Index: admin_templates/incs/form_blocks.tpl
===================================================================
--- admin_templates/incs/form_blocks.tpl (revision 15338)
+++ admin_templates/incs/form_blocks.tpl (working copy)
@@ -365,9 +365,9 @@
prefix : '',
field : '',
thumb_format: '',
- urls : '',
- names : '',
- sizes : '',
+ urls : '',
+ names : '',
+ sizes : '',
flashsid : '',
uploadURL : '',
deleteURL : '',
Index: kernel/db/db_event_handler.php
===================================================================
--- kernel/db/db_event_handler.php (revision 15338)
+++ kernel/db/db_event_handler.php (working copy)
@@ -3114,6 +3114,10 @@
return;
}
+ if ( !$this->Application->isAdmin ) {
+ $value = array_map('htmlspecialchars_decode', $value);
+ }
+
$tmp_path = WRITEABLE . '/tmp/';
$fname = $value['name'];
$id = $this->Application->GetVar('id');
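Review bot: The decode at L26 (`array_map('htmlspecialchars_decode', $value)`) relies on htmlspecialchars_decode()'s default flags, which before PHP 8.1 are ENT_COMPAT and leave `&#039;` untouched; if the front-end encoding this reverts used ENT_QUOTES, a name containing a single quote does not round-trip and the `$value['name']` read below works on a still-encoded string. The same applies to the decode calls at L39, L58 and L82. Pass the flags the encoding side uses, e.g. `array_map(function ($v) { return htmlspecialchars_decode($v, ENT_QUOTES); }, $value)`, or at least add a comment naming the encoding call being reverted so the two stay in sync. The enclosing function starts outside the hunk, so whether `$value` is always an array at this point cannot be confirmed from here.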
@@ -3232,8 +3236,13 @@
protected function OnDeleteFile(kEvent $event)
{
$event->status = kEvent::erSTOP;
+ $filename = $this->Application->GetVar('file');
- if ( strpos($this->Application->GetVar('file'), '../') !== false ) {
+ if ( !$this->Application->isAdmin ) {
+ $filename = htmlspecialchars_decode($filename);
+ }
+
+ if ( strpos($filename, '../') !== false ) {
return;
}
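Review bot: The guard at L42 checks only for `../`, while the sibling handler at L61 additionally rejects `trim($file) !== $file`; both now operate on the same decoded front-end value, so OnDeleteFile should apply the same condition: `if ( (strpos($filename, '../') !== false) || (trim($filename) !== $filename) ) {`. Note also that when `file` is absent GetVar presumably returns false, and `htmlspecialchars_decode(false)` yields '', so an empty name passes the guard and reaches the scheduling code further down instead of returning early; an explicit `$filename === ''` check would make that case visible. OnDeleteFile's body continues past this hunk.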
@@ -3243,7 +3252,7 @@
$var_name = $this->_getPendingActionVariableName($event);
$schedule = $this->Application->RecallVar($var_name);
$schedule = $schedule ? unserialize($schedule) : Array ();
- $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $this->Application->GetVar('file'));
+ $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $filename);
$this->Application->StoreVar($var_name, serialize($schedule));
}
@@ -3259,6 +3268,11 @@
$event->status = kEvent::erSTOP;
$file = $this->Application->GetVar('file');
+
+ if ( !$this->Application->isAdmin ) {
+ $file = htmlspecialchars_decode($file);
+ }
+
if ( (strpos($file, '../') !== false) || (trim($file) !== $file) ) {
// when relative paths or special chars are found template names from url, then it's hacking attempt
return;
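Review bot: The decode-then-validate sequence added at L57-L61 now exists twice in this file (here and in OnDeleteFile at L38-L42) with two slightly different guards, which is how the checks drift apart; a small helper that performs the front-end decode and the path check in one place would keep both handlers identical and give the "hacking attempt" comment a single home. The enclosing handler starts outside the hunk, so the helper below is shown with only the call site lines visible here. The helper keeps the existing `strpos`/`trim` condition unchanged and returns false instead of a name that must not be used.
```php
$file = $this->_getSafeFrontEndFilename( $this->Application->GetVar('file') );

if ( $file === false ) {
	// relative paths or special chars in file name from url -> hacking attempt
	return;
}
// … unchanged: rest of handler …

/**
 * Reverts front-end htmlspecialchars encoding of a filename and rejects names with path tricks.
 *
 * @param string $raw value as received from the request
 * @return string|bool decoded filename, or false when it must not be used
 */
protected function _getSafeFrontEndFilename($raw)
{
	$file = $this->Application->isAdmin ? $raw : htmlspecialchars_decode($raw);

	if ( (strpos($file, '../') !== false) || (trim($file) !== $file) ) {
		return false;
	}

	return $file;
}
```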
Index: kernel/utility/formatters/upload_formatter.php
===================================================================
--- kernel/utility/formatters/upload_formatter.php (revision 15338)
+++ kernel/utility/formatters/upload_formatter.php (working copy)
@@ -24,7 +24,7 @@
*
* @var FileHelper
*/
- var $fileHelper = null;
+ var $fileHelper = NULL;
public function __construct()
{
@@ -48,6 +48,11 @@
*/
public function Parse($value, $field_name, &$object)
{
+ if ( !$this->Application->isAdmin ) {
+ // this allows to revert htmlspecialchars call for each field submitted on front-end
+ $value = is_array($value) ? array_map('htmlspecialchars_decode', $value) : htmlspecialchars_decode($value);
+ }
+
$ret = !is_array($value) ? $value : '';
$options = $object->GetFieldOptions($field_name);
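Review bot: The new decode at L82 turns a null `$value` into '' (htmlspecialchars_decode(null) returns an empty string, with a deprecation notice on PHP 8.1+), so `$ret` on the next line becomes '' where it previously stayed null; Format() at L120 still tests `is_null($value)`, so if Parse() can receive null on the front-end the "no value" case is lost. Guard the decode with `if ( !$this->Application->isAdmin && $value !== null ) {`. The array branch also decodes one level only and would hand a nested array to htmlspecialchars_decode; the keys used further down (`tmp_ids`, `tmp_names`, `upload`) are scalar strings, so this looks fine for the shapes visible here, but a comment stating that assumption would help the next reader. The comment on L81 reads better as `// revert the htmlspecialchars() applied to every field submitted on the front-end`.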
@@ -76,15 +81,18 @@
// no pending files -> return already uploded files
return getArrayValue($value, 'upload');
}
+
$swf_uploaded_ids = explode('|', $value['tmp_ids']);
$swf_uploaded_names = explode('|', $value['tmp_names']);
$existing = $value['upload'] ? explode('|', $value['upload']) : array();
+
if (isset($options['multiple'])) {
$max_files = $options['multiple'] == false ? 1 : $options['multiple'];
}
else {
$max_files = 1;
}
+
$fret = array();
// don't delete uploaded file, when it's name matches delete file name
@@ -92,6 +100,7 @@
$schedule = $this->Application->RecallVar($var_name);
$schedule = $schedule ? unserialize($schedule) : Array();
$files2delete = Array();
+
foreach ($schedule as $data) {
if ($data['action'] == 'delete') {
$files2delete[] = $data['file'];
@@ -258,7 +267,7 @@
* @param string $format
* @return string
*/
- function Format($value, $field_name, &$object, $format = null)
+ function Format($value, $field_name, &$object, $format = NULL)
{
if (is_null($value)) {
return '';
@@ -303,7 +312,7 @@
* @param bool $force_direct_links
* @return string
*/
- function GetFormatted($value, $field_name, &$object, $format = null, $force_direct_links = null)
+ function GetFormatted($value, $field_name, &$object, $format = NULL, $force_direct_links = NULL)
{
if (!$format) {
return $value;
Index: kernel/utility/http_query.php
===================================================================
--- kernel/utility/http_query.php (revision 15338)
+++ kernel/utility/http_query.php (working copy)
@@ -269,7 +269,7 @@
case 'F';
$this->convertFiles();
- $this->Files = $this->MergeVars($_FILES, false); //do not strip slashes!
+ $this->Files = $this->MergeVars($_FILES); // , false); //do not strip slashes!
break;
}
}
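Review bot: L139 keeps the dropped argument inside the trailing comment (`// , false); //do not strip slashes!`), so the comment now says the opposite of what the line does. Delete the fragment and record the new intent instead, e.g. `$this->Files = $this->MergeVars($_FILES); // strip slashes like the other request vars`; MergeVars() and the default of its second parameter are outside the hunk, so this presumes the default now strips. If stripping was deliberately disabled before for a reason, that reason belongs in the commit message rather than being left as commented-out code.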