed to further replies.